Sflow paring issue #154
Comments
|
vFlow doesn't support expanded flow sample / type 3. It supports type 1 and 2. maybe it sends type 3 as well?! |
|
Alright @mehrdadrad, Yes it's expanded flow. I have another issue is that, getting diff total length in sflow. You can check below tcpdump and output. 11:22:50.476764 IP (tos 0x0, ttl 254, id 0, offset 0, flags [none], proto UDP (17), length 212) {"Version":5,"IPVersion":1,"AgentSubID":0,"SequenceNo":12581,"SysUpTime":120987363,"SamplesNo":1,"Samples":[{"SequenceNo":2023,"SourceID":0,"SourceIDType":0,"SourceIDIdx":527,"SamplingRate":2000,"SamplePool":4048000,"Drops":0,"InputFormat":0,"Input":527,"OutputFormat":0,"Output":2147483648,"RecordsNo":1,"Records":{"RawHeader":{"L2":{"SrcMAC":"00:50:56:bb:3f:9b","DstMAC":"ff:ff:ff:ff:ff:ff","Vlan":0,"EtherType":2048},"L3":{"Version":4,"TOS":0,"TotalLen":78,"ID":14230,"Flags":0,"FragOff":0,"TTL":128,"Protocol":17,"Checksum":38521,"Src":"172.16.8.112","Dst":"172.16.11.255"},"L4":{"SrcPort":137,"DstPort":137}}}}],"Counters":[],"AgentID":"128.0.0.4","ColTime":1636955570} Here TotalLen getting 78 but actually, it is 96. Here I am attaching another one as well with pcap so you can correct me if I am wrong Edge Cast Output: {"Version":5,"IPVersion":1,"AgentSubID":0,"SequenceNo":22336,"SysUpTime":177701040,"SamplesNo":1,"Samples":[{"SequenceNo":5840,"SourceID":0,"SourceIDType":0,"SourceIDIdx":527,"SamplingRate":1000,"SamplePool":5841000,"Drops":0,"InputFormat":0,"Input":527,"OutputFormat":0,"Output":0,"RecordsNo":1,"Records":{"RawHeader":{"L2":{"SrcMAC":"00:50:56:bb:dc:6e","DstMAC":"33:33:00:01:00:03","Vlan":0,"EtherType":34525},"L3":{"Version":6,"TrafficClass":0,"FlowLabel":0,"PayloadLen":41,"NextHeader":17,"HopLimit":1,"Src":"fe80::6465:df0:31ee:aff4","Dst":"ff02::1:3"},"L4":{"SrcPort":64771,"DstPort":5355}}}}],"Counters":[],"AgentID":"128.0.0.4","ColTime":1637213837} TCP Dump Text, 11:07:17.506673 IP (tos 0x0, ttl 254, id 0, offset 0, flags [none], proto UDP (17), length 216) PCAP File: could you please help me out to understand? |
|
@mehrdadrad, any plan to support expanded flow sample / type 3? I'm interested in creating a pr to add that |
Hello,
When I am parsing sflow using vflow so in that 2 cases is happening.
12:22:28.035013 IP (tos 0x0, ttl 254, id 0, offset 0, flags [none], proto UDP (17), length 216) 172.16.14.5.50315 > 10.20.40.34.6343: sFlowv5, IPv4 agent 192.168.2.3, agent-id 0, seqnum 10897, uptime 1741164485, samples 1, length 188 flow sample (1), length 152, seqnum 3168, type 0, idx 527, rate 1000, pool 3169000, drops 0, input 527 output 0 records 1 enterprise 0 Raw packet (1) length 112 protocol Ethernet (1), length 99, stripped bytes 4, header_size 95{"Version":5,"IPVersion":1,"AgentSubID":0,"SequenceNo":10897,"SysUpTime":1741164485,"SamplesNo":1,"Samples":[{"SequenceNo":3168,"SourceID":0,"SamplingRate":1000,"SamplePool":3169000,"Drops":0,"Input":527,"Output":0,"RecordsNo":1,"Records":{"RawHeader":{"L2":{"SrcMAC":"00:50:56:bb:1f:4b","DstMAC":"33:33:00:01:00:03","Vlan":0,"EtherType":34525},"L3":{"Version":6,"TrafficClass":0,"FlowLabel":0,"PayloadLen":41,"NextHeader":17,"HopLimit":1,"Src":"fe80::9de:899c:c1e4:c19c","Dst":"ff02::1:3"},"L4":{"SrcPort":53081,"DstPort":5355}}}}],"Counters":[],"AgentID":"192.168.2.3","ColTime":1635317548}12:15:38.171862 IP (tos 0x0, ttl 254, id 0, offset 0, flags [none], proto UDP (17), length 232) 172.16.14.5.50315 > 10.20.40.34.6343: sFlowv5, IPv4 agent 192.168.2.3, agent-id 0, seqnum 10851, uptime 1740755104, samples 1, length 204 counter sample (2), length 168, seqnum 4281, type 0, idx 526, records 2 enterprise 0, Generic counter (1) length 88 ifindex 526, iftype 6, ifspeed 1000000000, ifdirection 1 (full-duplex) ifstatus 3, adminstatus: up, operstatus: up In octets 27308635, unicast pkts 303822, multicast pkts 0, broadcast pkts 0, discards 0 In errors 0, unknown protos 0 Out octets 24091432, unicast pkts 184520, multicast pkts 0, broadcast pkts 0, discards 0 Out errors 0, promisc mode 0 enterprise 0, Ethernet counter (2) length 52 align errors 0, fcs errors 0, single collision 0, multiple collision 0, test error 0 deferred 0, late collision 0, excessive collision 0, mac trans error 0 carrier error 0, frames too long 0, mac receive errors 0, symbol errors 0{"Version":5,"IPVersion":1,"AgentSubID":0,"SequenceNo":10851,"SysUpTime":1740755104,"SamplesNo":1,"Samples":[],"Counters":[{"SequenceNo":4281,"SourceIDType":0,"SourceIDIdx":526,"RecordsNo":2,"Records":{"EthInt":{"AlignmentErrors":0,"FCSErrors":0,"SingleCollisionFrames":0,"MultipleCollisionFrames":0,"SQETestErrors":0,"DeferredTransmissions":0,"LateCollisions":0,"ExcessiveCollisions":0,"InternalMACTransmitErrors":0,"CarrierSenseErrors":0,"FrameTooLongs":0,"InternalMACReceiveErrors":0,"SymbolErrors":0},"GenInt":{"Index":526,"Type":6,"Speed":1000000000,"Direction":1,"Status":3,"InOctets":27308635,"InUnicastPackets":303822,"InMulticastPackets":0,"InBroadcastPackets":0,"InDiscards":0,"InErrors":0,"InUnknownProtocols":0,"OutOctets":24091432,"OutUnicastPackets":184520,"OutMulticastPackets":0,"OutBroadcastPackets":0,"OutDiscards":0,"OutErrors":0,"PromiscuousMode":0}}}],"AgentID":"192.168.2.3","ColTime":1635317138}So here I want to understand between two returning counters and the reason for that.
If any further details require please let me know.
The text was updated successfully, but these errors were encountered: