[pmacct-discussion] IPFIX octet delta count with Open-vSwitch

Wed, 13 May 2015 17:53:51 -0700 

Hi All,

I've been attempting to use the IPFIX flow exports on XenServer's Open vSwitch 
and while I appear to be able to get packet counts and other information sent 
with the IPFIX just fine into nfacct 1.5.1, the bytes field remains empty.

Below is a dump of the template exported by Open vSwitch:

---
Frame 372: 962 bytes on wire (7696 bits), 962 bytes captured (7696 bits) on 
interface 0
Ethernet II, Src: Netscreen_ff:25:15 (00:10:db:ff:25:15), Dst: 
Supermic_7e:46:6a (00:30:48:7e:46:6a)
Internet Protocol Version 4, Src: 1.2.176.196 (1.2.176.196), Dst: 2.3.68.5 
(2.3.68.5)
User Datagram Protocol, Src Port: 54921 (54921), Dst Port: omnisky (2056)
Cisco NetFlow/IPFIX
    Version: 10
    Length: 920
    Timestamp: May 14, 2015 09:42:07.000000000 AUS Eastern Standard Time
        ExportTime: 1431560527
    FlowSequence: 294
    Observation Domain Id: 0
    Set 1
        FlowSet Id: Data Template (V10 [IPFIX]) (2)
        FlowSet Length: 904
        Template (Id = 256, Count = 10)
            Template Id: 256
            Field Count: 10
            Field (1/10): observationPointId
                0... .... .... .... = Pen provided: No
                .000 0000 1000 1010 = Type: observationPointId (138)
                Length: 4
            Field (2/10): SRC_MAC
                0... .... .... .... = Pen provided: No
                .000 0000 0011 1000 = Type: SRC_MAC (56)
                Length: 6
            Field (3/10): DESTINATION_MAC
                0... .... .... .... = Pen provided: No
                .000 0000 0101 0000 = Type: DESTINATION_MAC (80)
                Length: 6
            Field (4/10): ethernetType
                0... .... .... .... = Pen provided: No
                .000 0001 0000 0000 = Type: ethernetType (256)
                Length: 2
            Field (5/10): ethernetHeaderLength
                0... .... .... .... = Pen provided: No
                .000 0000 1111 0000 = Type: ethernetHeaderLength (240)
                Length: 1
            Field (6/10): flowStartDeltaMicroseconds
                0... .... .... .... = Pen provided: No
                .000 0000 1001 1110 = Type: flowStartDeltaMicroseconds (158)
                Length: 4
            Field (7/10): flowEndDeltaMicroseconds
                0... .... .... .... = Pen provided: No
                .000 0000 1001 1111 = Type: flowEndDeltaMicroseconds (159)
                Length: 4
            Field (8/10): PKTS
                0... .... .... .... = Pen provided: No
                .000 0000 0000 0010 = Type: PKTS (2)
                Length: 8
            Field (9/10): Unknown(352)
                0... .... .... .... = Pen provided: No
                .000 0001 0110 0000 = Type: Unknown (352)
                Length: 8
            Field (10/10): flowEndReason
                0... .... .... .... = Pen provided: No
                .000 0000 1000 1000 = Type: flowEndReason (136)
                Length: 1       
---

It appears that nfacctd is expecting Field Type 1 (octetDeltaCount) to be sent, 
but this particular implementation of IPFIX is sending type 352 (field 9). In 
this export, this is the one that should be used for populating the byte count 
(see layer2OctetDeltaCount in 
http://www.iana.org/assignments/ipfix/ipfix.xhtml).

Is there any way get to get nfacctd to use Field Type 352 instead of Field Type 
1 for counting bytes?

The aggregate_primitives configuration directive appears to offer mapping of 
types to aggregates, but bytes is not a value you can aggregate.

Thoughts anyone?

Kind Regards,
Jonathan

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Reply via email to