Have a nice day,
I try to use nfacctd to collect netstream (NetFlow) from huawei routers,
The changes made by huawei in Netflow protocol:
First - the flows in-router (inbound) and out-routers (outbound) is different!
The sequence is different.
In a log looks like:
Jan 30 17:21:51 linux nfacctd[7903]: WARN: expecting flow '1467186' but
received '1230702' collector=1.2.101.3:5678 agent=1.2.101.8:0
Jan 30 17:21:51 linux nfacctd[7903]: WARN: expecting flow '1230702' but
received '1467187' collector=1.2.101.3:5678 agent=1.2.101.8:0
Jan 30 17:21:52 linux nfacctd[7903]: WARN: expecting flow '1467187' but
received '1230703' collector=1.2.101.3:5678 agent=1.2.101.8:0
Jan 30 17:21:52 linux nfacctd[7903]: WARN: expecting flow '1230703' but
received '1467189' collector=1.2.101.3:5678 agent=1.2.101.8:0
Jan 30 17:21:53 linux nfacctd[7903]: WARN: expecting flow '1467189' but
received '1230706' collector=1.2.101.3:5678 agent=1.2.101.8:0
Jan 30 17:21:53 linux nfacctd[7903]: WARN: expecting flow '1230706' but
received '1467197' collector=1.2.101.3:5678 agent=1.2.101.8:0
Jan 30 17:21:55 linux nfacctd[7903]: WARN: expecting flow '1467200' but
received '1230707' collector=1.2.101.3:5678 agent=1.2.101.8:0
Jan 30 17:21:55 linux nfacctd[7903]: WARN: expecting flow '1230707' but
received '1467201' collector=1.2.101.3:5678 agent=1.2.101.8:0
Jan 30 17:21:58 linux nfacctd[7903]: WARN: expecting flow '1467201' but
received '1230708' collector=1.2.101.3:5678 agent=1.2.101.8:0
Jan 30 17:21:58 linux nfacctd[7903]: WARN: expecting flow '1230708' but
received '1467202' collector=1.2.101.3:5678 agent=1.2.101.8:0
Jan 30 17:22:01 linux nfacctd[7903]: WARN: expecting flow '1467202' but
received '1230712' collector=1.2.101.3:5678 agent=1.2.101.8:0
Jan 30 17:22:01 linux nfacctd[7903]: WARN: expecting flow '1230712' but
received '1467203' collector=1.2.101.3:5678 agent=1.2.101.8:0
Jan 30 17:22:06 linux nfacctd[7903]: WARN: expecting flow '1467203' but
received '1230715' collector=1.2.101.3:5678 agent=1.2.101.8:0
Jan 30 17:22:06 linux nfacctd[7903]: WARN: expecting flow '1230715' but
received '1467206' collector=1.2.101.3:5678 agent=1.2.101.8:0
Jan 30 17:22:07 linux nfacctd[7903]: WARN: expecting flow '1467206' but
received '1230717' collector=1.2.101.3:5678 agent=1.2.101.8:0
Jan 30 17:22:07 linux nfacctd[7903]: WARN: expecting flow '1230717' but
received '1467208' collector=1.2.101.3:5678 agent=1.2.101.8:0
Jan 30 17:22:08 linux nfacctd[7903]: WARN: expecting flow '1467208' but
received '1230718' collector=1.2.101.3:5678 agent=1.2.101.8:0
Jan 30 17:22:08 linux nfacctd[7903]: WARN: expecting flow '1230718' but
received '1467209' collector=1.2.101.3:5678 agent=1.2.101.8:0
Jan 30 17:22:09 linux nfacctd[7903]: WARN: expecting flow '1467209' but
received '1230720' collector=1.2.101.3:5678 agent=1.2.101.8:0
Jan 30 17:22:09 linux nfacctd[7903]: WARN: expecting flow '1230720' but
received '1467212' collector=1.2.101.3:5678 agent=1.2.101.8:0
Jan 30 17:22:10 linux nfacctd[7903]: WARN: expecting flow '1467212' but
received '1230723' collector=1.2.101.3:5678 agent=1.2.101.8:0
Jan 30 17:22:10 linux nfacctd[7903]: WARN: expecting flow '1230723' but
received '1467215' collector=1.2.101.3:5678 agent=1.2.101.8:0
Jan 30 17:22:11 linux nfacctd[7903]: WARN: expecting flow '1467215' but
received '1230724' collector=1.2.101.3:5678 agent=1.2.101.8:0
Jan 30 17:22:11 linux nfacctd[7903]: WARN: expecting flow '1230724' but
received '1467216' collector=1.2.101.3:5678 agent=1.2.101.8:0
Jan 30 17:22:13 linux nfacctd[7903]: WARN: expecting flow '1467219' but
received '1230725' collector=1.2.101.3:5678 agent=1.2.101.8:0
Jan 30 17:22:13 linux nfacctd[7903]: WARN: expecting flow '1230725' but
received '1467220' collector=1.2.101.3:5678 agent=1.2.101.8:0
Jan 30 17:22:14 linux nfacctd[7903]: WARN: expecting flow '1467220' but
received '1230727' collector=1.2.101.3:5678 agent=1.2.101.8:0
Jan 30 17:22:14 linux nfacctd[7903]: WARN: expecting flow '1230727' but
received '1467221' collector=1.2.101.3:5678 agent=1.2.101.8:0
Jan 30 17:22:15 linux nfacctd[7903]: WARN: expecting flow '1467221' but
received '1230732' collector=1.2.101.3:5678 agent=1.2.101.8:0
Jan 30 17:22:15 linux nfacctd[7903]: WARN: expecting flow '1230732' but
received '1467228' collector=1.2.101.3:5678 agent=1.2.101.8:0
I made an ugly hack for nfacctd: a configurable option that disables the sequence check (patch
included).
The second change is in the version bytes of a version-5 flow header:
for inbound packets they are 0x00 0x05
for outbound packets they are 0x80 0x05
but this feature can be disabled in the configuration with the command:
ip netstream format no-direction
Could anybody write correct support for Huawei NetStream in pmacct?
--
Andrey Cheromyrdin
--- pmacct-0.11.2.orig/src/cfg.h
+++ pmacct-0.11.2/src/cfg.h
@@ -86,6 +86,7 @@
int nfacctd_time;
int nfacctd_as;
int sfacctd_renormalize;
+ int nfacctd_ignore_seq;
int promisc; /* pcap_open_live() promisc parameter */
char *clbuf; /* pcap filter */
char *pcap_savefile;
--- pmacct-0.11.2.orig/src/cfg_handlers.c
+++ pmacct-0.11.2/src/cfg_handlers.c
@@ -1612,6 +1612,21 @@
return changes;
}
+int cfg_key_nfacctd_ignore_seq(char *filename, char *name, char *value_ptr)
+{
+ struct plugins_list_entry *list = plugins_list;
+ int value, changes = 0;
+
+ value = parse_truefalse(value_ptr);
+ if (value < 0) return ERR;
+
+ for (; list; list = list->next, changes++) list->cfg.nfacctd_ignore_seq = value;
+ if (name) Log(LOG_WARNING, "WARN ( %s ): plugin name not supported for key 'nfacctd_ignore_seq'. Globalized.\n", filename);
+
+ return changes;
+}
+
+
int cfg_key_classifiers(char *filename, char *name, char *value_ptr)
{
struct plugins_list_entry *list = plugins_list;
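Review bot: `cfg_key_nfacctd_ignore_seq` has no comment stating what the key switches off, and the loop applies the value to every plugin, so the effect is collector-wide and cannot be scoped to one exporter. I would add above the function `/* nfacctd_ignore_seq: true|false, global. Skips NetFlow sequence-number validation for all exporters; lost or reordered export datagrams are then no longer reported. */`. The same one-line description belongs wherever the project documents its configuration keys, because an operator who enables this gives up the only loss indicator the collector logs.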
--- pmacct-0.11.2.orig/src/cfg_handlers.h
+++ pmacct-0.11.2/src/cfg_handlers.h
@@ -88,6 +88,7 @@
EXT int cfg_key_nfacctd_time_secs(char *, char *, char *);
EXT int cfg_key_nfacctd_time_new(char *, char *, char *);
EXT int cfg_key_nfacctd_as_new(char *, char *, char *);
+EXT int cfg_key_nfacctd_ignore_seq(char *, char *, char *);
EXT int cfg_key_nfacctd_mcast_groups(char *, char *, char *);
EXT int cfg_key_pmacctd_force_frag_handling(char *, char *, char *);
EXT int cfg_key_pmacctd_frag_buffer_size(char *, char *, char *);
--- pmacct-0.11.2.orig/src/xflow_status.c
+++ pmacct-0.11.2/src/xflow_status.c
@@ -93,6 +93,9 @@
// entry->seqno = seqno; /* Init */
entry->counters.good++;
}
+ else if ( config.nfacctd_ignore_seq ) {
+ entry->counters.good++;
+ }
else {
if (seqno == entry->seqno+entry->inc) {
// entry->seqno = seqno;
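Review bot: The new `else if ( config.nfacctd_ignore_seq )` branch counts every datagram as good for every agent, so once the key is set the collector can no longer notice lost, duplicated or reordered export datagrams from any exporter, including ones that number their flows normally. Flow records commonly feed accounting and incident reconstruction, so that gap signal is worth preserving. The message describes the Huawei exporter as running two independent counters, distinguished by the 0x80 bit in the version field, so keeping one expected sequence per agent and direction would retain the check; failing that, the bypass should be limited to the affected agents rather than global. At minimum the branch needs a comment such as `/* sequence check disabled by nfacctd_ignore_seq: loss and reordering go undetected */`. The enclosing function starts and ends outside the hunk, so whether `entry->seqno` is still updated on this path cannot be confirmed from here.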
--- pmacct-0.11.2.orig/src/pmacct-data.h
+++ pmacct-0.11.2/src/pmacct-data.h
@@ -264,6 +264,7 @@
{"nfacctd_time_secs", cfg_key_nfacctd_time_secs},
{"nfacctd_time_new", cfg_key_nfacctd_time_new},
{"nfacctd_as_new", cfg_key_nfacctd_as_new},
+ {"nfacctd_ignore_seq", cfg_key_nfacctd_ignore_seq},
{"nfacctd_mcast_groups", cfg_key_nfacctd_mcast_groups},
{"pmacctd_force_frag_handling", cfg_key_pmacctd_force_frag_handling},
{"pmacctd_frag_buffer_size", cfg_key_pmacctd_frag_buffer_size},