Hi Inge,
On Fri, Mar 16, 2007 at 05:09:30PM +0100, Inge Bjørnvall Arnesen wrote:
> Then I looked at pkt_handler.c and compared it with the tcpdump/Ethereal dumps
> from Juniper:
>
> In NF_counters_renormalize_handler(), starting line 1199 it says:
>
> switch (hdr->version) {
> case 5:
>   hdr5 = (struct struct_header_v5 *) pptrs->f_header;
>   is_sampled = ( ntohs(hdr5->sampling) & 0xC000 );
>   srate = ( ntohs(hdr5->sampling) & 0x3FFF );
>   if (is_sampled) {
>     pdata->pkt_len = pdata->pkt_len * srate;
>     pdata->pkt_num = pdata->pkt_num * srate;
>   }
>   break;
> default:
>   break;
> }
>
> This looks neat as I interpret, but it does not match the v5 datagrams from
> Juniper. Looking at that, it has in its Netflow v5 header (taken from
> Ethereal):
>
> 00.. .... .... .... = SamplingMode: No sampling mode configured (0)
> ..00 0011 1110 1000 = SampleRate: 1000
>
> [ ... ]
>
> Questions:
>
> 1: Does Netflow v5 say that sampling mode must be set for sample rate to be
> valid?
> 2: Has anybody else gotten this to work and if so, how?
> 3: Can I get Juniper/cFlow to report sampling mode?

1. Yes, it does. The meaning of the first two bits is: "00" no sampling,
"01" sampling is enabled, so read the remaining 14 bits to get the sampling
rate. Of course the quick and dirty solution to make it work with your
Juniper is to replace the check on the first two bits with a check on the
remaining 14 bits:

+ if (srate) {
- if (is_sampled) {
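
Review bot: with the condition changed to `if (srate)`, the `is_sampled` value computed from the 0xC000 mask is no longer read in the v5 branch, and counters from every exporter are scaled whenever the low 14 bits are non-zero, even when the mode bits say "no sampling". Keep the mode-bit test as the default and enable the rate-only test through the configuration option mentioned below, or drop the now-unused `is_sampled` assignment if the rate-only check is meant to stay. The rate-only form does avoid multiplying pkt_len and pkt_num by zero when the mode bits are set but the rate is 0, which the original check allows.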

A more polite solution would be to add a configuration option to do this.

2. I've got this working reading NetFlow v5 datagrams coming from a few
pieces of Cisco gear. Can't remember any other vendors right now. Also note
that this feature is not enabled for NetFlow v9 yet. Only all sFlow versions
and NetFlow v5. IMHO, the NetFlow v9 way of handling sampling is certainly
greatly flexible but smells a lot like over-engineering.

3. Yes. You can either report the issue to Juniper or apply the patch from
1). It should work straight away. Or a mix of the two solutions, one for
the short term, the other for the longer term.

Hope this helps.
Cheers,
Paolo
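
The header decoding discussed in this thread, as an added example (not pmacct code and not part of the original message): it reads the 16-bit sampling field of a NetFlow v5 header and returns the counter multiplier under a strict or a rate-trusting policy. The srate_policy knob, the function names and the sample header are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NF5_HDR_LEN      24  /* fixed NetFlow v5 header size */
#define NF5_SAMPLING_OFF 22  /* 16-bit field: 2 mode bits + 14 rate bits */

/* Hypothetical policy knob, standing in for the suggested configuration option. */
enum srate_policy { SRATE_STRICT, SRATE_TRUST_RATE };

/* Returns the multiplier for packet/byte counters, or 0 if the buffer is
 * not a usable v5 header (too short or wrong version); callers drop on 0. */
uint32_t nf5_multiplier(const uint8_t *buf, size_t len, enum srate_policy pol)
{
    if (buf == NULL || len < NF5_HDR_LEN) return 0;
    if (((buf[0] << 8) | buf[1]) != 5) return 0;

    uint16_t field = (uint16_t)((buf[NF5_SAMPLING_OFF] << 8) | buf[NF5_SAMPLING_OFF + 1]);
    uint16_t mode  = field >> 14;
    uint16_t srate = field & 0x3FFF;

    if (srate == 0) return 1;        /* never scale counters down to zero */
    if (mode != 0) return srate;     /* exporter declares sampling: use the rate */
    return pol == SRATE_TRUST_RATE ? srate : 1;  /* mode 00: policy decides */
}

/* Renormalize one counter, saturating instead of wrapping on overflow. */
uint64_t nf5_renormalize(uint64_t counter, uint32_t mult)
{
    if (mult != 0 && counter > UINT64_MAX / mult) return UINT64_MAX;
    return counter * mult;
}

/* Constructed header: version 5, one record, sampling field 0x03E8
 * (mode bits 00, rate 1000), matching the dump quoted in the thread. */
static const uint8_t juniper_hdr[NF5_HDR_LEN] = {
    0x00, 0x05, 0x00, 0x01, [22] = 0x03, [23] = 0xE8
};

int main(void)
{
    printf("strict: x%u\n", (unsigned)nf5_multiplier(juniper_hdr, sizeof juniper_hdr, SRATE_STRICT));
    printf("trust : x%u\n", (unsigned)nf5_multiplier(juniper_hdr, sizeof juniper_hdr, SRATE_TRUST_RATE));
    return 0;
}
```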