Hi Jonathan, Can you please send me privately a brief capture of your ipfix packets? Adding support for field ID #352 in alternative to #1 is super easy and the trace will help my QA.
You are also right about the aggregate_primitives infrastructure. It allows for aggregation (key) primitives but not for non-key ones (on which, additionally, you may want to do operation on, like sums). Your trace can result useful also in this context, to add such feature for a more longer-term solution/broader view of the issue. Cheers, Paolo On Thu, May 14, 2015 at 12:50:11AM +0000, Jonathan Thorpe wrote: > Hi All, > > I've been attempting to use the IPFIX flow exports on XenServer's Open > vSwitch and while I appear to be able to get packet counts and other > information sent with the IPFIX just fine into nfacct 1.5.1, the bytes field > remains empty. > > Below is a dump of the template exported by Open vSwitch: > > --- > Frame 372: 962 bytes on wire (7696 bits), 962 bytes captured (7696 bits) on > interface 0 > Ethernet II, Src: Netscreen_ff:25:15 (00:10:db:ff:25:15), Dst: > Supermic_7e:46:6a (00:30:48:7e:46:6a) > Internet Protocol Version 4, Src: 1.2.176.196 (1.2.176.196), Dst: 2.3.68.5 > (2.3.68.5) > User Datagram Protocol, Src Port: 54921 (54921), Dst Port: omnisky (2056) > Cisco NetFlow/IPFIX > Version: 10 > Length: 920 > Timestamp: May 14, 2015 09:42:07.000000000 AUS Eastern Standard Time > ExportTime: 1431560527 > FlowSequence: 294 > Observation Domain Id: 0 > Set 1 > FlowSet Id: Data Template (V10 [IPFIX]) (2) > FlowSet Length: 904 > Template (Id = 256, Count = 10) > Template Id: 256 > Field Count: 10 > Field (1/10): observationPointId > 0... .... .... .... = Pen provided: No > .000 0000 1000 1010 = Type: observationPointId (138) > Length: 4 > Field (2/10): SRC_MAC > 0... .... .... .... = Pen provided: No > .000 0000 0011 1000 = Type: SRC_MAC (56) > Length: 6 > Field (3/10): DESTINATION_MAC > 0... .... .... .... = Pen provided: No > .000 0000 0101 0000 = Type: DESTINATION_MAC (80) > Length: 6 > Field (4/10): ethernetType > 0... .... .... .... = Pen provided: No > .000 0001 0000 0000 = Type: ethernetType (256) > Length: 2 > Field (5/10): ethernetHeaderLength > 0... .... .... .... = Pen provided: No > .000 0000 1111 0000 = Type: ethernetHeaderLength (240) > Length: 1 > Field (6/10): flowStartDeltaMicroseconds > 0... .... .... .... = Pen provided: No > .000 0000 1001 1110 = Type: flowStartDeltaMicroseconds (158) > Length: 4 > Field (7/10): flowEndDeltaMicroseconds > 0... .... .... .... = Pen provided: No > .000 0000 1001 1111 = Type: flowEndDeltaMicroseconds (159) > Length: 4 > Field (8/10): PKTS > 0... .... .... .... = Pen provided: No > .000 0000 0000 0010 = Type: PKTS (2) > Length: 8 > Field (9/10): Unknown(352) > 0... .... .... .... = Pen provided: No > .000 0001 0110 0000 = Type: Unknown (352) > Length: 8 > Field (10/10): flowEndReason > 0... .... .... .... = Pen provided: No > .000 0000 1000 1000 = Type: flowEndReason (136) > Length: 1 > --- > > It appears that nfacctd is expecting Field Type 1 (octetDeltaCount) to be > sent, but this particular implementation of IPFIX is sending type 352 (field > 9). In this export, this is the one that should be used for populating the > byte count (see layer2OctetDeltaCount in > http://www.iana.org/assignments/ipfix/ipfix.xhtml). > > Is there any way get to get nfacctd to use Field Type 352 instead of Field > Type 1 for counting bytes? > > The aggregate_primitives configuration directive appears to offer mapping of > types to aggregates, but bytes is not a value you can aggregate. > > Thoughts anyone? > > Kind Regards, > Jonathan > > _______________________________________________ > pmacct-discussion mailing list > http://www.pmacct.net/#mailinglists _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
