Netflow V5 and V9 versus ipfix

[SteveBeauchemin]

It turns out that the netflow data being sent to my NNA is a combination of 3 types of flow data. I am getting netflow_v5 netflow_v9 and ipfix all though an F5 load balancer.

There seems to be a problem with nfcapd dealing with ipfix data. I have read that it is only partially implemented in the nfdump suite.
My log files have a steady stream of errors. So, either I get thousands of these every 10 seconds in /var/log/messages

Code: Select all

nfcapd[24931]: Process_v9: flowset zero length error.
and
nfcapd[25022]: Process_v9: flowset length error. Expected bytes: 48369 > buffersize: 1

I didn't like that so I added an rsyslog filter

Code: Select all

cat /etc/rsyslog.d/ignore-nfcapd-noise.conf 
if $programname == "nfcapd" and ($msg contains "flowset length error" or $msg contains "flowset zero length error") then stop

so now I get this every 10 seconds instead

Code: Select all

journal: Suppressed 7366 messages from /system.slice/nagiosna.service

In any case, there is flow data being ignored.

I have also found a post on line that may be a way around that. Basically take all the nfcapd information and feed it to nfreplay and convert it to Netflow_V5.

Like this.

Code: Select all

nfcapd -t 300 -z -D -p 9999 -l /home/dmsh/netflow/nfcapd/ -x 'nfreplay -r %d/%f -p 9998'

It listens on port 9999, converts the data to netflow v5 and sends to flow-capture which is running on port 9998.

I am not sure this even works. If someone has some way to do this in the NNA setup I would appreciate knowing the result.

When and if you have time.

Thanks

Steve B

[scottwilkerson]

I would give it a whirl, however I don't have anything that generates ipfix data, so I'm guessing it would be somewhat of a moot test