Aggregation primitives definition based on netflow template

[ixodis]

Hi Paolo!

I have problems with flowID (#148) field. Cisco ASA allocates 4 bytes for it and Palo Alto – 8 bytes, so I can’t use one instance of nfacctd to process netflow from Cisco and Palo Alto simultaneously. I have to run two nfacctds with different primitives lists:

This one for Cisco:

name=flowID field_type=148 len=4 semantics=u_int

And this one for PA:

name=flowID field_type=148 len=8 semantics=u_int

Is it possible to define aggregation primitives automatically based on information from template file that already contains all the information about fields?

{"type": 0
"otpl": {"off": 0
"len": 4
"tpl_len": 4
"tpl_index": 148}

[paololucente]

Hi @ixodis ,

This is not possible but, in some form of it to be studied, it could definitely be a good idea to implement. I am going to mark this as enhancement and leave it open.

Paolo

[laurentduru]

Hi @paololucente,

I have a similar case where two OS versions of Cisco WLC have two definition of the same field :
Old WLC : name=wlanSSID field_type=147 len=33 semantics=str
New WLC (based on IOS XE) : name=wlanSSID field_type=147 len=32 semantics=str

I tried a workaround by static mapping tag & flowset id & aggregate-primitive file :
Pretagmap file :
set_tag2=258 flowset_id=258
set_tag2=256 flowset_id=256
set_tag2=261 flowset_id=261
set_tag2=264 flowset_id=264

Conf file :
[...]
plugins: print[264]
pre_tag2_filter[264]: 264
aggregate_primitives[264]: /etc/pmacct/primitives-264.conf
[...]

But it seems I can't configure aggregate_primitives file by tag :
WARN: [/etc/pmacct/flow2log.conf] plugin name not supported for key 'aggregate_primitives'. Globalized.

Would you please confirm I'm on the wrong way (or not), is there a planning to implement "Aggregation primitives definition based on netflow template" ?
Is there another way to implement this ?
I'm not a big fan of running as many nfacctd process as flowsetID with "overlapping".

Best regards,

Laurent

[paololucente]

Hi Laurent ( @laurentduru ),

I got your use-case here and, unfortunately, i can confirm that currently the only way you can resolve this - as you were saying - is to run separate nfacctd instances.

Paolo

[laurentduru]

Hi Paolo (@paololucente);

Many thanks for your answer, we gave a try to a len=vlen definition for this primitive, it's seems to do the job.
name=wlanSSID field_type=147 len=vlen semantics=str
Can you details the "limits" to use this type of length definition ?

Regards,
Laurent

[paololucente]

Hi Laurent ( @laurentduru ),

Thank you VERY MUCH for reporting back about this finding. You are right vlen will work for your NetFlow / IPFIX case, i didn't think about it! I did also review the code and, yes, it will work without any specific "limits"; while vlen was specifically thought for IPFIX - which has a mechanism to declare variable-length fields - once the actual length is decoded (static or variable), vlen can be used to just use that value for the string copy.

As a side node, this issue can't be closed since this still won't work for the OP since (s)he is using u_int kind of semantics.

Paolo