Netflow 9 graphs do not line up with MIB2 data
Description
Acceptance / Success Criteria
Attachments
- 30 May 2019, 02:31 PM
- 30 May 2019, 02:30 PM
Lucidchart Diagrams
Activity
Christian Pape June 17, 2019 at 8:08 AM
Merged
Christian Pape June 6, 2019 at 1:32 PM
The PCAP data indicates, that the data templates and records originate from port 50101 while the options template and options records are coming from port 50103. So, our template management mechanism did not add values like SAMPLING_INTERVAL because of the different endpoints. We reviewed all the Netflow v9 specifications (RFC 3954) and it seems, that different sessions should not be distinguished by the remote port:
Source ID
A 32-bit value that identifies the Exporter Observation Domain.
NetFlow Collectors SHOULD use the combination of the source IP
address and the Source ID field to separate different export
streams originating from the same Exporter.The behavior in IPFIX (RFC 7011) is different, because here a session is identified by the Transport Session and the Observation Domain ID:
Transport Session
...
In UDP, the Transport Session is known as the UDP session, which
is uniquely identified by the combination of IP addresses and UDP
ports used.
Observation Domain ID
...
Collecting Processes SHOULD use the Transport Session and the
Observation Domain ID field to separate different export streams
originating from the same Exporter.
...So, we changed the behavior for Netflow v9. We hope, that this will solve this problem.
@Jesse White Can you test this branch (jira/https://opennms.atlassian.net/browse/NMS-10721#icft=NMS-10721) at the customer site?
See attached screenshots.
Issue may be that the sampling interval is not being applied.