The issue we have is when DIRECTION is neither 0 nor 1, but we want to graph ingress and egress relative to a specific interface.
For example, given interface eth0-wan with ifIndex: 8 and some bridge or tap interface with ifIndex: 42 on the same router, we're seeing many packets with INPUT_SNMP 42, OUTPUT_SNMP 8, and DIRECTION 255. Currently, OpenNMS sets netflow.direction 0 in this case, and thus those flows will always be displayed as INGRESS. But we know that packets leaving eth0-wan are egress.
This is further complicated by using Linux-based routers, because Linux is not capable of preserving ifIndex across restarts. So while eth0-wan had index 8 last week, it might have index 10 tomorrow.
Christian Pape May 16, 2022 at 8:12 AM
Edited
Sorry, I really do not understand this issue. Can you provide more details, what you want to achieve? INPUT_SNMP and OUTPUT_SNMP are normally both set. If only one of the fields is set this means that the traffic originates or terminates on the exporting host itself.
When a Netflow v9 packet's
DIRECTIONfield contains an invalid value, OpenNMS defaults to tagging it asINGRESS.RFC 3954 also defines
INPUT_SNMPandOUTPUT_SNMPfields, which identify theifIndexof the interface(s) involved in the conversation.Those fields can be used to tag a packet's direction when the
DIRECTIONfield is invalid, instead of using an arbitrary default direction.