Missing NetFlow Option packets #15075

Closed
SirBreadc opened this issue Mar 28, 2024 · 7 comments · Fixed by #15180
Labels
feature request Requests for new plugin and for new features to existing plugins

@SirBreadc

Relevant telegraf.conf

[global_tags]
  VM = "${HOSTNAME}"

[agent]
  debug = false
  quiet = true
  metric_batch_size = 5000
  metric_buffer_limit = 2000000
  flush_interval = "1s"
  flush_jitter = "5s"
  precision = "0s"
  hostname = "${HOST_HOSTNAME}"
  omit_hostname = false

# Netflow v5, Netflow v9 and IPFIX collector
[[inputs.netflow]]
  service_address = "udp4://:2055"
  protocol = "ipfix"
  private_enterprise_number_files = ["conf/custom_fields.csv"]
  dump_packets = false

# Configuration for sending metrics to InfluxDB 2.0
[[outputs.influxdb_v2]]
  urls = ["host1","host2","host3"]
  token = "{INFLUXADMINTOKEN}"
  organization = "org"
  namepass = ["netflow"]
  bucket = "${BUCKET_NAME}"
  content_encoding = "gzip"
  timeout = "15s"
  insecure_skip_verify = true

Logs from Telegraf

See attached file

System info

Telegraf 1.30, CentOS, CentOS Linux 7

Docker

No response

Steps to reproduce

  1. Send Netflow from device.

Expected behavior

Option packets are also written to output

Actual behavior

Option packets are not written to outputs

Additional info

No response

@SirBreadc SirBreadc added the bug unexpected problem or unintended behavior label Mar 28, 2024
@SirBreadc
Author

SirBreadc commented Mar 28, 2024

For my NetFlow v9 and IPFIX I am sending SNMP option packets with interface SNMP MIB to long/short name mappings. Looks like Telegraf is ignoring these option packets. See the IOS XE configuration below along with the exporter template details for the Option options interface-table.

IOS XE exporter configurations:

flow exporter Telegraf
 destination <ip>
 source Loopback0
 transport udp 2055
 option interface-table
# show flow exporter templates details 
Flow Exporter Telegraf:
  Client: Option options interface-table
  Exporter Format: NetFlow Version 9
  Template ID    : 256
  Source ID      : 6
  Record Size    : 110
  Template layout
  _________________________________________________________________________________________
  |                           Field                             |  Type | Offset |  Size  |
  -----------------------------------------------------------------------------------------
  | v9-scope system                                             |     1 |     0  |     4  |
  | interface input snmp                                        |    10 |     4  |     4  |
  | interface name short                                        |    82 |     8  |    33  |
  | interface name long                                         |    83 |    41  |    65  |
  | interface output snmp                                       |    14 |   106  |     4  |
  -----------------------------------------------------------------------------------------

  Client: Flow Monitor FLOW-MONITOR-IPV4-v2
  Exporter Format: NetFlow Version 9
  Template ID    : 256
  Source ID      : 256
  Record Size    : 52
  Template layout
  _________________________________________________________________________________________
  |                           Field                             |  Type | Offset |  Size  |
  -----------------------------------------------------------------------------------------
  | ip fragmentation id                                         |    54 |     0  |     2  |
  | ipv4 source address                                         |     8 |     2  |     4  |
  | ipv4 destination address                                    |    12 |     6  |     4  |
  | ip tos                                                      |     5 |    10  |     1  |
  | ip dscp                                                     |   195 |    11  |     1  |
  | ip protocol                                                 |     4 |    12  |     1  |
  | transport source-port                                       |     7 |    13  |     2  |
  | transport destination-port                                  |    11 |    15  |     2  |
  | transport tcp flags                                         |     6 |    17  |     1  |
  | interface input snmp                                        |    10 |    18  |     4  |
  | application id                                              |    95 |    22  |     4  |
  | routing next-hop address ipv4                               |    15 |    26  |     4  |
  | interface output snmp                                       |    14 |    30  |     4  |
  | flow direction                                              |    61 |    34  |     1  |
  | flow sampler                                                |    48 |    35  |     1  |
  | counter bytes                                               |     1 |    36  |     4  |
  | counter packets                                             |     2 |    40  |     4  |
  | timestamp sys-uptime first                                  |    22 |    44  |     4  |
  | timestamp sys-uptime last                                   |    21 |    48  |     4  |
  -----------------------------------------------------------------------------------------

  Client: Flow Monitor FLOW-MONITOR-IPV6-v2
  Exporter Format: NetFlow Version 9
  Template ID    : 257
  Source ID      : 512
  Record Size    : 85
  Template layout
  _________________________________________________________________________________________
  |                           Field                             |  Type | Offset |  Size  |
  -----------------------------------------------------------------------------------------
  | ipv6 source address                                         |    27 |     0  |    16  |
  | ipv6 destination address                                    |    28 |    16  |    16  |
  | ip dscp                                                     |   195 |    32  |     1  |
  | ip protocol                                                 |     4 |    33  |     1  |
  | transport source-port                                       |     7 |    34  |     2  |
  | transport destination-port                                  |    11 |    36  |     2  |
  | transport tcp flags                                         |     6 |    38  |     1  |
  | interface input snmp                                        |    10 |    39  |     4  |
  | application id                                              |    95 |    43  |     4  |
  | routing next-hop address ipv6                               |    62 |    47  |    16  |
  | interface output snmp                                       |    14 |    63  |     4  |
  | flow direction                                              |    61 |    67  |     1  |
  | flow sampler                                                |    48 |    68  |     1  |
  | counter bytes                                               |     1 |    69  |     4  |
  | counter packets                                             |     2 |    73  |     4  |
  | timestamp sys-uptime first                                  |    22 |    77  |     4  |
  | timestamp sys-uptime last                                   |    21 |    81  |     4  |
  -----------------------------------------------------------------------------------------

Should this work out of the box? Or is this a new feature request?

@SirBreadc
Author

Telegraf logs
log.log

@srebhan
Member

srebhan commented Apr 3, 2024

@SirBreadc currently option data-flow-sets are not processed by the plugin. Could you please provide some samples of the data using the dump_packets = true setting and Telegraf's debug mode?

@srebhan srebhan self-assigned this Apr 3, 2024
@srebhan srebhan added feature request Requests for new plugin and for new features to existing plugins waiting for response waiting for response from contributor and removed bug unexpected problem or unintended behavior labels Apr 3, 2024
@SirBreadc
Author

log_telegarf_snmp_options_table.zip
@srebhan Sorry for the delay, here is the dump file you requested with one device enabled sending the SNMP table option:

  Exporter Format: NetFlow Version 9
  Template ID    : 256
  Source ID      : 6
  Record Size    : 110
  Template layout
  _________________________________________________________________________________________
  |                           Field                             |  Type | Offset |  Size  |
  -----------------------------------------------------------------------------------------
  | v9-scope system                                             |     1 |     0  |     4  |
  | interface input snmp                                        |    10 |     4  |     4  |
  | interface name short                                        |    82 |     8  |    33  |
  | interface name long                                         |    83 |    41  |    65  |
  | interface output snmp                                       |    14 |   106  |     4  |
  -----------------------------------------------------------------------------------------

@telegraf-tiger telegraf-tiger bot removed the waiting for response waiting for response from contributor label Apr 15, 2024
@srebhan
Member

srebhan commented Apr 17, 2024

@SirBreadc I've added NetFlow v9 options support in PR #15180, available as soon as CI has finished the builds. Please give it a try and let me know if this is what you expect. The options are reported as netflow_options metrics.

Just for clarification, the "missing template" warnings are an inherent problem of the NetFlow protocol. The warning will disappear once the device resends the templates. This cannot be triggered by Telegraf, and without the templates the data cannot be interpreted... This mostly happens if you start/restart after the device established a connection to Telegraf...
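
An added example, not part of the thread and not Telegraf's code: a minimal Go decoder showing why a data record is unreadable until its template arrives, using the interface-table layout posted above (Template ID 256, Source ID 6, 110 bytes). The field labels, the `cache` variable and the record bytes are constructed for illustration; the cache is keyed by source ID and template ID because the exporter output above reuses template ID 256 under Source ID 6 and Source ID 256.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

type field struct {
	Name       string // label chosen for this example
	Type, Size int    // element type and size from the page's layout
	Str        bool   // NUL-padded string; otherwise a 4-byte integer
}

type key struct{ SourceID, TemplateID int } // template IDs are scoped per source ID
var errNoTemplate = fmt.Errorf("missing template")

// cache holds the "Option options interface-table" layout from the page.
var cache = map[key][]field{{6, 256}: {{"scope_system", 1, 4, false}, {"in_snmp", 10, 4, false},
	{"name_short", 82, 33, true}, {"name_long", 83, 65, true}, {"out_snmp", 14, 4, false}}}

// decode splits one data record according to the cached template layout.
func decode(k key, rec []byte) (map[string]any, error) {
	if _, ok := cache[k]; !ok {
		return nil, errNoTemplate // undecodable until the exporter resends it
	}
	out, off := map[string]any{}, 0
	for _, f := range cache[k] {
		if off+f.Size > len(rec) { // never read past an untrusted UDP payload
			return nil, fmt.Errorf("record truncated at offset %d", off)
		}
		raw := rec[off : off+f.Size]
		if off += f.Size; f.Str {
			out[f.Name] = string(bytes.TrimRight(raw, "\x00"))
		} else {
			out[f.Name] = binary.BigEndian.Uint32(raw)
		}
	}
	return out, nil
}

func main() {
	rec := make([]byte, 110) // constructed sample record at the page's offsets
	binary.BigEndian.PutUint32(rec[4:], 3)
	copy(rec[8:], "Gi0/0/1")
	copy(rec[41:], "GigabitEthernet0/0/1")
	fmt.Println(decode(key{6, 256}, rec))   // decoded fields
	fmt.Println(decode(key{256, 256}, rec)) // missing template
}
```

The same 110 bytes decode cleanly under key (6, 256) and fail under (256, 256), which is the collector's situation after a restart until the device resends its templates.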

@SirBreadc
Author

@srebhan Thanks, that works well. Can this also be added for IPFIX too, as I am only seeing the netflow_option packet for our V9 devices? Will get you a dump for one of those devices if that's needed.

@srebhan
Member

srebhan commented Apr 23, 2024

Yeah I would need another dump from those devices and another feature-request if possible...
