goflow2 icon indicating copy to clipboard operation
goflow2 copied to clipboard
verified publisher icon netsampler

IPFIX field packetTotalCount(86) is ignored

Open ruru0x opened this issue 9 months ago • 1 comments

IPFIX packets that use the field packetTotalCount(86) for a flow's packet count are misinterpreted.

To Reproduce Collect IPFIX packets that use the field packetTotalCount(86). yaf is a flowmeter that uses this field. Packet count in the flowMessage will be set to 0 by goflow2.

Expected behavior flowMessage.Packets should contain the uint64 value in the field packetTotalCount(86).

Sampler device: yaf

Additional context Can be fixed by adding the case netflow.IPFIX-FIELD_packetTotalCount and setting flowMessage.Packets = binary.BigEndian.Uint64(v) in producer_nf.go

ruru0x avatar Jun 05 '25 09:06 ruru0x

According to https://www.iana.org/assignments/ipfix/ipfix.xhtml

packetTotalCount

The total number of incoming packets for this Flow at the Observation Point since the Metering Process (re-)initialization for this Observation Point.

This seems to require keeping state in order to calculate the delta. I do not think this is the proper interpretation of the packets field emitted by GoFlow2.

Nonetheless a pcap from yaf shows permanent packets which seems to match the interpretation

Image

lspgn avatar Jun 07 '25 21:06 lspgn