Question about ObservationPointID and ObservationDomainID

Open amorenoz opened this issue 3 years ago • 4 comments

Hello,

I'd like to ask about the IPFIX fields ObservationPointID and ObservationDomainID.

These two fields are currently not being printed (IIUC, "ObservationPointID" is not even being extracted from flow samples) and I'd like to kindly ask if there is any reason why this information should not be printed and if you'd accept a PR that makes them printable.

Why I'm asking? In OpenvSwitch, these two fields are of key importance because we can configure them at the bridge level or at the flow level.

On the other hand, OVN is an OpenFlow Controller that implements many different "Datapaths" on top of OpenvSwitch (e.g: Logical Switches, Logical Routers, etc). Each of them is comprised of many "stages" (e.g: L2 security, MAC learning, Routing, etc). We are discussing in the OVN mailing list the possibility of using IPFIX sampling and using ObservationDomainID and ObservationPointID to identify what logical datapath and stage the packet is in. That way we can use IPFIX to really observe what OVS/OVN is doing with traffic, which is otherwise quite complicated.

Thanks.

amorenoz avatar Jun 21 '22 11:06 amorenoz

If there is a need, I certainly can check how to integrate these values. So far, I have not seen any relevance. Given your explanation, it would make sense. Let me check for a solution.

phaag avatar Jun 25 '22 10:06 phaag

@amorenoz - Would it be possible for you to create a pcap from data sent to the collector, containing these 2 fields? A few minutes would be ok, including the relevant template and data records. You may send it to my email in the AUTHORS file.

phaag avatar Jun 25 '22 11:06 phaag

@phaag, sure! Thanks

amorenoz avatar Jun 27 '22 08:06 amorenoz

Find the implementation in the unicorn branch:

ObservationDomainID: IPFIX element #149: If #149 is sent, it overwrites the DomainID in the IPFIX header.

ObservationPointID: IPFIX element #138. Automatically recognized and collected.

Filter syntax: Follows the general nfdump syntax.
may be hex (0x...) or decimal
optional compare ( >, <, >= .. etc)
observation domain id []
observation point id []

Statistics: Follows the general -s nfdump syntax.
-s [/orderby]
-s odid for ObservationDomainID
-s opid for ObservationPointID

Aggregation: Follows the general -A aggregation syntax.
-A odid
-A opid

Can be combined with any other aggregation field, therefore also -A odid,opid for example.

Output: Implemented in output format -o raw, -o json and -o fmt.

fmt: Follows the general nfdump fmt output syntax:
%odid for ObservationDomainID
%opid for ObservationPointID

for example: Append to line format: -o "fmt:%line %odid %opid"
Add -6 for IPv6 long output format.

The man page nfdump(1) should be up to date.

phaag avatar Jul 03 '22 11:07 phaag
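
An added example, not part of the thread and not nfdump's code: a minimal Python parser over a constructed IPFIX message, showing where elements #138 and #149 sit in a data record and how a record-level #149 takes precedence over the domain ID in the message header, as the comment above describes. The template ID, 4-byte field lengths, addresses and ID values are assumptions chosen for the sample.

```python
import struct

OPID_IE, ODID_IE = 138, 149  # IPFIX information element numbers from the thread

def build_sample(with_odid=True):
    """Constructed IPFIX message (header domain ID 1): template set + one record."""
    fields = [(8, 4), (12, 4), (OPID_IE, 4)] + ([(ODID_IE, 4)] if with_odid else [])
    tmpl = struct.pack("!HH", 256, len(fields))
    tmpl += b"".join(struct.pack("!HH", ie, ln) for ie, ln in fields)
    rec = bytes([10, 0, 0, 1, 10, 0, 0, 2]) + struct.pack("!I", 7)
    rec += struct.pack("!I", 0x2A) if with_odid else b""
    body = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl       # template set
    body += struct.pack("!HH", 256, 4 + len(rec)) + rec      # data set
    return struct.pack("!HHIII", 10, 16 + len(body), 0, 0, 1) + body

def parse(msg):
    """Return opid and effective odid for every data record in msg."""
    version, length, _, _, header_odid = struct.unpack_from("!HHIII", msg)
    if version != 10 or length != len(msg):
        raise ValueError("not a well-formed IPFIX message")
    templates, flows, pos = {}, [], 16
    while pos + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", msg, pos)
        if set_len < 4 or pos + set_len > length:
            raise ValueError("bad set length")
        p, end = pos + 4, pos + set_len
        if set_id == 2:  # template set: remember the field layout
            while p + 4 <= end:
                tid, count = struct.unpack_from("!HH", msg, p)
                p, spec = p + 4, []
                for _ in range(count):
                    ie, ln = struct.unpack_from("!HH", msg, p)
                    if ln == 0xFFFF:
                        raise ValueError("variable-length fields not handled")
                    p += 8 if ie & 0x8000 else 4  # skip enterprise number
                    spec.append((ie, ln))
                templates[tid] = spec
        elif set_id in templates:  # data set for a known template
            spec = templates[set_id]
            rec_len = sum(ln for _, ln in spec)
            while rec_len and p + rec_len <= end:
                vals = {}
                for ie, ln in spec:
                    vals[ie] = int.from_bytes(msg[p:p + ln], "big")
                    p += ln
                flows.append({"opid": vals.get(OPID_IE),
                              "odid": vals.get(ODID_IE, header_odid)})  # record #149 wins
        pos = end
    return flows
```

Enterprise-specific elements keep their high bit in the stored ID, so a vendor element numbered 138 or 149 is never mistaken for the IANA ones.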

Seems to work, otherwise reopen the ticket.

phaag avatar Sep 28 '22 12:09 phaag