Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

  1. Kemp Support
  2. Knowledge Base
  3. Flowmon General
  4. Flowmon Collector

Packet sampling detection in flow data

Updated

 

Information

 

Summary:

Multiple ways of detecting packet sampling in flow data provided by various flow sources. 
Environment:

Product: Flowmon OS

Version: Any

Platform: Any
Question/Problem Description:

How to verify that packet sampling is used on the flow source?
Steps to Reproduce:  
Error Message:  
Defect Number:  
Enhancement Number:  
Cause:  
Resolution:

Third-party flow sources, especially routers and firewalls are often using packet sampling and generate flow data only from a small portion of packets because these devices are not powerful enough to consider all packets for flow generation.

Information about flow sampling is sent in a special flow template called "Options-Template" and sampling values are sent as standard flow data or as "Options-Data". 

Flowmon Collector detects the sampling automatically in most cases. When sampling information is not provided properly, according to RFC, then it may not be detected. In that cases, it could be configured manually in Configuration Center - FMC Configuration - Listening ports - Edit.

If the entered value is positive, it is used only if the flow monitoring port does not provide the sampling rate information. If it provides the sampling rate, then this value is used. If the entered value is negative, the sampling rate overrides information provided by the flow source. 

Packet sampling can be obtained from nfcapd file with nfdump tool:

nfdump -E /data/nfsen/profiles-data/live/<flow-source-IP>_<listening_port>/<year>/<month>/<day>/nfcapd.<timestamp>

Eg.

nfdump -E /data/nfsen/profiles-data/live/1-2-3-4_p3000/2022/10/11/nfcapd.202210111145

Prints:

SysID: 1, IP: 1.2.3.4, version: 9, ID: 1, Sequence failures: 0, packets: 504, flows: 3332
Sampler for Exporter SysID: 1, Generic Sampler: mode: 1, interval: 100

Packet sampling information can be also verified in Wireshark. It is necessary to get the packet capture of flow data with tcpdump tool, eg.:

tcpdump -i eth0 -w /data/tmp/flows.pcap 'host <flow-source-IP> and port <listening-port>'

If different listening port number than 2055 is used, it is necessary to add the custom port to Wireshark to be able to decode flows: Edit - Preferences - Protocols - CFLOW - NetFlow UDP Port(s).

When flows are decoded, it is possible to use filter "cflow.sampling_interval" to filter only packets containing sampling interval information:

mceclip0.png

 
Workaround:  
Notes:  

Comments

In this document