Packet sampling detection in flow data
Information
Summary: Multiple ways of detecting packet sampling in flow data provided by various flow sources.
Environment: Product: Flowmon OS; Version: Any; Platform: Any
Question/Problem Description: How to verify that packet sampling is used on the flow source?
Steps to Reproduce:
Error Message:
Defect Number:
Enhancement Number:
Cause:
Resolution:
Third-party flow sources, especially routers and firewalls, often use packet sampling and generate flow data from only a small portion of the packets, because these devices are not powerful enough to consider every packet for flow generation. Information about sampling is sent in a special flow template called "Options-Template", and the sampling values are sent either as standard flow data or as "Options-Data".

Flowmon Collector detects sampling automatically in most cases. When the sampling information is not provided properly according to the RFC, it may not be detected. In those cases the sampling rate can be configured manually in Configuration Center - FMC Configuration - Listening ports - Edit. The sign of the entered value decides how it combines with the sampling rate reported by the flow source. A positive value is a fallback: it is used only if the flow monitoring port does not provide the sampling rate information; if the flow source does provide the sampling rate, the flow source's value is used. A negative value is an override: its sampling rate replaces whatever the flow source provides.

Packet sampling information can be obtained from an nfcapd file with the nfdump tool:

nfdump -E /data/nfsen/profiles-data/live/<flow-source-IP>_<listening_port>/<year>/<month>/<day>/nfcapd.<timestamp>

E.g.:

nfdump -E /data/nfsen/profiles-data/live/1-2-3-4_p3000/2022/10/11/nfcapd.202210111145

Prints:

SysID: 1, IP: 1.2.3.4, version: 9, ID: 1, Sequence failures: 0, packets: 504, flows: 3332

Packet sampling information can also be verified in Wireshark. It is necessary to capture the flow data with the tcpdump tool, e.g.:

tcpdump -i eth0 -w /data/tmp/flows.pcap 'host <flow-source-IP> and port <listening-port>'

If a listening port other than 2055 is used, the custom port must be added to Wireshark so that it can decode the flows: Edit - Preferences - Protocols - CFLOW - NetFlow UDP Port(s). Once the flows are decoded, the display filter "cflow.sampling_interval" shows only the packets that contain sampling interval information.
Workaround:
Notes: