Sflow paring issue about vflow HOT 3 OPEN

vFlow doesn't support expanded flow sample / type 3. It supports type 1 and 2. maybe it sends type 3 as well?!

from vflow.

Alright @mehrdadrad, Yes it's expanded flow.

I have another issue is that, getting diff total length in sflow. You can check below tcpdump and output.

11:22:50.476764 IP (tos 0x0, ttl 254, id 0, offset 0, flags [none], proto UDP (17), length 212)
172.16.14.5.52991 > 10.20.40.34.6343: sFlowv5, IPv4 agent 128.0.0.4, agent-id 0, seqnum 12581, uptime 120987363, samples 1, length 184
flow sample (1), length 148, seqnum 2023, type 0, idx 527, rate 2000, pool 4048000, drops 0, input 527 output 2147483648 records 1
enterprise 0 Raw packet (1) length 108
protocol Ethernet (1), length 96, stripped bytes 4, header_size 92

{"Version":5,"IPVersion":1,"AgentSubID":0,"SequenceNo":12581,"SysUpTime":120987363,"SamplesNo":1,"Samples":[{"SequenceNo":2023,"SourceID":0,"SourceIDType":0,"SourceIDIdx":527,"SamplingRate":2000,"SamplePool":4048000,"Drops":0,"InputFormat":0,"Input":527,"OutputFormat":0,"Output":2147483648,"RecordsNo":1,"Records":{"RawHeader":{"L2":{"SrcMAC":"00:50:56:bb:3f:9b","DstMAC":"ff:ff:ff:ff:ff:ff","Vlan":0,"EtherType":2048},"L3":{"Version":4,"TOS":0,"TotalLen":78,"ID":14230,"Flags":0,"FragOff":0,"TTL":128,"Protocol":17,"Checksum":38521,"Src":"172.16.8.112","Dst":"172.16.11.255"},"L4":{"SrcPort":137,"DstPort":137}}}}],"Counters":[],"AgentID":"128.0.0.4","ColTime":1636955570}

Here TotalLen getting 78 but actually, it is 96.

Here I am attaching another one as well with pcap so you can correct me if I am wrong

Edge Cast Output:

{"Version":5,"IPVersion":1,"AgentSubID":0,"SequenceNo":22336,"SysUpTime":177701040,"SamplesNo":1,"Samples":[{"SequenceNo":5840,"SourceID":0,"SourceIDType":0,"SourceIDIdx":527,"SamplingRate":1000,"SamplePool":5841000,"Drops":0,"InputFormat":0,"Input":527,"OutputFormat":0,"Output":0,"RecordsNo":1,"Records":{"RawHeader":{"L2":{"SrcMAC":"00:50:56:bb:dc:6e","DstMAC":"33:33:00:01:00:03","Vlan":0,"EtherType":34525},"L3":{"Version":6,"TrafficClass":0,"FlowLabel":0,"PayloadLen":41,"NextHeader":17,"HopLimit":1,"Src":"fe80::6465:df0:31ee:aff4","Dst":"ff02::1:3"},"L4":{"SrcPort":64771,"DstPort":5355}}}}],"Counters":[],"AgentID":"128.0.0.4","ColTime":1637213837}

TCP Dump Text,

11:07:17.506673 IP (tos 0x0, ttl 254, id 0, offset 0, flags [none], proto UDP (17), length 216)
172.16.14.5.49674 > ranjit-HP-ProBook-430-G3.6343: sFlowv5, IPv4 agent 128.0.0.4, agent-id 0, seqnum 22336, uptime 177701040, samples 1, length 188
flow sample (1), length 152, seqnum 5840, type 0, idx 527, rate 1000, pool 5841000, drops 0, input 527 output 0 records 1
enterprise 0 Raw packet (1) length 112
protocol Ethernet (1), length 99, stripped bytes 4, header_size 95

PCAP File:

sflow_data.zip

could you please help me out to understand?

from vflow.

@mehrdadrad, any plan to support expanded flow sample / type 3? I'm interested in creating a pr to add that

from vflow.