[netsa-tools-discuss] Reflecting ipfix flow to another collector

[Poole, Ruth J.]

Hello all,

In our setup, we have a udp packet reflector which receives feeds from multiple sources.  Our feed consists of netflow v5, v9, and IPFIX, so we split the feed by netflow version, so that we can run separate instances of flowcap for each version.  We were having issues with the v9 and IPFIX not getting read correctly because by going through the reflector, the packets all looked like they were coming from the same source, but were actually from different routers, so the templates got mixed up between the different sources.  We modified the reflector so that now it retains the original source address in the ip and udp headers.  The v5 and v9 flowcop collectors now process the incoming packets correctly.  The IPFIX collector, however, appears to be rejecting the incoming packets from the reflector.  The reflector sets the ip checksum to zero and it gets recalculated.  It calculates and sets the udp header.  I have checked the packets in Wireshark, and the ip and udp checksums are correct.  I'm wondering is flowcap doing validation on the md5 checksum in the IPFIX records and rejecting them because it no longer matches after modifying the destination address in the original packet? I don't get any error messages even with log-level=debug  Is there a way to turn off this validation in flowcap?  Or do I have to also calculate a new md5 checksum in the reflector?

Ruth Poole
Phone: 507-284-0456
Email: poole.ruth at mayo.edu<mailto:poole.ruth at mayo.edu>
-------------- next part --------------
HTML attachment scrubbed and removed