[netsa-tools-discuss] Multi-protocol support in fixbuf using same listener

John Green John.Green at jisc.ac.uk
Fri Jul 17 04:22:27 EDT 2015


On Tue, 2015-07-14 at 18:25 +0000, Poole, Ruth J. wrote:
> > 
> > Unfortunately, you are correct that it is not currently possible to 
> > receive the different flow protocols on the same receiving port. 
> >  You are actually the first person to request this functionality.
> 
> Let me be the second to officially request this functionality.  We 
> are receiving v9, ipfix, and v5 (though hopefully v5 only 
> temporarily), on the same port.

Hi,

A possible workaround, if your collector is running Linux, is to use iptables.

e.g.
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 11111 -s 1.2.3.4 -j REDIRECT --to-port 50005
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 11111 -s 2.3.4.5 -j REDIRECT --to-port 50009

Where all netflow is arriving on udp/11111 and 1.2.3.4 is sending v5 and 2.3.4.5 is sending v9.

If you really wanted to confuse things you could use u32 to create generic rules for each netflow version.

e.g. to send all traffic where the 2nd payload octet is 0x0a (i.e. IPFIX) to port 50010
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 11111 -m u32 --u32 "0>>22&0x3C@6&0xFF=0x0a" -j REDIRECT --to-port 50010

John
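
An added example, not part of John's message: a small Python model of the u32 expression above, run over constructed packets, to show how it skips a variable-length IPv4 header and lands on the flow-export version field. It handles only the u32 operators that rule uses (&, >>, <<, @) with a single = test; the helper names and the v5 and v9 expressions are assumptions that extend the IPFIX rule to the ports used in the message.

```python
import re
import struct

def u32_match(expr, pkt):
    """Evaluate a single-test u32 expression (operators & >> << @) on raw IPv4 bytes."""
    location, wanted = expr.split("=")
    tokens = re.findall(r"0x[0-9a-fA-F]+|\d+|>>|<<|&|@", location)
    base = 0
    try:
        # The leading number is an offset: load the 32-bit big-endian word there.
        val = struct.unpack_from("!I", pkt, int(tokens[0], 0))[0]
        for op, num in zip(tokens[1::2], (int(t, 0) for t in tokens[2::2])):
            if op == "&":
                val &= num
            elif op == ">>":
                val >>= num
            elif op == "<<":
                val = (val << num) & 0xFFFFFFFF
            else:  # "@": the current value moves the base, then load at base+num
                base += val
                val = struct.unpack_from("!I", pkt, base + num)[0]
    except struct.error:
        return False  # read past the end of the packet: no match
    return val == int(wanted, 0)

def udp_packet(version, ihl=5):
    """Constructed sample: IPv4 header of ihl words, UDP to port 11111, export header."""
    payload = struct.pack("!HH", version, 1) + bytes(12)
    ip = bytes([0x40 | ihl, 0]) + struct.pack("!H", ihl * 4 + 8 + len(payload))
    ip += bytes(4) + bytes([64, 17]) + bytes(ihl * 4 - 10)  # id/frag, TTL, proto=UDP, rest
    udp = struct.pack("!HHHH", 40000, 11111, 8 + len(payload), 0)
    return ip + udp + payload

# The IPFIX expression and all three ports come from the message;
# the v5 and v9 expressions are assumed analogues of the IPFIX one.
RULES = {
    "0>>22&0x3C@6&0xFF=0x05": 50005,
    "0>>22&0x3C@6&0xFF=0x09": 50009,
    "0>>22&0x3C@6&0xFF=0x0a": 50010,
}

def redirect_port(pkt):
    """Return the --to-port of the first matching rule, or None if nothing matches."""
    for expr, port in RULES.items():
        if u32_match(expr, pkt):
            return port
    return None
```

The 0xFF mask compares only the low octet of the 16-bit version field, so a datagram whose version field is 0x010a also matches the IPFIX rule; masking with 0xFFFF and comparing against 0x000a checks both octets.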
