[netsa-tools-discuss] Losing first flow after a template reset on UDP

Raistlin Majere raistmaj at gmail.com
Mon Feb 1 01:10:35 EST 2016


Hi, I found the problem. The library doesn't consider the MTU of your system,
so if you call append and the emission is set to auto, you will lose
packages.

Kind regards.
Jose Palma
On 28/1/2016 18:10, "Emily Sarneso" <ecoff at cert.org> wrote:

> Hello Raistlin,
>
> Sorry for the delayed response.
>
> Let me make sure I’m understanding your question:
>
> You have one template with some set number of fields.
> You resend the template using fbSessionExportTemplate at some timeout.
> You are sending 2 data records using that template.
> You call fBufAppend twice on those 2 data records.
> In tcpdump you are seeing 2 UDP packets.  You expect to see 3 UDP packets.
>
> Based on how fixbuf works, I believe that the first UDP packet will
> contain the template and the second UDP packet should contain both data
> records.
>
> fbSessionExportTemplate() calls fBufEmit which essentially closes an IPFIX
> message and sends the UDP packet.  fixbuf then opens a new IPFIX message
> and fBufAppend appends data records to that message until it is full (data
> = MTU).   If you want each IPFIX record to be in a separate UDP packet,
> then you’ll need to call fBufEmit() after each fBufAppend().
>
> It’s helpful to use a tool such as wireshark (use the “decode as CFLOW”
> option) or tshark to decode the IPFIX so that you can see what the message
> contains:
>
> tshark -r file.cap -d udp.port=18000,cflow -V -n (where 18000 is the port
> where IPFIX is being received)
>
> Please let me know if I misunderstood your question.
>
> Hope that helps,
>
> Emily
>
>
>
> --------------------
> Emily Sarneso
> CMU/SEI/CERT
> ecoff at cert.org
>
>
>
>
>
> > On Jan 18, 2016, at 9:57 AM, Raistlin Majere <raistmaj at gmail.com> wrote:
> >
> > Hi,
> >
> > I'm experiencing something pretty weird, as the protocol establishes, I
> > must refresh the template after a timeout under UDP.
> >
> > Well I have a uniflow streamer, that means that for a lot of events I
> > produce two messages with the source / destination / octets etc "swapped",
> > from A-B and from B-A, this means that under the tcpdump, I should see the
> > two packages for some actions on the system. The problem comes after I call
> > the function fbSessionExportTemplate, I can see that I'm appending two
> > messages (I'm calling fBufAppend twice) but only one is delivered and
> > registered on the tcpdump.
> >
> > Do I need to wait or call a function after exporting the template to
> > avoid the loss of that flow?
> >
> > Kind regards,
> > Jose Palma.
>
>
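
The thread above turns on what each UDP packet actually carries (template set versus data records) and how large it is relative to the MTU. The following is an added example, not part of the original messages and not libfixbuf code: a small parser that walks the set headers of one IPFIX message (RFC 7011) taken from a UDP payload. The names `ipfix_summarize` and `fits_mtu`, the sample bytes, and the 28-byte IPv4+UDP overhead are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What one UDP payload (one IPFIX message, RFC 7011) carries. */
struct ipfix_summary {
    size_t msg_len;                 /* Length field of the message header */
    int template_sets, data_sets;   /* Set ID 2 or 3 / Set ID >= 256 */
    size_t data_bytes;              /* bytes inside data sets, set headers excluded */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
/* Walk the set headers of one message. Returns 0 on success, -1 if malformed. */
int ipfix_summarize(const uint8_t *buf, size_t len, struct ipfix_summary *s)
{
    memset(s, 0, sizeof *s);
    if (len < 16 || be16(buf) != 10) return -1;        /* 16-byte header, version 10 */
    s->msg_len = be16(buf + 2);
    if (s->msg_len < 16 || s->msg_len > len) return -1;
    for (size_t off = 16; off < s->msg_len; ) {
        if (s->msg_len - off < 4) return -1;           /* truncated set header */
        uint16_t id = be16(buf + off); size_t slen = be16(buf + off + 2);
        if (slen < 4 || slen > s->msg_len - off) return -1;
        if (id == 2 || id == 3) s->template_sets++;    /* template / options template */
        else if (id >= 256) { s->data_sets++; s->data_bytes += slen - 4; }
        else return -1;                                /* reserved Set ID */
        off += slen;
    }
    return 0;
}

/* Assumption: IPv4 without options (20 bytes) plus the 8-byte UDP header. */
int fits_mtu(size_t udp_payload, size_t mtu) { return udp_payload + 28 <= mtu; }
/* Constructed samples: a template message (template 256, two 4-byte fields),
 * then a data message carrying two 8-byte records in a single data set. */
const uint8_t MSG_TEMPLATE[] = {
    0,10, 0,32, 0x56,0xae,0xf5,0x1b, 0,0,0,0, 0,0,0,1,
    0,2, 0,16, 1,0, 0,2, 0,8, 0,4, 0,12, 0,4 };
const uint8_t MSG_DATA[] = {
    0,10, 0,36, 0x56,0xae,0xf5,0x1b, 0,0,0,0, 0,0,0,1,
    1,0, 0,20, 10,0,0,1, 10,0,0,2, 10,0,0,2, 10,0,0,1 };

int main(void)
{
    struct ipfix_summary s;
    int rc = ipfix_summarize(MSG_DATA, sizeof MSG_DATA, &s);
    printf("rc=%d data_sets=%d records=%zu\n", rc, s.data_sets, s.data_bytes / 8);
    return rc ? 1 : 0;
}
```

Dividing `data_bytes` by the record length only gives a record count when the template has fixed-length fields, as the constructed one here does.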