[netsa-tools-discuss] Losing first flow after a template reset on UDP

Emily Sarneso ecoff at cert.org
Thu Jan 28 12:09:57 EST 2016


Hello Raistlin,

Sorry for the delayed response. 

Let me make sure I’m understanding your question:

You have one template with some set number of fields.
You resend the template using fbSessionExportTemplate at some timeout.
You are sending 2 data records using that template. 
You call fBufAppend twice on those 2 data records.
In tcpdump you are seeing 2 UDP packets. You expect to see 3 UDP packets.

Based on how fixbuf works, I believe that the first UDP packet will contain the template and the second UDP packet should contain both data records.

fbSessionExportTemplate() calls fBufEmit which essentially closes an IPFIX message and sends the UDP packet. fixbuf then opens a new IPFIX message and fBufAppend appends data records to that message until it is full (data = MTU). If you want each IPFIX record to be in a separate UDP packet, then you’ll need to call fBufEmit() after each fBufAppend().

It’s helpful to use a tool such as wireshark (use the “decode as CFLOW” option) or tshark to decode the IPFIX so that you can see what the message contains:

tshark -r file.cap -d udp.port=18000,cflow -V -n (where 18000 is the port where IPFIX is being received)

Please let me know if I misunderstood your question.

Hope that helps,

Emily



--------------------
Emily Sarneso
CMU/SEI/CERT
ecoff at cert.org
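The buffering behaviour described in the reply above, as an added example that is not part of the original thread and not libfixbuf's own code: a small Python model of an fBuf writing to a UDP exporter, with a minimal RFC 7011 message/set encoder and a decoder that summarizes each datagram the way tshark's cflow dissector would. It shows why "export template, append, append" yields one template packet plus buffered data (nothing on the wire until fBufEmit or a full message), and why calling emit after every append gives three packets. The MTU, the template id (256), the five-field uniflow layout using IANA element ids (8 sourceIPv4Address, 12 destinationIPv4Address, 7 sourceTransportPort, 11 destinationTransportPort, 1 octetDeltaCount), the export time and the two A-B / B-A records are all constructed for the example.

```python
"""Model of how libfixbuf packs IPFIX records into UDP datagrams.

Added example, not libfixbuf code. It mimics the behaviour described in the
reply above: exporting a template emits the open message, fBufAppend buffers
data records into the next message until it is full or fBufEmit is called.
MTU, field layout, export time and record values are constructed.
"""
import struct

IPFIX_VERSION = 10
TEMPLATE_SET_ID = 2
MSG_HEADER_LEN = 16   # version, length, export time, sequence, domain
SET_HEADER_LEN = 4    # set id, set length
EXPORT_TIME = 1453900000  # constructed fixed export timestamp
PACK_CODE = {1: "B", 2: "H", 4: "I", 8: "Q"}  # field length -> struct code


class Template:
    """IPFIX template: template id plus (information element id, length) pairs."""
    def __init__(self, tid, fields):
        self.tid = tid
        self.fields = fields
        self.record_len = sum(length for _, length in fields)

    def encode_record(self):
        """Template record body: id, field count, then (ie id, length) pairs."""
        body = struct.pack("!HH", self.tid, len(self.fields))
        for ie_id, length in self.fields:
            body += struct.pack("!HH", ie_id, length)
        return body


class UdpExporter:
    """Simplified stand-in for an fBuf_t attached to a UDP exporter (assumption)."""
    def __init__(self, mtu=1400, domain=1):
        self.mtu = mtu
        self.domain = domain
        self.sequence = 0        # data records sent so far (RFC 7011 sequence number)
        self.packets = []        # one bytes object per emitted datagram
        self._sets = []          # open message: list of [set_id, bytearray]
        self._msg_len = MSG_HEADER_LEN
        self._open_records = 0   # data records in the open (unsent) message

    def pending(self):
        """Bytes buffered in the open message that have not been sent yet."""
        return self._msg_len - MSG_HEADER_LEN

    def _add_to_set(self, set_id, payload):
        # Reuse the current set when its id matches, otherwise open a new set;
        # if the message would exceed the MTU, emit it first (fixbuf's "full").
        same_set = bool(self._sets) and self._sets[-1][0] == set_id
        need = len(payload) if same_set else SET_HEADER_LEN + len(payload)
        if self._msg_len + need > self.mtu:
            self.emit()
            same_set, need = False, SET_HEADER_LEN + len(payload)
        if not same_set:
            self._sets.append([set_id, bytearray()])
        self._sets[-1][1] += payload
        self._msg_len += need

    def export_template(self, template):
        """Like fbSessionExportTemplate(): write the template set, then emit."""
        self._add_to_set(TEMPLATE_SET_ID, template.encode_record())
        self.emit()

    def append(self, template, values):
        """Like fBufAppend(): buffer one data record; nothing is sent yet."""
        fmt = "!" + "".join(PACK_CODE[length] for _, length in template.fields)
        self._add_to_set(template.tid, struct.pack(fmt, *values))
        self._open_records += 1

    def emit(self):
        """Like fBufEmit(): close the open message and send it as one datagram."""
        if not self._sets:
            return
        body = b"".join(struct.pack("!HH", sid, SET_HEADER_LEN + len(data)) + bytes(data)
                        for sid, data in self._sets)
        header = struct.pack("!HHIII", IPFIX_VERSION, MSG_HEADER_LEN + len(body),
                             EXPORT_TIME, self.sequence, self.domain)
        self.packets.append(header + body)
        self.sequence += self._open_records
        self._sets, self._msg_len, self._open_records = [], MSG_HEADER_LEN, 0


def summarize(packet, templates):
    """Return [(set_id, record_count), ...] for one datagram, as tshark would list it."""
    version, length, _, _, _ = struct.unpack("!HHIII", packet[:MSG_HEADER_LEN])
    assert version == IPFIX_VERSION and length == len(packet)
    out, pos = [], MSG_HEADER_LEN
    while pos < length:
        sid, slen = struct.unpack("!HH", packet[pos:pos + SET_HEADER_LEN])
        if sid == TEMPLATE_SET_ID:
            n, p = 0, pos + SET_HEADER_LEN   # walk template records by field count
            while p < pos + slen:
                _, nfields = struct.unpack("!HH", packet[p:p + 4])
                p, n = p + 4 + 4 * nfields, n + 1
        else:
            n = (slen - SET_HEADER_LEN) // templates[sid].record_len
        out.append((sid, n))
        pos += slen
    return out


# Constructed uniflow template and the two "swapped" records for one event.
UNIFLOW = Template(256, [(8, 4), (12, 4), (7, 2), (11, 2), (1, 8)])
A_TO_B = (0x0A000001, 0x0A000002, 40000, 443, 1500)
B_TO_A = (0x0A000002, 0x0A000001, 443, 40000, 90000)


def export_then_append(emit_each=False):
    """Template export followed by two appends; optionally fBufEmit after each."""
    exp = UdpExporter()
    exp.export_template(UNIFLOW)
    for rec in (A_TO_B, B_TO_A):
        exp.append(UNIFLOW, rec)
        if emit_each:
            exp.emit()
    return exp
```

Running export_then_append() leaves one datagram on the "wire" (the template) and 44 bytes of data buffered; a later emit sends a second datagram carrying both records, which is the two-packet capture described above. With emit_each=True the same sequence produces three datagrams, one record in each data packet.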

> On Jan 18, 2016, at 9:57 AM, Raistlin Majere <raistmaj at gmail.com> wrote:
> 
> Hi,
> 
> I'm experiencing something pretty weird, as the protocol establishes, I must refresh the template after a timeout under UDP.
> 
> Well I have a uniflow streamer, that means that for a lot of events I produce two messages with the source / destination / octets etc "swapped", from A-B and from B-A, this means that under the tcpdump, I should see the two packages for some actions on the system. The problem comes after I call the function fbSessionExportTemplate, I can see that I'm appending two messages (I'm calling fBufAppend twice) but only one is delivered and registered on the tcpdump.
> 
> Do I need to wait or call a function after exporting the template to avoid the loss of that flow?
> 
> Kind regards,
> Jose Palma.
