-
-
Notifications
You must be signed in to change notification settings - Fork 203
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Directionality of "in" and "out" flows #31
Comments
See also discussion on nfdump-users |
I am having the same problem with exported ASA flows. |
I agree that this is unclear. Rather than "in" and "out, or "fwd" and "rev", I propose these be named "src" and "dst". This would match the originator IP address of each byte count. For example: The default in this model is "src bytes", which is consistent with unidirectional flows. |
Interesting. Thinking about this, you could say the underlying problem is with the labels "src" and "dst" themselves. These very terms imply that packets are travelling from source to destination! Unfortunately, I don't think we are going to be able to rename them to something generic like "A" and "B". The terms src and dst are baked into the netflow protocols; and in any case the 90% use case is for unidirectional flows, which are from src to dst. Now, my initial reaction was that it's clearer that "fwd" means packets from source to destination (the natural flow when talking about a "source" and a "destination"), and "rev" means packets in the reverse direction, i.e. destination to source - it's the reverse of what the terms "source" and "destination" imply. Thinking about NSEL-type bidirectional flows, the "src" is actually the side which initiated the UDP/TCP exchange, and "dst" is the side which answered it. Let's think how would this work in practice. Suppose a client on the outside made an inbound HTTP connection through my firewall to an internal webserver. The http request would be counted as "src bytes" and the response as "dst bytes". I'm not sure it's immediately clear that "dst bytes" means the bytes downloaded by the client; it means bytes generated by dst, not bytes received at the dst. Perhaps some other pair of labels can be found which implies this asymmetry. "request bytes" and "response bytes"? "originate bytes" and "answer bytes"? "up" and "down" ?? I agree that the terms "in" / "out" would be too confusing: if there's someone on the outside of firewall who originates a connection into your network, the first packet is "out" from their perspective but "inbound" from ours. I'm happy to rule that out. Aside: I am guessing that when nfdump synthesises bidirectional flows, it's the first packet of the flow which determines which end is "src" and which is "dst"? |
"send" and "receive"? |
I'm not sure "send" and "receive" would work, though - who is sending and who is receiving? Since the "src" is a characteristic assigned by either the original NetFlow/NSEL/etc or nfdump, the output UI can address this. For example:
and
The This should not be a problem for NSEL-style flows, as the "src" and "dst" are explicitly assigned rather than implicitly assumed as with unidirectional flows represented with bidirectional aggregation. |
Yeah, you're right - we expect a source to be sending, and a destination to be receiving. I still think
I certainly agree that calling from src to dst "In" is counter-intuitive - that's what I was saying when I opened the ticket in the first place. As for But we still need a suitable label for "src to dst" and "dst to src", which is better than "in" and "out" respectively. |
I could see "s2d" and "d2s" - that's entirely unambiguous. Good solution! And yes, as long as the directionality is swapped to match what's represented as "src" or "dst", we're good to go. Would really like to see this reflected in a future version! |
sorry for being late ... The story is a longer one. Back in the good old days, flows were uni-directional and therefore it was clear the the number of packets/bytes could not mistakenly mixed up. The history of nfcapd/nfdump was focused on these unid-dir netflow data and the CISCO definitions. The respective tags are: According the CISCO definition: According to these definitions and the following versions of CISCO, nfdump stores IN_BYTES in the respective structures internally and names them respectively in the output. This did not confuse as long as also v9 was uni-dir only. The question is, what is out and what is in. In the CISCO perspective it is in the view of the interface, where netflow is enabled and collected - this mostly matches with the view of the destination IP in many situations. With NSEL/ASA these got a new dimension: For historical reason and to map these counters in netflow structures these values are internally mapped to in_bytes as it was with IN_BYTES in v9. With 9.1 we have a mixture of flows and events and the definition is: And here I agree, it is clear, that it is no longer the perspective from the destination but by definition from the source. As such it is a nfcapd bug for ASA 9.1 which incorrectly collects these counters. So, how to fix this As I have no ASA/NSEL device neither for testing nor for development and operational work, I rely on user input, how I should proceed here. I would prefer to remap _NF_F_FWD_FLOW_DELTA_BYTES internally, add s2d and d2s tokens to make it more clear for NSEL/ASA and increase the major version to 1.7. The question is, should s2d and d2s also be available for standard v9 flows, as it is still in interface perspective and not clearly defined. The pacth would not affect standard v9 anyway. Comments and proposals are welcome. |
Thanks for the detailed explanation! Very helpful in understanding the nuances of these terms. I do not have an ASA/NSEL device either, but I may be able to get one. I will ask around and let you know if I am successful. With regard to applying s2d and d2s, I think those tokens should be straightforward for any bidirectional flow (explicit or calculated/derived). I would have to see it in practice to say if that terminology is useful and valid or not, but my gut feeling is that it will be. Would the s2d and d2s tokens be used in addition to the existing token values or in place of them? |
Aha, I had forgotten that. It makes a lot of sense now as to why "src to dest" is counted as "in". This raises another question. In modern versions of IOS, you can enable netflow in both directions on the same interface. Would one set of flows have NF9_IN_BYTES and the other set NF9_OUT_BYTES? I believe these are unidirectional flows, and I thought it was just a "bytes" counter, plus a flag which indicates in/out (since you can write filters in nfdump like Now, if both in and out are unidirectional flows, then of course the traffic would be "src" to "dest" by definition. As long as it's all written as NF9_IN_BYTES then there would be no problem treating this as "s2d". I guess it would be possible to set something up with dynamips to test this.
My gut feeling is that they should replace them. It seems silly to have 4 different sets of counters. "s2d" would be the new name for "in", and "d2s" would be the new name for "out". This leaves the issue of pre-existing NSEL records being the wrong way round. Personally, I would be happy to take that hit; I care more that it is right going forward, than the quality of the historical data. But it's not my call. I don't know if you can identify the source as NSEL within the record, but bumping the version number would probably be good enough for anyone who cares. That is: if you see a bidirectional flow, and you happen to know it was collected from NSEL, and it has the old version number, then you know that s2d/d2s are the wrong way round. |
(Aside: I was wrong about in/out being a flag, there are separate fields for inif and outif) As I had the dynamips bits more or less ready, I decided to run a test. This is a 7200 with IOS 15.1
This is Netflow v9 by default:
I now have both the nfdump files, and raw pcap files taken at the same time. Looking at some short HTTPS sessions:
And decoding the packets with tshark:
OK, that's as expected:
|
i have question regarding the bidirectional i would like to have the in / out pps,pbs,bpp and in/out duration |
Sorry I don't understand what you're saying. Can you show:
|
this is the command nfdump -R /var/cache/nfdump/nfcapd.201701312347:nfcapd.201702010022 -o "fmt:%ts %td %pr %sap -> %dap %flg %ipkt %opkt %ibyt %obyt %fl " -b | more Date first seen Duration Proto Src IP Addr:Port Dst IP Addr:Port Flags In Pkt Out Pkt In Byte Out Byte Flows --now for bidirectional format i have (inpackts,outpackts,in bytes,outbytes) this is not enogh for me i would like to have(inpps,outpps,inpbs,outpbs,inbpp,outbpp,induration,outduration) |
I think extra formats like Try option (In future, support questions would probably be best submitted via the mailing list, rather than added to an existing ticket) |
thank you ./nfdump -b -w - | nfdump -R /var/cache/nfdump/nfcapd.201701312347:nfcapd.201702010022 -o "fmt:%ts %td %pr %sap -> %dap %flg %ipkt %opkt %ibyt %obyt %obps %pps %bpp %fl " -b | more you can see the error when i use %obps |
Like I said, there are various extra formats like Calculate |
please is there any way by NFDUMP to convert a time from ISO 8601 format to Unix(epoch) format |
Please don't ask questions on tickets. Support requests should go to the nfdump-users mailing list. |
Hi all! |
I think the original question of this thread should be answered. Please do do ask not related questions to issues for other topics. Please open a new issue? |
In a standard unidirectional netflow, for traffic from "src" to "dst", the counters are stored in
Then to support bi-directional flows, there are these extensions for "dst" to "src":
Therefore "src" to "dst" is considered as "in", and "dst" to "src" is considered as "out". I believe this is the opposite to how most people would think of it.
This becomes confusing when dealing with devices which do actually generate bi-directional flows.
In the case of Cisco ASA NSEL, it gives
NF_F_FWD_FLOW_DELTA_BYTES
andNF_F_REV_FLOW_DELTA_BYTES
. FWD refers to the "src" to "dst" direction, and REV to the "dst" to "src" direction. But these are stored as "in" and "out" respectively by nfdump.The result is: when you are looking at flows for (e.g.) a user connecting to a webserver, and looking separately at "ibytes" and "obytes", the outbound request is counted as "ibytes" and the downloaded traffic from webserver to user is counted as "obytes".
Netflow version 9 has
NF9_IN_BYTES
andNF9_OUT_BYTES
. I don't have a source to test these with, but I would expect "OUT" refers to the src to dst direction. (Need to check whether unidirectional flows set NF9_OUT_BYTES only)To make this consistent, and assuming people would be happier with src to dst being "out" rather than "in" I have some suggestions:
The text was updated successfully, but these errors were encountered: