Also in the unit test we have:
ovs-vsctl --id=@br get Bridge br-int \
-- --id=@ipfix create IPFIX targets=\"127.0.0.1:4242\" template_interval=1 \
-- --id=@cs create Flow_Sample_Collector_Set id=100 bridge=@br ipfix=@ipfix
This uses Flow_Sample_Collector_Set id=100, I assume that this is to match the collector the test created earlier:
collector1=$(ovn-nbctl create Sample_Collector id=1 name=c1 probability=65535 set_id=100)
And if we also wanted data from the collector2, the test created:
collector2=$(ovn-nbctl create Sample_Collector id=2 name=c2 probability=65535 set_id=200)
We'd have to add
ovs-vsctl --id=@br get Bridge br-int \
-- --id=@ipfix create IPFIX targets=\"127.0.0.1:4242\" template_interval=1 \
-- --id=@cs create Flow_Sample_Collector_Set id=200 bridge=@br ipfix=@ipfix
Brendan
On 16/10/2025 12:19, Brendan Doyle via discuss wrote:
Hi,
I'm trying to use the IPFIX feature of OVN, I'm running with the
latest STS for OVS and OVN:
# ovs-vsctl -V
ovs-vsctl (Open vSwitch) 3.6.0
DB Schema 8.8.0
# ovn-nbctl -V
ovn-nbctl 25.09.0
Open vSwitch Library 3.6.0
DB Schema 7.12.0
I have recreated the unit test for IPFIX:
https://github.com/ovn-org/ovn/blob/800fd0681579a553c5d381dfcd30cc7ff1a50798/tests/system-ovn.at#L13353-L13567
Except I've set it up on a live config, part of that unit test, when
checking the results is:
AT_CHECK([for f in $(ls -1 nfcapd.*); do nfdump -o json -r $f; done | grep observationPoint
When I look at the samples I've collected, I get:
# for f in $(ls -1 nfcapd.*); do nfdump -o json -r $f; done | grep observation
#
Nothing, because there is no Observation Domain ID or Observation Point
ID in the sample, which makes it of little use as I can't
correlate the sample to the ACL/Logical switch that it is taken from.
The samples just contain these:
{
"type" : "FLOW",
"sampled" : 0,
"export_sysid" : 1,
"t_first" : "2025-10-16T03:40:54.183",
"t_last" : "2025-10-16T03:40:54.183",
"proto" : 6,
"src4_addr" : "192.16.1.5",
"dst4_addr" : "192.16.1.6",
"src_port" : 58178,
"dst_port" : 19765,
"fwd_status" : 0,
"tcp_flags" : "........",
"src_tos" : 0,
"in_packets" : 145,
"in_bytes" : 11996,
"input_snmp" : 33,
"output_snmp" : 0,
"src_mask" : 0,
"dst_mask" : 0,
"dst_tos" : 0,
"direction" : 0,
"in_src_mac" : "52:54:00:e6:4f:46",
"out_dst_mac" : "00:00:00:00:00:00",
"in_dst_mac" : "52:54:00:be:06:16",
"out_src_mac" : "00:00:00:00:00:00",
"ip4_router" : "127.0.0.1",
"t_received" : "2025-10-16T03:40:54.186",
"label" : "<none>"
}
1) Have I set up the test case wrong (details below)?
2) Is this a bug in OVN/OVS? Is there a southbound flow, or OVS flow
that I can examine to see if an Observation domain is being
generated?
3) Is it a bug in nfdump?
Here is how I set up the test case:
On each controller node:
ovs-vsctl --id=@br get Bridge br-int \
-- --id=@ipfix create IPFIX targets=\"127.0.0.1:4242\" template_interval=1 \
-- --id=@cs create Flow_Sample_Collector_Set id=100 bridge=@br ipfix=@ipfix
Then the OVN central config:
export collector1=$(ovn-nbctl create Sample_Collector id=1 name=c1 probability=65535 set_id=100)
export collector2=$(ovn-nbctl create Sample_Collector id=2 name=c2 probability=65535 set_id=200)
ovn-nbctl create Sampling_App type="acl-new" id="42"
ovn-nbctl create Sampling_App type="acl-est" id="43"
ovn-nbctl create Sampling_App type="drop" id="44"
# ovn-nbctl list Sample_Collector
_uuid : b8e7dac8-7761-401f-92cf-8b8dfd02c84e
external_ids : {}
id : 1
name : c1
probability : 65535
set_id : 100

_uuid : bfb3679d-5d14-40c5-b31a-b294228722d8
external_ids : {}
id : 2
name : c2
probability : 65535
set_id : 200
export collector1="b8e7dac8-7761-401f-92cf-8b8dfd02c84e"
ovn-nbctl -- --id=@sample_in_1c_new create Sample collector="$collector1" metadata=1001 \
-- --id=@sample_in_1c_est create Sample collector="$collector1" metadata=1002 \
-- --sample-new=@sample_in_1c_new --sample-est=@sample_in_1c_est \
acl-add ls_vcn1_net1 from-lport 1 "inport == \"00bff7c0-2e2d-41ba-9485-3b5fa9801365\" && tcp.dst == 19765" allow-related
# ovn-nbctl acl-list ls_vcn1_net1
from-lport 1 (inport == "00bff7c0-2e2d-41ba-9485-3b5fa9801365" && tcp.dst == 19765) allow-related
# ovn-nbctl list Sample
_uuid : f06aad64-ee19-49b4-a1c6-231f2f0b71a6
collectors : [b8e7dac8-7761-401f-92cf-8b8dfd02c84e]
metadata : 1002

_uuid : 1fb536ae-baf9-4c47-a3df-b064b4b4e3ce
collectors : [b8e7dac8-7761-401f-92cf-8b8dfd02c84e]
metadata : 1001
[root@sca15-rain01 v3]# ovn-nbctl list Sample_Collector
_uuid : b8e7dac8-7761-401f-92cf-8b8dfd02c84e
external_ids : {}
id : 1
name : c1
probability : 65535
set_id : 100

_uuid : bfb3679d-5d14-40c5-b31a-b294228722d8
external_ids : {}
id : 2
name : c2
probability : 65535
set_id : 200
# ovn-nbctl list Sampling_App
_uuid : fddee87c-cbed-4143-b750-7377c87a2011
external_ids : {}
id : 42
type : acl-new

_uuid : 872d6ca6-54ad-4df7-ad72-748b91ca129a
external_ids : {}
id : 44
type : drop

_uuid : 808a5722-520d-466e-b200-053c77f2b77c
external_ids : {}
id : 43
type : acl-est
I generate traffic, I get samples, but they don't contain any
Observation ID data, so I can't relate them to
what ACL generated them.
Brendan.
_______________________________________________
discuss mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
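The reply at the top of the thread pairs each Sample_Collector set_id with a Flow_Sample_Collector_Set of the same id. The following is an added example, not part of the original messages and not OVN project code, that checks this pairing on one chassis and prints the thread's ovs-vsctl command for any set_id without a match. The function names and the sample lists are hypothetical, and it assumes, as the reply does, that set_id must equal the OVS collector set id.

```shell
#!/bin/sh
# Added example: cross-check OVN Sample_Collector set_ids against the
# Flow_Sample_Collector_Set ids configured on one chassis.

# missing_collector_sets NB_SET_IDS OVS_SET_IDS
# Each argument is a newline-separated list of integers (blank lines are
# ignored). Prints every set_id that has no OVS collector set with that id.
missing_collector_sets() {
    nb_ids=$1
    ovs_ids=$2
    for id in $(printf '%s\n' "$nb_ids" | grep -E '^[0-9]+$' | sort -un); do
        if ! printf '%s\n' "$ovs_ids" | grep -qx "$id"; then
            echo "$id"
        fi
    done
}

# collector_set_cmd ID
# Prints the ovs-vsctl command used in the thread with ID substituted
# (bridge, target and template_interval are the thread's values).
collector_set_cmd() {
    printf '%s %s id=%s %s\n' \
        'ovs-vsctl --id=@br get Bridge br-int --' \
        '--id=@ipfix create IPFIX targets=\"127.0.0.1:4242\" template_interval=1 -- --id=@cs create Flow_Sample_Collector_Set' \
        "$1" 'bridge=@br ipfix=@ipfix'
}

# On a live system the two lists would come from:
#   ovn-nbctl --bare --columns=set_id list Sample_Collector
#   ovs-vsctl --bare --columns=id list Flow_Sample_Collector_Set
# Constructed sample mirroring the thread: collectors c1 and c2 use set_id
# 100 and 200, but only collector set 100 was created in OVS.
nb_sample='100

200'
ovs_sample='100'

for id in $(missing_collector_sets "$nb_sample" "$ovs_sample"); do
    echo "set_id $id has no Flow_Sample_Collector_Set; to add it:"
    collector_set_cmd "$id"
done
```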