On 10/20/25 3:56 PM, Brendan Doyle via discuss wrote:
> When I do a tcpdump on the loopback interface, I get packets like:
>
>
> 00:00:00.000008 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype IPv4
> (0x0800), length 381: (tos 0x0, ttl 64, id 52083, offset 0, flags [DF],
> proto UDP (17), length 367)
> 127.0.0.1.34813 > 127.0.0.1.4242: [bad udp cksum 0xff6e -> 0xc601!]
> UDP, length 339
> 0x0000: 0000 0000 0000 0000 0000 0000 0800 4500
> 0x0010: 016f cb73 4000 4011 7008 7f00 0001 7f00
> 0x0020: 0001 87fd 1092 015b ff6e 000a 0153 68f2
> 0x0030: 69be 0000 0003 2b00 0007 011a 0143 0000
> 0x0040: 03ea 0052 5400 be06 1652 5400 e64f 4608
> 0x0050: 000e 0000 0017 0000 0000 0c6f 766e 2d73
> 0x0060: 6361 3135 2d2d 3100 0440 0600 0000 c010
> 0x0070: 0106 c010 0105 4d35 ead8 fdff 0206 fdff
> 0x0080: 0205 1161 2917 c107 0300 0007 0004 baf0
> 0x0090: 0004 baf0 0000 0000 0000 0001 0000 0000
> 0x00a0: 0000 0002 0000 0000 0000 0001 0000 0000
> 0x00b0: 0000 0002 0000 0000 0000 0002 0000 0000
> 0x00c0: 0000 0000 0000 0000 0000 0000 0000 0000
> 0x00d0: 0000 0000 0000 0000 0000 0000 0000 0000
> 0x00e0: 0000 0000 0000 0000 0000 0000 0000 0000
> 0x00f0: 0000 004a 0000 0000 0000 0094 0200 0000
> 0x0100: 0000 0000 3c00 0000 0000 0000 7800 0000
> 0x0110: 0000 0000 3c00 0000 0000 0000 7800 0000
> 0x0120: 0000 000e 1000 0000 0000 001c 2000 0000
>
> The metadata which should map to the obs point ID was 1001 which is 03ea
> hex, and I see that in the pkts always at the same offset 0x0040, so it
> could be that it is being generated by OVS, but that nfcapd does not have
> a template to decode it, I don't know what the ovn/ovs templates are.
>
> What we see in the nfcapd logs are:
>
> ynamically add source ident: 127-0-0-1 in directory:
> /root/nfcapd/127-0-0-1/nfcapd.current.1228009
> Process_ipfix: New exporter: SysID: 1, Observation domain 0 from: 127.0.0.1
> Process_ipfix: New exporter: SysID: 2, Observation domain 704643079
> from: 127.0.0.1
> Process_ipfix: [704643079] Add template 256
> Process_ipfix: [704643079] Add template 257
>
> But the flows are always like:
>
> {
> "type" : "FLOW",
> "sampled" : 0,
> "export_sysid" : 2,
> "t_first" : "2025-10-17T09:07:25.687",
> "t_last" : "2025-10-17T09:07:25.687",
> "proto" : 6,
> "src4_addr" : "192.16.1.5",
> "dst4_addr" : "192.16.1.6",
> "src_port" : 60120,
> "dst_port" : 19765,
> "fwd_status" : 0,
> "tcp_flags" : "........",
> "src_tos" : 0,
> "in_packets" : 1,
> "in_bytes" : 60,
> "input_snmp" : 33,
> "output_snmp" : 0,
> "src_mask" : 0,
> "dst_mask" : 0,
> "dst_tos" : 0,
> "direction" : 0,
> "in_src_mac" : "52:54:00:e6:4f:46",
> "out_dst_mac" : "00:00:00:00:00:00",
> "in_dst_mac" : "52:54:00:be:06:16",
> "out_src_mac" : "00:00:00:00:00:00",
> "ip4_router" : "127.0.0.1",
> "t_received" : "2025-10-17T09:07:25.691",
> "label" : "<none>"
> }
>
> Could it be I need a newer version of nfcapd? Or do I need to specify an
> arg to enable OVN/OVS templates? Where would I get these templates from?
>
> The versions I'm using are :
>
> # nfcapd -V
> nfcapd: Version: 1.6.24
>
> # nfdump -V
> nfdump: Version: NSEL-NEL1.6.24
>
> #nfprofile -V
> nfprofile: Version: 1.6.24
>
> # nfreplay -V
> nfreplay: Version: 1.6.24
>

Yeah, it seems like you need a newer version. AFAICT, nfcapd only supports
these fields starting with 1.7.0:

https://github.com/phaag/nfdump/issues/351
https://github.com/phaag/nfdump/commit/2d786aa383a3691a86c702633752d8146c4a5b1a

The information is in the packet; old nfcapd just doesn't parse/show it.

Best regards, Ilya Maximets.
_______________________________________________
discuss mailing list
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
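
To check for yourself whether a field is on the wire independently of what the collector displays, the following added example (not part of the thread, and not nfdump or OVS code) walks the sets of an IPFIX message as laid out in RFC 7011 and decodes one element from the first record of each data set. `DATA_MSG` is the start of the UDP payload from the dump above; `TEMPLATE_MSG` is constructed, and its field layout for template 282 is an assumption, since the capture shown contains only a data set.

```python
import struct

OBSERVATION_POINT_ID = 138  # IANA IPFIX element observationPointId
# Constructed template message (assumed layout: element 138 as 4 bytes, then 61 as 1 byte).
TEMPLATE_MSG = bytes.fromhex("000a002068f269be000000002b000007"
                             "00020010011a0002008a0004003d0001")
# First 25 bytes of the UDP payload in the dump on the page (payload starts at 0x002a).
DATA_MSG = bytes.fromhex("000a015368f269be000000032b000007011a0143000003ea00")

def parse_sets(msg):
    """Yield (set_id, body) for each set in one IPFIX message."""
    version, length = struct.unpack_from("!HH", msg, 0)
    if version != 10:
        raise ValueError("not an IPFIX message")
    end, off = min(length, len(msg)), 16        # tolerate a truncated capture
    while off + 4 <= end:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4:
            break                               # malformed set header
        yield set_id, msg[off + 4:min(off + set_len, end)]
        off += set_len

def learn_templates(msg, templates):
    """Record {template_id: [(element_id, length), ...]} from template sets (ID 2)."""
    for set_id, body in parse_sets(msg):
        off = 0
        while set_id == 2 and off + 4 <= len(body):
            tid, count = struct.unpack_from("!HH", body, off)
            off, fields = off + 4, []
            for _ in range(count):
                ie, flen = struct.unpack_from("!HH", body, off)
                off += 8 if ie & 0x8000 else 4  # enterprise elements carry 4 more bytes
                fields.append((ie, flen))
            templates[tid] = fields

def first_value(msg, templates, wanted):
    """Return {set_id: value of `wanted`} from the first record of each known data set."""
    out = {}
    for set_id, body in parse_sets(msg):
        off = 0
        for ie, flen in templates.get(set_id, []):
            if flen == 0xFFFF or off + flen > len(body):
                break                           # variable-length or truncated field
            if ie == wanted:
                out[set_id] = int.from_bytes(body[off:off + flen], "big")
            off += flen
    return out
```

With no template learned for set 282, `first_value` returns an empty dict even though the bytes are present in the packet, which is the same situation as a collector that receives the record but has no decoder for the element.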