On 20/10/2025 16:43, Ilya Maximets wrote:
On 10/20/25 3:56 PM, Brendan Doyle via discuss wrote:
When I do a tcpdump on the loopback interface, I get packets like:


   00:00:00.000008 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 381: (tos 0x0, ttl 64, id 52083, offset 0, flags [DF], proto UDP (17), length 367)
      127.0.0.1.34813 > 127.0.0.1.4242: [bad udp cksum 0xff6e -> 0xc601!] UDP, length 339
          0x0000:  0000 0000 0000 0000 0000 0000 0800 4500
          0x0010:  016f cb73 4000 4011 7008 7f00 0001 7f00
          0x0020:  0001 87fd 1092 015b ff6e 000a 0153 68f2
          0x0030:  69be 0000 0003 2b00 0007 011a 0143 0000
          0x0040:  03ea 0052 5400 be06 1652 5400 e64f 4608
          0x0050:  000e 0000 0017 0000 0000 0c6f 766e 2d73
          0x0060:  6361 3135 2d2d 3100 0440 0600 0000 c010
          0x0070:  0106 c010 0105 4d35 ead8 fdff 0206 fdff
          0x0080:  0205 1161 2917 c107 0300 0007 0004 baf0
          0x0090:  0004 baf0 0000 0000 0000 0001 0000 0000
          0x00a0:  0000 0002 0000 0000 0000 0001 0000 0000
          0x00b0:  0000 0002 0000 0000 0000 0002 0000 0000
          0x00c0:  0000 0000 0000 0000 0000 0000 0000 0000
          0x00d0:  0000 0000 0000 0000 0000 0000 0000 0000
          0x00e0:  0000 0000 0000 0000 0000 0000 0000 0000
          0x00f0:  0000 004a 0000 0000 0000 0094 0200 0000
          0x0100:  0000 0000 3c00 0000 0000 0000 7800 0000
          0x0110:  0000 0000 3c00 0000 0000 0000 7800 0000
          0x0120:  0000 000e 1000 0000 0000 001c 2000 0000

The metadata which should map to the obs point ID was 1001 which is 03ea hex, and I see that in the pkts always at the same offset 0x0040, so it could be that it is being generated by OVS, but that nfcapd does not have a template to decode it, I don't know what the ovn/ovs templates are.

What we see in the nfcapd logs are:

Dynamically add source ident: 127-0-0-1 in directory: /root/nfcapd/127-0-0-1/nfcapd.current.1228009
Process_ipfix: New exporter: SysID: 1, Observation domain 0 from: 127.0.0.1
Process_ipfix: New exporter: SysID: 2, Observation domain 704643079 from: 127.0.0.1
Process_ipfix: [704643079] Add template 256
Process_ipfix: [704643079] Add template 257

But the flows are always like:

{
          "type" : "FLOW",
          "sampled" : 0,
          "export_sysid" : 2,
          "t_first" : "2025-10-17T09:07:25.687",
          "t_last" : "2025-10-17T09:07:25.687",
          "proto" : 6,
          "src4_addr" : "192.16.1.5",
          "dst4_addr" : "192.16.1.6",
          "src_port" : 60120,
          "dst_port" : 19765,
          "fwd_status" : 0,
          "tcp_flags" : "........",
          "src_tos" : 0,
          "in_packets" : 1,
          "in_bytes" : 60,
          "input_snmp" : 33,
          "output_snmp" : 0,
          "src_mask" : 0,
          "dst_mask" : 0,
          "dst_tos" : 0,
          "direction" : 0,
          "in_src_mac" : "52:54:00:e6:4f:46",
          "out_dst_mac" : "00:00:00:00:00:00",
          "in_dst_mac" : "52:54:00:be:06:16",
          "out_src_mac" : "00:00:00:00:00:00",
          "ip4_router" : "127.0.0.1",
          "t_received" : "2025-10-17T09:07:25.691",
          "label" : "<none>"
}

Could it be I need a newer version of nfcapd, or I need to specify an arg to enable OVN/OVS templates? Where would I get these templates from?

The versions I'm using are:

# nfcapd -V
nfcapd: Version: 1.6.24

# nfdump -V
nfdump: Version: NSEL-NEL1.6.24

# nfprofile -V
nfprofile: Version: 1.6.24

# nfreplay -V
nfreplay: Version: 1.6.24

Yeah, it seems like you need a newer version.  AFAICT, nfcapd only supports
these fields starting with 1.7.0:
   
https://github.com/phaag/nfdump/issues/351
https://github.com/phaag/nfdump/commit/2d786aa383a3691a86c702633752d8146c4a5b1a

Information is in the packet, old nfcapd just doesn't parse/show it.

Best regards, Ilya Maximets.

Thanks, I downloaded, compiled and installed the latest code and now it is working:

[root@sca15-rain05 127-0-0-1]# for f in $(ls -1 nfcapd.*); do nfdump -o json -r $f; done | grep observation
  "observationDomainID" : 704643079,
  "observationPointID" : 1001,
  "observationDomainID" : 721420295,
  "observationPointID" : 1002,
  "observationDomainID" : 721420295,


Brendan.


_______________________________________________
discuss mailing list
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
