MPLS Label

[southzyzy]

Hi its me again, I have been using fbitdump to view the storage data created by the fastbit database and realise that it is able to display netflow records, the usual information ie. |start|end|prot|srcip|sport|dstip|dport|pkt|bytes|flows|.

However, I have a small network configuration where mpls_label is involved in the netflow data. However, I tried editing the fbitdump.xml template to try and display the mpls_label, I am unable to do so.

I am definitely sure that there are mpls_label when it captures the netflow data, but is the mpls label stored in fastbit ? If it is, is it possible for me to view them with fbitdump?

Thank you !!

[thorgrin]

Hi, if the data is sent to the collector, you will definitely be able to view it - it was designed to collect everything. You have to know the MPLS element ID and the type.

The simplest way to check what elements are captured is to run

fbitdump -r /path/to/single/timeslot/directory -T

The -T will display used templates with all captured elements and also whether the mapping for the elements exists in the configuration file.

I guess that you have the MPLS label exported as mplsTopLabelStackSection (IANA id 70 ), which is of a bytearray type. This is a bit more complicated, because it cannot be simply displayed as an integer. I believe that it should print a hexdump od the bytearray by default. To see it as numbers, you would have to create a simple plugin for fbitdump that converts the MPLS blob to human readable number. It is quite easy, there are other plugins that can be used as an example. However, if you do not feel up to the task, you can send me a small sample of captured flows containing the MPLS elements and I can write that conversion plugin for you and integrate it in the fbitdump tool directly.

[southzyzy]

Hey thanks for the help ! But i realise that along the way as I was sending the netflow records, I encounter an error. At first, i was using Vermont to export netflow records to IPFixCol. Then I went on to test it on my self-developed exporter and I receive error upon receiving. I was able to send the netflow records via UDP. But on the IPFixCol side, I am receiving this error:

I think that this error is due to the format that IPFixcol is reading. The netflow records sent is in this format: start,end,prot,srcip,sport,dstip,dport,pkt,bytes,flows,... as bytes to IPFixCol.
Is there a template that IPFixCol follows and unpack the data, base on the format ? Because I'm pretty sure the structure that I am sending data to IPFixCol is wrong.

Thank you for your help once again !!

[thorgrin]

The IPFIXcol natively works with the IPFIX protocol. Netflow is converted to IPFIX before further processing, and the error you see happens somewhere during the conversion (https://github.com/CESNET/ipfixcol/blob/master/base/src/utils/conversion/convert.c). You can compile the collector and run in the debugger to see which part of the conversion is failing. It might be a conversion problem as well, but we have to check.

In the meantime, can you provide minimal packet capture of the data it fails on?