NetFlow v9 Collectors

How-To use libfixbuf as a NetFlow v9 Collector:

libfixbuf can be used as a NetFlow v9 collector and convert NetFlow to IPFIX. Follow the steps above to create an fbListener. After creating the listener, retrieve the collector by calling fbListenerGetCollector() before calling fbCollectorSetNetflowV9Translator(). Fixbuf can decode all NetFlow v9 information elements up to 346. Since fixbuf removes the SysUpTime from the NetFlow v9 Header, when fixbuf encounters elements 21 and 22 (which rely on the SysUpTime to determine flow start and end times) it will add IPFIX Element 160 (systemInitTimeMilliseconds) to the template and corresponding flow record. systemInitTimeMilliseconds is the Packet Export Time (found in the NetFlow v9 Header) converted to milliseconds minus the SysUpTime. Also, for arbitrary Cisco Elements (ID > 346), fixbuf will convert the element ID to 9999 in order to decode the element properly. The exceptions are elements 33002 (NF_F_FW_EXT_EVENT) and 40005 (NF_F_FW_EVENT) which are often exported from Cisco's ASA device. These elements will be converted to their corresponding element id's in libfixbuf's default Information Model, 9997 and 9998 respectively. Similarly, the Cisco ASA will also export elements 40001, 40002, 40003, and 40004. These elements are substituted with the IPFIX elements 225, 226, 227, and 228 respectively.

libfixbuf will also convert NetFlow v9 Options Templates and Options Records to IPFIX. Due to the differences between IPFIX and NetFlow v9 Options Templates the NetFlow v9 Scope Field Type is dropped and replaced with the Information Element ID 263, messageScope. The Scope Field Length will be carried over to the IPFIX Options Template, and the messageScope will have the length specified by Scope Field Length. This holds true for all Scope Elements defined in the NetFlow v9 Options Template. In order to retrieve the value for the Scope Field Type, the IPFIX internal template should use the messageScope Information Element and use the length override (the default length for messageScope is 1).

libfixbuf differentiates Netflow v9 streams by IP and observation domain. If no activity is seen from a NetFlow v9 exporter within 30 minutes, the session and all the templates associated with it will be freed. It is best to set the template timeout period on the device to under 30 minutes.

fbCollectorGetNetflowMissed() can be used to retrieve the number of potential missed export packets. This is not the number of FLOW records that the collector has missed. NetFlow v9 increases sequence numbers by the number of export packets it has sent, NOT the number of flow records. An export packet may not contain any flow records. Fixbuf tries to account for any reboot of the device and not count large sequence number discrepancies in it's missed count.

To disable NetFlow v9 log messages such as sequence number mismatch messages, option template removal messages, and record count discrepancy messages, run make clean, CFLAGS="-DFB_SUPPRESS_LOGS=1" make -e, make install when installing libfixbuf.