I've got a problem recently where my netflow Analyzer is reporting more than 100% utilization on an interface. Having looked at some of the packets in a pcap, I can see that some of the "flows" appear to be duplicate. You can see one example attached (IP info scrubbed) where all of the info in green is identical between the two flows, the only difference is the two fields highlighted in red (Padding and IP ToS). The attached is for an ICA session, but I can see the same behavior for other protocols also, so it's nothing ICA specific.
Is it normal for the same flow to be reported twice by the netflow engine like this? If so, what would be the reason? According to the URL below, the padding field is reserved and should always be zero:
https://www.plixer.com/support/netflow-v5/
So that would just leave the IP ToS field, but why would it be reported twice like this? Is it because the packet is being recorded before and after it goes through the ToS engine on the device? Could this be a mis-configuration on the device, or is it something the Analyzer should handle?
Apologies, my netflow knowledge is not very deep; I have done some research, but haven't found anybody else reporting this at all.
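As an added diagnostic (example code written for this thread, not from the original post or from any NetFlow tool): a minimal NetFlow v5 parser that groups records identical except for ToS and the reserved pad fields, checks that the pads really are zero, and shows how much such pairs inflate the byte total an analyzer sums. The export datagram below is constructed; the addresses, the 0x10 ToS value and the ICA port are illustrative.

```python
import struct
from collections import defaultdict

# NetFlow v5 wire layout (network byte order): 24-byte header, then 48-byte records.
HDR = struct.Struct("!HHIIIIBBH")
REC = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")
FIELDS = ("src", "dst", "nexthop", "input", "output", "pkts", "octets", "first", "last",
          "sport", "dport", "pad1", "flags", "proto", "tos", "src_as", "dst_as",
          "src_mask", "dst_mask", "pad2")
NON_KEY = {"tos", "pad1", "pad2"}   # the only fields that differ between the two copies

def parse_v5(datagram):
    """Parse one v5 export datagram into a list of record dicts."""
    version, count, *_ = HDR.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not NetFlow v5: version=%d" % version)
    return [dict(zip(FIELDS, REC.unpack_from(datagram, HDR.size + i * REC.size)))
            for i in range(count)]

def tos_only_duplicates(recs):
    """Group records that match on every field except ToS/padding; keep groups of 2+."""
    groups = defaultdict(list)
    for r in recs:
        groups[tuple(v for k, v in r.items() if k not in NON_KEY)].append(r)
    return [g for g in groups.values() if len(g) > 1]

def nonzero_padding(recs):
    """Records whose reserved pad fields are not zero (the v5 spec says they must be)."""
    return [r for r in recs if r["pad1"] or r["pad2"]]

def total_octets(recs, collapse_tos_dups=False):
    """Bytes an analyzer would sum; optionally count each ToS-only duplicate group once."""
    if not collapse_tos_dups:
        return sum(r["octets"] for r in recs)
    seen, total = set(), 0
    for r in recs:
        key = tuple(v for k, v in r.items() if k not in NON_KEY)
        if key not in seen:
            seen.add(key)
            total += r["octets"]
    return total

# Constructed sample: two copies of one flow differing only in ToS, plus one other flow.
def _rec(tos, octets, sport):
    return REC.pack(0x0A000001, 0x0A000002, 0, 1, 2, 10, octets, 1000, 2000,
                    sport, 1494, 0, 0x18, 6, tos, 0, 0, 24, 24, 0)

SAMPLE = (HDR.pack(5, 3, 5000, 1700000000, 0, 1, 0, 0, 0)
          + _rec(0x00, 4000, 40000) + _rec(0x10, 4000, 40000) + _rec(0x00, 1500, 40001))
```

Running it over the records extracted from a real capture (instead of SAMPLE) shows how many flows are affected and whether the raw sum, not the collapsed one, is what pushes the utilization figure past 100%.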