IPFIX fields missing for newer netobserv features (Connection RTT, DNS decode etc) #544

Open
rupertgregoryibm opened this issue Nov 22, 2023 · 5 comments

Comments

@rupertgregoryibm

Hello team,

As the main agent has been leaping forward, it seems the IPFIX export feature of FLP needs an update to support export of these fields -

DnsFlags
DnsFlagsResponseCode
DnsId
DnsLatencyMs
RTT
DstK8S_HostIP
DstK8S_HostName
DstK8S_Name
DstK8S_Namespace
DstK8S_OwnerName
DstK8S_OwnerType
DstK8S_Type

...there may be (read: probably are) more fields; I've just done a brief scan of various MRs over the past few months.

Please can we get the IPFIX export updated. I'm happy to allocate new IPFIX entries if someone can help or point me to the complete schema for all the possible fields and also what each one means.

Many thanks. R.

@jotak
Member

jotak commented Nov 22, 2023

Some of these fields are indeed probably missing, but some of them are not expected: all the "DstK8S..." stuff comes from the kube enrichment stage that happens in flowlogs-pipeline, i.e. downstream of the agent.

@msherif1234 we should look for a way to assert that all exporters are always on par with their exported fields ... Like in my current PR here I'm adding assertions that the grpc or direct-flp export produce the same result; maybe we can try to generalize to include ipfix too

@rupertgregoryibm
Author

Thanks for the quick response @jotak - yes, should have been clearer, there's some upstream fields from the eBPF agent and some FLP enriched fields - all should be consumable irrespective of the export method... which you've highlighted 👍

I have also let @dushyantbehl know, as he worked on some of this.

@jotak
Member

jotak commented Nov 22, 2023

Oh, I didn't realize you posted on the flowlogs-pipeline repo, I thought it was the ebpf agent repo... It is a bit confusing because both the agent and FLP have the ability to export as IPFIX; so you're using IPFIX export from FLP and not from the Agent, so indeed you should get the kube enriched fields.
On the new fields such as DNS / RTT etc., I guess yes, they need to be added somewhere in this file: https://github.com/netobserv/flowlogs-pipeline/blob/main/pkg/pipeline/write/write_ipfix.go

@rupertgregoryibm
Author

@jotak is there a master field schema anywhere in the ebpf agent? I assume it would be buried in a protobuf def somewhere?

@jotak
Member

jotak commented Nov 30, 2023

@rupertgregoryibm yes indeed, here's the protobuf definition: https://github.com/netobserv/netobserv-ebpf-agent/blob/main/proto/flow.proto
And here's where it's converted to FLP format: https://github.com/netobserv/netobserv-ebpf-agent/blob/main/pkg/decode/decode_protobuf.go#L44
