Replies: 4 comments
-
That would be nice to have!
-
I can certainly have a look into this. Looks like it’s a kind of raw packet.
-
Just another question in order to understand your needs. Given nfdump implements #315, what is your benefit, or what could you do better?
-
I first learned about this new format for exporting enriched NetFlow data from a LinkedIn post by Pavel Odintsov, from the FastNetMon project [1]. After that, I started researching and studying it, and the main use case seems to be obtaining very fast flow telemetry combined with a short but deep packet snapshot. This can help collect useful information such as attack signatures, malware indicators, and similar data. In my view, this significantly improves traffic visibility and opens the door to more advanced analytics.
-
Hi,
First of all, thanks for nfdump — it’s a great and very reliable tool.
I’d like to ask a simple question: is there any intention or interest in
supporting IPFIX 315 (packet-based IPFIX export) in the future?
References:
https://www.cisco.com/c/en/us/td/docs/iosxr/ncs5000/system-monitoring/75x/b-system-monitoring-cg-ncs5000-75x/implementing-ipfix-315.pdf
https://documentation.nokia.com/sr/25-10/7750-sr/books/md-cli-command-reference/cflowd-cflowd_0.html#d2591
Thanks a lot for your time and for maintaining the project.
Best regards,
Rafael