I am looking into porting an existing flow exporter that is based on Ubuntu + ipt-netflow to VyOS. As far as I can see, its flow-accounting feature seems to be using pmacct internally.
Right now, I am heavily making use of ipt-netflow’s (port) aggregation feature to aggregate uninteresting ports, while retaining individual statistics for a short list of well-known (22, 80, …) ports.
With pmacct, it seems that I can achieve a similar behaviour by providing a ports_file. I have no test setup yet, so I am asking ahead of time here: (how) is it currently supported to manually tailor the accounting behaviour of flow accounting/pmacct beyond what is made accessible through VyOS’ documented settings?
I’d recommend using the more modern sFlow
Netflow 9 aka IPFIX is probably even more modern than sFlow:
The problem with them all is that they are sample-based, so you will never see exactly everything going on the links.
Any sample rate below, give or take, every 1000th packet will bring a huge stress on the mgmt CPU unless there is specific offloading in hardware (FPGA/ASIC) for that.
Generally, most vendors seem not to recommend using a sample rate below every 16384th packet.
The main difference between NetFlow 9 and sFlow, as I understand it, is that while sFlow sends a report for every sampled packet, NetFlow has a fixed table size (often 32k flows, it seems), which means NetFlow 9 is often more true to reality than sFlow; but since they are all sample-based, it’s only a matter of degrees in hell.
The question is whether the conntrack table could somehow be exported if you choose to enable the firewall in VyOS.
I mean that would be the most truthful of them all (except for flows you define as NOTRACK).
It would basically be just like the NetFlow 9 tables, but for ALL sessions and not just the last 32k.
I guess you didn’t use pmacct.
Otherwise you would never recommend it.
Thanks for the pointer! But my original question applies to this stack as well: (how) does this exporter support (port-based) aggregation? Even hsflowd’s documentation does not mention any possibility of aggregation, just plenty of (sub)sampling options. My use case is accounting, so I want sampling rate = 1, but not at the native granularity that NetFlow/sFlow can deliver.
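As an added example (not code from this thread, from VyOS or from pmacct), here is the port-folding aggregation the original post describes, run at sampling rate 1 over constructed flow records: a short allowlist of well-known ports keeps full granularity and every other port collapses into one bucket. The allowlist, the record layout and the assumption that pmacct's ports_file holds one port per line and folds unlisted ports into port 0 are mine.

```python
# Added example: port-based aggregation of un-sampled flow records.
# Assumed pmacct setup (not verified against a live install):
#   aggregate: proto, src_port, dst_port
#   ports_file: /etc/pmacct/ports.lst   (one port per line; unlisted -> port 0)
from collections import defaultdict
from typing import Dict, Iterable, Tuple

# Hypothetical allowlist of ports kept individually, as in the ipt-netflow setup.
WELL_KNOWN_PORTS = frozenset({22, 25, 53, 80, 443})
OTHER = 0  # bucket for every port not in the allowlist

# Constructed flow records: (proto, src_port, dst_port, packets, bytes)
SAMPLE_FLOWS = [
    ("tcp", 51234, 80, 10, 4000),
    ("tcp", 51235, 80, 5, 2000),
    ("tcp", 40000, 443, 8, 9000),
    ("udp", 40001, 53, 2, 200),
    ("udp", 53, 40002, 2, 600),   # DNS reply: server port is the source side
    ("tcp", 60000, 8080, 3, 300),  # both ports unlisted -> (tcp, 0, 0)
    ("tcp", 60001, 8443, 7, 700),
]

Key = Tuple[str, int, int]


def fold_port(port: int) -> int:
    """Keep allowlisted ports; map everything else onto the OTHER bucket."""
    return port if port in WELL_KNOWN_PORTS else OTHER


def aggregate(flows: Iterable[Tuple[str, int, int, int, int]]) -> Dict[Key, Tuple[int, int]]:
    """Sum packets and bytes per (proto, folded src_port, folded dst_port).

    Every record is counted (sampling rate 1); only the port dimension is coarsened,
    so totals are conserved while the key space stays small.
    """
    totals: Dict[Key, list] = defaultdict(lambda: [0, 0])
    for proto, sport, dport, pkts, byts in flows:
        acc = totals[(proto, fold_port(sport), fold_port(dport))]
        acc[0] += pkts
        acc[1] += byts
    return {k: (v[0], v[1]) for k, v in totals.items()}


def ports_file_text(ports: Iterable[int]) -> str:
    """Render the allowlist in the assumed one-port-per-line ports_file layout."""
    return "".join(f"{p}\n" for p in sorted(ports))


if __name__ == "__main__":
    for key, (pkts, byts) in sorted(aggregate(SAMPLE_FLOWS).items()):
        print(key, pkts, byts)
```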