Enterprise Network Flow Collector (IPFIX, sFlow, Netflow)

vFlow

High-performance, scalable and reliable IPFIX, sFlow and Netflow collector (written in pure Golang).

Features

  • IPFIX RFC7011 collector
  • sFlow v5 raw header / counters collector
  • Netflow v5 collector
  • Netflow v9 collector
  • Decoding sFlow raw header L2/L3/L4
  • Produce to Apache Kafka, NSQ, NATS
  • Replicate IPFIX and sFlow to 3rd party collector
  • Supports IPv4 and IPv6
  • Prometheus and RESTful APIs monitoring

Documentation

Decoded IPFIX data

The IPFIX data is decoded to JSON format; each "I" is an IANA IPFIX element ID and "V" is its value.

{"AgentID":"192.168.21.15","Header":{"Version":10,"Length":420,"ExportTime":1483484642,"SequenceNo":1434533677,"DomainID":32771},"DataSets":[[{"I":8,"V":"192.16.28.217"},{"I":12,"V":"180.10.210.240"},{"I":5,"V":2},{"I":4,"V":6},{"I":7,"V":443},{"I":11,"V":64381},{"I":32,"V":0},{"I":10,"V":811},{"I":58,"V":0},{"I":9,"V":24},{"I":13,"V":20},{"I":16,"V":4200000000},{"I":17,"V":27747},{"I":15,"V":"180.105.10.210"},{"I":6,"V":"0x10"},{"I":14,"V":1113},{"I":1,"V":22500},{"I":2,"V":15},{"I":52,"V":63},{"I":53,"V":63},{"I":152,"V":1483484581770},{"I":153,"V":1483484622384},{"I":136,"V":2},{"I":243,"V":0},{"I":245,"V":0}]]}
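A consumer usually has to turn the numeric "I" keys back into named fields before the record is useful for analysis. The sketch below is an added example, not code from vFlow: it reads a trimmed copy of the message above and resolves a handful of IANA element IDs; the type and function names (`Flow`, `ParseFlows`) are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
)

// Subset of the IANA IPFIX information element registry used below.
const (
	ieOctets   = 1  // octetDeltaCount
	iePackets  = 2  // packetDeltaCount
	ieProto    = 4  // protocolIdentifier
	ieTCPFlags = 6  // tcpControlBits
	ieSrcPort  = 7  // sourceTransportPort
	ieSrcAddr  = 8  // sourceIPv4Address
	ieDstPort  = 11 // destinationTransportPort
	ieDstAddr  = 12 // destinationIPv4Address
)

// sample is a trimmed copy of the decoded IPFIX message shown above.
const sample = `{"AgentID":"192.168.21.15","Header":{"Version":10,"ExportTime":1483484642},"DataSets":[[{"I":8,"V":"192.16.28.217"},{"I":12,"V":"180.10.210.240"},{"I":4,"V":6},{"I":7,"V":443},{"I":11,"V":64381},{"I":6,"V":"0x10"},{"I":1,"V":22500},{"I":2,"V":15}]]}`

type element struct {
	I uint16          `json:"I"`
	V json.RawMessage `json:"V"`
}

type message struct {
	AgentID  string
	DataSets [][]element
}

// Flow is one data record with element IDs resolved to named fields
// (hypothetical type, not part of vFlow).
type Flow struct {
	Agent, Src, Dst  string
	Proto, TCPFlags  uint64
	SrcPort, DstPort uint64
	Bytes, Packets   uint64
}

// num accepts both numeric encodings seen in the sample:
// a JSON number (443) and a hex string ("0x10").
func num(raw json.RawMessage) (uint64, error) {
	s := string(raw)
	if len(s) > 0 && s[0] == '"' {
		if err := json.Unmarshal(raw, &s); err != nil {
			return 0, err
		}
	}
	return strconv.ParseUint(s, 0, 64) // base 0 understands the 0x prefix
}

func str(raw json.RawMessage) (string, error) {
	var s string
	err := json.Unmarshal(raw, &s)
	return s, err
}

// ParseFlows decodes one vFlow JSON message into named flow records.
// Elements outside the subset above are ignored.
func ParseFlows(line []byte) ([]Flow, error) {
	var m message
	if err := json.Unmarshal(line, &m); err != nil {
		return nil, err
	}
	flows := make([]Flow, 0, len(m.DataSets))
	for _, rec := range m.DataSets {
		f := Flow{Agent: m.AgentID}
		for _, e := range rec {
			var err error
			switch e.I {
			case ieSrcAddr:
				f.Src, err = str(e.V)
			case ieDstAddr:
				f.Dst, err = str(e.V)
			case ieProto:
				f.Proto, err = num(e.V)
			case ieTCPFlags:
				f.TCPFlags, err = num(e.V)
			case ieSrcPort:
				f.SrcPort, err = num(e.V)
			case ieDstPort:
				f.DstPort, err = num(e.V)
			case ieOctets:
				f.Bytes, err = num(e.V)
			case iePackets:
				f.Packets, err = num(e.V)
			}
			if err != nil {
				return nil, fmt.Errorf("element %d: %w", e.I, err)
			}
		}
		flows = append(flows, f)
	}
	return flows, nil
}

func main() {
	flows, err := ParseFlows([]byte(sample))
	fmt.Printf("%+v %v\n", flows, err)
}
```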

Decoded sFlow data

{"Version":5,"IPVersion":1,"AgentSubID":5,"SequenceNo":37591,"SysUpTime":3287084017,"SamplesNo":1,"Samples":[{"SequenceNo":1530345639,"SourceID":0,"SamplingRate":4096,"SamplePool":1938456576,"Drops":0,"Input":536,"Output":728,"RecordsNo":3,"Records":{"ExtRouter":{"NextHop":"115.131.251.90","SrcMask":24,"DstMask":14},"ExtSwitch":{"SrcVlan":0,"SrcPriority":0,"DstVlan":0,"DstPriority":0},"RawHeader":{"L2":{"SrcMAC":"58:00:bb:e7:57:6f","DstMAC":"f4:a7:39:44:a8:27","Vlan":0,"EtherType":2048},"L3":{"Version":4,"TOS":0,"TotalLen":1452,"ID":13515,"Flags":0,"FragOff":0,"TTL":62,"Protocol":6,"Checksum":8564,"Src":"10.1.8.5","Dst":"161.140.24.181"},"L4":{"SrcPort":443,"DstPort":56521,"DataOffset":5,"Reserved":0,"Flags":16}}}}],"IPAddress":"192.168.10.0"}

Decoded Netflow v5 data

{"AgentID":"114.23.3.231","Header":{"Version":5,"Count":3,"SysUpTimeMSecs":51469784,"UNIXSecs":1544476581,"UNIXNSecs":0,"SeqNum":873873830,"EngType":0,"EngID":0,"SmpInt":1000},"Flows":[{"SrcAddr":"125.238.46.48","DstAddr":"114.23.236.96","NextHop":"114.23.3.231","Input":791,"Output":817,"PktCount":4,"L3Octets":1708,"StartTime":51402145,"EndTime":51433264,"SrcPort":49233,"DstPort":443,"Padding1":0,"TCPFlags":16,"ProtType":6,"Tos":0,"SrcAsNum":4771,"DstAsNum":56030,"SrcMask":20,"DstMask":22,"Padding2":0},{"SrcAddr":"125.238.46.48","DstAddr":"114.23.236.96","NextHop":"114.23.3.231","Input":791,"Output":817,"PktCount":1,"L3Octets":441,"StartTime":51425137,"EndTime":51425137,"SrcPort":49233,"DstPort":443,"Padding1":0,"TCPFlags":24,"ProtType":6,"Tos":0,"SrcAsNum":4771,"DstAsNum":56030,"SrcMask":20,"DstMask":22,"Padding2":0},{"SrcAddr":"210.5.53.48","DstAddr":"103.22.200.210","NextHop":"122.56.118.157","Input":564,"Output":802,"PktCount":1,"L3Octets":1500,"StartTime":51420072,"EndTime":51420072,"SrcPort":80,"DstPort":56108,"Padding1":0,"TCPFlags":16,"ProtType":6,"Tos":0,"SrcAsNum":56030,"DstAsNum":13335,"SrcMask":24,"DstMask":23,"Padding2":0}]}

Decoded Netflow v9 data

{"AgentID":"10.81.70.56","Header":{"Version":9,"Count":1,"SysUpTime":357280,"UNIXSecs":1493918653,"SeqNum":14,"SrcID":87},"DataSets":[[{"I":1,"V":"0x00000050"},{"I":2,"V":"0x00000002"},{"I":4,"V":2},{"I":5,"V":192},{"I":6,"V":"0x00"},{"I":7,"V":0},{"I":8,"V":"10.81.70.56"},{"I":9,"V":0},{"I":10,"V":0},{"I":11,"V":0},{"I":12,"V":"224.0.0.22"},{"I":13,"V":0},{"I":14,"V":0},{"I":15,"V":"0.0.0.0"},{"I":16,"V":0},{"I":17,"V":0},{"I":21,"V":300044},{"I":22,"V":299144}]]}

Supported platform

  • Linux
  • Windows

Build

Given that the Go Language compiler (version 1.14.x preferred) is installed, you can build it with:

go get github.com/EdgeCast/vflow/vflow
cd $GOPATH/src/github.com/EdgeCast/vflow

make build
or
cd vflow; go build 

Installation

You can download and install the pre-built Debian package as shown below (RPM and Linux binary are also available).

dpkg -i vflow-0.9.0-x86_64.deb

Once installed, you need to configure the files below; for more information, check the configuration guide:

/etc/vflow/vflow.conf
/etc/vflow/mq.conf

You can start the service with:

service vflow start

Kubernetes

kubectl apply -f https://github.com/EdgeCast/vflow/blob/master/kubernetes/deploy.yaml

Docker

docker run -d -p 2181:2181 -p 9092:9092 spotify/kafka
docker run -d -p 4739:4739 -p 4729:4729 -p 6343:6343 -p 8081:8081 -e VFLOW_KAFKA_BROKERS="172.17.0.1:9092" mehrdadrad/vflow

License

Licensed under the Apache License, Version 2.0 (the "License")

Contribute

Contributions of any kind are welcome; please follow these steps:

  • Fork the project on github.com.
  • Create a new branch.
  • Commit changes to the new branch.
  • Send a pull request.

Comments

  • Slack link is broken in README

    I have a question about logging in the docker container and was going to use the slack link, but it redirects and says the shared join link is no longer valid. Can you please fix so I can ask my question there?

    Thanks.

  • latest version from git

    latest version from git "operation not supported" when running

    Hi

    Just trying to install and run

    configs:

    cat /etc/vflow/vflow.conf
    ipfix-workers: 600
    sflow-workers: 300
    sflow-port: 9999
    stats-http-port: 10080
    log-file: /var/log/vflow.log

    cat /etc/vflow/mq.conf
    brokers:
      - 127.0.0.1:9092
    retry-max: 1
    retry-backoff: 30

    netstat -na | grep 9092
    netstat -na | grep 9092
    tcp6 0 0 :::9092 :::* LISTEN

    logs for vflow with -verbose show no errors - last in log:

    [vflow] 2017/11/06 19:51:20 netflow v9 is running (UDP: listening on [::]:4729 workers#: 200)
    [vflow] 2017/11/06 19:51:20 ipfix is running (UDP: listening on [::]:4739 workers#: 600)

  • Swap sarama for segmentio kafka library

    The kafka library from segmentio provides the same kafka connectivity capability in a smaller package size. According to the authors it should also use less memory. Also included is functionality to support the use of a bootstrap server ( a dns record that points to available brokers ).

  • Can not decode sflow data

    • I build with the git master branch

    run command

    ./vflow -config vflow.conf -mqueue-conf mq.conf  \
                     -sflow-max-udp-size 100000 -sflow-port 6343
    

    vflow.conf

    cat vflow.conf
    sflow-workers: 1
    log-file: /var/log/vflow.log
    verbose: true
    mq-name: kafka
    ipfix-enabled: false
    netflow9-enabled: false
    sflow-topic: vflow
    

    mq.conf

    brokers:
      - xxxxx.cn:9092
    

    output log

    [vflow] 2018/04/26 00:50:49 rcvd sflow data from: xxxx:6343, size: 1396 bytes
    [vflow] 2018/04/26 00:50:49 rcvd sflow data from: xxxx:6343, size: 1268 bytes
    [vflow] 2018/04/26 00:50:49 rcvd sflow data from: xxxx:6343, size: 1220 bytes
    [vflow] 2018/04/26 00:50:49 rcvd sflow data from: xxxx:6343, size: 1312 bytes
    

    monitor

    {
        "UDPQueue": 0,
        "MessageQueue": 0,
        "UDPCount": 750,
        "DecodedCount": 0,
        "MQErrorCount": 0,
        "Workers": 1
    }
    

    tcpdump of sflow sending

    01:09:45.347017 IP xxxxx.sflow > xxxxx.sflow: sFlowv5, IPv4 agent xxxxx.com, agent-id 8, length 1216
    01:09:45.482522 IP xxxxx.com.sflow > 1xxxxw: sFlowv5, IPv4 agent xxxx, agent-id 8, length 1372
    

    Problem

    • Not a single sflow msg was decoded, and I can't tell the reason.
  • Netflow: fatal error: runtime: out of memory

    Hello All,

    I get "fatal error: runtime: out of memory" after vflow has been running for some minutes, and this is my vflow.conf:

    netflow9-workers: 50
    log-file: /var/log/vflow.log
    ipfix-tpl-cache-file: /usr/local/vflow/vflow.templates
    netflow9-topic: anomaly
    ipfix-enabled: false
    sflow-enabled: false
    dynamic-workers: false

  • netflow v9 some templates not being parsed - Multiple errors: can not read the data

    I'm having trouble with some v9 templates not being parsed from a Juniper SRX. Some are, and some aren't. As an example below - template id# 261 seems to fail to be defined, even though its definition gets transmitted every 60 seconds by the sending router. First some background:

    • sending device - SRX210HE JUNOS Software Release [12.1X46-D67]
    • receiving devices (similar results from both)
      • smartos - go version go1.8 solaris/amd64 - joyent_20170928T144204Z
      • debian stretch - go version go1.7.4 linux/amd64 - Linux version 4.9.0-4-amd64 ([email protected]) (gcc version 6.3.0 20170516 (Debian 6.3.0-18) ) #1 SMP Debian 4.9.51-1 (2017-09-28)
    • built from git (today), VERSION=0.4.1 in Makefile (although interestingly that version doesn't populate into the version [vflow] 2017/12/03 14:31:45 Welcome to vFlow v.unknown Apache License 2.0)

    Router config:

    set services flow-monitoring version9 template template_1 ipv4-template
    set services flow-monitoring version9 template template_2 ipv6-template
    set forwarding-options sampling input rate 1
    set forwarding-options sampling family inet output flow-inactive-timeout 30
    set forwarding-options sampling family inet output flow-active-timeout 60
    set forwarding-options sampling family inet output flow-server 10.232.6.89 port 4729
    set forwarding-options sampling family inet output flow-server 10.232.6.89 version9 template template_1
    set forwarding-options sampling family inet output inline-jflow source-address 10.232.4.5
    set forwarding-options sampling family inet6 output flow-inactive-timeout 30
    set forwarding-options sampling family inet6 output flow-active-timeout 60
    set forwarding-options sampling family inet6 output flow-server 10.232.6.89 port 4729
    set forwarding-options sampling family inet6 output flow-server 10.232.6.89 version9 template template_2
    set forwarding-options sampling family inet6 output inline-jflow source-address 10.232.4.5
    
    

    From the vflow.log file.. The "can not read data" appears every minute.

    [vflow] 2017/11/28 11:10:16 Multiple errors:
    - 10.232.4.5 unknown netflow template id# 261
    - can not read the data
    - can not read the data
    - can not read the data
    [vflow] 2017/11/28 11:10:16 rcvd netflow v9 data from: 10.232.4.5:63651, size: 144 bytes
    [vflow] 2017/11/28 11:10:16 Multiple errors:
    - can not read the data
    - can not read the data
    - can not read the data
    - can not read the data
    - can not read the data
    - can not read the data
    - can not read the data
    - can not read the data
    - can not read the data
    - can not read the data
    - can not read the data
    - can not read the data
    [vflow] 2017/11/28 11:10:18 rcvd netflow v9 data from: 10.232.4.5:58938, size: 144 bytes
    [vflow] 2017/11/28 11:10:18 10.232.4.5 unknown netflow template id# 261
    

    (After a few days it also crashes with a backtrace that I haven't really had a look at yet)

    To me it looks like the definition of template 261 is being sent every minute, along with a few flows using the same template id.. Here's a packet.

    Frame 16: 618 bytes on wire (4944 bits), 618 bytes captured (4944 bits) on interface 0
        Interface id: 0 (net0)
        Encapsulation type: Ethernet (1)
        Arrival Time: Dec  3, 2017 15:02:37.876916000 AEDT
        [Time shift for this packet: 0.000000000 seconds]
        Epoch Time: 1512273757.876916000 seconds
        [Time delta from previous captured frame: 2.002214000 seconds]
        [Time delta from previous displayed frame: 2.002214000 seconds]
        [Time since reference or first frame: 19.046828000 seconds]
        Frame Number: 16
        Frame Length: 618 bytes (4944 bits)
        Capture Length: 618 bytes (4944 bits)
        [Frame is marked: False]
        [Frame is ignored: False]
        [Protocols in frame: eth:ethertype:ip:udp:cflow]
    Ethernet II, Src: JuniperN_cb:2f:01 (80:71:1f:cb:2f:01), Dst: 82:c5:5d:98:41:4a (82:c5:5d:98:41:4a)
        Destination: 82:c5:5d:98:41:4a (82:c5:5d:98:41:4a)
            Address: 82:c5:5d:98:41:4a (82:c5:5d:98:41:4a)
            .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        Source: JuniperN_cb:2f:01 (80:71:1f:cb:2f:01)
            Address: JuniperN_cb:2f:01 (80:71:1f:cb:2f:01)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        Type: IPv4 (0x0800)
    Internet Protocol Version 4, Src: 10.232.4.5, Dst: 10.232.6.89
        0100 .... = Version: 4
        .... 0101 = Header Length: 20 bytes (5)
        Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
            0000 00.. = Differentiated Services Codepoint: Default (0)
            .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
        Total Length: 604
        Identification: 0x7864 (30820)
        Flags: 0x00
            0... .... = Reserved bit: Not set
            .0.. .... = Don't fragment: Not set
            ..0. .... = More fragments: Not set
        Fragment offset: 0
        Time to live: 63
        Protocol: UDP (17)
        Header checksum: 0xe0ff [validation disabled]
        [Header checksum status: Unverified]
        Source: 10.232.4.5
        Destination: 10.232.6.89
    User Datagram Protocol, Src Port: 54060, Dst Port: 4729
        Source Port: 54060
        Destination Port: 4729
        Length: 584
        Checksum: 0xfb15 [unverified]
        [Checksum Status: Unverified]
        [Stream index: 0]
    Cisco NetFlow/IPFIX
        Version: 9
        Count: 10
        SysUptime: 2613.569000000 seconds
        Timestamp: Dec  3, 2017 15:02:37.000000000 AEDT
            CurrentSecs: 1512273757
        FlowSequence: 372
        SourceId: 142
        FlowSet 1 [id=261]
            FlowSet Id: (Data) (261)
            FlowSet Length: 184
            Data (180 bytes), no template found
                [Expert Info (Warning/Malformed): Data (180 bytes), no template found]
                    [Data (180 bytes), no template found]
                    [Severity level: Warning]
                    [Group: Malformed]
        FlowSet 2 [id=1] (Options Template): 256
            FlowSet Id: Options Template(V9) (1)
            FlowSet Length: 24
            Options Template (Id = 256) (Scope Count = 1; Data Count = 2)
                Template Id: 256
                Option Scope Length: 4
                Option Length: 8
                Field (1/1) [Scope]: System
                    Scope Type: System (1)
                    Length: 0
                Field (1/2): SAMPLING_ALGORITHM
                    Type: SAMPLING_ALGORITHM (35)
                    Length: 1
                Field (2/2): SAMPLING_INTERVAL
                    Type: SAMPLING_INTERVAL (34)
                    Length: 4
            Padding: 0000
        FlowSet 3 [id=256] (1 flows)
            FlowSet Id: (Data) (256)
            FlowSet Length: 12
            [Template Frame: 16]
            Flow 1
                Sampling algorithm: Random sampling (2)
                Sampling interval: 1
            Padding: 000000
        FlowSet 4 [id=0] (Data Template): 261
            FlowSet Id: Data Template (V9) (0)
            FlowSet Length: 92
            Template (Id = 261, Count = 21)
                Template Id: 261
                Field Count: 21
                Field (1/21): IP_SRC_ADDR
                    Type: IP_SRC_ADDR (8)
                    Length: 4
                Field (2/21): IP_DST_ADDR
                    Type: IP_DST_ADDR (12)
                    Length: 4
                Field (3/21): IP_TOS
                    Type: IP_TOS (5)
                    Length: 1
                Field (4/21): PROTOCOL
                    Type: PROTOCOL (4)
                    Length: 1
                Field (5/21): L4_SRC_PORT
                    Type: L4_SRC_PORT (7)
                    Length: 2
                Field (6/21): L4_DST_PORT
                    Type: L4_DST_PORT (11)
                    Length: 2
                Field (7/21): ICMP_TYPE
                    Type: ICMP_TYPE (32)
                    Length: 2
                Field (8/21): INPUT_SNMP
                    Type: INPUT_SNMP (10)
                    Length: 4
                Field (9/21): SRC_MASK
                    Type: SRC_MASK (9)
                    Length: 1
                Field (10/21): DST_MASK
                    Type: DST_MASK (13)
                    Length: 1
                Field (11/21): SRC_AS
                    Type: SRC_AS (16)
                    Length: 4
                Field (12/21): DST_AS
                    Type: DST_AS (17)
                    Length: 4
                Field (13/21): BGP_NEXT_HOP
                    Type: BGP_NEXT_HOP (18)
                    Length: 4
                Field (14/21): TCP_FLAGS
                    Type: TCP_FLAGS (6)
                    Length: 1
                Field (15/21): OUTPUT_SNMP
                    Type: OUTPUT_SNMP (14)
                    Length: 4
                Field (16/21): IP_NEXT_HOP
                    Type: IP_NEXT_HOP (15)
                    Length: 4
                Field (17/21): BYTES
                    Type: BYTES (1)
                    Length: 4
                Field (18/21): PKTS
                    Type: PKTS (2)
                    Length: 4
                Field (19/21): FIRST_SWITCHED
                    Type: FIRST_SWITCHED (22)
                    Length: 4
                Field (20/21): LAST_SWITCHED
                    Type: LAST_SWITCHED (21)
                    Length: 4
                Field (21/21): IP_PROTOCOL_VERSION
                    Type: IP_PROTOCOL_VERSION (60)
                    Length: 1
        FlowSet 5 [id=261] (4 flows)
            FlowSet Id: (Data) (261)
            FlowSet Length: 244
            [Template Frame: 16]
            Flow 1
                SrcAddr: xxx.xxx.xxx.xxx
                DstAddr: xxx.xxx.xxx.xxx
                IP ToS: 0x00
                Protocol: TCP (6)
                SrcPort: 443 (443)
                DstPort: 17776 (17776)
                ICMP Type: 0x0000
                InputInt: 539
                SrcMask: 32
                DstMask: 32
                SrcAS: 0
                DstAS: 0
                BGPNextHop: 0.0.0.0
                TCP Flags: 0x1b, ACK, PSH, SYN, FIN
                    00.. .... = Reserved: 0x0
                    ..0. .... = URG: Not used
                    ...1 .... = ACK: Used
                    .... 1... = PSH: Used
                    .... .0.. = RST: Not used
                    .... ..1. = SYN: Used
                    .... ...1 = FIN: Used
                OutputInt: 0
                NextHop: 0.0.0.0
                Octets: 6166
                Packets: 9
                [Duration: 1.320000000 seconds (switched)]
                    StartTime: 2609.845000000 seconds
                    EndTime: 2611.165000000 seconds
                IPVersion: 4
            Flow 2
                SrcAddr: xxx.xxx.xxx.xxx
                DstAddr: xxx.xxx.xxx.xxx
                IP ToS: 0x00
                Protocol: TCP (6)
                SrcPort: 17776 (17776)
                DstPort: 443 (443)
                ICMP Type: 0x0000
                InputInt: 536
                SrcMask: 32
                DstMask: 32
                SrcAS: 0
                DstAS: 0
                BGPNextHop: 0.0.0.0
                TCP Flags: 0x1b, ACK, PSH, SYN, FIN
                    00.. .... = Reserved: 0x0
                    ..0. .... = URG: Not used
                    ...1 .... = ACK: Used
                    .... 1... = PSH: Used
                    .... .0.. = RST: Not used
                    .... ..1. = SYN: Used
                    .... ...1 = FIN: Used
                OutputInt: 539
                NextHop: 0.0.0.0
                Octets: 1441
                Packets: 13
                [Duration: 1.319000000 seconds (switched)]
                    StartTime: 2609.816000000 seconds
                    EndTime: 2611.135000000 seconds
                IPVersion: 4
            Flow 3
                SrcAddr: xxx.xxx.xxx.xxx
                DstAddr: xxx.xxx.xxx.xxx
                IP ToS: 0x00
                Protocol: UDP (17)
                SrcPort: 53 (53)
                DstPort: 12494 (12494)
                ICMP Type: 0x0000
                InputInt: 539
                SrcMask: 32
                DstMask: 29
                SrcAS: 0
                DstAS: 0
                BGPNextHop: 0.0.0.0
                TCP Flags: 0x00
                    00.. .... = Reserved: 0x0
                    ..0. .... = URG: Not used
                    ...0 .... = ACK: Not used
                    .... 0... = PSH: Not used
                    .... .0.. = RST: Not used
                    .... ..0. = SYN: Not used
                    .... ...0 = FIN: Not used
                OutputInt: 536
                NextHop: 10.232.4.3
                Octets: 76
                Packets: 1
                [Duration: 0.000000000 seconds (switched)]
                    StartTime: 2552.968000000 seconds
                    EndTime: 2552.968000000 seconds
                IPVersion: 4
            Flow 4
                SrcAddr: xxx.xxx.xxx.xxx
                DstAddr: xxx.xxx.xxx.xxx
                IP ToS: 0x00
                Protocol: UDP (17)
                SrcPort: 12494 (12494)
                DstPort: 53 (53)
                ICMP Type: 0x0000
                InputInt: 536
                SrcMask: 29
                DstMask: 32
                SrcAS: 0
                DstAS: 0
                BGPNextHop: 0.0.0.0
                TCP Flags: 0x00
                    00.. .... = Reserved: 0x0
                    ..0. .... = URG: Not used
                    ...0 .... = ACK: Not used
                    .... 0... = PSH: Not used
                    .... .0.. = RST: Not used
                    .... ..0. = SYN: Not used
                    .... ...0 = FIN: Not used
                OutputInt: 539
                NextHop: 0.0.0.0
                Octets: 60
                Packets: 1
                [Duration: 0.000000000 seconds (switched)]
                    StartTime: 2552.811000000 seconds
                    EndTime: 2552.811000000 seconds
                IPVersion: 4
    

    Some other templates are working fine.. I haven't worked out what the relationship is between the successful and failing ones yet.

    [vflow] 2017/12/03 14:52:29 {"AgentID":"10.232.4.5","Header":{"Version":9,"Count":7,"SysUpTime":1708483,"UNIXSecs":1512272852,"SeqNum":427,"SrcID":142},"DataSets":[[{"I":35,"V":2},{"I":34,"V":1},{"I":1,"V":"0x"}],[{"I":35,"V":0},{"I":34,"V":0},{"I":1,"V":"0x"}],[{"I":35,"V":1},.......

    Any thoughts on how to debug this further?

  • I get error

    C:\Users\59401>go get github.com/VerizonDigital/vflow/vflow

    github.com/VerizonDigital/vflow/mirror

    d:\users\go\src\github.com\VerizonDigital\vflow\mirror\mirror.go:65: undefined: syscall.IPPROTO_RAW
    d:\users\go\src\github.com\VerizonDigital\vflow\mirror\mirror.go:88: cannot assign syscall.Handle to conn.fd (type int) in multiple assignment
    d:\users\go\src\github.com\VerizonDigital\vflow\mirror\mirror.go:95: cannot use c.fd (type int) as type syscall.Handle in argument to syscall.Sendto
    d:\users\go\src\github.com\VerizonDigital\vflow\mirror\mirror.go:100: cannot use c.fd (type int) as type syscall.Handle in argument to syscall.Close

    github.com/VerizonDigital/vflow/producer

    d:\users\go\src\github.com\VerizonDigital\vflow\producer\kafka.go:78: undefined: sarama.CompressionLZ4

  • Monitoring with influxdb

    How can I use Grafana and InfluxDb for monitoring vflow? I could not find any documentation for enabling monitoring. I am running vflow and influxdb on separate dockers.

  • Errors in trying to use this project as a library

    Last release was 0.9.0 back in 2020.

    At that point in time, the go.mod in this project referred to this project as github.com/VerizonDigital/vflow. See

    Go tooling tries to pull the latest tag which is 0.9.0 and then fails because it's trying to download github.com/EdgeCast/vflow but the project in that tag is still called, github.com/VerizonDigital/vflow.

    emerald :: ~/hobby/netflow.test 130 » go get -u github.com/EdgeCast/vflow/vflow
    go: github.com/EdgeCast/[email protected]: parsing go.mod:
    	module declares its path as: github.com/VerizonDigital/vflow
    	        but was required as: github.com/EdgeCast/vflow
    

    Please create a new release. The project name in go.mod has been updated already so a new release should fix the problem.

  • Netflow: index out of range [Huawei]

    We are receiving netflow v9 flows from a Huawei device. vflow immediately errors out:

    panic: runtime error: index out of range
    
    goroutine 66 [running]:
    github.com/VerizonDigital/vflow/ipfix.Interpret(0xc4202ceb20, 0xf, 0xc4202ceac0, 0xc420126918)
            /root/go/src/github.com/VerizonDigital/vflow/ipfix/interpret.go:67 +0x63c
    github.com/VerizonDigital/vflow/netflow/v9.(*Decoder).decodeData(0xc4202ceeb0, 0x160523, 0xc4203b6000, 0x16, 0x20, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
            /root/go/src/github.com/VerizonDigital/vflow/netflow/v9/decoder.go:345 +0x1f3
    github.com/VerizonDigital/vflow/netflow/v9.(*Decoder).decodeSet(0xc4202ceeb0, 0xc4203702c0, 0x20, 0x2a, 0xc4202d6140, 0x0, 0x0)
            /root/go/src/github.com/VerizonDigital/vflow/netflow/v9/decoder.go:463 +0x422
    github.com/VerizonDigital/vflow/netflow/v9.(*Decoder).Decode(0xc4202ceeb0, 0xc4203702c0, 0x20, 0x2a, 0x1, 0xb7c620, 0xc4202de000)
            /root/go/src/github.com/VerizonDigital/vflow/netflow/v9/decoder.go:399 +0x156
    main.(*NetflowV9).netflowV9Worker(0xc420121b60, 0xc4203400c0)
            /root/go/src/github.com/VerizonDigital/vflow/vflow/netflow_v9.go:204 +0x394
    main.(*NetflowV9).run.func1(0xc420121b60)
            /root/go/src/github.com/VerizonDigital/vflow/vflow/netflow_v9.go:107 +0x89
    created by main.(*NetflowV9).run
            /root/go/src/github.com/VerizonDigital/vflow/vflow/netflow_v9.go:108 +0x180
    

    Can send a pcap file in a private mail if you prefer.

    We are running the binary downloaded from the release page on redhat 7.2

  • Error in parse strings with variable length

    According to RFC7011 Section 6.1.6, "The string is sent as an array of zero or more octets using Information Element fixed or variable length." We can have a variable length: "In the Template Set, the Information Element Field Length is as 65535. This reserved length value notifies the that the value of the Information Element will be carried the Information Element content itself." But this is not supported by vFlow, and it uses 65535 for the size of all of the strings.

  • ipfix/nf9 unknown elements cause whole data to be dropped

    ipfix/nf9 templates define fields and their length, but not their exact type (string, byte, etc). The type is defined in list maintained by IANA (https://www.iana.org/assignments/ipfix/ipfix.xhtml), and there's rfc51024_model.go and the ipfix.elements files in the vflow project that try to keep up with known elements.

    In addition, there's support for organization level elements, which vflow has no chance to keep up with each element added by every netflow exporter out there.

    Today when vflow encounters an unknown element it aborts handling of other fields, see ipfix/decoder.go, method decodeData, where it returns nonfatalerror if InfoModel has no information.

    I think it is not reasonable to ignore all data if one part cannot be accurately parsed, forcing vflow users to continuously chase new elements sent by the multitude of vendors in their network.

    Option 1) Change the logic to skip over such elements. This can perhaps be covered by a new options flag.

    Option 2) Encode such unknown elements to the resulting JSON, but as we do not know the type, send them as octet array. This behavior can perhaps be toggled by a new options flag.

    At any rate, we can leave the ipfix.elements file, in case someone does wish to add type info for some elements, if he wishes to get those, and wants vflow to properly parse them and not get them as octetArray.

    In both cases, the code in ipfix/decoder.go getDataLength method must be changed, as it today checks the field type to handle the special case of length 65535. If we do not know the type, we cannot check it. The RFC at any rate doesn't say that the special encoding of 65535 can only be used for string or octetArray.

    Input from the community on this would be appreciated.
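The two IPFIX issues above (the 65535 variable-length marker and unknown elements aborting a record) meet in one decoding loop. The sketch below is an added example, not vFlow's decoder: it takes the length prefix rules from RFC 7011 Section 7 (one length octet, or 255 followed by a 16-bit length), applies them regardless of element type, bounds-checks every read, and emits unknown elements as hex octet arrays. The tiny `knownTypes` table, the function names and the sample bytes are constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"net"
)

// varLen is the template field length that marks a variable-length element.
const varLen = 65535

var errShort = errors.New("ipfix: record shorter than its template")

// Field is one (element ID, length) pair from a template.
type Field struct{ ID, Length uint16 }

// Value is one decoded element, shaped like the "I"/"V" pairs vFlow emits.
type Value struct {
	I uint16
	V interface{}
}

// knownTypes is a deliberately tiny stand-in for an element type table.
var knownTypes = map[uint16]string{
	7:  "unsigned16",  // sourceTransportPort
	8:  "ipv4Address", // sourceIPv4Address
	82: "string",      // interfaceName
}

// fieldLen returns the content length and the size of the length prefix.
// The 65535 marker is honoured for every element, typed or not.
func fieldLen(data []byte, f Field) (n, prefix int, err error) {
	if f.Length != varLen {
		return int(f.Length), 0, nil
	}
	if len(data) < 1 {
		return 0, 0, errShort
	}
	if data[0] < 255 { // short form: one length octet
		return int(data[0]), 1, nil
	}
	if len(data) < 3 { // long form: 255, then a 16-bit length
		return 0, 0, errShort
	}
	return int(binary.BigEndian.Uint16(data[1:3])), 3, nil
}

// interpret converts raw octets by type; unknown elements, and lengths that
// do not fit the declared type, fall back to a hex octet array.
func interpret(id uint16, raw []byte) interface{} {
	switch knownTypes[id] {
	case "unsigned16":
		if len(raw) == 2 {
			return binary.BigEndian.Uint16(raw)
		}
	case "ipv4Address":
		if len(raw) == 4 {
			return net.IP(raw).String()
		}
	case "string":
		return string(raw)
	}
	return "0x" + hex.EncodeToString(raw)
}

// DecodeRecord walks one data record and returns its values plus the
// number of octets consumed. It never reads past the end of data.
func DecodeRecord(data []byte, tpl []Field) ([]Value, int, error) {
	out := make([]Value, 0, len(tpl))
	off := 0
	for _, f := range tpl {
		n, prefix, err := fieldLen(data[off:], f)
		if err != nil {
			return nil, off, fmt.Errorf("element %d at offset %d: %w", f.ID, off, err)
		}
		off += prefix
		if n > len(data)-off {
			return nil, off, fmt.Errorf("element %d at offset %d: %w", f.ID, off, errShort)
		}
		out = append(out, Value{I: f.ID, V: interpret(f.ID, data[off:off+n])})
		off += n
	}
	return out, off, nil
}

// Constructed sample: a template and one matching data record.
var sampleTemplate = []Field{{8, 4}, {7, 2}, {82, varLen}, {999, varLen}}
var sampleRecord = []byte{
	192, 168, 21, 15, // element 8
	0x01, 0xbb, // element 7 = 443
	3, 'g', 'e', '0', // element 82, short length form
	255, 0x00, 0x02, 0xde, 0xad, // element 999 (not in knownTypes), long form
}

func main() {
	vals, n, err := DecodeRecord(sampleRecord, sampleTemplate)
	fmt.Println(vals, n, err)
	_, _, err = DecodeRecord(sampleRecord[:8], sampleTemplate) // truncated datagram
	fmt.Println(err)
}
```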

  • Proposal - support of extended sflow format

    There are several people that asked for extending vflow support of sflow that it'll parse extended sample and counter packets (type 3 and 4). Specifically, @KrunalT, @yangyu66 in issue #154, and @ttrading in issue #125

    At my place of work we also need to support this. Some work was done internally at my place of work, but it is not fully polished, and while working on the code, saw several issues with the parsing done today, which need to be solved before adding support for type 3 and 4.

    Issue 1 is that in compact format of sflow sample, the source id is today read as the first 8 bits, which is wrong. This is explained in more detail in issue #178. In extended format, after issue #178 is fixed, then the code change is pretty straight-forward. In compact format read the first 1 byte and cast to 4 bytes as the source id format, and read the remaining 3 bytes and cast to 32-bit as the source id value. For extended format just read 4 bytes and 4 bytes, as the source id format and source id value. This applies to both sflow expanded sample and sflow expanded counter.

    Issue 2 is that the output interface in sflow sample is read as the whole 32 bits, while the standard says that the first 2 bits are to be parsed as type, and the rest 30 bits are the value. The value should be interpreted as index only if the first 2 bits are b00. For b01 it represents some drop reason, and for b10 it represents the number of interfaces the packet was sent to. Sending the whole 32 bits as output interface index is wrong, but at least gives the opportunity for the reader of vflow's output the ability to parse the value, as it knows vflow only supports non-extended format. For this to work properly when we add support for extended format, IMHO the most reasonable thing is to change vflow JSON output, so that we no longer give just "Output" as the output interface index, but split it OutputInterfaceType and OutputInterfaceValue. The OutputInterfaceType will be either 2 or 32 bits from the packet (depending on compact/expanded format) and the OutputInterfaceValue will be the next 30/32 bits from the packet (depending on compact/expanded format). This is a breaking change, but I think it is reasonable.

    The input interface is also split as 4+4 bytes (compared to 2/30 bits in compact format), but the standard says that the first 4 bytes (or first 2 bits) are always 0, and the remaining 4 bytes always represent the input interface index. This requires minor adjustment of the code to just skip over the first 4 bytes.

    Input from the community is appreciated, both regarding the proposed code / JSON format change, and how you today handle the problematic behaviour of vflow for compact formats for the source id and the output interface.

  • Parsing of sflow SourceID from sample record is wrong

    According to the sflow RFC 3176, page 19, the struct flow_sample contains 4 bytes of source id, where the first byte is the type (0 = ifindex, 1 = smonVlanDataSource, etc), and the remaining 3 bytes are the actual value (interface index, vlan id, etc).

    The code in flow_sample reads only the first 1 byte, skipping the other 3, and declares this as "SourceID". See FlowSample's unmarshal method. This is wrong. The code in flow_counter does the right thing, and reads those 4 bytes into two fields, SourceIDType and SourceIDIdx. See CounterSample's unmarshal method.

    I suggest we copy the code behaviour from sflow_counter.go to sflow_sample.go. This leads to breaking of the output, which isn't that great, but honestly can't think of anybody today who reads the current SourceID field from the JSON, as it contains no useful information.

    Input from the community on this would be appreciated.
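
Added example (not vflow's code and not part of either issue above): a Go sketch of the field layouts the two sFlow issues describe, covering the compact 8/24-bit source id, the compact 2/30-bit interface word and the expanded 4+4 byte form. The type and function names are hypothetical and the sample bytes are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// TypedValue is a hypothetical holder for a (type or format, value) pair.
type TypedValue struct{ Type, Value uint32 }

var errShort = errors.New("sflow: truncated field")

// compactSourceID splits the 4-byte compact source_id: the top byte is the
// type (0 = ifIndex, 1 = smonVlanDataSource), the low 3 bytes the index.
func compactSourceID(b []byte) (TypedValue, error) {
	if len(b) < 4 {
		return TypedValue{}, errShort
	}
	w := binary.BigEndian.Uint32(b)
	return TypedValue{Type: w >> 24, Value: w & 0x00ffffff}, nil
}

// compactInterface splits a 4-byte compact input/output word: the top 2 bits
// are the format (0 = ifIndex, 1 = drop reason, 2 = number of interfaces),
// the low 30 bits the value.
func compactInterface(b []byte) (TypedValue, error) {
	if len(b) < 4 {
		return TypedValue{}, errShort
	}
	w := binary.BigEndian.Uint32(b)
	return TypedValue{Type: w >> 30, Value: w & 0x3fffffff}, nil
}

// expanded reads the 4+4 byte form that expanded samples use for both fields.
func expanded(b []byte) (TypedValue, error) {
	if len(b) < 8 {
		return TypedValue{}, errShort
	}
	return TypedValue{binary.BigEndian.Uint32(b), binary.BigEndian.Uint32(b[4:])}, nil
}

func main() {
	// Constructed bytes: VLAN data source 100; output sent to 3 interfaces.
	src, _ := compactSourceID([]byte{0x01, 0x00, 0x00, 0x64})
	out, _ := compactInterface([]byte{0x80, 0x00, 0x00, 0x03})
	fmt.Printf("source=%+v output=%+v\n", src, out)
	// Read as one 32-bit index, the same output word would be 2147483651.
	fmt.Println(binary.BigEndian.Uint32([]byte{0x80, 0x00, 0x00, 0x03}))
}
```

A consumer that keys detections or traffic attribution on interface index should check the format bits first, since a drop reason or an interface count read as an index points at an interface that does not exist.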

  • nf9/ipfix fields of type String are copied to the JSON output as-is, without handling special characters

    The nf9/ipfix protocols have many fields of type 'string'. The code today just takes the string as it appears in the packet and puts it in the JSON output. There are various special characters that cannot be written to JSON as-is, for example double-quote. These need to be properly escaped.

    One possible solution is to keep the existing manual marshaling code, but change this

    case string:
    	b.WriteByte('"')
    	b.WriteString(m.DataSets[i][j].Value.(string))
    	b.WriteByte('"')

    to use Go's built-in json.Marshal function, like so:

    case string:
    	var asJson, _ = json.Marshal(m.DataSets[i][j].Value.(string))
    	b.Write(asJson)
    

    My measurements show that this has minimal impact on performance.

    Another option would be to properly encode special characters manually.
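
Added example (not vflow's code and not part of the issue above): the unescaped write the issue describes next to the json.Marshal variant, each decoded the way a downstream consumer would. The helper names are hypothetical and the sample strings are constructed.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// writeRaw reproduces the behaviour the issue describes: the string value
// is copied between two quote bytes with no escaping. (Hypothetical helper.)
func writeRaw(id int, v string) []byte {
	var b bytes.Buffer
	fmt.Fprintf(&b, `{"I":%d,"V":`, id)
	b.WriteByte('"')
	b.WriteString(v)
	b.WriteByte('"')
	b.WriteByte('}')
	return b.Bytes()
}

// writeEscaped is the proposed fix: json.Marshal quotes and escapes the value.
func writeEscaped(id int, v string) []byte {
	var b bytes.Buffer
	fmt.Fprintf(&b, `{"I":%d,"V":`, id)
	s, _ := json.Marshal(v) // does not fail for a plain string
	b.Write(s)
	b.WriteByte('}')
	return b.Bytes()
}

// roundTrip decodes a record the way a downstream consumer would and
// returns the value it sees for "V".
func roundTrip(rec []byte) (string, error) {
	var out struct{ V string }
	err := json.Unmarshal(rec, &out)
	return out.V, err
}

func main() {
	// Constructed sample strings, as an exporter might send in a string field.
	for _, v := range []string{`xe-0/0/1`, `core "uplink"`, `C:\new`, "a\nb"} {
		raw, rawErr := roundTrip(writeRaw(82, v))
		esc, escErr := roundTrip(writeEscaped(82, v))
		fmt.Printf("%q raw: %q err=%v | escaped: %q err=%v\n", v, raw, rawErr, esc, escErr)
	}
}
```

The backslash case is the one to watch in a pipeline: the raw record still parses, so the consumer stores a value that differs from what the exporter sent without seeing any error.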
