I was looking at a Wireshark packet capture of some IPFIX traffic coming from a Nortel switch and quickly saw a few things that puzzled me. At first, I started splitting hairs because I was thinking that if Nortel is going to market IPFIX support, it should adhere to the standard (RFC 5101).
Then again, it might have better luck working with the various NetFlow traffic analyzer solutions on the market if it makes the exported data look like Cisco NetFlow v9.
Below is a screen capture of Wireshark tearing apart a Nortel IPFIX/NetFlow v9 frame. Notice that it says Version: 9 and that the value below it, in hexadecimal, is 00 09. According to the RFC, the value should be 00 0a if this were truly IPFIX.
I want to point out again that above it says Cisco NetFlow/IPFIX, so you can see what I mean by splitting hairs. The section that confused me from RFC 5101 is below.
By the way, if you want to learn more about the differences between IPFIX and Cisco NetFlow v9, check out this blog post.
RFC 5101 IPFIX Protocol Specification January 2008
Message Header Field Descriptions:
Version of Flow Record format exported in this message. The value
of this field is 0x000a for the current version, incrementing by
one the version used in the NetFlow services export version 9
<<< — end paste — >>>
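To show what that version field decides in practice, here is an added example (my own code, not from Nortel, Wireshark, or the RFC): a small Python function that reads the first two bytes of an export packet and parses the header as NetFlow v9 (RFC 3954) or IPFIX (RFC 5101) accordingly. A box that advertises IPFIX but sends 00 09 lands in the NetFlow v9 branch. The sample headers are constructed, not captured from a switch.

```python
import struct

# Version values from the message headers: 9 = Cisco NetFlow v9 (RFC 3954),
# 10 (0x000a) = IPFIX (RFC 5101).
NETFLOW_V9 = 0x0009
IPFIX = 0x000A


def classify_export_header(packet: bytes) -> dict:
    """Read the version field and parse the matching message header."""
    if len(packet) < 2:
        raise ValueError("packet too short to carry a version field")
    version = struct.unpack("!H", packet[:2])[0]
    if version == NETFLOW_V9:
        # RFC 3954 packet header (20 bytes): version, count, sysUpTime,
        # UNIX secs, sequence number, source ID.
        if len(packet) < 20:
            raise ValueError("truncated NetFlow v9 header")
        _, count, sys_uptime, unix_secs, seq, source_id = struct.unpack(
            "!HHIIII", packet[:20])
        return {"protocol": "NetFlow v9", "version": version, "count": count,
                "sys_uptime_ms": sys_uptime, "unix_secs": unix_secs,
                "sequence": seq, "source_id": source_id}
    if version == IPFIX:
        # RFC 5101 message header (16 bytes): version, length, export time,
        # sequence number, observation domain ID.
        if len(packet) < 16:
            raise ValueError("truncated IPFIX header")
        _, length, export_time, seq, domain_id = struct.unpack(
            "!HHIII", packet[:16])
        if length > len(packet):
            # A length field larger than the datagram is a malformed message.
            raise ValueError("IPFIX length field exceeds packet size")
        return {"protocol": "IPFIX", "version": version, "length": length,
                "export_time": export_time, "sequence": seq,
                "observation_domain_id": domain_id}
    # Any other version (v5, v1, garbage) is not handled by this example.
    return {"protocol": "unknown", "version": version}


# Constructed sample headers (not captured from a real switch).
SAMPLE_V9 = struct.pack("!HHIIII", 0x0009, 2, 123456, 1199145600, 42, 0)
SAMPLE_IPFIX = struct.pack("!HHIII", 0x000A, 16, 1199145600, 42, 256)

if __name__ == "__main__":
    print(classify_export_header(SAMPLE_V9))
    print(classify_export_header(SAMPLE_IPFIX))
```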
Yes, I know it is silly to point out and I’m not making a huge fuss over it, but I think it is important to point this stuff out. These things can confuse some people like me (LOL).
And by the way, it is sampled IPFIX. Nortel claims 100% (unsampled) capture on the Nortel 8600 series, like Cisco and Enterasys, but our customers haven’t seen it work too well.