Flow record [8800,2] from Ubiquiti, VyOS

[Tyler Hart]

Hello all,

I'm in the process of adding sFlow functionality to the Flow Analyzer project and have run into a snag - 8800,2 coming from Ubiquiti and VyOS devices. I've wrote parsers for almost every record format in Enterprise 0, and I see that 8800 is mentioned in code comments as coming from PMACCT, So far I see mentions of sFlow Extended Class and sFlow Extended Tag, but from there the documentation takes me in circles.

I've parsed the single UINT field in 8800,2 and gotten "4", but I can't find a structure that helps me parse what "4" means. Any help would be very much appreciated! Thanks.

[Peter Phaal]

Published structure numbers are listed on sFlow.org:

http://sflow.org/developers/structures.php

Enterprise number 8800
(https://www.iana.org/assignments/enterprise-numbers/enterprise-numbers)
is registered to:

8800
YH Consulting
Robert Ellis
r.ellis&snet.net

It looks like PMACCT is using the 8800 enterprise number to define
structures associated with its packet classifier.

https://github.com/pmacct/pmacct

/* enterprise = 8800 pmacct */
SFLFLOW_EX_CLASS = (8800 << 12) + 1,
SFLFLOW_EX_TAG = (8800 << 12) + 2,

You will need to look at the PMACCT code or ask a question on the
PMACCT mailing list to get more information on their meaning.

[Tyler Hart]

Thanks for replying Peter. I've been digging through the pmacct code and their documentation, but again it's leading me in circles (or the docs are incomplete). I'm going to ping them on their mailing list and once I get an answer I'll document and reply here just in case anyone else is seeing the same. Thanks again!