Re: [IPFIX] Question regarding packet capturing with IPFIX

Paul Aitken <> Fri, 10 April 2015 08:18 UTC

From: Paul Aitken <>
To: Prashant Upadhyaya <>, "" <>
Date: Fri, 10 Apr 2015 10:18:30 +0200
Thread-Topic: Question regarding packet capturing with IPFIX
References: <3280fb63009e499dbdeeceeb1049f06f@GURMBXV02.AD.ARICENT.COM>
In-Reply-To: <3280fb63009e499dbdeeceeb1049f06f@GURMBXV02.AD.ARICENT.COM>
Subject: Re: [IPFIX] Question regarding packet capturing with IPFIX
List-Id: IPFIX WG discussion list <>


Refer to RFC2804, "IETF Policy on Wiretapping". Several of the IPFIX and PSAMP RFCs (7013, 7014, 7133, 5474, 5476, 5477) refer to that.

Some of the Information Elements also specifically call out RFC2804 - e.g., 313 ipHeaderPacketSection:

With sufficient length, this element also reports octets from the IP payload. However, full packet capture of arbitrary packet streams is explicitly out of scope per the Security Considerations sections of [RFC5477] and [RFC2804].


From: IPFIX [] On Behalf Of Prashant Upadhyaya
Sent: 10 April 2015 06:33
Subject: [IPFIX] Question regarding packet capturing with IPFIX


We can sample an IP flow with IPFIX.
My question is: when a packet is picked up in the sampling in IPFIX, can I take that full packet out and export it outside for analysis, or only a certain number of bytes of that packet as an upper limit?
E.g., when using sFlow, the sampled packet's maximum number of bytes captured is 256.


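The thread turns on how many octets of a sampled packet an exporter may put into ipHeaderPacketSection and how a collector reads them back. The following is an added example, not code from the mailing list, the RFCs, or any IPFIX implementation: it applies an exporter-side octet cap to each sampled packet, frames the truncated sections as a variable-length IE 313 inside an IPFIX message (version 10, template set ID 2, data set ID 256, RFC 7011 variable-length encoding), and parses the message back. The cap value MAX_SECTION_OCTETS (256, mirroring the sFlow figure in the question), the template ID and the sample packets are all constructed for this illustration; a real deployment would pick the cap from its own policy.

```python
import struct

IPFIX_VERSION = 10
IE_IP_HEADER_PACKET_SECTION = 313   # ipHeaderPacketSection in the IANA IPFIX registry
VARIABLE_LENGTH = 0xFFFF            # RFC 7011 section 7: field length marker for variable-length IEs
TEMPLATE_SET_ID = 2                 # RFC 7011: set ID 2 carries template records
TEMPLATE_ID = 256                   # constructed; data set IDs start at 256
MAX_SECTION_OCTETS = 256            # constructed exporter-side cap, same figure as the sFlow default cited above


def truncate_section(packet, limit=MAX_SECTION_OCTETS):
    """Exporter-side bound: only the first `limit` octets of a sampled packet are exported."""
    return bytes(packet[:limit])


def encode_varlen(value):
    """RFC 7011 variable-length encoding: 1-byte length, or 0xFF followed by a 2-byte length."""
    n = len(value)
    if n < 255:
        return bytes([n]) + value
    return b"\xff" + struct.pack("!H", n) + value


def decode_varlen(buf, offset):
    """Inverse of encode_varlen; returns (value, new_offset) and refuses lengths past the buffer."""
    n = buf[offset]
    offset += 1
    if n == 255:
        n = struct.unpack_from("!H", buf, offset)[0]
        offset += 2
    if offset + n > len(buf):
        raise ValueError("variable-length field runs past end of message")
    return buf[offset:offset + n], offset + n


def build_template_set():
    # One template with a single variable-length field: IE 313.
    record = struct.pack("!HHHH", TEMPLATE_ID, 1, IE_IP_HEADER_PACKET_SECTION, VARIABLE_LENGTH)
    return struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(record)) + record


def build_data_set(sections):
    body = b"".join(encode_varlen(s) for s in sections)
    return struct.pack("!HH", TEMPLATE_ID, 4 + len(body)) + body


def build_message(sections, export_time=0, sequence=0, observation_domain=1):
    """Assemble an IPFIX message: 16-byte header, then the template set and one data set."""
    sets = build_template_set() + build_data_set(sections)
    header = struct.pack("!HHIII", IPFIX_VERSION, 16 + len(sets), export_time, sequence, observation_domain)
    return header + sets


def parse_message(msg):
    """Collector side: learn templates, then return the list of exported packet sections."""
    version, length, _export_time, _seq, _odid = struct.unpack_from("!HHIII", msg, 0)
    if version != IPFIX_VERSION or length != len(msg):
        raise ValueError("bad IPFIX header")
    templates = {}
    sections = []
    offset = 16
    while offset < length:
        set_id, set_len = struct.unpack_from("!HH", msg, offset)
        end = offset + set_len
        pos = offset + 4
        if set_id == TEMPLATE_SET_ID:
            while pos + 4 <= end:
                tid, count = struct.unpack_from("!HH", msg, pos)
                pos += 4
                fields = []
                for _ in range(count):
                    ie, flen = struct.unpack_from("!HH", msg, pos)
                    pos += 4
                    fields.append((ie, flen))
                templates[tid] = fields
        elif set_id >= 256:
            fields = templates[set_id]
            while pos < end:
                record = {}
                for ie, flen in fields:
                    if flen == VARIABLE_LENGTH:
                        value, pos = decode_varlen(msg, pos)
                    else:
                        value = msg[pos:pos + flen]
                        pos += flen
                    record[ie] = value
                sections.append(record[IE_IP_HEADER_PACKET_SECTION])
        offset = end
    return sections


if __name__ == "__main__":
    # Constructed sample packets: one 1536-octet, one 60-octet.
    big = bytes(range(256)) * 6
    small = bytes(range(60))
    msg = build_message([truncate_section(big), truncate_section(small)])
    for section in parse_message(msg):
        print(len(section), "octets exported")
```

Because the cap is applied before framing, the 1536-octet packet leaves the exporter as exactly 256 octets (the 0xFF three-byte length form, since 256 is not below 255), while the 60-octet packet is exported whole with a one-byte length; the collector never sees more than the configured bound.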