[j-nsp] cFlow record sequence numbers?

[Pete Crocker]

Hey Juniper gurus,

I'm trying to make sense of some cflow records being generated by a  
T640. There T640s are doing cflow export, both with two equal cost  
interfaces towards the flow collection / fanout box.

I've done some tcpdumps, it took a little while to spot this but the  
following is happening. I see two interleaved sets of flow packet  
batches. One set has sequence numbers beginning with 8 and the other  
beginning with 2. All arriving in the correct order.

So we have 60-70 packets in a row with seq 8xxxxxxx
60-70 packets in a row with seq 2xxxxxxx
60-70 packets in a row with seq 8xxxxxxx
60-70 packets in a row with seq 2xxxxxxx

Each 8xxx batch follows sequentially from the previous 8xxx batch  
etc. and the time stamps are all in time order across all batches.

It looks as though the Juniper is using a different sequence number  
set for each equal-cost interface it has towards the flow collector  
and sends one batch from each alternately. I am not sure if sequence  
numbers are meant to be separate sequences for each interface being  
monitored or whether they are aggregated together and are a sequence  
for the entire router. Equally, I can kind of understand that this  
would be a way of marking which packets are which when multiple  
interfaces are used, but can't you ascertain that from the flow  
record anyways?

Can anyone provide some insight in to why two sets of sequence  
numbers are used?

Cheers,
-pete