This is to answer my own e-mail. The packets are sflow packets which can be captured by sfcapd.
----------------------------------------
From: dbpa...@hotmail.com
To: nfdump-discuss@lists.sourceforge.net
Date: Wed, 30 Jul 2014 17:48:23 +0800
Subject: [Nfdump-discuss] Unable to decode this netflow packets

I am now trying to use nfdump to replace a proprietary product which is currently monitoring dozens of pieces of network equipment belonging to other users. I found that nfcapd is unable to store captured packets from this equipment, which can be done with the proprietary product.

The netflow packet header is "00 00 00 04 ..." (highlighted in red). If interpreted directly with its definition, it will mean "netflow version 0 with 4 flows exported in this packet", which is obviously incorrect.

The packets are captured by "tcpdump". I can capture the valid packets from other equipment, so I am sure the capture process is not the problem.

Please advise if you have any idea what netflow version or variant it is, and if nfcapd/nfdump can capture/decode it.

Packet dump (packet #3):

0000 08 00 27 39 52 3e 08 00 27 71 39 ca 08 00 45 00 ..'9R>..'q9...E.
0010 00 cc ee bd 00 00 40 11 70 fa 0a 63 e0 52 0a 63 ......@.p..c.R.c
0020 25 51 04 02 08 07 00 b8 36 c1 00 00 00 04 00 00 %Q......6.......
0030 00 01 0a 63 e0 52 00 a8 89 08 9f 0c 5d 34 00 00 ...c.R......]4..
0040 00 01 00 00 00 01 00 8b d7 47 00 00 00 04 00 00 .........G......
0050 03 e8 72 73 df 69 00 00 00 00 00 00 00 00 00 00 ..rs.i..........
0060 00 04 00 00 00 01 00 00 00 01 00 00 00 40 00 00 .............@..
0070 00 3c 00 1a f0 13 89 41 00 23 89 4f 4b cd 08 00 .<.....A.#.OK...
0080 45 00 00 28 3e f0 40 00 7d 06 7f e6 0a 0e 02 76 E..(>.@.}......v
0090 0a 75 28 01 00 50 0c 62 57 e0 ee 48 73 f1 e4 63 .u(..P.bW..Hs..c
00a0 50 10 ff 70 c6 39 00 00 00 00 00 00 00 00 00 00 P..p.9..........
00b0 00 02 00 00 00 02 00 00 00 01 0a 63 e0 51 00 00 ...........c.Q..
00c0 00 18 00 00 00 10 00 00 00 01 00 00 00 00 00 00 ................
00d0 00 00 00 00 00 00 00 00 00 00 ..........
_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
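The check that separates the two protocols in this thread, as an added example that is not part of the original messages or of nfdump: NetFlow and IPFIX begin with a 16-bit version, while sFlow begins with a 32-bit version followed by an agent address type. The function names and the accepted version sets are assumptions; `SAMPLE` is built from the payload bytes in the dump above.

```python
import ipaddress
import struct

# Constructed from the quoted packet dump: the UDP payload starting at
# offset 0x2a, up to (not including) the first sample record.
SAMPLE = bytes.fromhex(
    "00000004" "00000001" "0a63e052" "00a88908" "9f0c5d34" "00000001"
)

# Assumed set of 16-bit versions a NetFlow/IPFIX collector would accept.
NETFLOW_VERSIONS = {1: "NetFlow v1", 5: "NetFlow v5", 7: "NetFlow v7",
                    9: "NetFlow v9", 10: "IPFIX"}


def classify(payload: bytes) -> str:
    """Guess the export protocol from the first bytes of a UDP payload."""
    if len(payload) < 8:
        return "unknown"
    (ver16,) = struct.unpack_from("!H", payload, 0)
    if ver16 in NETFLOW_VERSIONS:
        return NETFLOW_VERSIONS[ver16]
    # sFlow: 32-bit version, then address type 1 (IPv4) or 2 (IPv6).
    ver32, addr_type = struct.unpack_from("!II", payload, 0)
    if ver32 in (2, 4, 5) and addr_type in (1, 2):
        return f"sFlow v{ver32}"
    return "unknown"


def parse_sflow_header(payload: bytes) -> dict:
    """Decode the sFlow datagram header (versions 4 and 5 only)."""
    if len(payload) < 8:
        raise ValueError("truncated sFlow header")
    ver, addr_type = struct.unpack_from("!II", payload, 0)
    if ver not in (4, 5) or addr_type not in (1, 2):
        raise ValueError("not an sFlow v4/v5 datagram")
    off = 8 + (4 if addr_type == 1 else 16)
    if len(payload) < off + (16 if ver == 5 else 12):
        raise ValueError("truncated sFlow header")
    hdr = {"version": ver, "agent": str(ipaddress.ip_address(payload[8:off]))}
    if ver == 5:  # v5 inserts sub_agent_id after the agent address
        (hdr["sub_agent_id"],) = struct.unpack_from("!I", payload, off)
        off += 4
    hdr["sequence"], hdr["uptime_ms"], hdr["samples"] = struct.unpack_from(
        "!III", payload, off)
    return hdr
```

Read as NetFlow, the first 16 bits of `SAMPLE` give version 0, which is why nfcapd does not store these packets.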