Hi all,

As far as I can tell nfdump currently does not support parsing the ethertype field from ethernet headers.

I have a Cisco 4500X netflow v9 exporter that exports records with the following L2 info:

    flow record L2
     match datalink ethertype
     match datalink mac source address input
     match datalink mac destination address input
     collect interface input
     collect interface output
     collect counter bytes long
     collect counter packets long

This is exported fine - "screenshots" from Wireshark:

Flexible Netflow Template:

    Cisco NetFlow/IPFIX
        Version: 9
        Count: 1
        SysUptime: 21745108
        Timestamp: Nov 27, 2014 11:15:00.000000000 CET
        FlowSequence: 3953
        SourceId: 0
        FlowSet 1
            FlowSet Id: Data Template (V9) (0)
            FlowSet Length: 36
            Template (Id = 256, Count = 7)
                Template Id: 256
                Field Count: 7
                Field (1/7): ethernetType (256)
                Field (2/7): SRC_MAC (56)
                Field (3/7): DESTINATION_MAC (80)
                Field (4/7): INPUT_SNMP (10)
                Field (5/7): OUTPUT_SNMP (14)
                Field (6/7): BYTES (1)
                Field (7/7): PKTS (2)

Flow data:

    Cisco NetFlow/IPFIX
        Version: 9
        Count: 1
        SysUptime: 21878064
        Timestamp: Nov 27, 2014 11:17:13.000000000 CET
        FlowSequence: 4003
        SourceId: 0
        FlowSet 1
            FlowSet Id: (Data) (256)
            FlowSet Length: 42
            Flow 1
                Ethernet Type: 34525 (86dd -> IPv6)
                Source Mac Address: Cisco_xx:xx:xx (58:8d:09:xx:xx:xx)
                Destination Mac Address: Cisco_yy:yy:yy (00:1b:0d:yy:yy:yy)
                InputInt: 9
                OutputInt: 43
                Octets: 1955
                Packets: 18

By running nfcapd with -T 10,11 I can see MAC addresses:

    # nfcapd -p 1555 -l . -T 10,11 -E
    Add extension: 2 byte input/output interface index
    Add extension: 4 byte input/output interface index
    Add extension: 2 byte src/dst AS number
    Add extension: 4 byte src/dst AS number
    Add extension: in src/out dst mac address
    Add extension: in dst/out src mac address
    Bound to IPv4 host/IP: any, Port: 1555
    Startup.

    Flow Record:
      Flags = 0x06 FLOW, Unsampled
      export sysid = 1
      size = 96
      first = 0 [1970-01-01 01:00:00]
      last = 0 [1970-01-01 01:00:00]
      msec_first = 0
      msec_last = 0
      src addr = 0.0.0.0
      dst addr = 0.0.0.0
      src port = 0
      dst port = 0
      fwd status = 0
      tcp flags = 0x00 ......
      proto = 0 0
      (src)tos = 0
      (in)packets = 19
      (in)bytes = 8771
      input = 9
      output = 15
      in src mac = 58:8d:09:xx:xx:xx
      out dst mac = 00:00:00:00:00:00
      in dst mac = 00:1b:0d:yy:yy:yy
      out src mac = 00:00:00:00:00:00

But ethertype data is missing. And there is no extension for it as far as I can tell.

Am I just missing something obvious? Could support for this be added?

Best regards
Matej Vadnjal

_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
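The template/data exchange described in the post, as an added example (not code from the post or from nfdump): a minimal NetFlow v9 parser that learns template 256 from a template flowset and then decodes the data flowset against it, so the ethernetType (field 256) value the exporter sends can be read directly while a collector lacks support for it. The field lengths 2,6,6,4,4,8,8 are an assumption inferred from the 42-byte data flowset in the post; the MAC bytes in the sample packet are constructed.

```python
import struct
# Field type -> name for the seven fields in the post's template; unknown types keep a generic name.
FIELD_NAMES = {1: "bytes", 2: "packets", 10: "input_snmp", 14: "output_snmp",
               56: "src_mac", 80: "dst_mac", 256: "ethernet_type"}
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

def decode_field(ftype, raw):
    """MAC fields as colon-hex, ethertype as (value, name), everything else as an unsigned int."""
    if ftype in (56, 80):
        return ":".join(f"{b:02x}" for b in raw)
    value = int.from_bytes(raw, "big")
    return (value, ETHERTYPES.get(value, "unknown")) if ftype == 256 else value

def parse_v9(packet, templates=None):
    """Parse one NetFlow v9 packet, learning templates and decoding data records against them."""
    templates = {} if templates is None else templates  # keyed by (source_id, template_id)
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9: version {version}")
    records, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4:
            raise ValueError("flowset length below header size")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:  # template flowset: one or more (template id, field count, fields...) entries
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                templates[(source_id, tid)] = [struct.unpack("!HH", body[pos + 4 + 4 * i:pos + 8 + 4 * i])
                                               for i in range(nfields)]
                pos += 4 + 4 * nfields
        elif fs_id >= 256 and templates.get((source_id, fs_id)):  # data flowset with a known template
            fields = templates[(source_id, fs_id)]
            rec_len = sum(flen for _, flen in fields)
            for pos in range(0, len(body) - rec_len + 1, rec_len):  # leftover bytes are padding
                rec, p = {}, pos
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_field(ftype, body[p:p + flen])
                    p += flen
                records.append(rec)
        off += fs_len
    return templates, records

# Constructed sample packet mirroring the post's template 256 (assumed field lengths 2,6,6,4,4,8,8 = 38 bytes); MACs made up.
TEMPLATE_FIELDS = [(256, 2), (56, 6), (80, 6), (10, 4), (14, 4), (1, 8), (2, 8)]
SAMPLE = (struct.pack("!HHIIII", 9, 2, 21878064, 1417083433, 4003, 0)
          + struct.pack("!HHHH", 0, 36, 256, 7) + b"".join(struct.pack("!HH", t, n) for t, n in TEMPLATE_FIELDS)
          + struct.pack("!HH", 256, 42) + struct.pack("!H", 0x86DD) + bytes.fromhex("588d09aabbcc")
          + bytes.fromhex("001b0dddeeff") + struct.pack("!IIQQ", 9, 43, 1955, 18))
```

Feeding a data flowset before its template yields no records, which is the same behaviour a collector shows until the template arrives; pass the same `templates` dict across packets to keep learned templates.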