Hello Everyone,
I am trying to set up nfdump / nfcapd to work with Cisco Flexible NetFlow
(Sup2T). From what I see, there is some alignment problem with the data
collected. Here's what I have:
Cisco config:

flow exporter Flowviewer1
 destination 192.168.7.74
 source lo1
 dscp 63
 ttl 5
 transport udp 9992
 template data timeout 120
 option exporter-stats timeout 120

flow monitor FLOW-OUT
 exporter Flowviewer1
 record platform-original ipv4 interface-full
flow record platform-original ipv4 interface-full:
  Description:        Original platform IPv4 interface-full fields
  No. of users:       1
  Total field space:  41 bytes
  Fields:
    match ipv4 protocol
    match ipv4 source address
    match ipv4 destination address
    match transport source-port
    match transport destination-port
    match interface input
    collect routing source as
    collect routing destination as
    collect routing next-hop address ipv4
    collect counter bytes
    collect counter packets
    collect timestamp sys-uptime first
    collect timestamp sys-uptime last
nfcapd run:

/usr/bin/nfcapd -w -D -p 9992 -u nfcapd -g nfcapd -B 200000 -S 1 -P /storage/nfsen/var/run/p9992.pid -z -T all -I gw-linx-1 -l /storage/nfsen/profiles-data/live/gw-linx-1
When I run nfdump I get:

[mrayevskiy@adm2 ~]$ nfdump -M /storage/nfsen/profiles-data/live/gw-linx-1 -T -R 2015/02/09/nfcapd.201502091750:2015/02/09/nfcapd.201502091850 -o raw -c 1
Flow Record:
Flags = 0x06 FLOW, Unsampled
export sysid = 1
size = 86
first = 1423493350 [2015-02-09 17:49:10]
last = 1423493394 [2015-02-09 17:49:54]
msec_first = 962
msec_last = 362
src addr = 91.233.219.77
dst addr = 31.162.147.183
src port = 80
dst port = 52024
fwd status = 0
tcp flags = 0x00 ......
proto = 6 TCP
(src)tos = 0
(in)packets = 190
(in)bytes = 267398
input = 262
output = 0
src as = 28719
dst as = 9433
ip next hop = 219.254.195.34
ip router = 0.0.91.233
engine type = 130
engine ID = 136
received at = 2814749788827345 [91165-11-14 16:20:27.345]
Summary: total flows: 1, total bytes: 267398, total packets: 190, avg bps:
49289, avg pps: 4, avg bpp: 1407
Time window: 2014-12-22 00:51:12 - 2015-02-09 17:54:58
Total flows processed: 12188, Blocks skipped: 0, Bytes read: 1048524
Sys: 0.000s flows/second: 0.0 Wall: 0.004s flows/second: 2778841.8
This seems to be OK, except:
Router IP is in fact 91.233.219.254
NEXTHOP IP is 195.34.36.218 (so it would seem that part of the router address
moved into nexthop IP)
SRC AS is in fact a DST AS for the destination IP
DST AS is probably temperature on Venus since it's not even our AS (57629)
And the 'received at' timestamp is totally from the far-away future. :)
Finally, both nfcapd and nfdump are at version 1.6.13.
I would really appreciate some help with the matter.
Maxim Rayevskiy
Senior Manager
ivi.ru online movies
tel.: +7 495 276-06-31 (ext. 206)
cell: +7 964 551 12 43
e-mail: ra...@ivi.ru
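Added illustration (not part of the post above, and not nfdump's or Cisco's code): a minimal NetFlow v9 data-flowset encoder/decoder in Python that shows the mechanism behind output like the one above, where fields appear shifted into their neighbours. If the collector decodes data records with a template whose field lengths do not match the record layout the exporter actually sends (for example a cached template that was not refreshed after the record definition changed), every field after the mismatch is read from the wrong offset, so parts of one value spill into the next. The field lengths, the "stale" template and all sample values are constructed for the example; they are not a claim about what the Sup2T emits. The block also includes the check a practitioner can apply to captured packets: NetFlow v9 pads a flowset to a 4-byte boundary, so if decoding with a template leaves more than 3 bytes over, the template does not describe the data.

```python
"""
Constructed NetFlow v9 template/data example (illustration only, not code from
the original post, nfdump or Cisco). Shows how a field-length mismatch between
the exporter's real record layout and the template the collector applies shifts
all later fields, and how the flowset length check exposes it.
"""
import struct

# NetFlow v9 field type IDs (RFC 3954, section 8) for the fields in the posted record.
FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
    8: "IPV4_SRC_ADDR", 10: "INPUT_SNMP", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR",
    15: "IPV4_NEXT_HOP", 16: "SRC_AS", 17: "DST_AS", 21: "LAST_SWITCHED",
    22: "FIRST_SWITCHED",
}
IP_FIELDS = {"IPV4_SRC_ADDR", "IPV4_DST_ADDR", "IPV4_NEXT_HOP"}
MAX_PAD = 3  # v9 flowsets are padded to a 4-byte boundary: at most 3 pad bytes


def ip4(n):
    """Render a 32-bit integer as dotted-quad."""
    return ".".join(str(b) for b in n.to_bytes(4, "big"))


def encode_data_flowset(template_id, fields, values):
    """Build one data flowset: 4-byte header, one record laid out per `fields`
    ([(type_id, length)]), then padding to a 4-byte boundary."""
    body = b"".join(v.to_bytes(l, "big") for (_, l), v in zip(fields, values))
    pad = (-len(body)) % 4
    return struct.pack("!HH", template_id, 4 + len(body) + pad) + body + b"\x00" * pad


def decode_data_flowset(flowset, template):
    """Decode a data flowset with `template` ([(type_id, length)], as a collector
    would have cached it from a template flowset).
    Returns (records, leftover_bytes). leftover > MAX_PAD means the template
    cannot be the one the data was written with."""
    _template_id, length = struct.unpack_from("!HH", flowset, 0)
    payload = flowset[4:length]
    rec_len = sum(l for _, l in template)
    records, off = [], 0
    while off + rec_len <= len(payload):
        rec = {}
        for t, l in template:
            name = FIELD_NAMES.get(t, t)
            v = int.from_bytes(payload[off:off + l], "big")
            rec[name] = ip4(v) if name in IP_FIELDS and l == 4 else v
            off += l
        records.append(rec)
    return records, len(payload) - off


def template_fits(flowset, template):
    """Alignment check: decoding must leave no more than the v9 padding behind."""
    return decode_data_flowset(flowset, template)[1] <= MAX_PAD


# Constructed layout the exporter really uses: INPUT_SNMP is 4 bytes here.
EXPORTER_LAYOUT = [(4, 1), (8, 4), (12, 4), (7, 2), (11, 2), (10, 4),
                   (16, 4), (17, 4), (15, 4), (1, 4), (2, 4), (22, 4), (21, 4)]
# Constructed stale template still held by the collector: INPUT_SNMP as 2 bytes.
STALE_TEMPLATE = [(4, 1), (8, 4), (12, 4), (7, 2), (11, 2), (10, 2),
                  (16, 4), (17, 4), (15, 4), (1, 4), (2, 4), (22, 4), (21, 4)]
# Constructed sample flow: proto 6, 91.233.219.77 -> 31.162.147.183, 80 -> 52024,
# ifindex 262, src AS 57629, dst AS 28719, next hop 195.34.36.218, 267398 B, 190 pkts.
SAMPLE_VALUES = [6, 0x5BE9DB4D, 0x1FA293B7, 80, 52024, 262,
                 57629, 28719, 0xC32224DA, 267398, 190, 1000, 45400]


def demo():
    """Decode the same flowset with the right template and with the stale one."""
    flowset = encode_data_flowset(256, EXPORTER_LAYOUT, SAMPLE_VALUES)
    good, good_left = decode_data_flowset(flowset, EXPORTER_LAYOUT)
    bad, bad_left = decode_data_flowset(flowset, STALE_TEMPLATE)
    return good[0], good_left, bad[0], bad_left, template_fits(flowset, STALE_TEMPLATE)


if __name__ == "__main__":
    good, good_left, bad, bad_left, fits = demo()
    print("correct template :", good, "leftover", good_left)
    print("stale template   :", bad, "leftover", bad_left, "fits:", fits)
```

With the correct template the record decodes to the sample values and 3 pad bytes remain. With the stale template (2 bytes short on one field) INPUT_SNMP reads 0, the two AS fields come out as nonsense, the next hop becomes 112.47.195.34 (two bytes of DST_AS followed by the first two bytes of the real next hop), and 5 bytes are left over, which is more than v9 padding allows, so the mismatch is detectable from the packet alone. On a live collector the equivalent check is to capture the UDP stream and compare the lengths declared in the exporter's template flowset against the data flowsets that reference the same template ID; the exporter's `template data timeout` (120 s in the config above) bounds how long a collector can hold a template that no longer matches the data.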
_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss