Hi Aleksandar!
Thank you for your reply.
Yes, you are right. CGSE does not export the time at which events occurred
(there are no such fields in their templates). It was discovered with the help
of tcpdump and Wireshark. Also, as it is known that CGSE cards don't export
flow data less than one second, the use of "received at" time should
look OK.
Thank you again,
Andrey
30.03.2015 1:31, Aleksandar Ciric wrote:
Hi Andrei,
CGSE thingie does not export all the values we might like it to,
check the events and templates with associated fields here. I myself
am planning for production use with bulk port allocation feature and
am ok with using "received at" field for time data.
http://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r4-3/cg_nat/configuration/guide/cgnat_cg43crs/cgnat51log.html
On Wed, Mar 25, 2015 at 12:14 PM, Андрей Седлецкий <asedlet...@spdop.ru> wrote:
Hi all!
We have an issue with the Cisco CRS's CGSE+ module. The module is used
to do NAT (PAT) and the export of netflow is configured on it.
I try to use nfdump (now it is nfdump-1.6.13) as a netflow collector but
experience problems with some fields:
/usr/local/nfdump-1.6.13/bin/nfdump -r nfcapd.201503250700 -o "fmt:%ts %te %sap-->%nsa:%nsp >> %nda:%ndp-->%dap %pr %nevt %ivrf %evrf" | less
Date first seen Date last seen Src IP Addr:Port X-late Src IP XsPort X-late Dst IP XdPort Dst IP Addr:Port Proto Event I-VRF-ID E-VRF-ID
1970-01-01 03:00:00.000 1970-01-01 03:00:00.000 10.114.136.169:49958--> 37.190.63.117: 55550 >> 0.0.0.0: 0--> 37.58.73.181:80 TCP IGNORE 1610612766 1610612754
1970-01-01 03:00:00.48984 1970-01-01 03:00:00.000 10.114.136.169:37764--> 37.190.63.117: 22597 >> 0.0.0.0: 0--> 37.58.73.181:80 TCP IGNORE 1610612766 1610612754
1970-01-01 03:00:00.25651 1970-01-01 03:00:00.000 10.114.228.152:30947--> 37.190.63.114: 62311 >> 0.0.0.0: 0--> 62.112.113.170:53 UDP IGNORE 1610612766 1610612754,
Mostly it concerns such fields as "Date first seen", "Date last seen"
etc, while X-late fields as well as "source/destination" fields
seem to be correct.
What I would like to know is if nfdump can support netflow streams
from CGSE+ card installed in Cisco CRS chassis?
If so, are there any special ./configure options? The current one was
compiled with "$ ./configure --prefix=/usr/local/nfdump-1.6.13
--enable-nsel --enable-nel" options.
I have also contacted Cisco Technical Support about the problem. They
answered that the ASR9k/CRS routers inform (periodically) the netflow
collector about the format of data transmitted and then send the
data in accordance with it.
Hence they advised to find out if nfdump supports Dynamic Templates.
Thank you in advance.
Best regards,
Andrey
_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss