Hi Maxim,
I would need a pcap trace in order to see what's wrong. Next hop, router IP and 
time received are tested on many platforms and work as expected.
Would you mind collecting a few minutes of pcap traffic to the collector and 
sending it to me off list.

Many thanks

        - Peter


On 09.02.15 17:14, Maxim Rayevskiy wrote:
> Hello Everyone,
> 
> I am trying to set up nfdump / nfcapd to work with Cisco Flexible Netflow 
> (Sup2T). From what I see, there is some alignment problem with the data 
> collected. Here's what I have:
> 
> Cisco config:
> 
> flow exporter Flowviewer1
> destination 192.168.7.74
> source lo1
> dscp 63
> ttl 5
> transport udp 9992
> template data timeout 120
> option exporter-stats timeout 120
> 
> flow monitor FLOW-OUT
> exporter Flowviewer1
> record platform-original ipv4 interface-full
> 
> 
> flow record platform-original ipv4 interface-full:
>   Description:        Original platform IPv4 interface-full fields
>   No. of users:       1
>   Total field space:  41 bytes
>   Fields:
>     match ipv4 protocol
>     match ipv4 source address
>     match ipv4 destination address
>     match transport source-port
>     match transport destination-port
>     match interface input
>     collect routing source as
>     collect routing destination as
>     collect routing next-hop address ipv4
>     collect counter bytes
>     collect counter packets
>     collect timestamp sys-uptime first
>     collect timestamp sys-uptime last
> 
> nfcapd run:
> /usr/bin/nfcapd -w -D -p 9992 -u nfcapd -g nfcapd -B 200000 -S 1 -P /storage/nfsen/var/run/p9992.pid -z -T all -I gw-linx-1 -l /storage/nfsen/profiles-data/live/gw-linx-1
> 
> When I run nfdump I get:
> 
> [mrayevskiy@adm2 ~]$ nfdump -M /storage/nfsen/profiles-data/live/gw-linx-1 -T -R 2015/02/09/nfcapd.201502091750:2015/02/09/nfcapd.201502091850 -o raw -c 1
> 
> Flow Record:
>   Flags        =              0x06 FLOW, Unsampled
>   export sysid =                 1
>   size         =                86
>   first        =        1423493350 [2015-02-09 17:49:10]
>   last         =        1423493394 [2015-02-09 17:49:54]
>   msec_first   =               962
>   msec_last    =               362
>   src addr     =     91.233.219.77
>   dst addr     =    31.162.147.183
>   src port     =                80
>   dst port     =             52024
>   fwd status   =                 0
>   tcp flags    =              0x00 ......
>   proto        =                 6 TCP
>   (src)tos     =                 0
>   (in)packets  =               190
>   (in)bytes    =            267398
>   input        =               262
>   output       =                 0
>   src as       =             28719
>   dst as       =              9433
>   ip next hop  =    219.254.195.34
>   ip router    =        0.0.91.233
>   engine type  =               130
>   engine ID    =               136
>   received at  =     2814749788827345 [91165-11-14 16:20:27.345]
> 
> Summary: total flows: 1, total bytes: 267398, total packets: 190, avg bps: 49289, avg pps: 4, avg bpp: 1407
> Time window: 2014-12-22 00:51:12 - 2015-02-09 17:54:58
> Total flows processed: 12188, Blocks skipped: 0, Bytes read: 1048524
> Sys: 0.000s flows/second: 0.0        Wall: 0.004s flows/second: 2778841.8
> 
> 
> This seems to be OK, except:
> Router IP is in fact 91.233.219.254
> NEXTHOP IP is 195.34.36.218 (so it would seem that part of the router address 
> moved into nexthop IP)
> SRC AS is in fact a DST AS for the destination IP
> DST AS is probably temperature on Venus since it's not even our AS (57629)
> And the 'received at' timestamp is totally from the far-away future. :)
> 
> Finally, both nfcapd and nfdump are at version 1.6.13.
> 
> I would really appreciate some help with the matter.
> 
> Maxim Rayevskiy
> Senior Manager
> ivi.ru online movies
> tel.: +7 495 276-06-31 (ext. 206)
> cell: +7 964 551 12 43
> e-mail: ra...@ivi.ru
> 
> _______________________________________________
> Nfdump-discuss mailing list
> Nfdump-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
> 

-- 
Be nice to your netflow data. Use NfSen and nfdump :)
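Added example, not part of this thread and not nfdump's code: a small NetFlow v9 decoder that does the kind of check you would run over the pcap Peter asks for. It parses the template flowset, verifies that each data flowset divides cleanly into template-sized records (v9 allows fewer than 4 bytes of padding, anything more means exporter and collector disagree on the record size), and decodes the flow Maxim quoted. The field lengths in ASSUMED_TEMPLATE are an assumption chosen to sum to the 41 bytes the switch reports; the real Sup2T template is not on the page. The "two leading bytes" decode only simulates what a misaligned read does to address fields, it is not a diagnosis of the export.

```python
import ipaddress
import struct

# NetFlow v9 field type IDs (RFC 3954, section 8) for the fields in the
# "platform-original ipv4 interface-full" record quoted in the thread.
FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
    8: "IPV4_SRC_ADDR", 10: "INPUT_SNMP", 11: "L4_DST_PORT",
    12: "IPV4_DST_ADDR", 15: "IPV4_NEXT_HOP", 16: "SRC_AS", 17: "DST_AS",
    21: "LAST_SWITCHED", 22: "FIRST_SWITCHED",
}
IPV4_FIELDS = {8, 12, 15}

# ASSUMPTION: (field type, length) pairs summing to 41 bytes, the "Total field
# space" the switch reports. Cisco's actual per-field lengths are not on the page.
ASSUMED_TEMPLATE = [(4, 1), (8, 4), (12, 4), (7, 2), (11, 2), (10, 4),
                    (16, 2), (17, 2), (15, 4), (1, 4), (2, 4), (22, 4), (21, 4)]

HEADER = struct.Struct(">HHIIII")  # version, count, sysUptime, unix_secs, seq, source_id


def build_packet(template, records, template_id=256, unix_secs=1423493350):
    """Build a constructed v9 export packet: one template flowset + one data flowset."""
    tmpl_body = struct.pack(">HH", template_id, len(template))
    tmpl_body += b"".join(struct.pack(">HH", t, l) for t, l in template)
    tmpl_fs = struct.pack(">HH", 0, 4 + len(tmpl_body)) + tmpl_body
    data_body = b"".join(records)
    pad = (-len(data_body)) % 4  # v9 data flowsets are padded to a 4-byte boundary
    data_fs = struct.pack(">HH", template_id, 4 + len(data_body) + pad) + data_body + b"\x00" * pad
    header = HEADER.pack(9, 1 + len(records), 0, unix_secs, 1, 1)
    return header + tmpl_fs + data_fs


def encode_record(template, values):
    """Pack a dict of field type -> value into one data record per the template."""
    out = b""
    for ftype, flen in template:
        v = values[ftype]
        out += ipaddress.IPv4Address(v).packed if ftype in IPV4_FIELDS else int(v).to_bytes(flen, "big")
    return out


def decode_record(template, raw, offset=0):
    """Decode one record starting at `offset`; a wrong offset simulates a misaligned read."""
    fields, pos = {}, offset
    for ftype, flen in template:
        chunk = raw[pos:pos + flen]
        if len(chunk) < flen:
            raise ValueError("record truncated at field type %d" % ftype)
        name = FIELD_NAMES.get(ftype, "field_%d" % ftype)
        fields[name] = str(ipaddress.IPv4Address(chunk)) if ftype in IPV4_FIELDS else int.from_bytes(chunk, "big")
        pos += flen
    return fields


def parse_v9(packet):
    """Return (templates, records); raise ValueError when data does not fit the template."""
    version = HEADER.unpack_from(packet, 0)[0]
    if version != 9:
        raise ValueError("not a NetFlow v9 packet (version=%d)" % version)
    templates, records, pos = {}, [], HEADER.size
    while pos + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from(">HH", packet, pos)
        if fs_len < 4 or pos + fs_len > len(packet):
            raise ValueError("flowset %d length %d exceeds packet" % (fs_id, fs_len))
        body = packet[pos + 4:pos + fs_len]
        if fs_id == 0:  # template flowset: template_id, field_count, (type, len) pairs
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack_from(">HH", body, p)
                p += 4
                templates[tid] = [struct.unpack_from(">HH", body, p + 4 * i) for i in range(nfields)]
                p += 4 * nfields
        elif fs_id >= 256 and fs_id in templates:  # data flowset for a known template
            tmpl = templates[fs_id]
            rec_len = sum(l for _, l in tmpl)
            nrec, leftover = divmod(len(body), rec_len)
            if leftover >= 4:  # more than padding: exporter and collector disagree on record size
                raise ValueError("data flowset %d: %d bytes is not a multiple of the %d-byte record"
                                 % (fs_id, len(body), rec_len))
            records.extend(decode_record(tmpl, body, i * rec_len) for i in range(nrec))
        pos += fs_len
    return templates, records


def check_packet(packet):
    """True when every data flowset in the packet aligns with its template."""
    try:
        parse_v9(packet)
        return True
    except ValueError:
        return False


def demo():
    """Encode the flow from the thread (timestamps constructed), decode it aligned and 2 bytes off."""
    values = {4: 6, 8: "91.233.219.77", 12: "31.162.147.183", 7: 80, 11: 52024, 10: 262,
              16: 28719, 17: 9433, 15: "195.34.36.218", 1: 267398, 2: 190, 22: 10000, 21: 54000}
    rec = encode_record(ASSUMED_TEMPLATE, values)
    _, records = parse_v9(build_packet(ASSUMED_TEMPLATE, [rec]))
    aligned = records[0]
    # Simulated misalignment: two extra bytes in front shift every field; the
    # protocol byte lands inside the source address, as a mangled "0.6.91.233".
    shifted = decode_record(ASSUMED_TEMPLATE, b"\x00\x00" + rec, 0)
    return rec, aligned, shifted


if __name__ == "__main__":
    rec, aligned, shifted = demo()
    print("aligned :", aligned)
    print("shifted :", shifted)
    print("truncated record accepted?", check_packet(build_packet(ASSUMED_TEMPLATE, [rec[:39]])))
```

Run it against real traffic by reading each UDP payload from the capture and calling check_packet(); a flowset that fails the divisibility check is where to look for an exporter/collector disagreement on field lengths, since the data bytes themselves are then being read under the wrong offsets, exactly the symptom of address bytes drifting into a neighbouring field.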
