Hi,

We've been using nfdump with nfsen for years.  Thanks for supporting
such a great product.

Recently, we've been trying to implement IPFIX with a couple of Cisco
4500X's and have been seeing an odd problem.  The dumps come out with
the wrong timestamp and INVALID as the event.

$ nfdump -r nfcapd.201507081630-sample
Date first seen          Event  XEvent Proto      Src IP Addr:Port       Dst IP Addr:Port     X-Src IP Addr:Port        X-Dst IP Addr:Port   In Byte Out Byte
1969-12-31 19:00:00.000 INVALID  Ignore TCP      157.55.39.187:32086 ->    172.16.52.154:80             0.0.0.0:0     ->          0.0.0.0:0           70        0
1969-12-31 19:00:00.000 INVALID  Ignore TCP       172.16.48.51:62584 ->     172.16.19.20:443            0.0.0.0:0     ->          0.0.0.0:0         3168        0
1969-12-31 19:00:00.000 INVALID  Ignore TCP      157.55.39.187:32086 ->    172.16.52.154:80             0.0.0.0:0     ->          0.0.0.0:0         5552        0
Summary: total flows: 3, total bytes: 8790, total packets: 106, avg bps: 0, avg pps: 0, avg bpp: 0
Time window: <unknown>
Total flows processed: 3, Blocks skipped: 0, Bytes read: 312
Sys: 0.003s flows/second: 961.8      Wall: 0.000s flows/second: 5639.1

I thought this might be due to the template not being sent enough, so
I manually added the "template data timeout 30" to the flow exporter.
This does show the template being sent every 30 seconds now in the
packet captures, but the date/time and event are still incorrect.

Originally I was running 1.6.11 that comes with EL6, but then I
compiled and installed 1.6.13 to see if it was fixed there.  I'm still
seeing the same behavior.

Attached is a packet capture with three packets.  Two have a template,
and one does not.  Also attached is an nfcapd file that shows some of
those flows that were included in the packet capture.

Let me know if there is anything else I can do to help troubleshoot.

Thanks,
Brian

-- 
Brian Epstein <bepst...@ias.edu>                     +1 609-734-8179
Manager, Network and Security           Institute for Advanced Study
Key fingerprint = 128A 38F4 4CFA 5EDB 99CE  4734 6117 4C25 0371 C12A

Attachment: netflow.201507081630.pcap
Description: application/vnd.tcpdump.pcap

Attachment: nfcapd.201507081630-sample
Description: Binary data

Attachment: netflow.201507081630.pcap.sig
Description: PGP signature

Attachment: nfcapd.201507081630-sample.sig
Description: PGP signature

_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss