Hello,

Back in April this year, there was the following question and reply, but nothing further...

On 09.02.15 17:14, Maxim Rayevskiy wrote:
> I am trying to set up nfdump / nfcapd to work with Cisco Flexible Netflow
> (Sup2T). From what I see, there is some alignment problem with the data
> collected. Here's what I have:
>
> ...
>
> When I run nfdump I get:
>
> [mrayevskiy@adm2 ~]$ nfdump -M /storage/nfsen/profiles-data/live/gw-linx-1 -T -R 2015/02/09/nfcapd.201502091750:2015/02/09/nfcapd.201502091850 -o raw -c 1
>
> Flow Record:
> ...
> ip next hop = 219.254.195.34
> ip router = 0.0.91.233
> engine type = 130
> engine ID = 136
> received at = 2814749788827345 [91165-11-14 16:20:27.345]
>
> ...
>
> This seems to be OK, except:
> Router IP is in fact 91.233.219.254
> NEXTHOP IP is 195.34.36.218 (so it would seem that part of the router address moved into nexthop IP)
> SRC AS is in fact a DST AS for the destination IP
> DST AS is probably temperature on Venus since it's not even our AS (57629)
> And the 'received at' timestamp is totally from the far-away future. :)
>
> Finally, both nfcapd and nfdump are at version 1.6.13.

On 3 Apr 2015, at 11:40, Peter Haag <ph...@users.sourceforge.net> wrote:
> I would need a pcap trace in order to see what's wrong. Next hop, router ip
> and time received are tested on many platforms and work as expected.
> Would you mind collecting a few minutes of pcap traffic to the collector and
> sending it to me off list.

I'm experiencing the same thing on a Catalyst 6880-X running IOS 15.2(1)SY1 (which is ED [Early Deployment], but the router shipped with 15.2(1)SY0a, so I thought it better to upgrade rather than downgrade to 15.1, which is the MD): my router IP address is aligning incorrectly and showing up usually shifted two bytes - things like 0.6.192.84, when it's actually 192.84.5.243. The rest of our routers are Catalyst 6500s running IOS 15.1 and have been running fine with nfdump for years. We're exporting in NetFlow v9 format.

Interestingly, if I change the export format to IPFIX, the router IP comes out correctly, but the timestamps of the flows are broken (when listing with nfdump). When looking at the packet source data in Wireshark, the start and end times for the flow are wildly different (resulting in excessively long or negative durations) - suggesting either nfdump AND Wireshark are broken, or the Cisco is!

Did this problem get resolved (or, at least, pointed at Cisco)? I can't find anything in the release notes for IOS regarding it. I'm happy to provide a trace of the source packets (sent to Peter directly, if he wants) - both IPFIX and NetFlow v9.

Out of interest, where does this information come from? In Wireshark, I can't see the address expressed anywhere (I was looking to see if it was corrupted in there) - is it just the source address of the NetFlow packet itself?

Thanks in advance,

- Bob

-- 
Bob Franklin rc...@cam.ac.uk / +44 1223 748479
Networks, University Information Services, University of Cambridge

_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
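Added example, not part of the thread and not nfdump or Cisco code. Both reports above show the same signature: an IPv4 field whose first two octets are the last two bytes of whatever the exporter put in front of it (0.6.192.84 for 192.84.5.243, 219.254.195.34 for 195.34.36.218), followed by an AS number that is garbage. That is what a decoder produces when its running offset into a fixed-length NetFlow v9 data record is two bytes behind where the exporter actually placed the field, i.e. when exporter and collector disagree on the length of some earlier field. The decoder below follows the RFC 3954 layout (20-byte header, template flowset 0, data flowsets with id >= 256, 4-byte padding); the packet bytes are constructed, and the `consumed` argument that makes the collector take SRC_AS as 2 bytes while the template says 4 is a deliberate simulation of such a mismatch, not a claim about what nfdump or the 6880-X does. Note also that the v9 header itself (version, count, sysUptime, unix_secs, sequence, source_id) carries no exporter address; a collector has to get that from the UDP source or from a template field, which is why Wireshark shows no such field in the payload.

```python
"""Minimal NetFlow v9 decoder (RFC 3954 layout) showing how a 2-byte
field-length disagreement shifts every later field in a record.
Added example: the packet is constructed, and the `consumed` override
is a simulation of an exporter/collector mismatch, not real nfdump logic."""
import struct
from ipaddress import IPv4Address

# RFC 3954 field type numbers (standard values; only those used here).
IN_BYTES, IN_PKTS, PROTOCOL, L4_SRC_PORT, IPV4_SRC_ADDR = 1, 2, 4, 7, 8
L4_DST_PORT, IPV4_DST_ADDR, IPV4_NEXT_HOP, SRC_AS, DST_AS = 11, 12, 15, 16, 17
NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
         8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR",
         15: "IPV4_NEXT_HOP", 16: "SRC_AS", 17: "DST_AS"}
IPV4_FIELDS = {IPV4_SRC_ADDR, IPV4_DST_ADDR, IPV4_NEXT_HOP}

# Constructed template, (type, length) as the exporter announces it.
TEMPLATE_ID = 256
TEMPLATE = [(IN_BYTES, 4), (IN_PKTS, 4), (PROTOCOL, 1), (L4_SRC_PORT, 2),
            (L4_DST_PORT, 2), (IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4),
            (SRC_AS, 4), (IPV4_NEXT_HOP, 4), (DST_AS, 4)]


def build_packet():
    """Constructed v9 export packet: header, template flowset, one data flowset."""
    record = (struct.pack("!IIBHH", 1500, 10, 6, 443, 51000)
              + IPv4Address("10.0.0.1").packed + IPv4Address("10.0.0.2").packed
              + struct.pack("!I", 6)                  # SRC_AS, 4 bytes: 00 00 00 06
              + IPv4Address("192.84.5.243").packed    # IPV4_NEXT_HOP
              + struct.pack("!I", 57629))             # DST_AS
    tmpl_body = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE))
    tmpl_body += b"".join(struct.pack("!HH", t, n) for t, n in TEMPLATE)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl_body)) + tmpl_body
    pad = (-(4 + len(record))) % 4                    # flowsets are 32-bit aligned
    data_fs = struct.pack("!HH", TEMPLATE_ID, 4 + len(record) + pad) + record + b"\0" * pad
    header = struct.pack("!HHIIII", 9, 2, 123456, 1423499400, 1, 0)
    return header + tmpl_fs + data_fs


def parse_packet(pkt):
    """Return (header, {template_id: [(type, len), ...]}, [(template_id, body)])."""
    version, count, uptime, secs, seq, source_id = struct.unpack("!HHIIII", pkt[:20])
    header = {"version": version, "count": count, "sysuptime_ms": uptime,
              "unix_secs": secs, "sequence": seq, "source_id": source_id}
    templates, data, off = {}, [], 20
    while off + 4 <= len(pkt):
        fs_id, fs_len = struct.unpack("!HH", pkt[off:off + 4])
        if fs_len < 4:
            raise ValueError("flowset length %d too small" % fs_len)
        body = pkt[off + 4:off + fs_len]
        if fs_id == 0:                                # template flowset
            p = 0
            while p + 4 <= len(body):
                tid, n = struct.unpack("!HH", body[p:p + 4])
                p += 4
                templates[tid] = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4])
                                  for i in range(n)]
                p += 4 * n
        elif fs_id >= 256:                            # data flowset
            data.append((fs_id, body))
        off += fs_len
    return header, templates, data


def field_lengths(template, consumed=None):
    """Per-field byte counts the collector will consume.  `consumed` overrides
    the template length for a field type to simulate a length disagreement."""
    consumed = consumed or {}
    return [(t, consumed.get(t, n)) for t, n in template]


def decode_records(template, body, consumed=None):
    """Decode fixed-length records from a data flowset body."""
    lengths = field_lengths(template, consumed)
    rec_len = sum(n for _, n in lengths)
    records, off = [], 0
    while off + rec_len <= len(body):
        rec, p = {}, off
        for t, n in lengths:
            raw = body[p:p + n]
            p += n
            rec[NAMES.get(t, str(t))] = (str(IPv4Address(raw))
                                         if t in IPV4_FIELDS and n == 4
                                         else int.from_bytes(raw, "big"))
        records.append(rec)
        off += rec_len
    return records


def leftover(template, body, consumed=None):
    """Bytes left after whole records.  RFC 3954 padding is at most 3 bytes,
    so 4 or more means the collector's record length does not fit the flowset."""
    rec_len = sum(n for _, n in field_lengths(template, consumed))
    return len(body) % rec_len


def demo():
    """Decode the constructed packet correctly, then with SRC_AS taken as 2 bytes."""
    _header, templates, data = parse_packet(build_packet())
    tid, body = data[0]
    good = decode_records(templates[tid], body)[0]
    shifted = decode_records(templates[tid], body, consumed={SRC_AS: 2})[0]
    return good, shifted


if __name__ == "__main__":
    for label, rec in zip(("template lengths", "SRC_AS read as 2 bytes"), demo()):
        print(label, rec["SRC_AS"], rec["IPV4_NEXT_HOP"], rec["DST_AS"])
```

With the template's own lengths the record decodes to next hop 192.84.5.243, SRC_AS 6, DST_AS 57629. With SRC_AS consumed as 2 bytes the next hop comes out as 0.6.192.84 (the trailing 00 06 of SRC_AS followed by the first two octets of the real address) and DST_AS becomes 0x05F30000, the same shape as the values in both reports. The `leftover` check is the cheap sanity test a collector can apply per data flowset: 3 bytes of slack under the correct lengths, 5 under the wrong ones, which is more than padding allows. A pcap, as Peter asked for, is what actually settles which side miscounts, since the template flowset on the wire states the exporter's lengths explicitly.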