On 10 Jul 2015, at 14:57, Brian Epstein <bepst...@ias.edu> wrote:

> Recently, we've been trying to implement IPFIX with a couple of Cisco
> 4500X's and have been seeing an odd problem. The dumps come out with
> the wrong timestamp and INVALID as the event.
>
> $ nfdump -r nfcapd.201507081630-sample
> Date first seen Event XEvent Proto Src IP Addr:Port
> Dst IP Addr:Port X-Src IP Addr:Port X-Dst IP
> Addr:Port In Byte Out Byte
>
> 1969-12-31 19:00:00.000 INVALID Ignore TCP 157.55.39.187:32086
> - -> 172.16.52.154:80 0.0.0.0:0 -> 0.0.0.0:0
> 70 0

Are you doing NSEL (or, at least, compiled with --enable-nsel)?

I think those fields are only used for NSEL flows - such as those generated by a Cisco ASA. The 'Event' column records things like 'CREATE' and 'DELETE' when flows are set up and removed on an ASA.

For regular flows (such as the ones we get from our Catalysts) we get the same 'INVALID' and 'Ignore' values, just as you do.

[In our case, we only use our ASA for NAT and so the NSEL flows also have X-Src and X-Dst to log the translated addresses.]

I must admit I'm not sure what the X-Event column means - in our case, it only shows up with a number around 2000 when a flow is DELETEd. The value doesn't match the translation rule on the ASA.

Hope that helps,

- Bob

--
Bob Franklin rc...@cam.ac.uk / +44 1223 748479
Networks, University Information Services, University of Cambridge