Robert,

Thank you so much for getting back to me.

We are using the EPEL6 package for nfdump. Its spec file has the
following flags for configure.

%configure \
    --enable-nel \
    --enable-nsel \
    --enable-nfprofile \
    --enable-nftrack \
    --enable-sflow \
    --enable-readpcap \
    --enable-nfpcapd

I did replace the nfdump-1.6.11.tar.gz file with the
nfdump-1.6.13.tar.gz tarball and updated the spec to use it instead in
the hopes that 1.6.13 fixed something broken in 1.6.11, but have the
same results in both.

Any other ideas?

Thanks,
ep

On 07/27/2015 10:49 AM, Robert Franklin wrote:
> On 10 Jul 2015, at 14:57, Brian Epstein <bepst...@ias.edu> wrote:
>
>> Recently, we've been trying to implement IPFIX with a couple of
>> Cisco 4500X's and have been seeing an odd problem. The dumps
>> come out with the wrong timestamp and INVALID as the event.
>>
>> $ nfdump -r nfcapd.201507081630-sample
>> Date first seen         Event   XEvent Proto Src IP Addr:Port       Dst IP Addr:Port    X-Src IP Addr:Port    X-Dst IP Addr:Port In Byte Out Byte
>> 1969-12-31 19:00:00.000 INVALID Ignore TCP   157.55.39.187:32086 -> 172.16.52.154:80    0.0.0.0:0          -> 0.0.0.0:0          70      0
>
> Are you doing NSEL (or, at least, compiled with
> --enable-nsel)? I think those fields are only used for NSEL flows -
> such as those generated by a Cisco ASA.
>
> The 'Event' column records things like 'CREATE' and 'DELETE' when
> flows are set up and removed on an ASA. For regular flows (such
> as the ones we get from our Catalysts) we get the same 'INVALID'
> and 'Ignore' values, just as you do.
>
> [In our case, we only use our ASA for NAT and so the NSEL flows
> also have X-Src and X-Dst to log the translated addresses.]
>
> I must admit I'm not sure what the X-Event column means - in our
> case, it only shows up with a number around 2000 when a flow is
> DELETEd. The value doesn't match the translation rule on the ASA.
>
> Hope that helps,
>
> - Bob
>

--
Brian Epstein <bepst...@ias.edu> +1 609-734-8179
Manager, Network and Security
Institute for Advanced Study
Key fingerprint = A6F3 9F5A 26C5 5847 79ED C34C C0E5 244A 55CA 2B78

_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss