Hi all,

I think I have come across a bug in nfdump, unless I'm not using it right.
I have an ASR1002 that has the Flexible Netflow feature. I'm exporting 
v9 netflow custom records that I collect with nfcapd and view with nfdump.
It seems that nfcapd/nfdump does not correctly understand the size 
of some attributes and outputs misaligned attributes (or that's what 
I understand). Here is the output:

# there should be both 4octet source AS and dest AS
# nfdump -r nfcapd.201510032220 -o "fmt: %sas,%das" | head -5
  Src AS Dst AS
  81330176,     0
  81330179,     0
  81330179,     0
  81330176,     0

# the correct IP of the exporter is 31.177.56.2
# nfdump -r nfcapd.201510032220 -o "fmt: %ra" | head -5
         Router IP
        0.0.31.177
        0.0.31.177
        0.0.31.177
        0.0.31.177

Here is the cache output from the router (how it should be):
R2#sh flow monitor flm-sa-da cache format table
   Cache type:                               Normal (Platform cache)
   Cache size:                               200000
   Current entries:                            2138

   Flows added:                               35022
   Flows aged:                                32884
     - Active timeout      (   600 secs)       2188
     - Inactive timeout    (    60 secs)      30696

IPV4 SRC ADDR    IPV4 DST ADDR    IP PROT  ip src as 4-octet  ip dst as 4-octet  ipv4 next hop addr  ipv4 src mask  ipv4 dst mask  tcp flags  intf output  flow sampler id  bytes    pkts  time first    time last
===============  ===============  =======  =================  =================  ==================  =============  =============  =========  ===========  ===============  =======  ====  ============  ============
93.xx.yy.168     193.xx.yy.105          6  4xy21                           1241  62.1.16.241                   /21            /17  0x1B       Gi0/0/3                    0  4722937  3454  22:20:42.004  22:20:54.100
93.xx.yy.31      193.xx.ff.122          6  4xy21                           1241  62.1.16.241                   /21            /17  0x1B       Gi0/0/3                    0    30681    55  22:20:36.979  22:20:38.068
93.xx.tt.203     62.xx.gg.98            6  4xy21                           1241  62.1.16.241                   /21            /17  0x18       Gi0/0/3                    0      927     3  22:20:15.284  22:20:57.268
31.xx.zz.70      91.xx.dd.40           17  3.xy86                         35432  62.1.16.241                   /27            /19  0x00       Gi0/0/3                    0    52676    98  22:14:16.659  22:20:51.731
31.177.ww.vv     77.xx.ee.69            6  0                               1241  62.1.16.241                   /29            /17  0x1A       Gi0/0/3                    0  2535314  2027  22:18:09.555  22:21:06.036
31.177.xx.ww     188.xx.yy.211          6  0                               1241  62.1.16.241                   /25            /17  0x1B       Gi0/0/3                    0     3040    20  22:18:35.156  22:21:03.955
185.xx.gg.68     213.xx.zz.0            6  3.xy81                          1241  62.1.16.241                   /22            /18  0x1B       Gi0/0/3                    0  1388405  1971  22:14:56.435  22:21:05.875


The ASR outputs the template every 1min. The netflow record on ASR is:
R2#sh flow record flr-sa-da2
flow record flr-sa-da2:
   Description:        User defined
   No. of users:       1
   Total field space:  48 bytes
   Fields:
     match ipv4 protocol
     match ipv4 source address
     match ipv4 destination address
     collect routing source as 4-octet
     collect routing destination as 4-octet
     collect routing next-hop address ipv4
     collect ipv4 source mask
     collect ipv4 destination mask
     collect transport tcp flags
     collect interface output
     collect flow sampler
     collect counter bytes
     collect counter packets
     collect timestamp sys-uptime first
     collect timestamp sys-uptime last

The way nfdump sees the capture is:
nfdump -x nfcapd.201510032220

Dump all extension maps:
========================
Extension Map:
   Map ID   = 0
   Map Size = 24
   Ext Size = 40
   ID   1, ext   5 = 4 byte input/output interface index
   ID   2, ext   7 = 4 byte src/dst AS number
   ID   3, ext   8 = dst tos, direction, src/dst mask
   ID   4, ext   9 = IPv4 next hop
   ID  13, ext  23 = IPv4 router IP addr
   ID  14, ext  25 = router ID
   ID  16, ext  27 = time packet received

I am capturing with:
/usr/local/bin/nfcapd -w -D -p 9994 -u netflow -g apache -B 200000 -S 1 -P /var/run/p9994.pid -z -T all -I R2v9-sada -l /mnt/netflowdata/profiles-data/live/R2v9-sada

# nfdump -V
nfdump: Version: 1.6.13
# nfcapd -V
nfcapd: Version: 1.6.13

Has anyone seen something like that? Am I missing an nfcapd/nfdump 
option or something?

Thanx
Spiros

PS: I have captures of netflow packets and the nfdump files, if needed.
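Added illustration (not code from this post or from nfdump) of the failure class described above: a v9 data record has no per-field delimiters, so a collector that decodes a field with a length other than the one the exporter's template declares shifts every field after it. The field IDs are the RFC 3954 values; the sample addresses and AS numbers are constructed, and the 2-octet layout is an assumed collector-side field table, not nfdump's actual code.

```python
from ipaddress import IPv4Address

# NetFlow v9 field type IDs (RFC 3954) for the first fields of the flr-sa-da2 record.
PROTOCOL, IPV4_SRC, IPV4_DST, SRC_AS, DST_AS, NEXT_HOP = 4, 8, 12, 16, 17, 15

# Template as the ASR advertises it: (field_id, length), with 4-octet AS numbers.
TEMPLATE_4OCTET_AS = [(PROTOCOL, 1), (IPV4_SRC, 4), (IPV4_DST, 4),
                      (SRC_AS, 4), (DST_AS, 4), (NEXT_HOP, 4)]
# Assumed collector-side layout that still treats AS numbers as classic 2-octet fields.
TEMPLATE_2OCTET_AS = [(PROTOCOL, 1), (IPV4_SRC, 4), (IPV4_DST, 4),
                      (SRC_AS, 2), (DST_AS, 2), (NEXT_HOP, 4)]

def encode_record(template, values):
    """Pack one data record exactly as the exporter would: big-endian, no delimiters."""
    out = b""
    for (_fid, length), val in zip(template, values):
        out += int(val).to_bytes(length, "big")
    return out

def decode_record(template, data):
    """Decode one data record using the template's declared lengths.
    Returns the field map and the number of bytes consumed; leftover bytes
    (or running past the end) are the tell-tale sign of a length mismatch."""
    fields, off = {}, 0
    for fid, length in template:
        fields[fid] = int.from_bytes(data[off:off + length], "big")
        off += length
    return fields, off

def demo():
    # Constructed sample: src AS 64521, dst AS 1241, next hop 62.1.16.241 as in the cache dump.
    values = [6, int(IPv4Address("10.0.0.1")), int(IPv4Address("10.0.0.2")),
              64521, 1241, int(IPv4Address("62.1.16.241"))]
    wire = encode_record(TEMPLATE_4OCTET_AS, values)
    good, used_good = decode_record(TEMPLATE_4OCTET_AS, wire)
    bad, used_bad = decode_record(TEMPLATE_2OCTET_AS, wire)
    # With the wrong lengths the dst AS value lands inside the next-hop field
    # (0.0.4.217) and 4 bytes of the record are left unconsumed.
    return good, bad, len(wire) - used_good, len(wire) - used_bad

if __name__ == "__main__":
    good, bad, left_good, left_bad = demo()
    for name, fields, left in (("template lengths", good, left_good),
                               ("2-octet AS assumed", bad, left_bad)):
        print(f"{name}: srcAS={fields[SRC_AS]} dstAS={fields[DST_AS]} "
              f"nexthop={IPv4Address(fields[NEXT_HOP])} leftover_bytes={left}")
```

Comparing the sum of a template's declared lengths with the record size the exporter reports (the ASR shows "Total field space: 48 bytes") is the quickest way to confirm which side has the wrong field table.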


------------------------------------------------------------------------------
_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss