Hi all, I think I have come across a bug in nfdump, unless I'm not using it right. I have an ASR1002 that has the Flexible Netflow feature. I'm exporting v9 netflow custom records that I collect with nfcapd and view with nfdump. It seems that nfcapd/nfdump does not correctly understand the size of some attributes and outputs misaligned attributes (or that's what I understand). Here is the output:
# there should be both 4octet source AS and dest AS
# nfdump -r nfcapd.201510032220 -o "fmt: %sas,%das" | head -5
Src AS Dst AS
81330176, 0
81330179, 0
81330179, 0
81330176, 0

# the correct IP of the exporter is 31.177.56.2
# nfdump -r nfcapd.201510032220 -o "fmt: %ra" | head -5
Router IP
0.0.31.177
0.0.31.177
0.0.31.177
0.0.31.177

Here is the cache output from the router (how it should be):

R2#sh flow monitor flm-sa-da cache format table
Cache type: Normal (Platform cache)
Cache size: 200000
Current entries: 2138
Flows added: 35022
Flows aged: 32884
- Active timeout ( 600 secs) 2188
- Inactive timeout ( 60 secs) 30696

IPV4 SRC ADDR    IPV4 DST ADDR    IP PROT  ip src as 4-octet  ip dst as 4-octet  ipv4 next hop addr  ipv4 src mask  ipv4 dst mask  tcp flags  intf output  flow sampler id  bytes     pkts   time first    time last
===============  ===============  =======  =================  =================  ==================  =============  =============  =========  ===========  ===============  ========  =====  ============  ============
93.xx.yy.168     193.xx.yy.105    6        4xy21              1241               62.1.16.241         /21            /17            0x1B       Gi0/0/3      0                4722937   3454   22:20:42.004  22:20:54.100
93.xx.yy.31      193.xx.ff.122    6        4xy21              1241               62.1.16.241         /21            /17            0x1B       Gi0/0/3      0                30681     55     22:20:36.979  22:20:38.068
93.xx.tt.203     62.xx.gg.98      6        4xy21              1241               62.1.16.241         /21            /17            0x18       Gi0/0/3      0                927       3      22:20:15.284  22:20:57.268
31.xx.zz.70      91.xx.dd.40      17       3.xy86             35432              62.1.16.241         /27            /19            0x00       Gi0/0/3      0                52676     98     22:14:16.659  22:20:51.731
31.177.ww.vv     77.xx.ee.69      6        0                  1241               62.1.16.241         /29            /17            0x1A       Gi0/0/3      0                2535314   2027   22:18:09.555  22:21:06.036
31.177.xx.ww     188.xx.yy.211    6        0                  1241               62.1.16.241         /25            /17            0x1B       Gi0/0/3      0                3040      20     22:18:35.156  22:21:03.955
185.xx.gg.68     213.xx.zz.0      6        3.xy81             1241               62.1.16.241         /22            /18            0x1B       Gi0/0/3      0                1388405   1971   22:14:56.435  22:21:05.875

The ASR outputs the template every 1 min. The netflow record on the ASR is:

R2#sh flow record flr-sa-da2
flow record flr-sa-da2:
  Description:        User defined
  No. of users:       1
  Total field space:  48 bytes
  Fields:
    match ipv4 protocol
    match ipv4 source address
    match ipv4 destination address
    collect routing source as 4-octet
    collect routing destination as 4-octet
    collect routing next-hop address ipv4
    collect ipv4 source mask
    collect ipv4 destination mask
    collect transport tcp flags
    collect interface output
    collect flow sampler
    collect counter bytes
    collect counter packets
    collect timestamp sys-uptime first
    collect timestamp sys-uptime last

The way nfdump sees the capture is:

nfdump -x nfcapd.201510032220
Dump all extension maps:
========================
Extension Map:
  Map ID   = 0
  Map Size = 24
  Ext Size = 40
  ID  1, ext  5 = 4 byte input/output interface index
  ID  2, ext  7 = 4 byte src/dst AS number
  ID  3, ext  8 = dst tos, direction, src/dst mask
  ID  4, ext  9 = IPv4 next hop
  ID 13, ext 23 = IPv4 router IP addr
  ID 14, ext 25 = router ID
  ID 16, ext 27 = time packet received

I am capturing with:

/usr/local/bin/nfcapd -w -D -p 9994 -u netflow -g apache -B 200000 -S 1 -P /var/run/p9994.pid -z -T all -I R2v9-sada -l /mnt/netflowdata/profiles-data/live/R2v9-sada

# nfdump -V
nfdump: Version: 1.6.13
# nfcapd -V
nfcapd: Version: 1.6.13

Has anyone seen something like that? Am I missing an nfcapd/nfdump option or something?

Thanks,
Spiros

PS: I have captures of the netflow packets and the nfdump files, if needed.

Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss