Thanks for the reply, Gaspard.

-----------------------------------------------------

I have been running nfcapd with -Tall

Example:

       PS E:\netflow> nfcapd -h
       usage /home/xxxxxx/nfdump-1.6.13/bin/nfcapd [options]
       -h              this text you see right here
       -u userid       Change user to username
       -g groupid      Change group to groupname
       -w              Sync file rotation with next 5min (default) interval
       -t interval     set the interval to rotate nfcapd files
       -b host         bind socket to host/IP addr
       -j mcastgroup   Join multicast group <mcastgroup>
       -p portnum      listen on port portnum
       -l basdir       set the output directory. (no default)
       -S subdir       Sub directory format. see nfcapd(1) for format
       -I Ident        set the ident string for stat file. (default 'none')
       -H Add port histogram data to flow file.(default 'no')
       -n Ident,IP,logdir      Add this flow source - multiple streams
       -P pidfile      set the PID file
       -R IP[/port]    Repeat incoming packets to IP address/port
       -s rate set default sampling rate (default 1)
       -x process      launch process after a new file becomes available
       -z              Compress flows in output file.
       -B bufflen      Set socket buffer to bufflen bytes
       -e              Expire data at each cycle.
       -D              Fork to background
       -E              Print extended format of netflow data. for
       debugging purpose only.
       -T              Include extension tags in records.
       -4              Listen on IPv4 (default).
       -6              Listen on IPv6.
       -V              Print version and exit.

       PS E:\netflow> nfcapd.exe -Tall -t 1500 -p 9996 -l 9996
       ==> 15 minute rotation - which should be enough to capture any V9/IPFIX templates
       Add extension: 2 byte input/output interface index
       Add extension: 4 byte input/output interface index
       Add extension: 2 byte src/dst AS number
       Add extension: 4 byte src/dst AS number
       Add extension: dst tos, direction, src/dst mask
       Add extension: IPv4 next hop
       Add extension: IPv6 next hop
       Add extension: IPv4 BGP next IP
       Add extension: IPv6 BGP next IP
       Add extension: src/dst vlan id
       Add extension: 4 byte output packets
       Add extension: 8 byte output packets
       Add extension: 4 byte output bytes
       Add extension: 8 byte output bytes
       Add extension: 4 byte aggregated flows
       Add extension: 8 byte aggregated flows
       Add extension: in src/out dst mac address
       Add extension: in dst/out src mac address
       Add extension: MPLS Labels
       Add extension: IPv4 router IP addr
       Add extension: IPv6 router IP addr
       Add extension: router ID
       Add extension: BGP adjacent prev/next AS
       Add extension: time packet received
       Add extension: NSEL Common block
       Add extension: NSEL xlate ports
       Add extension: NSEL xlate IPv4 addr
       Add extension: NSEL xlate IPv6 addr
       Add extension: NSEL ACL ingress/egress acl ID
       Add extension: NSEL username
       Add extension: NSEL max username
       Add extension: nprobe latency
       Add extension: NEL Common block
       Add extension: Compat NEL IPv4
       Add extension: NAT Port Block Allocation
       Bound to IPv4 host/IP: any, Port: 9996
       Startup.


---------------------------------------------------

Resulting file:

       -rw-r--r--+ 1 xxxx xxxxx 11477602 Oct 30 16:01 nfcapd.201610301536  ==> collected with above options (15 minutes)
       -rw-r--r--+ 1 xxxx xxxxx    276xxxx Oct 30 16:01 nfcapd.current.4064


--------------------------------------------------

nfdump results:


       E:\netflow>nfdump -r 9996/nfcapd.201610301536 -s if
       Top 10 In/Out If ordered by -:
       Date first seen          Duration Proto     In/Out If    Flows(%)     Packets(%)      Bytes(%)     pps     bps   bpp
       1969-12-31 18:00:00.000     0.000 any              0  98204(70.2)    2.2 M(90.6)  341.8 M(91.0)    0       0   154
       1969-12-31 18:00:00.000     0.000 any              9  98204(70.2)    2.2 M(90.6)  341.8 M(91.0)    0       0   154
       1969-12-31 18:00:00.000     0.000 any         589824  41759(29.8)   230996( 9.4)   34.0 M( 9.0)    0       0   147   ===> invalid interface index
       1969-12-31 18:00:00.000     0.000 any       16777216  41759(29.8)   230996( 9.4)   34.0 M( 9.0)    0       0   147   ===> invalid interface index

       Summary: total flows: 139963, total bytes: 375807249, total packets: 2445509, avg bps: 0, avg pps: 0, avg bpp: 0
       Time window: 2016-10-30 15:36:16 - 2016-10-30 16:01:16
       Total flows processed: 139963, Blocks skipped: 0, Bytes read: 11477326
       Sys: 0.031s flows/second: 4514935.5  Wall: 0.031s flows/second: 4485993.6


-------------------------------------------------

For another listener (this one on 2055) with same nfcapd parms.....


       E:\netflow>nfdump -R 2055/nfcapd.201610301544 -s if
       Top 10 In/Out If ordered by -:
       Date first seen          Duration Proto     In/Out If    Flows(%)     Packets(%)      Bytes(%)     pps     bps   bpp
       1969-12-31 18:00:00.000     0.000 any              0  93686(63.7)    1.7 M(62.2)  496.5 M(77.9)    0       0   291
       1969-12-31 18:00:00.000     0.000 any              5  93686(63.7)    1.7 M(62.2)  496.5 M(77.9)    0       0   291
       1969-12-31 18:00:00.000     0.000 any         327680  53348(36.3)    1.0 M(37.8)  140.6 M(22.1)    0       0   135   ==> invalid interface index
       1969-12-31 18:00:00.000     0.000 any       16777216  53348(36.3)    1.0 M(37.8)  140.6 M(22.1)    0       0   135   ==> invalid interface index

       Summary: total flows: 147034, total bytes: 637115010, total packets: 2742899, avg bps: 0, avg pps: 0, avg bpp: 0
       Time window: 2016-10-30 15:44:56 - 2016-10-30 15:49:56
       Total flows processed: 147034, Blocks skipped: 0, Bytes read: 12057160
       Sys: 0.061s flows/second: 2410393.4  Wall: 0.015s flows/second: 9425256.4



-----------------------------------------------------------

Above behavior - given the values for those invalid interface numbers - does seem like what is discussed at:
https://lists.sei.cmu.edu/pipermail/netsa-tools-discuss/2014-June/000002.html

I'll be checking my compilation next to see if this is somehow a self-inflicted wound.. ;-)

If not I will have to look for another collector, although I would much prefer to use nfcapd/nfdump for my work.


--------------------------------------------------------------






On 10/30/2016 01:05 PM, Gaspard Laurent wrote:
Hello,

Which option are you using to launch your nfcapd process? Maybe try to start it with -Tall if it is not the case yet.

Best
Gaspard
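As an added illustration (not part of this thread and not nfdump project code), the following Python scans lines in the shape of the `nfdump -s if` output above and flags In/Out If values that exceed 16 bits while their low 16 bits are all zero. That pattern is what a 16-bit ifIndex would produce if the collector decoded it as a 32-bit big-endian field (589824 is 0x00090000, 327680 is 0x00050000); treating the values in this message that way is an assumption for the sake of the example, and the sample rows are constructed from the output quoted above.

```python
"""Flag NetFlow interface indexes that look like a field-width mismatch.

Added example; not from the nfdump project or the thread author.
Assumption (labelled): a 16-bit ifIndex read as a 32-bit big-endian field
lands in the upper half of the value, i.e. becomes a multiple of 0x10000.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

MAX_16BIT = 0xFFFF

# Constructed sample in the layout of the 'nfdump -s if' table in this thread.
SAMPLE_STAT_OUTPUT = """\
Top 10 In/Out If ordered by -:
Date first seen          Duration Proto     In/Out If    Flows(%)     Packets(%)      Bytes(%)     pps     bps   bpp
1969-12-31 18:00:00.000     0.000 any              0  98204(70.2)    2.2 M(90.6)  341.8 M(91.0)    0       0   154
1969-12-31 18:00:00.000     0.000 any              9  98204(70.2)    2.2 M(90.6)  341.8 M(91.0)    0       0   154
1969-12-31 18:00:00.000     0.000 any         589824  41759(29.8)   230996( 9.4)   34.0 M( 9.0)    0       0   147
1969-12-31 18:00:00.000     0.000 any       16777216  41759(29.8)   230996( 9.4)   34.0 M( 9.0)    0       0   147
Summary: total flows: 139963, total bytes: 375807249, total packets: 2445509
"""

# date, time, duration, proto, then the In/Out If column and the flow count.
ROW_RE = re.compile(r"^\s*\d{4}-\d{2}-\d{2}\s+\S+\s+\S+\s+\S+\s+(\d+)\s+(\d+)\(")


class IfIndexFinding(NamedTuple):
    ifindex: int
    flows: int
    suspicious: bool
    candidate: Optional[int]  # the 16-bit value that would explain ifindex


def classify_ifindex(value: int) -> Tuple[bool, Optional[int]]:
    """Return (suspicious, candidate).

    Suspicious when the value needs more than 16 bits and its low 16 bits are
    zero; the candidate is the value shifted back down, under the assumption
    stated in the module docstring. Small values and values with non-zero low
    bits are left alone, since those cannot be explained by that mismatch.
    """
    if value > MAX_16BIT and (value & MAX_16BIT) == 0:
        return True, value >> 16
    return False, None


def scan_stat_output(text: str) -> List[IfIndexFinding]:
    """Parse the data rows of a '-s if' table and classify each interface index."""
    findings = []
    for line in text.splitlines():
        match = ROW_RE.match(line)
        if not match:
            continue  # header, summary and blank lines
        ifindex, flows = int(match.group(1)), int(match.group(2))
        suspicious, candidate = classify_ifindex(ifindex)
        findings.append(IfIndexFinding(ifindex, flows, suspicious, candidate))
    return findings


def suspicious_flow_share(findings: List[IfIndexFinding]) -> float:
    """Fraction of the listed flows attributed to suspicious interface indexes."""
    total = sum(f.flows for f in findings)
    bad = sum(f.flows for f in findings if f.suspicious)
    return bad / total if total else 0.0


if __name__ == "__main__":
    results = scan_stat_output(SAMPLE_STAT_OUTPUT)
    for f in results:
        tag = f"suspicious, 16-bit candidate {f.candidate}" if f.suspicious else "ok"
        print(f"ifindex {f.ifindex:>10} flows {f.flows:>7}  {tag}")
    print(f"share of flows on suspicious indexes: {suspicious_flow_share(results):.1%}")
```

The check is deliberately narrow: it only reports values that the width-mismatch assumption can explain, so a legitimately large ifIndex with non-zero low bits is not flagged. Note that 16777216 (0x01000000) also passes the test, with 256 as its candidate; whether that is the real cause is something to confirm against the exporter's template rather than infer from the number alone.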




_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
