Hi James,

Could you please send me, off-list, a tcpdump of what is sent to the collector, in order to debug this issue and implement the 4-byte if fields?

Many thanks
- Peter

On 29.10.16 19:39, James A. Klun wrote:
> I am successfully running nfdump compiled via gcc/cygwin.
> Basic functionality is there:
>
> E:\netflow>nfdump -r 2055/nfcapd.201610281538 | more
>
> Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
> 1969-12-31 18:00:00.000     0.000 UDP      xxx.xxx.xxx.xxx:xxxx ->  xxx.xxx.xxx.xxx:49962       20    15642     1
> 1969-12-31 18:00:00.000     0.000 TCP      xxx.xxx.xxx.xxx:7800 ->  xxx.xxx.xxx.xxx:30488        2      104     1
> <continues - note the date oddity>
>
> The netflow source is Cisco gear running V9 netflow.
> SNMP interface numbers are important to me for analysis.
> What I am finding is that they are not captured correctly.
>
> E:\netflow>nfdump -r 2055/nfcapd.201610281538 -s if
>
> Top 10 In/Out If ordered by -:
> Date first seen          Duration Proto   In/Out If    Flows(%)     Packets(%)       Bytes(%)  pps  bps  bpp
> 1969-12-31 18:00:00.000     0.000 any              0 16214(50.3)   1.1 M(79.5)  476.2 M(92.5)    0    0  452
> 1969-12-31 18:00:00.000     0.000 any              5 16214(50.3)   1.1 M(79.5)  476.2 M(92.5)    0    0  452
> 1969-12-31 18:00:00.000     0.000 any         327680 16015(49.7)  272336(20.5)   38.7 M( 7.5)    0    0  142
> 1969-12-31 18:00:00.000     0.000 any       16777216 16015(49.7)  272336(20.5)   38.7 M( 7.5)    0    0  142
>
> Summary: total flows: 32229, total bytes: 514879163, total packets: 1325511, avg bps: 0, avg pps: 0, avg bpp: 0
> Time window: 2016-10-28 15:38:29 - 2016-10-28 15:43:29
> Total flows processed: 32229, Blocks skipped: 0, Bytes read: 2642986
> Sys: 0.000s flows/second: 0.0  Wall: 0.031s flows/second: 1032980.8
>
> and....
>
> nfdump -r 2055/nfcapd.201610281538 -o csv | cut -d, -f16,17 | sort | uniq -c
>
> 16 and 17 are the in, out fields. This produces:
>
>            in      out
>  24243 327680 16777216
>  80632      5        0
>
> I know the actual snmp index values from the router in question from running: snmp mib ifmib ifindex
> They range from 1-95. A number of them have activity.
> In the above, 5 (and 0) are legitimate; 327680 and 16777216 are not.
> 9 - an active interface shown in the wireshark excerpt below - simply does not appear at all. Most active interfaces are absent.
>
> I ran wireshark to capture netflow data directly......
> I waited long enough for the V9 flow template to be delivered, as discussed in
> https://www.wireshark.org/lists/wireshark-users/200905/msg00119.html
>
> Meaningful interface numbers ARE being delivered to nfcapd (wireshark excerpt below). See: ==>
>
>> No.    Time                           Source       Destination  Protocol Length OutputInt InputInt Info
>> 24949  2016-10-28 21:20:01.990125000  xx.xx.xx.xx  xx.xx.xx.xx  CFLOW    1340   64,66,68,70,72,74,11,13,15,17,18,76 total: 13 (v9) records
>>
>> Frame 24949: 1340 bytes on wire (10720 bits), 1340 bytes captured (10720 bits)
>>     Arrival Time: Oct 28, 2016 21:20:01.990125000 EDT
>>     Epoch Time: 1477704001.990125000 seconds
>>     [Time delta from previous captured frame: 0.000021000 seconds]
>>     [Time delta from previous displayed frame: 0.000091000 seconds]
>>     [Time since reference or first frame: 459.323921000 seconds]
>>     Frame Number: 24949
>>     Frame Length: 1340 bytes (10720 bits)
>>     Capture Length: 1340 bytes (10720 bits)
>>     [Frame is marked: False]
>>     [Frame is ignored: False]
>>     [Protocols in frame: eth:ip:udp:cflow]
>>     [Coloring Rule Name: UDP]
>>     [Coloring Rule String: udp]
>> Ethernet II, Src: Cisco_22: (), Dst: Vmware ()
>>
>> Cisco NetFlow/IPFIX                              ==> Note
>>     Version: 9                                   ==> Note
>>     Count: 13
>>     SysUptime: 1113116230
>>     Timestamp: Oct 28, 2016 21:20:02.000000000 EDT
>>     CurrentSecs: 1477704002
>>     FlowSequence: 808
>>     SourceId: 6
>>     FlowSet 1
>>         FlowSet Id: Options Template(V9) (1)
>>         FlowSet Length: 26
>>         Options Template (Id = 256) (Scope Count = 1; Data Count = 3)
>>             Template Id: 256
>>             Option Scope Length: 4
>>             Option Length: 12
>>             Field (1/1) [Scope]: System
>>                 Scope Type: System (1)
>>                 Length: 4
>>             Field (1/3): INPUT_SNMP
>>                 Type: INPUT_SNMP (10)
>>                 Length: 4
>>             Field (2/3): IF_NAME
>>                 Type: IF_NAME (82)
>>                 Length: 32
>>             Field (3/3): IF_DESC
>>                 Type: IF_DESC (83)
>>                 Length: 64
>>     FlowSet 2
>>         FlowSet Id: (Data) (256)
>>         FlowSet Length: 1252
>>         Flow 1
>>             ScopeSystem: 0a65fef0
>>             InputInt: 64                         ==> interface number is appearing
>>             IfName: Se0/2/0/23:0                 ==> correct association
>>             IfDescr: Serial0/2/0/23:0
>>         Flow 2
>>             ScopeSystem: 0a65fef0
>>             InputInt: 66
>>             IfName: Se0/2/0/24:0
>>             IfDescr: Serial0/2/0/24:0
>>         Flow 3
>>             ScopeSystem: 0a65fef0
>>             InputInt: 68
>>             IfName: Se0/2/0/25:0
>>             IfDescr: Serial0/2/0/25:0
>
> and
>
>> Cisco NetFlow/IPFIX
>>     Version: 9
>>     Count: 38
>>     SysUptime: 261103507
>>     Timestamp: Oct 28, 2016 21:12:22.000000000 EDT
>>     CurrentSecs: 1477703542
>>     FlowSequence: 159997
>>     SourceId: 2304
>>     FlowSet 1
>>         FlowSet Id: (Data) (264)
>>         FlowSet Length: 1336
>>         Flow 1
>>             SrcAddr: 122.x.x.x (122.x.x.x)
>>             DstAddr: 122.x.x.x (122.x.x.x)
>>             IP ToS: 0x68
>>             Protocol: 17
>>             SrcPort: 20903
>>             DstPort: 53
>>             OutputInt: 9                         ===> interface number appears (and interface is in fact active)
>>             Direction: Egress (1)
>>             Octets: 79
>>             Packets: 1
>
> The interface number information is clearly being delivered, the interfaces have activity, and yet my nfdump reporting runs fail to reveal them.
>
> Nfdump (1.6.13) has V9 support (my understanding). I would expect the correct interface numbers to be there.
>
> Any help appreciated ... assumption is there is something I am simply doing wrong.
>
> _______________________________________________
> Nfdump-discuss mailing list
> Nfdump-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss

-- 
Be nice to your netflow data. Use NfSen and nfdump :)
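The thread turns on a NetFlow v9 template that declares INPUT_SNMP and OUTPUT_SNMP with a length of 4 bytes, while a collector that assumes the classic 2-byte width will read the wrong bytes and desynchronise every later field in the record. The following Python is an added example (not code from nfdump or from either poster): it builds a constructed v9 packet containing one template and two data records, decodes it once honouring the template's field lengths, and once with the interface fields forced to 2 bytes. All packet contents (template id 264, addresses, ports, interface indexes, byte counts) are constructed here; nothing is claimed about the actual cause of the problem in nfdump 1.6.13.

```python
import struct

# NetFlow v9 field type ids (RFC 3954, Cisco field table) used in this example
IN_BYTES, IN_PKTS, PROTOCOL, L4_SRC_PORT = 1, 2, 4, 7
IPV4_SRC_ADDR, INPUT_SNMP, L4_DST_PORT, IPV4_DST_ADDR, OUTPUT_SNMP = 8, 10, 11, 12, 14
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 10: "INPUT_SNMP", 11: "L4_DST_PORT",
               12: "IPV4_DST_ADDR", 14: "OUTPUT_SNMP"}

# Constructed template: interface fields exported as 4-byte values, as in the
# Wireshark excerpt in the thread ("Type: INPUT_SNMP (10), Length: 4").
TEMPLATE_ID = 264
TEMPLATE = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (PROTOCOL, 1),
            (L4_SRC_PORT, 2), (L4_DST_PORT, 2), (INPUT_SNMP, 4),
            (OUTPUT_SNMP, 4), (IN_BYTES, 4), (IN_PKTS, 4)]

# Two constructed flow records (ifIndex 5->9 and 64->66 are sample values).
RECORDS = [
    {8: 0x0A000001, 12: 0x0A000002, 4: 17, 7: 20903, 11: 53, 10: 5, 14: 9, 1: 79, 2: 1},
    {8: 0x0A000003, 12: 0x0A000004, 4: 6, 7: 7800, 11: 30488, 10: 64, 14: 66, 1: 104, 2: 2},
]


def build_template_flowset(template_id, fields):
    """Template FlowSet (id 0): template id, field count, then (type, length) pairs."""
    body = struct.pack("!HH", template_id, len(fields))
    for ftype, flen in fields:
        body += struct.pack("!HH", ftype, flen)
    return struct.pack("!HH", 0, 4 + len(body)) + body


def build_data_flowset(template_id, fields, records):
    """Data FlowSet: records laid out exactly as the template says, padded to 4 bytes."""
    body = b"".join(rec[ftype].to_bytes(flen, "big")
                    for rec in records for ftype, flen in fields)
    body += b"\x00" * ((-len(body)) % 4)
    return struct.pack("!HH", template_id, 4 + len(body)) + body


def build_packet():
    # v9 header: version, count, sysUptime, unixSecs, sequence, sourceId (sample values)
    header = struct.pack("!HHIIII", 9, 1 + len(RECORDS), 1113116230, 1477704002, 808, 6)
    return (header + build_template_flowset(TEMPLATE_ID, TEMPLATE)
            + build_data_flowset(TEMPLATE_ID, TEMPLATE, RECORDS))


SAMPLE_PACKET = build_packet()  # constructed, not captured traffic


def parse_v9(packet, fixed_if_len=None):
    """Decode templates and data records from one v9 packet.

    fixed_if_len=None: use the width the template declares for every field.
    fixed_if_len=2:    ignore the declared width of INPUT_SNMP/OUTPUT_SNMP and
                       read 2 bytes, mimicking a collector with a hard-coded width.
    """
    version = struct.unpack("!H", packet[:2])[0]
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    templates, records, off = {}, [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        fs = packet[off + 4:off + fs_len]
        if fs_id == 0:  # template FlowSet
            p = 0
            while p + 4 <= len(fs):
                tid, nfields = struct.unpack("!HH", fs[p:p + 4])
                p += 4
                if tid < 256:  # reached padding; template ids start at 256
                    break
                fields = []
                for _ in range(nfields):
                    ftype, flen = struct.unpack("!HH", fs[p:p + 4])
                    p += 4
                    if fixed_if_len and ftype in (INPUT_SNMP, OUTPUT_SNMP):
                        flen = fixed_if_len  # the bug being demonstrated
                    fields.append((ftype, flen))
                templates[tid] = fields
        elif fs_id in templates:  # data FlowSet for a known template
            fields = templates[fs_id]
            rec_len = sum(flen for _, flen in fields)
            p = 0
            while p + rec_len <= len(fs):
                rec = {}
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, ftype)] = int.from_bytes(fs[p:p + flen], "big")
                    p += flen
                records.append(rec)
        off += fs_len
    return templates, records


if __name__ == "__main__":
    for label, width in (("template width", None), ("forced 2-byte", 2)):
        _, recs = parse_v9(SAMPLE_PACKET, fixed_if_len=width)
        print(label, [(r["INPUT_SNMP"], r["OUTPUT_SNMP"], r["IN_BYTES"]) for r in recs])
```

With the template honoured, the two records decode to interface pairs 5->9 and 64->66. With the interface width forced to 2 bytes the first record reports ifIndex 0 and 5 and a byte count of 9, and the second record's "interface" values are actually the ports of the real second record, because every field after the first mis-sized one is read from the wrong offset. A quick check on a live collector is therefore to compare the interface ids it reports against the lengths in the exporter's template (visible in Wireshark under FlowSet Id: Template), exactly as done in the thread.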