Hi James,
Could you please send me, off-list, a tcpdump of what is sent to the collector, in order to
debug this issue and implement the 4-byte if fields?

Many thanks

        - Peter


On 29.10.16 19:39, James A. Klun wrote:
> 
> I am successfully running nfdump compiled via gcc/cygwin.
> 
> Basic functionality is there:
> 
> 
>         > E:\netflow>nfdump -r 2055/nfcapd.201610281538 | more
> 
>     > Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
>     > 1969-12-31 18:00:00.000     0.000 UDP xxx.xxx.xxx.xxx:xxxx     ->     xxx.xxx.xxx.xxx:49962       20    15642     1
>     > 1969-12-31 18:00:00.000     0.000 TCP xxx.xxx.xxx.xxx:7800     ->     xxx.xxx.xxx.xxx:30488        2      104     1
> 
>      <continues - note the date oddity>
> 
> 
> The netflow source is Cisco gear running V9 netflow.
> 
>  SNMP interface numbers are important to me for analysis.
> 
>  What I am finding is that they are not captured correctly:
> 
>         > E:\netflow>nfdump -r 2055/nfcapd.201610281538 -s if
>         > Top 10 In/Out If ordered by -:
>         > Date first seen          Duration Proto    In/Out If     Flows(%)      Packets(%)       Bytes(%)   pps   bps   bpp
>         > 1969-12-31 18:00:00.000     0.000 any               0  16214(50.3)    1.1 M(79.5)  476.2 M(92.5)     0     0   452
>         > 1969-12-31 18:00:00.000     0.000 any               5  16214(50.3)    1.1 M(79.5)  476.2 M(92.5)     0     0   452
>         > 1969-12-31 18:00:00.000     0.000 any          327680  16015(49.7)    272336(20.5)   38.7 M( 7.5)     0     0   142
>         > 1969-12-31 18:00:00.000     0.000 any        16777216  16015(49.7)    272336(20.5)   38.7 M( 7.5)     0     0   142
> 
>         > Summary: total flows: 32229, total bytes: 514879163, total packets: 1325511, avg bps: 0, avg pps: 0, avg bpp: 0
>         > Time window: 2016-10-28 15:38:29 - 2016-10-28 15:43:29
>         > Total flows processed: 32229, Blocks skipped: 0, Bytes read: 2642986
>         > Sys: 0.000s flows/second: 0.0        Wall: 0.031s flows/second: 1032980.8
> 
>    and....
> 
> 
>        nfdump -r 2055/nfcapd.201610281538 -o csv | cut -d, -f16,17 | sort | uniq -c
> 
>        Fields 16 and 17 are the in/out interfaces; this produces:
> 
>                       in        out
>           24243   327680   16777216
>           80632        5          0
> 
>  I know the actual snmp index values from the router in question from
>  running: snmp mib ifmib ifindex
>  They range from 1-95.  A number of them have activity. In the above, 5 (and
>  0) are legitimate; 327680 and 16777216 are not.
>  9 - an active interface shown in the wireshark excerpt below - simply does
>  not appear at all. Most active interfaces are absent.
> 
> I ran wireshark to capture netflow data directly.
> I waited long enough for the V9 flow template to be delivered, as discussed in
> https://www.wireshark.org/lists/wireshark-users/200905/msg00119.html
> 
> Meaningful interface numbers ARE being delivered to nfcapd (wireshark
> excerpt below). See: ==>
> 
>             >>No.    Time                           Source         Destination    Protocol Length OutputInt  InputInt   Info
>             >>24949  2016-10-28 21:20:01.990125000  xx.xx.xx.xx    xx.xx.xx.xx    CFLOW    1340                         64,66,68,70,72,74,11,13,15,17,18,76 total: 13 (v9) records
>             >>
>             >>Frame 24949: 1340 bytes on wire (10720 bits), 1340 bytes captured (10720 bits)
>             >>    Arrival Time: Oct 28, 2016 21:20:01.990125000 EDT
>             >>    Epoch Time: 1477704001.990125000 seconds
>             >>    [Time delta from previous captured frame: 0.000021000 seconds]
>             >>    [Time delta from previous displayed frame: 0.000091000 seconds]
>             >>    [Time since reference or first frame: 459.323921000 seconds]
>             >>    Frame Number: 24949
>             >>    Frame Length: 1340 bytes (10720 bits)
>             >>    Capture Length: 1340 bytes (10720 bits)
>             >>    [Frame is marked: False]
>             >>    [Frame is ignored: False]
>             >>    [Protocols in frame: eth:ip:udp:cflow]
>             >>    [Coloring Rule Name: UDP]
>             >>    [Coloring Rule String: udp]
>             >>Ethernet II, Src: Cisco_22: (), Dst: Vmware ()
>             >>
>             >>Cisco NetFlow/IPFIX   ==> Note
>             >>    Version: 9              ==> Note
>             >>    Count: 13
>             >>    SysUptime: 1113116230
>             >>    Timestamp: Oct 28, 2016 21:20:02.000000000 EDT
>             >>        CurrentSecs: 1477704002
>             >>    FlowSequence: 808
>             >>    SourceId: 6
>             >>    FlowSet 1
>             >>        FlowSet Id: Options Template(V9) (1)
>             >>        FlowSet Length: 26
>             >>        Options Template (Id = 256) (Scope Count = 1; Data Count = 3)
>             >>            Template Id: 256
>             >>            Option Scope Length: 4
>             >>            Option Length: 12
>             >>            Field (1/1) [Scope]: System
>             >>                Scope Type: System (1)
>             >>                Length: 4
>             >>            Field (1/3): INPUT_SNMP
>             >>                Type: INPUT_SNMP (10)
>             >>                Length: 4
>             >>            Field (2/3): IF_NAME
>             >>                Type: IF_NAME (82)
>             >>                Length: 32
>             >>            Field (3/3): IF_DESC
>             >>                Type: IF_DESC (83)
>             >>                Length: 64
>             >>    FlowSet 2
>             >>        FlowSet Id: (Data) (256)
>             >>        FlowSet Length: 1252
>             >>        Flow 1
>             >>            ScopeSystem: 0a65fef0
>             >>            InputInt: 64 ==> interface number is appearing
>             >>            IfName: Se0/2/0/23:0           ==> correct association
>             >>            IfDescr: Serial0/2/0/23:0
>             >>        Flow 2
>             >>            ScopeSystem: 0a65fef0
>             >>            InputInt: 66
>             >>            IfName: Se0/2/0/24:0
>             >>            IfDescr: Serial0/2/0/24:0
>             >>        Flow 3
>             >>            ScopeSystem: 0a65fef0
>             >>            InputInt: 68
>             >>            IfName: Se0/2/0/25:0
>             >>            IfDescr: Serial0/2/0/25:0
> 
>            and
> 
>             >>Cisco NetFlow/IPFIX
>             >>    Version: 9
>             >>    Count: 38
>             >>    SysUptime: 261103507
>             >>    Timestamp: Oct 28, 2016 21:12:22.000000000 EDT
>             >>        CurrentSecs: 1477703542
>             >>    FlowSequence: 159997
>             >>    SourceId: 2304
>             >>    FlowSet 1
>             >>        FlowSet Id: (Data) (264)
>             >>        FlowSet Length: 1336
>             >>        Flow 1
>             >>            SrcAddr: 122.x.x.x.(122.x.x.x)
>             >>            DstAddr: 122.x.x.x (122.x.x.x)
>             >>            IP ToS: 0x68
>             >>            Protocol: 17
>             >>            SrcPort: 20903
>             >>            DstPort: 53
>             >>            OutputInt: 9                  ===> interface number appears (and interface is in fact active)
>             >>            Direction: Egress (1)
>             >>            Octets: 79
>             >>            Packets: 1
> 
> 
> 
> 
> The interface number information is clearly being delivered, the interfaces
> have activity, and yet my nfdump reporting runs fail to reveal them.
> 
>  Nfdump (1.6.13) has V9 support (my understanding). I would expect the
>  correct interface numbers to be there.
> 
>  Any help appreciated ... assumption is there is something I am simply doing
>  wrong.
> 
> _______________________________________________
> Nfdump-discuss mailing list
> Nfdump-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
> 

-- 
Be nice to your netflow data. Use NfSen and nfdump :)
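
The thread turns on one detail of the capture: the exporter's templates declare INPUT_SNMP (and, in the data template, OUTPUT_SNMP) as 4-byte fields, and Peter's reply is about implementing those 4-byte if fields. A v9 collector has no fixed record layout; it must take every field width from the template it learned for that (source id, template id) pair. James's two bogus values are 5 << 16 and 1 << 24, a small ifIndex sitting in the wrong bytes of a 32-bit word, which is the kind of result a width or offset mismatch on a 4-byte field produces; whether that is exactly what nfdump 1.6.13 did is not shown on this page. The following is an added example, not nfdump's or Cisco's code: a minimal v9 decoder that learns data and options templates and reads each record with the declared widths, plus a switch that forces 2-byte interface fields to show how the same bytes then misparse. The packets are constructed in-line; template ids 256 and 264, the options template layout (System scope, INPUT_SNMP, IF_NAME, IF_DESC) and ifIndex 64/66/68 are taken from the capture above, while addresses, ports and counters are made up.

```python
"""Decode NetFlow v9 templates and data records honoring per-field widths.
Added example, not nfdump or Cisco code. Packets are constructed in-line;
field type ids follow RFC 3954. Template ids, the options template layout
and ifIndex 64/66/68 come from the capture in the post; the rest is made up."""
import struct

V9_HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unixSecs, seq, sourceId
IN_BYTES, IN_PKTS, PROTOCOL, L4_SRC_PORT, IPV4_SRC_ADDR = 1, 2, 4, 7, 8
INPUT_SNMP, L4_DST_PORT, IPV4_DST_ADDR, OUTPUT_SNMP = 10, 11, 12, 14
IF_NAME, IF_DESC = 82, 83
STRING_FIELDS = {IF_NAME, IF_DESC}
SCOPE_SYSTEM = ("scope", 1)  # scope type 1 = System; scope ids are a separate numbering space


def build_packet(template_id, fields, records, source_id=2304, n_scope=0):
    """One export: a data template (n_scope == 0) or options template flowset,
    then a data flowset using it. fields: [(key, length)]; records: [{key: int|bytes}]."""
    tmpl = (struct.pack("!HHH", template_id, 4 * n_scope, 4 * (len(fields) - n_scope)) if n_scope
            else struct.pack("!HH", template_id, len(fields)))
    tmpl += b"".join(struct.pack("!HH", k[1] if isinstance(k, tuple) else k, l) for k, l in fields)
    out = struct.pack("!HH", 1 if n_scope else 0, 4 + len(tmpl)) + tmpl
    data = b""
    for rec in records:
        for k, l in fields:
            v = rec[k]
            data += v.ljust(l, b"\x00")[:l] if isinstance(v, bytes) else v.to_bytes(l, "big")
    data += b"\x00" * (-len(data) % 4)  # exporters pad flowsets to a 32-bit boundary
    out += struct.pack("!HH", template_id, 4 + len(data)) + data
    return V9_HEADER.pack(9, 1 + len(records), 1113116230, 1477704002, 808, source_id) + out


def decode(packet, templates=None, if_width=None):
    """Parse one packet, learning templates keyed by (sourceId, templateId), and
    return its data records. if_width overrides the template width of
    INPUT_SNMP/OUTPUT_SNMP; it exists only to show what a collector that
    hard-codes 2-byte interface fields makes of a template declaring 4-byte ones."""
    templates = {} if templates is None else templates
    version, _cnt, _up, _secs, _seq, source_id = V9_HEADER.unpack_from(packet, 0)
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    off, records = V9_HEADER.size, []
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad flowset length")  # never trust the exporter's lengths
        body, p = packet[off + 4:off + fs_len], 0
        while fs_id in (0, 1) and p + 6 <= len(body):  # template flowsets: 0 = data, 1 = options
            if fs_id == 0:
                tid, n = struct.unpack_from("!HH", body, p)
                n_scope, p = 0, p + 4
            else:
                tid, sl, ol = struct.unpack_from("!HHH", body, p)
                n, n_scope, p = (sl + ol) // 4, sl // 4, p + 6
            if n == 0:
                break  # trailing padding
            raw = [struct.unpack_from("!HH", body, p + 4 * i) for i in range(n)]
            templates[(source_id, tid)] = [(("scope", t) if i < n_scope else t, l)
                                           for i, (t, l) in enumerate(raw)]
            p += 4 * n
        fields = templates.get((source_id, fs_id)) if fs_id >= 256 else None
        if fields:  # data flowset whose template we have seen
            if if_width:
                fields = [(k, if_width if k in (INPUT_SNMP, OUTPUT_SNMP) else l) for k, l in fields]
            rec_len = sum(l for _, l in fields)
            while rec_len and p + rec_len <= len(body):  # padding shorter than a record is ignored
                rec = {}
                for k, l in fields:
                    raw, p = body[p:p + l], p + l
                    rec[k] = (raw.rstrip(b"\x00").decode("ascii", "replace") if k in STRING_FIELDS
                              else int.from_bytes(raw, "big"))
                records.append(rec)
        off += fs_len
    return records


def interface_pairs(records):
    """(INPUT_SNMP, OUTPUT_SNMP) per record: the two csv columns from the post."""
    return [(r.get(INPUT_SNMP), r.get(OUTPUT_SNMP)) for r in records]


def records_in_flowset(fields, flowset_len):
    """Fixed-size records carried by a data flowset of the given length."""
    return (flowset_len - 4) // sum(l for _, l in fields)


# Data template like the capture's id 264, with 4-byte interface fields (constructed).
DATA_FIELDS = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (PROTOCOL, 1), (L4_SRC_PORT, 2),
               (L4_DST_PORT, 2), (INPUT_SNMP, 4), (OUTPUT_SNMP, 4), (IN_BYTES, 4), (IN_PKTS, 4)]
FLOWS = [  # constructed sample flows
    {IPV4_SRC_ADDR: 0x0A000001, IPV4_DST_ADDR: 0x0A000002, PROTOCOL: 17, L4_SRC_PORT: 20903,
     L4_DST_PORT: 53, INPUT_SNMP: 5, OUTPUT_SNMP: 9, IN_BYTES: 79, IN_PKTS: 1},
    {IPV4_SRC_ADDR: 0x0A000003, IPV4_DST_ADDR: 0x0A000004, PROTOCOL: 6, L4_SRC_PORT: 7800,
     L4_DST_PORT: 30488, INPUT_SNMP: 9, OUTPUT_SNMP: 66, IN_BYTES: 15642, IN_PKTS: 20},
]
# Options template exactly as in the capture (id 256): System scope, INPUT_SNMP, IF_NAME, IF_DESC.
OPTION_FIELDS = [(SCOPE_SYSTEM, 4), (INPUT_SNMP, 4), (IF_NAME, 32), (IF_DESC, 64)]
OPTION_RECORDS = [{SCOPE_SYSTEM: 0x0A65FEF0, INPUT_SNMP: i, IF_NAME: b"Se0/2/0/%d:0" % n,
                   IF_DESC: b"Serial0/2/0/%d:0" % n} for i, n in ((64, 23), (66, 24), (68, 25))]
```

With the template honored, `decode(build_packet(264, DATA_FIELDS, FLOWS))` yields interface pairs (5, 9) and (9, 66). With `if_width=2` the same bytes yield (0, 5) and (7800, 30488): the first record reads the wrong halves of the 4-byte ifIndex words, and the second "record" is flow B's source and destination ports, because every record is now 4 bytes short and the reader has drifted into the next flow. The options template from the capture has a 104-byte record, so `records_in_flowset(OPTION_FIELDS, 1252)` is 12, matching the 12 ifIndex values in the Wireshark summary line (13 records counting the template), and decoding a packet built with `n_scope=1` returns the ifIndex to IfName/IfDescr mapping that `-s if` output could be annotated with.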
