I'm trying to use nfdump-1.6.13 to decode IPFIX flow records exported
from a Huawei NE40E-M2F router (running VRP 8.120 V800R008C10SPC300).
The problem is that the flow first / last times (each exported as a
4 byte field in units of milliseconds) are shown as 0 [1970-01-01 01:00:00]:

Flow Record:
Flags = 0x06 FLOW, Unsampled
export sysid = 1
size = 64
first = 0 [1970-01-01 01:00:00]
last = 0 [1970-01-01 01:00:00]
msec_first = 0
msec_last = 0
src addr = 172.17.151.2
dst addr = 172.17.150.2
src port = 38677
dst port = 5201
fwd status = 0
tcp flags = 0x00 ......
proto = 17
(src)tos = 0
(in)packets = 25398
(in)bytes = 38554164
input = 46
output = 45
src as = 0
dst as = 0
ip router = 172.16.1.22

I have looked at the fields in Wireshark, and they clearly have a
reasonable value (e.g. 64529000 for 64529 seconds).

If I change the export format to v9, nfdump decodes the first / last
fields just fine - but Wireshark shows that in both cases the fields
have sensible values (4 byte milliseconds).

If anybody could help me look at this, I have made pcaps of both the v9
and IPFIX exports, and the nfcapd file for the IPFIX export, available
at

http://www.nethelp.no/nfdump-info.tgz

This contains

-rw-r--r-- 0 sthaug sthaug 758 Nov 9 09:35 nfcapd.201611090930
-rw-r--r-- 0 sthaug sthaug 8472 Nov 9 09:52 ipfix.pcap
-rw-r--r-- 0 sthaug sthaug 7420 Nov 9 09:24 v9.pcap

nfdump output above is from "nfdump -o raw -r nfcapd.201611090930".

Steinar Haug, AS 2116
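
An added example, not part of the original post and not nfdump code: a NetFlow v9 packet header carries the exporter's sysUpTime, while the IPFIX message header does not, so a 4 byte millisecond start/end time can only be turned into an absolute time if the exporter also sends a base such as systemInitTimeMilliseconds. The sketch below lists the timestamp information elements an IPFIX template declares; the function names and the sample template are constructed for illustration and are not taken from the pcap files above.

```python
import struct

# IANA IPFIX information elements that carry flow timestamps.
TIME_IES = {
    21: "flowEndSysUpTime", 22: "flowStartSysUpTime",
    150: "flowStartSeconds", 151: "flowEndSeconds",
    152: "flowStartMilliseconds", 153: "flowEndMilliseconds",
    160: "systemInitTimeMilliseconds",
}

def time_fields(msg):
    """Return {template_id: [(ie_id, name, length), ...]} for one IPFIX message."""
    version, length = struct.unpack_from("!HH", msg, 0)
    if version != 10 or length > len(msg):
        raise ValueError("not a complete IPFIX message")
    found, off = {}, 16                      # IPFIX message header is 16 bytes
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4 or off + set_len > length:
            raise ValueError("bad set length")
        pos, end = off + 4, off + set_len
        while set_id == 2 and pos + 4 <= end:    # set ID 2 = template set
            tid, count = struct.unpack_from("!HH", msg, pos)
            if tid < 256:                    # template IDs start at 256: padding
                break
            pos, fields = pos + 4, []
            for _ in range(count):
                ie, flen = struct.unpack_from("!HH", msg, pos)
                pos += 4
                if ie & 0x8000:              # enterprise-specific: skip the PEN
                    pos += 4
                elif ie in TIME_IES:
                    fields.append((ie, TIME_IES[ie], flen))
            found[tid] = fields
        off += set_len
    return found

def relative_only(fields):
    """True if times are sysUpTime-relative and this template has no IE 160.
    IE 160 may also arrive via an options template (set ID 3), not parsed here."""
    ids = {ie for ie, _, _ in fields}
    return bool(ids & {21, 22}) and 160 not in ids

# Constructed sample: one template (ID 256) with src/dst address and two
# 4 byte sysUpTime-relative time fields.
SAMPLE = (struct.pack("!HHIII", 10, 40, 1478680500, 0, 1)
          + struct.pack("!HHHH", 2, 24, 256, 4)
          + struct.pack("!8H", 8, 4, 12, 4, 22, 4, 21, 4))
```

Feeding it the UDP payload of a template-carrying packet from an IPFIX capture shows which time encoding the exporter actually uses.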