Hi James,
Could you please send me off-list a tcpdump, sent to the collector in order to
debug this issue
and implement the 4 bytes if fields?
Many thanks
- Peter
On 29.10.16 19:39, James A. Klun wrote:
>
> I am successfully running nfdump compiled via gcc/cygwin.
>
> Basic functionality is there:
>
>
> > E:\netflow>nfdump -r 2055/nfcapd.201610281538 | more
>
> > Date first seen Duration Proto Src IP
> Addr:Port Dst IP Addr:Port Packets Bytes Flows
> > 1969-12-31 18:00:00.000 0.000 UDP xxx.xxx.xxx.xxx:xxxx ->
> xxx.xxx.xxx.xxx:49962 20 15642 1
> > 1969-12-31 18:00:00.000 0.000 TCP xxx.xxx.xxx.xxx:7800 ->
> xxx.xxx.xxx.xxx:30488 2 104 1
>
> <continues - note the date oddity>
>
>
> The netflow source is Cisco gear running V9 netflow
>
> SNMP interface numbers are important to me for analysis.
>
> What I am finding is that they are not captured correctly
>
> > E:\netflow>nfdump -r 2055/nfcapd.201610281538 -s if
> > Top 10 In/Out If ordered by -:
> > Date first seen Duration Proto In/Out
> If Flows(%) Packets(%) Bytes(%) pps
> bps bpp
> > 1969-12-31 18:00:00.000 0.000 any 0
> 16214(50.3) 1.1 M(79.5) 476.2
> M(92.5) 0 0 452
> > 1969-12-31 18:00:00.000 0.000 any 5
> 16214(50.3) 1.1 M(79.5) 476.2 M(92.5)
> 0 0 452
> > 1969-12-31 18:00:00.000 0.000 any 327680
> 16015(49.7) 272336(20.5) 38.7 M( 7.5)
> 0 0 142
> > 1969-12-31 18:00:00.000 0.000 any 16777216
> 16015(49.7) 272336(20.5) 38.7 M( 7.5) 0
> 0 142
>
> > Summary: total flows: 32229, total bytes: 514879163, total
> packets: 1325511, avg bps: 0, avg pps: 0, avg bpp: 0
> > Time window: 2016-10-28 15:38:29 - 2016-10-28 15:43:29
> > Total flows processed: 32229, Blocks skipped: 0, Bytes read:
> 2642986
> > Sys: 0.000s flows/second: 0.0 Wall: 0.031s
> flows/second: 1032980.8
>
> and....
>
>
> nfdump -r 2055/nfcapd.201610281538 -o csv | cut -d, -f16,17 |
> sort | uniq -c
>
> 16 and 17 are the produces:
>
> in, out
> 24243 327680 16777216
> 80632 5 0
>
> I know the actual snmp index values from the router in question from
> running: snmp mib ifmib ifindex
> They range from 1-95. A number of them have activity. In the above, 5 (and
> 0) are legitimate, 327680 and 16777216 are
> not.
> 9 - an active interface shown in the wireshark excerpt below - simply does
> not appear all. Most active interfaces are
> absent
>
> I ran wireshark to capture netflow data directly......
> I waited long enough for the V9 flow template to be delivered as discussed in
> https://www.wireshark.org/lists/wireshark-users/200905/msg00119.html
>
> Meaningful interface numbers ARE being delivered to nfcapd ( wireshark
> excerpt below ) See: ==>
>
> >>No. Time Source Destination
> Protocol Length OutputInt InputInt Info
> >> 24949 2016-10-28 21:20:01.990125000 xx.xx.xx.xx
> xx.xx.xx.xx CFLOW
> 1340 64,66,68,70,72,74,11,13,15,17,18,76 total: 13
> (v9) records
> >>
> >>Frame 24949: 1340 bytes on wire (10720 bits), 1340 bytes
> captured (10720 bits)
> >> Arrival Time: Oct 28, 2016 21:20:01.990125000 EDT
> >> Epoch Time: 1477704001.990125000 seconds
> >> [Time delta from previous captured frame: 0.000021000
> seconds]
> >> [Time delta from previous displayed frame:
> 0.000091000 seconds]
> >> [Time since reference or first frame: 459.323921000
> seconds]
> >> Frame Number: 24949
> >> Frame Length: 1340 bytes (10720 bits)
> >> Capture Length: 1340 bytes (10720 bits)
> >> [Frame is marked: False]
> >> [Frame is ignored: False]
> >> [Protocols in frame: eth:ip:udp:cflow]
> >> [Coloring Rule Name: UDP]
> >> [Coloring Rule String: udp]
> >>Ethernet II, Src: Cisco_22: (), Dst: Vmware ()
> >>
> >>Cisco NetFlow/IPFIX ==> Note
> >> Version: 9 ==> Note
> >> Count: 13
> >> SysUptime: 1113116230
> >> Timestamp: Oct 28, 2016 21:20:02.000000000 EDT
> >> CurrentSecs: 1477704002
> >> FlowSequence: 808
> >> SourceId: 6
> >> FlowSet 1
> >> FlowSet Id: Options Template(V9) (1)
> >> FlowSet Length: 26
> >> Options Template (Id = 256) (Scope Count = 1;
> Data Count = 3)
> >> Template Id: 256
> >> Option Scope Length: 4
> >> Option Length: 12
> >> Field (1/1) [Scope]: System
> >> Scope Type: System (1)
> >> Length: 4
> >> Field (1/3): INPUT_SNMP
> >> Type: INPUT_SNMP (10)
> >> Length: 4
> >> Field (2/3): IF_NAME
> >> Type: IF_NAME (82)
> >> Length: 32
> >> Field (3/3): IF_DESC
> >> Type: IF_DESC (83)
> >> Length: 64
> >> FlowSet 2
> >> FlowSet Id: (Data) (256)
> >> FlowSet Length: 1252
> >> Flow 1
> >> ScopeSystem: 0a65fef0
> >> InputInt: 64 ==> interface number is appearing
> >> IfName: Se0/2/0/23:0 ==> correct
> association
> >> IfDescr: Serial0/2/0/23:0
> >> Flow 2
> >> ScopeSystem: 0a65fef0
> >> InputInt: 66
> >> IfName: Se0/2/0/24:0
> >> IfDescr: Serial0/2/0/24:0
> >> Flow 3
> >> ScopeSystem: 0a65fef0
> >> InputInt: 68
> >> IfName: Se0/2/0/25:0
> >> IfDescr: Serial0/2/0/25:0
>
> and
>
> >>Cisco NetFlow/IPFIX
> >> Version: 9
> >> Count: 38
> >> SysUptime: 261103507
> >> Timestamp: Oct 28, 2016 21:12:22.000000000 EDT
> >> CurrentSecs: 1477703542
> >> FlowSequence: 159997
> >> SourceId: 2304
> >> FlowSet 1
> >> FlowSet Id: (Data) (264)
> >> FlowSet Length: 1336
> >> Flow 1
> >> SrcAddr: 122.x.x.x.(122.x.x.x)
> >> DstAddr: 122.x.x.x (122.x.x.x)
> >> IP ToS: 0x68
> >> Protocol: 17
> >> SrcPort: 20903
> >> DstPort: 53
> >> OutputInt: 9 ===> interface
> number appears (and interface is in fact active )
> >> Direction: Egress (1)
> >> Octets: 79
> >> Packets: 1
>
>
>
>
> The interface number information is clearly being delivered, the interfaces
> have activity, and yet my nfdump reporting
> runs fail to reveal them.
>
> Nfdump (1.6.13) has V9 has support ( my understanding ). I would expect the
> correct interface numbers to be there.
>
> Any help appreciated ... assumption is there is something I am simply doing
> wrong.
>
>
>
>
>
>
>
>
>
> ------------------------------------------------------------------------------
> The Command Line: Reinvented for Modern Developers
> Did the resurgence of CLI tooling catch you by surprise?
> Reconnect with the command line and become more productive.
> Learn the new .NET and ASP.NET CLI. Get your free copy!
> http://sdm.link/telerik
>
>
>
> _______________________________________________
> Nfdump-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
>
--
Be nice to your netflow data. Use NfSen and nfdump :)
------------------------------------------------------------------------------
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today. http://sdm.link/xeonphi
_______________________________________________
Nfdump-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
