I might be missing something, but I dunno.. I've attached a wireshark capture, a nfcapd -E dump and a nfdump -o cap to try to illustrate my question. The wireshark capture, nfcapd capture and nfdump capture are not from the same flow. I'm just using them as examples..
My XR box is exporting SrcAS and DstAS and nfcapd and nfdump see this AS data but write it as "prev as" and/or "next as". In nfsen (or even in nfdump, for that matter), I'm not able to actually use this data in any way. I'd like to be able to use it the same way one would use SrcAS or DstAS; search keys for statistics, mainly. Is SrcAS/DstAS not supported or something?

Frame 1: 1494 bytes on wire (11952 bits), 1494 bytes captured (11952 bits)
Ethernet II, Src: Cisco_ba:ba:40 (f4:ac:c1:ba:ba:40), Dst: Vmware_a5:70:ae (00:0c:29:a5:70:ae)
Internet Protocol Version 4, Src: 10.219.49.11 (10.219.49.11), Dst: 10.219.51.130 (10.219.51.130)
User Datagram Protocol, Src Port: 20762 (20762), Dst Port: 4911 (4911)
Cisco NetFlow/IPFIX
    Version: 9
    Count: 25
    SysUptime: 842465796
    Timestamp: Dec 21, 2012 18:26:17.000000000 EST
    FlowSequence: 999480
    SourceId: 2049
    FlowSet 1
        FlowSet Id: (Data) (324)
        FlowSet Length: 1432
        Flow 1
            Packets: 1
            Octets: 551
            SrcAddr: mail.bosworthfieldassoc.com (64.40.179.2)
            DstAddr: 146.66.153.174 (146.66.153.174)
            InputInt: 36
            OutputInt: 18
            [Duration: 0.000000000 seconds]
            SrcPort: 28961
            DstPort: 37956
            PeerSrcAS: 32900
            PeerDstAS: 3356
            BGPNextHop: ae5-269.edge3.newyork1.level3.net (4.28.132.85)
            SrcMask: 20
            DstMask: 23
            Protocol: 17
            TCP Flags: 0x00
            IP ToS: 0x00
            Direction: Egress (1)
            Forwarding Status: Forward: Forwarded (Unknown)
            SamplerID: 1
        Flow 2
            Packets: 1
            Octets: 60
            SrcAddr: lb2.readingrockets.org (144.202.247.111)
            DstAddr: informativodigital.info (72.15.54.212)
            InputInt: 18
            OutputInt: 42
            [Duration: 0.000000000 seconds]
            SrcPort: 42613
            DstPort: 4506
            PeerSrcAS: 3356
            PeerDstAS: 0
            BGPNextHop: lo0.pe01.23fraserav01.yyz.beanfield.com (72.15.50.34)
            SrcMask: 16
            DstMask: 26
            Protocol: 6
            TCP Flags: 0x02
            IP ToS: 0x00
            Direction: Ingress (0)
            Forwarding Status: Forward: Forwarded (Unknown)
            SamplerID: 1

nfcapd -E:

Flow Record:
  Flags = 0x06 Unsampled
  export sysid = 1
  size = 92
  first = 1356130756 [2012-12-21 17:59:16]
  last = 1356130757 [2012-12-21 17:59:17]
  msec_first = 985
  msec_last = 823
  src addr = 94.97.7.228
  dst addr = 66.207.211.183
  src port = 52177
  dst port = 80
  fwd status = 64
  tcp flags = 0x1a .AP.S.
  proto = 6
  (src)tos = 0
  (in)packets = 4
  (in)bytes = 817
  input = 15
  output = 36
  src mask = 18 94.97.0.0/18
  dst mask = 28 66.207.211.176/28
  dst tos = 0
  direction = 0
  bgp next hop = 72.15.50.96
  ip router = 10.219.49.11
  engine type = 0
  engine ID = 0
  next as = 0
  prev as = 1273
  received at = 1356130768076 [2012-12-21 17:59:28.076]

nfdump:

Flow Record:
  Flags = 0x06 Unsampled
  export sysid = 1
  size = 92
  first = 1356127220 [2012-12-21 17:00:20]
  last = 1356127220 [2012-12-21 17:00:20]
  msec_first = 613
  msec_last = 656
  src addr = 66.207.201.186
  dst addr = 74.125.174.6
  src port = 39217
  dst port = 80
  fwd status = 64
  tcp flags = 0x10 .A....
  proto = 6
  (src)tos = 0
  (in)packets = 3
  (in)bytes = 138
  input = 15
  output = 67
  src mask = 30 66.207.201.184/30
  dst mask = 16 74.125.0.0/16
  dst tos = 0
  direction = 1
  bgp next hop = 206.108.34.6
  ip router = 10.219.49.2
  engine type = 8
  engine ID = 1
  next as = 15169
  prev as = 0
  received at = 1356127236954 [2012-12-21 17:00:36.954]

_______________________________________________
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss