It's probably not related to your issue - but make sure you are running the
latest nfdump release, because the v9 flows exported by IOSXR have 4 byte
AS numbers, not 2 byte like regular IOS exports. This was an issue for me
(AS numbers not saved correctly) when running older nfdump versions...
On Sat, Dec 22, 2012 at 1:41 AM, Jason Lixfeld <
jason-nfsen-disc...@lixfeld.ca> wrote:
> I might be missing something, but I dunno..
>
> I've attached a wireshark capture, a nfcapd -E dump and a nfdump -o cap to
> try to illustrate my question. The wireshark capture, nfcapd capture and
> nfdump capture are not from the same flow. I'm just using them as
> examples..
>
> My XR box is exporting SrcAS and DstAS and nfcapd and nfdump see this AS
> data but writes it as "prev as" and/or "next as".
>
> In nfsen (or even in nfdump, for that matter), I'm not able to actually
> use this data in any way. I'd like to be able to use it the same way one
> would use SrcAS or DstAS; search keys for statistics, mainly.
>
> Is SrcAS/DstAS not supported or something?
>
> Frame 1: 1494 bytes on wire (11952 bits), 1494 bytes captured (11952 bits)
> Ethernet II, Src: Cisco_ba:ba:40 (f4:ac:c1:ba:ba:40), Dst: Vmware_a5:70:ae
> (00:0c:29:a5:70:ae)
> Internet Protocol Version 4, Src: 10.219.49.11 (10.219.49.11), Dst:
> 10.219.51.130 (10.219.51.130)
> User Datagram Protocol, Src Port: 20762 (20762), Dst Port: 4911 (4911)
> Cisco NetFlow/IPFIX
> Version: 9
> Count: 25
> SysUptime: 842465796
> Timestamp: Dec 21, 2012 18:26:17.000000000 EST
> FlowSequence: 999480
> SourceId: 2049
> FlowSet 1
> FlowSet Id: (Data) (324)
> FlowSet Length: 1432
> Flow 1
> Packets: 1
> Octets: 551
> SrcAddr: mail.bosworthfieldassoc.com (64.40.179.2)
> DstAddr: 146.66.153.174 (146.66.153.174)
> InputInt: 36
> OutputInt: 18
> [Duration: 0.000000000 seconds]
> SrcPort: 28961
> DstPort: 37956
> PeerSrcAS: 32900
> PeerDstAS: 3356
> BGPNextHop: ae5-269.edge3.newyork1.level3.net (4.28.132.85)
> SrcMask: 20
> DstMask: 23
> Protocol: 17
> TCP Flags: 0x00
> IP ToS: 0x00
> Direction: Egress (1)
> Forwarding Status: Forward: Forwarded (Unknown)
> SamplerID: 1
> Flow 2
> Packets: 1
> Octets: 60
> SrcAddr: lb2.readingrockets.org (144.202.247.111)
> DstAddr: informativodigital.info (72.15.54.212)
> InputInt: 18
> OutputInt: 42
> [Duration: 0.000000000 seconds]
> SrcPort: 42613
> DstPort: 4506
> PeerSrcAS: 3356
> PeerDstAS: 0
> BGPNextHop: lo0.pe01.23fraserav01.yyz.beanfield.com(72.15.50.34)
> SrcMask: 16
> DstMask: 26
> Protocol: 6
> TCP Flags: 0x02
> IP ToS: 0x00
> Direction: Ingress (0)
> Forwarding Status: Forward: Forwarded (Unknown)
> SamplerID: 1
>
>
> nfcapd -E:
>
> Flow Record:
> Flags = 0x06 Unsampled
> export sysid = 1
> size = 92
> first = 1356130756 [2012-12-21 17:59:16]
> last = 1356130757 [2012-12-21 17:59:17]
> msec_first = 985
> msec_last = 823
> src addr = 94.97.7.228
> dst addr = 66.207.211.183
> src port = 52177
> dst port = 80
> fwd status = 64
> tcp flags = 0x1a .AP.S.
> proto = 6
> (src)tos = 0
> (in)packets = 4
> (in)bytes = 817
> input = 15
> output = 36
> src mask = 18 94.97.0.0/18
> dst mask = 28 66.207.211.176/28
> dst tos = 0
> direction = 0
> bgp next hop = 72.15.50.96
> ip router = 10.219.49.11
> engine type = 0
> engine ID = 0
> next as = 0
> prev as = 1273
> received at = 1356130768076 [2012-12-21 17:59:28.076]
>
> nfdump:
>
> Flow Record:
> Flags = 0x06 Unsampled
> export sysid = 1
> size = 92
> first = 1356127220 [2012-12-21 17:00:20]
> last = 1356127220 [2012-12-21 17:00:20]
> msec_first = 613
> msec_last = 656
> src addr = 66.207.201.186
> dst addr = 74.125.174.6
> src port = 39217
> dst port = 80
> fwd status = 64
> tcp flags = 0x10 .A....
> proto = 6
> (src)tos = 0
> (in)packets = 3
> (in)bytes = 138
> input = 15
> output = 67
> src mask = 30 66.207.201.184/30
> dst mask = 16 74.125.0.0/16
> dst tos = 0
> direction = 1
> bgp next hop = 206.108.34.6
> ip router = 10.219.49.2
> engine type = 8
> engine ID = 1
> next as = 15169
> prev as = 0
> received at = 1356127236954 [2012-12-21 17:00:36.954]
>
>
>
> ------------------------------------------------------------------------------
> LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
> Remotely access PCs and mobile devices and provide instant support
> Improve your efficiency, and focus on delivering more value-add services
> Discover what IT Professionals Know. Rescue delivers
> http://p.sf.net/sfu/logmein_12329d2d
> _______________________________________________
> Nfsen-discuss mailing list
> Nfsen-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
>
------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
