The issue is actually simple: There are two type of as information: These are the original and in netflow v9 specified AS elements as defined in Cisco IOS NetFlow Version 9 Flow-Record Format - Last updated: May 2011
SRC_AS ID 16 Source BGP autonomous system number 2 or 4 bytes DST_AS ID 17 Destination BGP autonomous system number 2 or 4 bytes Or as defined in http://www.iana.org/assignments/ipfix/ipfix.xml bgpSourceAsNumber ID 16 The autonomous system (AS) number of the source IP address. If AS path information for this Flow is only available as an unordered AS set (and not as an ordered AS sequence), then the value of this Information Element is 0. bgpDestinationAsNumber ID 17 The autonomous system (AS) number of the destination IP address. If AS path information for this Flow is only available as an unordered AS set (and not as an ordered AS sequence), then the value of this Information Element is 0. They where used almost everywhare in the past. For the XR boxes CISCO seemed to implement additional ( or as a replacement IDs 128 and 129. Although only specified as IPFIX elements (ID > 127 ) they use it for XR in netflow v9 As defined in http://www.iana.org/assignments/ipfix/ipfix.xml bgpNextAdjacentAsNumber ID 128: The autonomous system (AS) number of the first AS in the AS path to the destination IP address. The path is deduced by looking up the destination IP address of the Flow in the BGP routing information base. If AS path information for this Flow is only available as an unordered AS set (and not as an ordered AS sequence), then the value of this Information Element is 0. bgpPrevAdjacentAsNumber ID 129: The autonomous system (AS) number of the last AS in the AS path from the source IP address. The path is deduced by looking up the source IP address of the Flow in the BGP routing information base. If AS path information for this Flow is only available as an unordered AS set (and not as an ordered AS sequence), then the value of this Information Element is 0. In case of BGP asymmetry, the bgpPrevAdjacentAsNumber might not be able to report the correct value. Both values are 4 bytes numbers. nfdump supports both type of AS numbers. The first pair as src/dst AS the second as next/prev AS, however they are not the same. It depends, what tags your nox exports. ASes are suppoerted as 2 or 4 bytes. Hope, this helps - Peter On 22/12/12 12:41 AM, Jason Lixfeld wrote: > I might be missing something, but I dunno.. > > I've attached a wireshark capture, a nfcapd -E dump and a nfdump -o cap to > try to illustrate my question. The wireshark capture, nfcapd capture and > nfdump capture are not from the same flow. I'm just using them as examples.. > > My XR box is exporting SrcAS and DstAS and nfcapd and nfdump see this AS data > but writes it as "prev as" and/or "next as". > > In nfsen (or even in nfdump, for that matter), I'm not able to actually use > this data in any way. I'd like to be able to use it the same way one would > use SrcAS or DstAS; search keys for statistics, mainly. > > Is SrcAS/DstAS not supported or something? > > Frame 1: 1494 bytes on wire (11952 bits), 1494 bytes captured (11952 bits) > Ethernet II, Src: Cisco_ba:ba:40 (f4:ac:c1:ba:ba:40), Dst: Vmware_a5:70:ae > (00:0c:29:a5:70:ae) > Internet Protocol Version 4, Src: 10.219.49.11 (10.219.49.11), Dst: > 10.219.51.130 (10.219.51.130) > User Datagram Protocol, Src Port: 20762 (20762), Dst Port: 4911 (4911) > Cisco NetFlow/IPFIX > Version: 9 > Count: 25 > SysUptime: 842465796 > Timestamp: Dec 21, 2012 18:26:17.000000000 EST > FlowSequence: 999480 > SourceId: 2049 > FlowSet 1 > FlowSet Id: (Data) (324) > FlowSet Length: 1432 > Flow 1 > Packets: 1 > Octets: 551 > SrcAddr: mail.bosworthfieldassoc.com (64.40.179.2) > DstAddr: 146.66.153.174 (146.66.153.174) > InputInt: 36 > OutputInt: 18 > [Duration: 0.000000000 seconds] > SrcPort: 28961 > DstPort: 37956 > PeerSrcAS: 32900 > PeerDstAS: 3356 > BGPNextHop: ae5-269.edge3.newyork1.level3.net (4.28.132.85) > SrcMask: 20 > DstMask: 23 > Protocol: 17 > TCP Flags: 0x00 > IP ToS: 0x00 > Direction: Egress (1) > Forwarding Status: Forward: Forwarded (Unknown) > SamplerID: 1 > Flow 2 > Packets: 1 > Octets: 60 > SrcAddr: lb2.readingrockets.org (144.202.247.111) > DstAddr: informativodigital.info (72.15.54.212) > InputInt: 18 > OutputInt: 42 > [Duration: 0.000000000 seconds] > SrcPort: 42613 > DstPort: 4506 > PeerSrcAS: 3356 > PeerDstAS: 0 > BGPNextHop: lo0.pe01.23fraserav01.yyz.beanfield.com (72.15.50.34) > SrcMask: 16 > DstMask: 26 > Protocol: 6 > TCP Flags: 0x02 > IP ToS: 0x00 > Direction: Ingress (0) > Forwarding Status: Forward: Forwarded (Unknown) > SamplerID: 1 > > > nfcapd -E: > > Flow Record: > Flags = 0x06 Unsampled > export sysid = 1 > size = 92 > first = 1356130756 [2012-12-21 17:59:16] > last = 1356130757 [2012-12-21 17:59:17] > msec_first = 985 > msec_last = 823 > src addr = 94.97.7.228 > dst addr = 66.207.211.183 > src port = 52177 > dst port = 80 > fwd status = 64 > tcp flags = 0x1a .AP.S. > proto = 6 > (src)tos = 0 > (in)packets = 4 > (in)bytes = 817 > input = 15 > output = 36 > src mask = 18 94.97.0.0/18 > dst mask = 28 66.207.211.176/28 > dst tos = 0 > direction = 0 > bgp next hop = 72.15.50.96 > ip router = 10.219.49.11 > engine type = 0 > engine ID = 0 > next as = 0 > prev as = 1273 > received at = 1356130768076 [2012-12-21 17:59:28.076] > > nfdump: > > Flow Record: > Flags = 0x06 Unsampled > export sysid = 1 > size = 92 > first = 1356127220 [2012-12-21 17:00:20] > last = 1356127220 [2012-12-21 17:00:20] > msec_first = 613 > msec_last = 656 > src addr = 66.207.201.186 > dst addr = 74.125.174.6 > src port = 39217 > dst port = 80 > fwd status = 64 > tcp flags = 0x10 .A.... > proto = 6 > (src)tos = 0 > (in)packets = 3 > (in)bytes = 138 > input = 15 > output = 67 > src mask = 30 66.207.201.184/30 > dst mask = 16 74.125.0.0/16 > dst tos = 0 > direction = 1 > bgp next hop = 206.108.34.6 > ip router = 10.219.49.2 > engine type = 8 > engine ID = 1 > next as = 15169 > prev as = 0 > received at = 1356127236954 [2012-12-21 17:00:36.954] > > > ------------------------------------------------------------------------------ > LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial > Remotely access PCs and mobile devices and provide instant support > Improve your efficiency, and focus on delivering more value-add services > Discover what IT Professionals Know. Rescue delivers > http://p.sf.net/sfu/logmein_12329d2d > _______________________________________________ > Nfsen-discuss mailing list > Nfsen-discuss@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/nfsen-discuss > -- Be nice to your netflow data. Use NfSen and nfdump :) ------------------------------------------------------------------------------ LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial Remotely access PCs and mobile devices and provide instant support Improve your efficiency, and focus on delivering more value-add services Discover what IT Professionals Know. Rescue delivers http://p.sf.net/sfu/logmein_12329d2d _______________________________________________ Nfsen-discuss mailing list Nfsen-discuss@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
