I have tested with nfdump from git head, built with "./configure --enable-nfprofile --enable-nftrack --enable-nsel", and it all looks correct to me (see example below). I don't get the "0.0.0.0" entries that you got.

Make sure you did "make install" and updated all the binaries, both nfdump and nfcapd; that you restarted nfcapd; and that you are using nfdump on files that were created by nfcapd after it was recompiled.

You can ignore Event "INVALID" and XEvent "Ignore"; these are just ASA security event types which aren't generated by the Mikrotik. (It might be better for nfdump to display these as just a dash?)

HTH,

Brian.


/ip traffic-flow
set enabled=yes interfaces=vlan254,vlan255
/ip traffic-flow target
add dst-address=10.12.255.33 port=9995


# nfcapd -E  -p 9995 -l /tmp/nfcap-test
...

Flow Record:
  Flags        =              0x06 FLOW, Unsampled
  label        =            <none>
  export sysid =                 1
  size         =                76
  first        =        1527020841 [2018-05-22 20:27:21]
  last         =        1527020843 [2018-05-22 20:27:23]
  msec_first   =               510
  msec_last    =               560
  src addr     =     10.12.255.243
  dst addr     =       147.28.0.62
  src port     =             63175
  dst port     =                80
  fwd status   =                 0
  tcp flags    =              0x02 ....S.
  proto        =                 6 TCP
  (src)tos     =                16
  (in)packets  =                 4
  (in)bytes    =               220
  input        =                 9
  output       =                17
  src xlt port =             63175
  dst xlt port =                80
  src xlt ip   =      XX.XX.XX.XXX
  dst xlt ip   =       147.28.0.62


Flow Record:
  Flags        =              0x06 FLOW, Unsampled
  label        =            <none>
  export sysid =                 1
  size         =                76
  first        =        1527020841 [2018-05-22 20:27:21]
  last         =        1527020843 [2018-05-22 20:27:23]
  msec_first   =               650
  msec_last    =               710
  src addr     =       147.28.0.62
  dst addr     =      XX.XX.XX.XXX
  src port     =                80
  dst port     =             63175
  fwd status   =                 0
  tcp flags    =              0x12 .A..S.
  proto        =                 6 TCP
  (src)tos     =                 0
  (in)packets  =                 4
  (in)bytes    =               216
  input        =                17
  output       =                 9
  src xlt port =                80
  dst xlt port =             63175
  src xlt ip   =       147.28.0.62
  dst xlt ip   =     10.12.255.243

...

# nfdump -r /tmp/nfcap-test/nfcapd.201805222026 'host 147.28.0.62'
Date first seen          Event  XEvent Proto      Src IP Addr:Port          Dst IP Addr:Port     X-Src IP Addr:Port        X-Dst IP Addr:Port   In Byte Out Byte
2018-05-22 20:27:21.510 INVALID  Ignore TCP    10.12.255.243:63175 ->      147.28.0.62:80      XX.XX.XX.XXX:63175 ->      147.28.0.62:80         220        0
2018-05-22 20:27:21.650 INVALID  Ignore TCP      147.28.0.62:80    ->     XX.XX.XX.XXX:63175    147.28.0.62:80    ->    10.12.255.243:63175      216        0
Summary: total flows: 2, total bytes: 436, total packets: 8, avg bps: 1585, avg pps: 3, avg bpp: 54
Time window: 2018-05-22 20:26:21 - 2018-05-22 20:27:32
Total flows processed: 100, Blocks skipped: 0, Bytes read: 7884
Sys: 0.008s flows/second: 12500.0    Wall: 0.004s flows/second: 21372.1
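As an added example (not part of Brian's message or of nfdump itself), the following script parses the key=value "Flow Record:" layout that `nfcapd -E` prints and flags records whose NSEL translated addresses came out as 0.0.0.0, which is the symptom the thread is diagnosing. The embedded dump is constructed for the example, with 192.0.2.10 standing in for the redacted public address; treating an absent "xlt ip" field the same as 0.0.0.0 is an assumption of this check.

```python
import re

# Constructed sample in the layout printed by `nfcapd -E`; the second record
# mimics the "0.0.0.0" symptom reported in the thread (not real capture data).
SAMPLE_DUMP = """\
Flow Record:
  src addr     =     10.12.255.243
  dst addr     =       147.28.0.62
  src port     =             63175
  dst port     =                80
  proto        =                 6 TCP
  src xlt port =             63175
  dst xlt port =                80
  src xlt ip   =        192.0.2.10
  dst xlt ip   =       147.28.0.62

Flow Record:
  src addr     =       147.28.0.62
  dst addr     =        192.0.2.10
  src port     =                80
  dst port     =             63175
  proto        =                 6 TCP
  src xlt ip   =           0.0.0.0
  dst xlt ip   =           0.0.0.0
"""

# One "  key = value" line; key and value are trimmed of padding.
FIELD_RE = re.compile(r"^\s*(?P<key>[^=]+?)\s*=\s*(?P<val>.+?)\s*$")


def parse_flow_records(text):
    """Split an nfcapd -E dump into a list of {field: value} dicts."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("Flow Record:"):
            current = {}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group("key")] = m.group("val")
    return records


def nsel_problems(record):
    """Return the translated-address fields that are missing or 0.0.0.0.
    A missing field is treated like 0.0.0.0 (assumption of this check)."""
    return [k for k in ("src xlt ip", "dst xlt ip")
            if record.get(k, "0.0.0.0") == "0.0.0.0"]


def check_dump(text):
    """Return (record index, problem fields) for every broken NSEL record."""
    found = []
    for i, rec in enumerate(parse_flow_records(text)):
        problems = nsel_problems(rec)
        if problems:
            found.append((i, problems))
    return found
```

Running `check_dump` over a real `nfcapd -E` transcript after rebuilding with `--enable-nsel` should return an empty list; any hits point at files written by an nfcapd that predates the rebuild.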



_______________________________________________
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss