On May 15, "Emmanuel Stavroulakis" wrote:
> I am getting the above error when trying to collect Netflow records
> from an Extreme Alpine 3804 L3 switch.
> It looks like the Extreme only supports V1 flows - so I have changed the
> version to 1 for flow-capture but I am still getting the error.
>
> Anyone had any experience with Extreme Alpines and flow-capture?
>
> Any help would be appreciated.

I got a discouraging response from their tech support when I looked into this. I have a sinking feeling that they're basically masking their internal counters with the filters they make you use and sending you the results...in other words, you have to know what you're looking for before you can start measuring. This could be useful in some limited contexts, but it's not the cool netflow experience the kidz love.

They say explicitly that flow-tools doesn't work...I have a feeling that their V1 packet is missing some obvious / crucial piece of data and that flow-tools is discarding it as invalid. Even if it could be made to work, I decided it was too limited to pursue for my purposes.

Mike

-----------------------------------------------------------------------

You cannot use the well known "flow-tools" to examine the data! You can use:

* tEthereal: tethereal -n udp port 2055 -w <filename.cap>
* Bare-bones Netflow collector (http://www.gadgets.co.nz/gadgets/software/bbnfc.shtml): ./bbnfc

The only fields that will update are dPkts and SysUptime. The size of a Netflow v1 packet is always the same. A customer might think the packet is empty because the rest of the packet is filled with zeros. A Netflow packet does not show source and destination IPs/ports. That's why flow-capture doesn't work.

The source and destination IP will always be 0.0.0.0 because the filter is set to match-all-flows. If you would like to capture host or IP range specific Netflow data, just narrow the filter. If you want to see how many packets are coming from IP 10.1.1.1 sent to 10.1.1.2 on port 1:1, adjust the filter to:

"conf flowstats filter-ingress 1 ports 1:1 export 1 aggregation destination 10.1.1.2/32 ip-port any source 10.1.1.1/32 ip-port any"

Now you will see 10.1.1.1 as srcIP and 10.1.1.2 as dstIP. If you use 10.1.1.0/24 as a filter, you will see 10.1.1.0 as srcIP or dstIP.
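
Added example, not part of the original message or of flow-tools: a small Python decoder for checking which fields a captured NetFlow v1 UDP payload actually populates. It assumes the switch follows the standard v1 layout (16-byte header, 48-byte records, at most 24 records); the two sample datagrams are constructed to mirror the match-all and narrowed filters described above.

```python
import struct
from ipaddress import IPv4Address

HEADER = struct.Struct("!HHIII")  # version, count, SysUptime, unix_secs, unix_nsecs
RECORD = struct.Struct("!4s4s4sHHIIIIHH2xBBB7x")  # 48-byte v1 flow record
NAMES = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts",
         "dOctets", "First", "Last", "srcport", "dstport",
         "prot", "tos", "tcp_flags")

def parse_v1(payload):
    """Return (header, records) for one NetFlow v1 UDP payload, or raise ValueError."""
    if len(payload) < HEADER.size:
        raise ValueError("shorter than the 16-byte v1 header")
    version, count, uptime, _secs, _nsecs = HEADER.unpack_from(payload)
    if version != 1:
        raise ValueError(f"version {version}, expected 1")
    if not 1 <= count <= 24:
        raise ValueError(f"record count {count} outside 1..24")
    if len(payload) != HEADER.size + count * RECORD.size:
        raise ValueError("length does not match the record count")
    records = []
    for i in range(count):
        offset = HEADER.size + i * RECORD.size
        rec = dict(zip(NAMES, RECORD.unpack_from(payload, offset)))
        for key in ("srcaddr", "dstaddr", "nexthop"):
            rec[key] = str(IPv4Address(rec[key]))
        records.append(rec)
    return {"version": version, "count": count, "SysUptime": uptime}, records

def populated(rec):
    """Names of the record fields that carry a non-zero value."""
    return [k for k in NAMES if rec[k] not in (0, "0.0.0.0")]

def build(uptime, src, dst, pkts):
    """Constructed sample datagram: one record, every other field zero."""
    rec = RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, bytes(4),
                      0, 0, pkts, 0, 0, 0, 0, 0, 0, 0, 0)
    return HEADER.pack(1, 1, uptime, 0, 0) + rec

MATCH_ALL = build(123456, "0.0.0.0", "0.0.0.0", 42)  # match-all-flows filter
NARROWED = build(123999, "10.1.1.1", "10.1.1.2", 7)  # narrowed filter from the message

if __name__ == "__main__":
    for name, pkt in (("match-all", MATCH_ALL), ("narrowed", NARROWED)):
        hdr, recs = parse_v1(pkt)
        print(name, hdr["SysUptime"], [(populated(r), r["dPkts"]) for r in recs])
```

To use it on real traffic, feed `parse_v1` the UDP payload bytes extracted from the tethereal capture.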
