If you can get a packet format from Extreme I'm sure it wouldn't be
much work to add. It's certainly not NetFlow v1 as defined by Cisco.
NetFlow v1 really should be considered historical. There are no
sequence numbers so you have no idea how well the exporter to collector
path is working.
--
mark
On May 16, 2005, at 1:27 PM, Mike Hunter wrote:
On May 15, "Emmanuel Stavroulakis" wrote:
I am getting the above error when trying to collect Netflow Records from an Extreme Alpine 3804 L3 Switch.
It looks like the Extreme only supports V1 Flows, so I have changed the version to 1 for flow-capture but I am still getting the error.
Anyone had any experience with Extreme Alpines and flow-capture?
Any help would be appreciated.
I got a discouraging response from their tech support when I looked into this. I have a sinking feeling that they're basically masking their internal counters with the filters they make you use and sending you the results...in other words, you have to know what you're looking for before you can start measuring. This could be useful in some limited contexts, but it's not the cool netflow experience the kidz love.
They say explicitly that flow-tools doesn't work...I have a feeling that their V1 packet is missing some obvious / crucial piece of data and that flow-tools is discarding it as invalid. Even if it could be made to work, I decided it was too limited to pursue for my purposes.
Mike
-----------------------------------------------------------------------
You cannot use the well known "flow-tools" to examine the data!
You can use:
* tEthereal:
tethereal -n udp port 2055 -w <filename.cap>
* Bare-bones Netflow collector (http://www.gadgets.co.nz/gadgets/software/bbnfc.shtml):
./bbnfc
The only fields that will update are dPkts and SysUptime. The size of a Netflow v1 packet is always the same. A customer might think the packet is empty because the rest of the packet is filled with zeros. A Netflow packet does not show source and destination IPs/ports. That's why flow-capture doesn't work.
The source and destination IP will always be 0.0.0.0 because the filter is set to match-all-flows. If you would like to capture host or IP range specific Netflow data, just narrow the filter. If you want to see how many packets are coming from IP 10.1.1.1 sent to 10.1.1.2 on port 1:1, adjust the filter to:
"conf flowstats filter-ingress 1 ports 1:1 export 1 aggregation destination 10.1.1.2/32 ip-port any source 10.1.1.1/32 ip-port any"
Now you will see 10.1.1.1 as srcIP and 10.1.1.2 as dstIP.
If you use 10.1.1.0/24 as a filter, you will see 10.1.1.0 as srcIP or dstIP.
_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools
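
A diagnostic for the situation discussed in this thread, added here as an example (not code from flow-tools, Extreme, or any poster): it checks a captured UDP payload against Cisco's NetFlow v1 layout (16-byte header, 48-byte records, 1 to 24 per packet) and flags records whose addresses are all zero, as described for the match-all filter. The function names and both sample packets are constructed for illustration.

```python
import socket
import struct

# Cisco NetFlow v1 layout: 16-byte header, then `count` records of 48 bytes.
V1_HEADER = struct.Struct("!HHIII")  # version, count, SysUptime, unix_secs, unix_nsecs
V1_RECORD = struct.Struct("!4s4s4sHHIIIIHHHBBB3s4s")  # srcaddr ... reserved

def inspect_v1(datagram):
    """Check one UDP payload against the v1 layout; return (problems, records)."""
    problems, records = [], []
    if len(datagram) < V1_HEADER.size:
        return ["shorter than the 16-byte v1 header"], records
    version, count, uptime, _secs, _nsecs = V1_HEADER.unpack_from(datagram)
    if version != 1:
        return [f"version field is {version}, not 1"], records
    if not 1 <= count <= 24:
        problems.append(f"count {count} is outside the 1-24 range of v1")
    expected = V1_HEADER.size + count * V1_RECORD.size
    if len(datagram) != expected:
        problems.append(f"length {len(datagram)} != {expected} implied by count")
    # Only decode records that are fully present in the payload.
    usable = min(count, (len(datagram) - V1_HEADER.size) // V1_RECORD.size)
    for i in range(usable):
        f = V1_RECORD.unpack_from(datagram, V1_HEADER.size + i * V1_RECORD.size)
        rec = {"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
               "dPkts": f[5], "dOctets": f[6], "srcport": f[9], "dstport": f[10],
               "prot": f[12], "SysUptime": uptime}
        records.append(rec)
        if rec["src"] == rec["dst"] == "0.0.0.0":
            problems.append(f"record {i}: addresses all zero, dPkts={rec['dPkts']}")
    return problems, records

def build_v1(flows, uptime=1000):
    """Build a constructed v1 packet from (src, dst, dPkts) tuples, other fields zero."""
    body = b"".join(
        V1_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), bytes(4), 0, 0,
                       pkts, 0, 0, 0, 0, 0, 0, 0, 0, 0, bytes(3), bytes(4))
        for s, d, pkts in flows)
    return V1_HEADER.pack(1, len(flows), uptime, 0, 0) + body

if __name__ == "__main__":
    # Constructed samples: a match-all export and one narrowed to two hosts.
    for name, pkt in [("match-all", build_v1([("0.0.0.0", "0.0.0.0", 42)])),
                      ("filtered", build_v1([("10.1.1.1", "10.1.1.2", 7)]))]:
        problems, records = inspect_v1(pkt)
        print(name, records, problems or "conforms to v1 layout")
```

To run it against real traffic, pass each UDP payload from a capture on the export port to `inspect_v1`; a length or count mismatch indicates the exporter is not sending Cisco's v1 layout.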