Hi,
I got to the bottom of this - in case anyone else runs into the problem (or I
forget) here's what I've found:
The cats producing the malformed PDUs were running CatOS 6.6.1.d. An upgrade
to 7.5 fixed the problem.
Regards,
Rob
-----Original Message-----
From: Rob Collins [mailto:[EMAIL PROTECTED]
Sent: Thu 11/08/05 18:21
To: [email protected]
Cc:
Subject: ftpdu_verify isn't recognising v8.6 exports
Hi,
We've set up some 6509s to export v8 flows to a box running flow-tools
v0.67. The flow exports look properly formed to me, but ftpdu_verify is
complaining about them. Does anyone have any ideas on what to do next?
Some details:
1. ftpdu_verify complaining:
$ flow-receive -V 8.6 0/0/9800 | flow-print
flow-receive: setsockopt(size=4194304)
dstIP router_sc Dif ToS mToS xpackets octets packets
flow-receive: ftpdu_verify(): src_ip=172.16.0.238 failed.
flow-receive: ftpdu_verify(): src_ip=172.16.0.238 failed.
flow-receive: ftpdu_verify(): src_ip=172.21.0.254 failed.
flow-receive: ftpdu_verify(): src_ip=172.16.0.230 failed.
flow-receive: ftpdu_verify(): src_ip=172.16.0.230 failed.
flow-receive: ftpdu_verify(): src_ip=172.21.0.246 failed.
flow-receive: Cleaning up
flow-receive: flows stored/dropped by filter 0/0
2. example flow export, decoded by ethereal:
No. Time Source Destination Protocol Info
1 0.000000 pg-0b-ec1.orange.co.uk bris-tb-srv2.orange.co.uk CFLOW
total: 45 (v8) flows
Frame 1 (1510 bytes on wire, 96 bytes captured)
Ethernet II, Src: 00:09:e9:20:67:fc, Dst: 00:02:a5:fb:e8:7f
Internet Protocol, Src Addr: pg-0b-ec1.orange.co.uk (172.16.0.238),
Dst Addr: bris-tb-srv2.orange.co.uk (172.21.18.13)
User Datagram Protocol, Src Port: 1480 (1480), Dst Port: 9800 (9800)
Cisco NetFlow
Version: 8
Count: 45
SysUptime: 140248668
Timestamp: Mar 18, 2005 16:19:19.000000000
CurrentSecs: 1111162759
CurrentNSecs: 0
FlowSequence: 35672940
EngineType: 2
EngineId: 0
AggMethod: V8 Destination aggregation (Cisco Catalyst) (6)
AggVersion: 2
reserved
and the hex for the datagram payload above
Data (54 bytes)
0000 00 08 00 2d 08 5c 06 5c 42 3a ff 87 00 00 00 00 ...-.\.\B:......
0010 02 20 53 6c 02 00 06 02 00 00 00 00 0a 22 7e 3d . Sl........."~=
0020 00 00 00 05 00 00 00 f0 08 56 c3 30 08 58 00 bb .........V.0.X..
0030 00 48 00 00 00 00 .H....
Thank you in advance for any help you can give me.
Regards,
Rob
_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools
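
Added example, not part of the original message and not flow-tools code: a Python decode of the 28-byte NetFlow v8 header from the hex dump quoted above, plus a check that the count field agrees with the datagram length. The byte string is constructed from that dump; the 14/20/8-byte Ethernet/IPv4/UDP header sizes used to get the UDP payload length from the 1510-byte frame are assumptions (untagged Ethernet II, no IP options).

```python
import struct

# Constructed from the hex dump in the message: the 54 captured payload bytes.
CAPTURED = bytes.fromhex(
    "0008002d085c065c423aff8700000000"
    "0220536c02000602000000000a227e3d"
    "00000005000000f00856c330085800bb"
    "004800000000"
)

V8_HEADER = struct.Struct("!HHIIIIBBBBI")  # 28 bytes, network byte order
FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
          "flow_sequence", "engine_type", "engine_id",
          "agg_method", "agg_version", "reserved")


def parse_v8_header(payload: bytes) -> dict:
    """Decode the NetFlow v8 header; reject input too short or not version 8."""
    if len(payload) < V8_HEADER.size:
        raise ValueError("short datagram: %d bytes" % len(payload))
    hdr = dict(zip(FIELDS, V8_HEADER.unpack_from(payload)))
    if hdr["version"] != 8:
        raise ValueError("not a v8 export: version=%d" % hdr["version"])
    return hdr


def implied_record_size(hdr: dict, udp_payload_len: int):
    """Bytes per flow record implied by count and datagram length.

    Returns None when the length is not header + count * N for an integer N,
    i.e. the count field and the datagram size disagree.
    """
    body = udp_payload_len - V8_HEADER.size
    if hdr["count"] == 0 or body <= 0 or body % hdr["count"]:
        return None
    return body // hdr["count"]


if __name__ == "__main__":
    hdr = parse_v8_header(CAPTURED)
    for name in FIELDS:
        print("%-14s %d" % (name, hdr[name]))
    # Assumption: untagged Ethernet II (14) + IPv4 without options (20) + UDP (8).
    udp_len = 1510 - 14 - 20 - 8
    print("implied record size:", implied_record_size(hdr, udp_len))
```

The decoded fields can be compared line by line with the Ethereal output in the message; the implied record size is what a collector would have to accept per flow for this count and frame length.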