Hi Mike,

Many thanks for your response.

Mike Hunter wrote:

1.  I've noticed bugs on some 6500 routers that lead to "corrupt" netflow
with extra 0-bits.  I ended up giving up on netflow from some 6500s a few
years ago, but I don't have the configuration details.  Check your raw
netflow with flow-print or flow-export, see whether the netflows with the
0 ASes also have lots of other fields as 0.

Yes, when I run a flow-export I see strange netflows which seem corrupted with extra 0-bits:

#:unix_secs,unix_nsecs,sysuptime,exaddr,dpkts,doctets,first,last,engine_type,engine_id,srcaddr,dstaddr,nexthop,input,output,srcport,dstport,prot,tos,tcp_flags,src_mask,dst_mask,src_as,dst_as
1143550816,822726618,3104093780,1.1.1.1,1,48,3104078560,3104078560,0,0,2.2.2.171,86.194.72.125,3.3.3.3,75,52,80,2327,6,0,18,24,16,0,3215
1143550816,822726618,3104093780,1.1.1.1,1,48,3104078560,3104078560,0,0,2.2.2.172,82.126.130.243,3.3.3.3,75,52,80,2571,6,0,18,24,17,0,3215
1143550816,822726618,3104093780,1.1.1.1,1,48,3104078572,3104078572,0,0,2.2.2.172,86.206.249.231,3.3.3.3,75,52,80,4799,6,0,18,24,16,0,3215
1143550813,596099544,3104090556,1.1.1.1,1,241,3104058729,3104058745,0,0,192.93.0.4,2.2.2.2,0.0.0.0,52,0,53,32772,17,128,0,0,0,0,0
1143550813,596099544,3104090556,1.1.1.1,1,40,3104057321,3104057686,0,0,86.216.103.53,2.2.2.167,0.0.0.0,52,0,63345,554,6,128,0,0,0,0,0
1143550813,596099544,3104090556,1.1.1.1,1,613,3104058217,3104058512,0,0,2.2.2.170,83.192.54.49,0.0.0.0,56,52,80,3138,6,128,0,0,0,0,0
[.....]
1143550817,598098342,3104094556,1.1.1.1,1,132,3104063209,3104063267,0,0,132.208.148.254,2.2.2.2,0.0.0.0,52,0,53,32772,17,128,0,0,0,0,0
1143550817,598098342,3104094556,1.1.1.1,1,119,3104062569,3104062603,0,0,2.2.2.1,212.27.32.2,0.0.0.0,56,3,53,51366,17,128,0,0,0,0,0
1143550817,598098342,3104094556,1.1.1.1,1,132,3104063145,3104063165,0,0,204.152.184.64,2.2.2.2,0.0.0.0,52,0,53,32772,17,128,0,0,0,0,0
1143550816,822726618,3104093780,1.1.1.1,1,48,3104078616,3104078616,0,0,2.2.2.171,62.34.244.237,3.3.3.3,75,52,80,1134,6,0,18,24,15,0,5410
1143550816,822726618,3104093780,1.1.1.1,1,64,3104078620,3104078620,0,0,2.2.2.164,203.23.22.169,3.3.3.3,75,52,80,25374,6,0,18,24,24,0,4739

In the "bogus" flows, the nexthop address is set to 0.0.0.0, and so are these fields: tcp_flags, src_mask, dst_mask

In the flow-export the time fields do seem correct; I have synchronised the time of the router and the netflow collector host on the same NTP server, but nothing changes.

I noticed that when bogus flows appear, they often appear in sequences of 459, 486, 513 and 540 fields, very strange ...

3.  For a flow with dest-as of 0, what happens when you traceroute the IP?
If you have boxes that are scanning and run into unallocated IP blocks,
their traffic would be null-routed and thus 0 would be the correct
destination AS.

The destination IP of the flows appears in my routing table.

Good luck!

Thanks ;)

Regards,

--
Nicolas
_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools
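Added example, not part of the thread or of flow-tools: a small Python check that reads flow-export CSV output like the one quoted above and separates records matching the "bogus" pattern described (next hop 0.0.0.0 with tcp_flags, src_mask, dst_mask and dst_as all zero) from the rest, so zeroed records can be flagged before they skew per-AS accounting. The sample rows are constructed from the lines quoted above, and the function names are my own.

```python
import csv

# Constructed sample in flow-export CSV format (header plus rows taken from the
# thread above; exporter and next-hop addresses are the thread's placeholders).
SAMPLE = """\
#:unix_secs,unix_nsecs,sysuptime,exaddr,dpkts,doctets,first,last,engine_type,engine_id,srcaddr,dstaddr,nexthop,input,output,srcport,dstport,prot,tos,tcp_flags,src_mask,dst_mask,src_as,dst_as
1143550816,822726618,3104093780,1.1.1.1,1,48,3104078560,3104078560,0,0,2.2.2.171,86.194.72.125,3.3.3.3,75,52,80,2327,6,0,18,24,16,0,3215
1143550813,596099544,3104090556,1.1.1.1,1,241,3104058729,3104058745,0,0,192.93.0.4,2.2.2.2,0.0.0.0,52,0,53,32772,17,128,0,0,0,0,0
1143550817,598098342,3104094556,1.1.1.1,1,119,3104062569,3104062603,0,0,2.2.2.1,212.27.32.2,0.0.0.0,56,3,53,51366,17,128,0,0,0,0,0
1143550816,822726618,3104093780,1.1.1.1,1,64,3104078620,3104078620,0,0,2.2.2.164,203.23.22.169,3.3.3.3,75,52,80,25374,6,0,18,24,24,0,4739
"""

# Fields the thread reports as zeroed in the corrupted records.
ZEROED = ("tcp_flags", "src_mask", "dst_mask", "dst_as")


def parse_flow_export(text):
    """Parse flow-export CSV (header line prefixed with '#:') into a list of dicts."""
    lines = text.splitlines()
    header = lines[0][2:].split(",")  # drop the '#:' marker
    return list(csv.DictReader(lines[1:], fieldnames=header))


def is_bogus(flow):
    """Whole pattern from the thread: next hop 0.0.0.0 AND every listed field zero.

    dst_as == 0 alone is not enough: a flow to a null-routed destination can
    legitimately carry AS 0, so the check requires the complete signature.
    """
    return flow["nexthop"] == "0.0.0.0" and all(flow[f] == "0" for f in ZEROED)


def split_flows(text):
    """Return (clean_flows, suspect_flows) for a flow-export CSV dump."""
    flows = parse_flow_export(text)
    return [f for f in flows if not is_bogus(f)], [f for f in flows if is_bogus(f)]


def dst_as_histogram(flows):
    """Flows per destination AS, the statistic the zeroed records would skew."""
    counts = {}
    for f in flows:
        counts[f["dst_as"]] = counts.get(f["dst_as"], 0) + 1
    return counts


if __name__ == "__main__":
    clean, suspect = split_flows(SAMPLE)
    print(len(suspect), "suspect records;", "per-AS counts:", dst_as_histogram(clean))
```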
