I will check with the network guys feeding me the data to make sure of
exactly where it comes from and then collect a stream of it for you.

Thx
steve

-----Original Message-----
From: Peter Haag [mailto:[EMAIL PROTECTED] 
Sent: Monday, April 30, 2007 10:29 AM
To: Stephen W. Bradley; nfdump-discuss@lists.sourceforge.net
Subject: Re: [Nfdump-discuss] Logfile question

--On April 30, 2007 10:13:01 -0400 "Stephen W. Bradley"
<[EMAIL PROTECTED]> wrote:

| It comes directly from the Cisco switches.

Up to now all data from Cisco equipment worked.
Anyway, if you can capture exported netflow traffic using tcpdump, which
includes v9 template and data packets, I'll have a look into that.

    - Peter

|
| -----Original Message-----
| From: Peter Haag [mailto:[EMAIL PROTECTED]
| Sent: Monday, April 30, 2007 8:50 AM
| To: Stephen W. Bradley; nfdump-discuss@lists.sourceforge.net
| Subject: Re: [Nfdump-discuss] Logfile question
|
| --On April 30, 2007 8:03:36 -0400 "Stephen W. Bradley"
| <[EMAIL PROTECTED]> wrote:
|
| | Are these log entries normal or do I have something screwed up in my
| | install?
|
| No - they are not normal. For any reason your exporter sends more data in a
| UDP packet, than your data flow set requires. It does not harm record
| processing, as it re-syncs with the next packet. What type of exporter are
| you using?
|
|     - Peter
|
| |
| | Apr 30 07:40:21 scorpious /usr/local/bin/nfcapd[30673]: Process_v9: Corrupt data flowset? Pad bytes: 44
| | Apr 30 07:40:21 scorpious /usr/local/bin/nfcapd[30673]: Process_v9: Corrupt data flowset? Pad bytes: 7
| | Apr 30 07:40:21 scorpious /usr/local/bin/nfcapd[30673]: Process_v9: Corrupt data flowset? Pad bytes: 34
| | Apr 30 07:40:21 scorpious /usr/local/bin/nfcapd[30673]: Process_v9: Corrupt data flowset? Pad bytes: 16
| | Apr 30 07:40:21 scorpious /usr/local/bin/nfcapd[30673]: Process_v9: Corrupt data flowset? Pad bytes: 44
| | Apr 30 07:40:21 scorpious /usr/local/bin/nfcapd[30673]: Process_v9: Corrupt data flowset? Pad bytes: 10
| | Apr 30 07:40:21 scorpious /usr/local/bin/nfcapd[30673]: Process_v9: Corrupt data flowset? Pad bytes: 29
| | Apr 30 07:40:21 scorpious /usr/local/bin/nfcapd[30673]: Process_v9: Corrupt data flowset? Pad bytes: 32
| | Apr 30 07:40:21 scorpious /usr/local/bin/nfcapd[30673]: Process_v9: Corrupt data flowset? Pad bytes: 39
| | Apr 30 07:40:21 scorpious /usr/local/bin/nfcapd[30673]: Process_v9: Corrupt data flowset? Pad bytes: 13
| |
| | Thanks
| |
| | Steve
| |
| | Stephen W. Bradley GCIH CISSP
| | Network Security Specialist
| | Miami University
| | Information Security Office
| | 513-529-8129
| | [EMAIL PROTECTED]
| |
| | Quis custodiet ipsos custodes?
|
| --
| _______ SWITCH - The Swiss Education and Research Network ______
| Peter Haag,  Security Engineer,  Member of SWITCH CERT
| PGP fingerprint: D9 31 D5 83 03 95 68 BA  FB 84 CA 94 AB FC 5D D7
| SWITCH, Werdstrasse 2, P.O. Box,  CH-8021   Zurich, Switzerland
| E-mail: [EMAIL PROTECTED] Web: http://www.switch.ch/
| _______________________________________________
| Nfdump-discuss mailing list
| Nfdump-discuss@lists.sourceforge.net
| https://lists.sourceforge.net/lists/listinfo/nfdump-discuss



--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag,  Security Engineer,  Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA  FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box,  CH-8021   Zurich, Switzerland
E-mail: [EMAIL PROTECTED] Web: http://www.switch.ch/
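The condition Peter describes, a data flowset carrying more bytes than its template's records account for, can be checked offline against a captured export. The sketch below is an added example, not nfcapd's code and not from either poster: the function names and sample packet are constructed, and the 3-byte threshold is an assumption taken from RFC 3954, where padding only aligns a flowset to a 4-byte boundary.

```python
import struct

HEADER_LEN = 20   # NetFlow v9 packet header
MAX_PAD = 3       # assumption: RFC 3954 padding only aligns to a 4-byte boundary

def flowset(fs_id, body):
    """Build one flowset: id, total length (header included), body."""
    return struct.pack("!HH", fs_id, 4 + len(body)) + body

def learn_templates(body, templates):
    """Record template_id -> data record length from a template flowset body."""
    pos = 0
    while pos + 4 <= len(body):
        tid, nfields = struct.unpack_from("!HH", body, pos)
        if tid < 256:                      # trailing padding, not a template
            break
        end = pos + 4 + 4 * nfields
        if end > len(body):
            raise ValueError("template record runs past its flowset")
        templates[tid] = sum(struct.unpack_from("!HH", body, p)[1]
                             for p in range(pos + 4, end, 4))
        pos = end

def leftover_report(packet, templates):
    """Return (template_id, records, leftover_bytes, suspicious) per data flowset."""
    if len(packet) < HEADER_LEN or struct.unpack_from("!H", packet)[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    report, off = [], HEADER_LEN
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("flowset length outside the UDP payload")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:                     # template flowset
            learn_templates(body, templates)
        elif fs_id >= 256 and templates.get(fs_id):
            records, left = divmod(len(body), templates[fs_id])
            report.append((fs_id, records, left, left > MAX_PAD))
        off += fs_len
    return report

# Constructed sample: template 256 with seven fields, 21 bytes per record.
FIELDS = [(8, 4), (12, 4), (1, 4), (2, 4), (7, 2), (11, 2), (4, 1)]
TEMPLATE = flowset(0, struct.pack("!HH", 256, len(FIELDS)) +
                   b"".join(struct.pack("!HH", t, n) for t, n in FIELDS))
HEADER = struct.pack("!HHIIII", 9, 5, 0, 0, 0, 0)
GOOD = flowset(256, bytes(21) * 2 + bytes(2))    # 2 records + 2 alignment bytes
BAD = flowset(256, bytes(21) * 2 + bytes(16))    # 2 records + 16 stray bytes
SAMPLE = HEADER + TEMPLATE + GOOD + BAD

if __name__ == "__main__":
    for row in leftover_report(SAMPLE, {}):
        print(row)
```

Data flowsets whose template has not been seen yet are skipped, which is why a useful capture has to include the v9 template packets as well as the data packets.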