I've just started using nfdump to capture and analyse some traffic
flows, and I'm seeing a few... strange lines of output when I nfdump.
My cisco config is:
ip flow-export version 9
int fa0/1
ip flow ingress
My nfcapd line is:
./nfcapd -p 64512 -l ../capture/64512/ -P ../var/run/64512.pid -D
When I nfdump the capture files, I see numerous lines like the following:
57.044 4174393.760 VMTP 0.7.0.0:21123 ->
23.508 520097.792 146 0.0.0.1:33195 ->
41.300 3774869.504 HOP6 0.0.0.79:0 ->
38.214 1079619.153 CBT 0.0.0.0:59180
02.260 4294508.545 MFESP 0.161.0.0:4096
etc
The dates/times on some of these are less than plausible (next month)
while others seem OK. The duration/protocol/src are invariably
impossible.
The problem is that these flows often look like this in totality:
2007-07-16 23:58:02.260 4294508.545 MFESP 0.161.0.0:4096 ->
0.0.0.0:0 1.3 G 2.3 G 1
Which throws off visualisation of my real traffic somewhat, as we
appear to have in the 100s of gigabits flowing over a 2M E1 line :)
Has anyone seen the above before? Is there a workaround beyond
manually filtering out 'impossible' source/destinations?
Thanks,
Ras
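One way to automate the "impossible record" filtering asked about above, as an added example that is not from the original post or from nfdump itself: it parses nfdump's line output (the format quoted in the post), derives the capture window from the nfcapd.YYYYMMDDhhmm file name, and flags records whose timestamp, duration, byte count, bytes-per-packet ratio or source prefix cannot be right for a 2M E1 link. The sample lines are constructed, and the decimal factors for nfdump's K/M/G suffixes are an assumption.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed lines modelled on the nfdump line output quoted in the post
# (first seen, duration, proto, src -> dst, packets, bytes, flows).
SAMPLE_LINES = [
    "2007-07-16 23:58:02.260 4294508.545 MFESP 0.161.0.0:4096 -> 0.0.0.0:0 1.3 G 2.3 G 1",
    "2007-06-16 10:12:01.500 3.210 TCP 192.0.2.10:44321 -> 198.51.100.7:80 12 9800 1",
]
LINK_BPS = 2_048_000   # the 2M E1 line from the post
ROTATE_SECS = 300      # nfcapd default rotation interval (-t): the window of one nfcapd.YYYYMMDDhhmm file
ACTIVE_TIMEOUT = 1800  # Cisco default active flow timeout (30 min)
SUFFIX = {"K": 1e3, "M": 1e6, "G": 1e9, "T": 1e12}  # assumption: decimal factors for nfdump's suffixes
BOGUS_SRC = ipaddress.ip_network("0.0.0.0/8")       # "this network": never a real source

def _counter(tokens):  # pop a trailing counter that may carry a suffix ('2.3 G')
    if tokens[-1] in SUFFIX:
        return float(tokens[-2]) * SUFFIX[tokens[-1]], tokens[:-2]
    return float(tokens[-1]), tokens[:-1]

def parse_flow(line):
    """Parse one nfdump line record into typed fields."""
    t = line.split()
    flows, t = int(t[-1]), t[:-1]
    nbytes, t = _counter(t)
    packets, t = _counter(t)
    date, clock, dur, proto, src, _arrow, dst = t
    return {"first_seen": datetime.strptime(date + " " + clock, "%Y-%m-%d %H:%M:%S.%f"),
            "duration": float(dur), "proto": proto, "packets": packets, "bytes": nbytes, "flows": flows,
            "src": ipaddress.ip_address(src.rsplit(":", 1)[0]), "dst": ipaddress.ip_address(dst.rsplit(":", 1)[0])}

def implausibility_reasons(flow, end, link_bps=LINK_BPS):
    """Return the sanity checks this record fails; an empty list means it looks plausible."""
    reasons = []
    if flow["first_seen"] > end:
        reasons.append("first seen after the end of the capture file")
    if flow["duration"] > ACTIVE_TIMEOUT:
        reasons.append("duration exceeds the router's active timeout")
    if flow["bytes"] * 8 > link_bps * ROTATE_SECS:
        reasons.append("more bytes than the link can carry in one capture interval")
    if flow["packets"] and not 20 <= flow["bytes"] / flow["packets"] <= 65535:
        reasons.append("bytes per packet outside the IPv4 datagram size range")
    if flow["src"] in BOGUS_SRC:
        reasons.append("source address in 0.0.0.0/8")
    return reasons

def suspect_flows(lines, capture_file):
    """Flag records that fail a check; the nfcapd.YYYYMMDDhhmm file name encodes the window start."""
    end = datetime.strptime(capture_file.rsplit(".", 1)[1], "%Y%m%d%H%M") + timedelta(seconds=ROTATE_SECS)
    return [(f, r) for f in map(parse_flow, lines) if (r := implausibility_reasons(f, end))]
```

The thresholds are the Cisco and nfcapd defaults, so adjust ACTIVE_TIMEOUT and ROTATE_SECS if the router's active timeout or nfcapd's -t interval has been changed.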
_______________________________________________
Nfdump-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss