Cisco 6509.
ip flow-export source <nuked>
ip flow-export version 5
ip flow-export destination <nuked> 9995
ip flow-aggregation cache as
ip flow-aggregation cache protocol-port
ip flow-aggregation cache source-prefix
ip flow-aggregation cache destination-prefix
ip flow-aggregation cache prefix
ip flow-aggregation cache prefix-port
This same configuration was working with 'pfcapd', an nfdump-like
clone used by "Psyche", another NetFlow analyzer.
So...despite getting that error over and over again consistently, I
do seem to be importing some netflow data right now. I am seeing
flows/packets/bits graphed now.
I don't see any method for breaking it down into traffic types like
ICMP/TCP/UDP, though.
Also, when I try to 'process' details, I get:
** nfdump -M /usr/local/nfsen/profiles-data/live/rt01-ott -T -r 2008/10/21/nfcapd.200810211201 -n 10 -s ip/flows
nfdump filter:
any
stat() error '/usr/local/nfsen/profiles-data/live/rt01-ott/2008/10/21/nfcapd.200810211201': File not found!
monitor# ls -al /usr/local/nfsen/profiles-data/live/rt01-ott/2008/10/21/nfcapd.*
-rw-r--r-- 1 www www 1575120 Oct 21 12:35 /usr/local/nfsen/profiles-data/live/rt01-ott/2008/10/21/nfcapd.200810211230
-rw-r--r-- 1 www www 9462912 Oct 21 12:40 /usr/local/nfsen/profiles-data/live/rt01-ott/2008/10/21/nfcapd.200810211235
-rw-r--r-- 1 www www 13820884 Oct 21 12:45 /usr/local/nfsen/profiles-data/live/rt01-ott/2008/10/21/nfcapd.200810211240
-rw-r--r-- 1 www www 14017652 Oct 21 12:50 /usr/local/nfsen/profiles-data/live/rt01-ott/2008/10/21/nfcapd.200810211245
-rw-r--r-- 1 www www 14103088 Oct 21 12:55 /usr/local/nfsen/profiles-data/live/rt01-ott/2008/10/21/nfcapd.200810211250
-rw-r--r-- 1 www www 14030704 Oct 21 13:00 /usr/local/nfsen/profiles-data/live/rt01-ott/2008/10/21/nfcapd.200810211255
...so my question on this one is...why is it looking for 200810211201?
On 21-Oct-08, at 12:52 PM, Jose Manuel Agudo Cuesta wrote:
Seems that router sends malformed netflow packets.
If you post the brand/model and configuration, I'll try to help.
Best Regards,
Jose Manuel
On Tuesday 21 October 2008 18:15:51 Jake Zack wrote:
Installed today:
nfdump-1.5.7
-rwxr-xr-x 1 root bin 235308 Oct 21 11:34 /usr/local/bin/nfdump
Oct 21 12:10:15 monitor /usr/local/bin/nfcapd[51182]: Error reading netflow header: Unexpected netflow version 2048
Oct 21 12:10:46 monitor last message repeated 879 times
Oct 21 12:12:48 monitor last message repeated 3850 times
Appears to generate that message for every single flow packet
received.
On the router I'm specifying netflow version 5. nfdump documentation
says it supports versions 5,7,9 transparently, and there's nowhere in
the config file I can specify this anyways.
What am I missing?
Thanks all,
-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Nfdump-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss