Hi,

I've recently upgraded a testbox to the latest nfdump snapshot
(1.6b-20090930) and I've noticed a few oddities in my statistics scripts
that look like bugs to me.

For example, I had a daily stat of the top 20 conversations (by
srcip/dstip) with nfdump 1.5.8 like this (SOURCESPEC and READSPEC just
point to the correct profile directories and date specifications):

${NFDUMP} ${SOURCESPEC} ${READSPEC} -6 -A srcip6,dstip6 -s record/bytes \
    "net 2001:4ca0::/32" -n 20 -o "fmt:%sa -> %da   %pkt %byt %fl"

nfdump 1.6 says:
'srcip6' needs subnet bits too aggregate

Changing that to srcip,dstip I get the full source host, but the
destination host seems to be aggregated on a /64 level.

Top 20 flows ordered by bytes:
                            Src IP Addr    Dst IP Addr    Packets    Bytes Flows
                      2a01:xxx:1:63::33 -> 2001:4ca0:0:fe00::      10551   13.2 M    21
                     2001:xxxx:a003::5b -> 2001:4ca0:0:fe00::      11099   12.2 M    41
              2002:xxxx:9635::ce15:9635 -> 2001:4ca0:0:fe00::       9544   12.2 M     1

Hm, okay, quick double-check: srcip6/128,dstip6/128 should do the trick
as well according to the manpage.

Top 20 flows ordered by bytes:
                            Src IP Addr    Dst IP Addr    Packets    Bytes Flows
                                   ::33 -> ::      10551   13.2 M    21
                                   ::5b -> ::      11114   12.2 M    42
                        ::xxx.xx.150.53 -> ::       9544   12.2 M     1

Uh? That doesn't look quite right. Up to /64 aggregation it does pretty
much the right thing:

Top 20 flows ordered by bytes:
                            Src IP Addr    Dst IP Addr    Packets    Bytes Flows
                       2001:xxxx:a003:: -> 2001:4ca0:0:fe00::      31748   33.4 M   725
                        2a01:xxx:1:63:: -> 2001:4ca0:0:fe00::      10551   13.2 M    21
                       2002:xxxx:9635:: -> 2001:4ca0:0:fe00::       9544   12.2 M     1

But with a mask/prefixlen of 65+ it's pretty much broken (e.g. /65):

Aggregated flows 2
Top 20 flows ordered by bytes:
                            Src IP Addr    Dst IP Addr    Packets    Bytes Flows
                                     :: -> ::     402180  109.0 M  6243
                           ::8000:0:0:0 -> ::       6571   505840    62

Known issues? Or am I doing it wrong? :-)

Bernhard

_______________________________________________
Nfdump-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
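
As a cross-check for the listings in the message above, this added example (not part of the original post and not nfdump code) computes the aggregation keys a correct mask yields on both sides of the /64 boundary. It assumes an IPv6 address is handled as two 64-bit words; the function names and the sample flows are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

FULL64 = (1 << 64) - 1

def mask_halves(prefixlen):
    """Return (upper, lower) 64-bit masks for an IPv6 prefix length 0..128."""
    if not 0 <= prefixlen <= 128:
        raise ValueError("prefix length must be 0..128")
    if prefixlen <= 64:
        # Only the upper word is (partially) kept; the lower word is dropped.
        return (FULL64 << (64 - prefixlen)) & FULL64, 0
    # Past /64 the upper word stays all ones; only the lower word is partial.
    return FULL64, (FULL64 << (128 - prefixlen)) & FULL64

def aggregate_key(addr, prefixlen):
    """Mask an IPv6 address string to prefixlen, working on 64-bit halves."""
    value = int(ipaddress.IPv6Address(addr))
    upper_mask, lower_mask = mask_halves(prefixlen)
    upper = (value >> 64) & upper_mask
    lower = (value & FULL64) & lower_mask
    return str(ipaddress.IPv6Address((upper << 64) | lower))

def aggregate(flows, src_len, dst_len):
    """Sum packets, bytes and flow count per (masked src, masked dst) pair."""
    totals = defaultdict(lambda: [0, 0, 0])
    for src, dst, packets, nbytes in flows:
        key = (aggregate_key(src, src_len), aggregate_key(dst, dst_len))
        totals[key][0] += packets
        totals[key][1] += nbytes
        totals[key][2] += 1
    # Order by bytes, largest first, like "-s record/bytes".
    return sorted(totals.items(), key=lambda kv: kv[1][1], reverse=True)

# Constructed sample flows (documentation prefix 2001:db8::/32), not data from the post.
FLOWS = [
    ("2001:db8:a003::5b", "2001:db8:0:fe00::10", 100, 12000),
    ("2001:db8:a003::5c", "2001:db8:0:fe00::10", 50, 6000),
    ("2001:db8:a003:0:8000::1", "2001:db8:0:fe00::10", 10, 900),
]

if __name__ == "__main__":
    for plen in (64, 65, 128):
        print(f"/{plen}")
        for (src, dst), (pk, by, fl) in aggregate(FLOWS, plen, plen):
            print(f"  {src} -> {dst}  {pk} {by} {fl}")
```

With a correct mask, every key for a prefix length above 64 keeps the upper 64 bits of the address intact, which is the property to compare against the /65 and /128 listings above.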
