Re: [Nfdump-discuss] IP_PROTOCOL_VERSION field in Netflow v9

Wed, 28 Jul 2010 11:35:30 -0700 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



On 22/7/10 2:53 PM, InterNetX - Carsten Schoene wrote:
> Hello,
> 
> i saw, that nfcapd/nfdump is missing the implementation for 
> IP_PROTOCOL_VERSION (60) field
> for netflow version 9.
> 
> This is really bad because we can't decide which IP address to show in  
> nfdump output.
> 

This field is not really needed. Different templates should be used for IPv4 
and IPv6. Using IP_PROTOCOL_VERSION (60) is
ambiguous is therefore not really needed.
nfdump automatically detects v4/v6 flows and processes them accordingly. Have 
both protocols mixed in the same template
is not a good idea amd inefficient anyway. Furthermore nfdump optimises space 
and packs addresses in the same slots.
This also produces collisions.

Therefore I would strongly recommend to separate template for v4/v6, where 
nfdump is designed for.

        - Peter

> I'm using nprobe to send the netflow data with the following template:
> "%IPV6_SRC_ADDR %IPV6_DST_ADDR %IPV4_SRC_ADDR %IPV4_DST_ADDR %LAST_SWITCHED 
> %FIRST_SWITCHED
> %IN_BYTES %OUT_BYTES %IN_PKTS %OUT_PKTS %L4_SRC_PORT %L4_DST_PORT %PROTOCOL 
> %TCP_FLAGS
> %IP_PROTOCOL_VERSION %INPUT_SRC_TOS %SRC_AS %DST_AS %IPV6_SRC_MASK 
> %IPV6_DST_MASK %SRC_MASK %DST_MASK"
> 
> nfdump output, for e.g. ICMP6, only displays 0.0.0.0 as IP addresses instead 
> of the real IPv6
> adresses. The decission which IP SRC/DST address to display could be done by 
> using the
> IP_PROTOCOL_VERSION field.
> 
> Can you please implement this field for that purpose ?
> 
> Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iQCVAwUBTFB4Tf5AbZRALNr/AQIRiwP9GzBdM/LVg/L39d99kXMpelxjMsPknkyR
W05UNn75jS0ngsAHKrgxIBGyYgJ5M0/upR/K9OKj5w4UYFHlMtffErQohDfdprQM
9lLhsp1w56z+6qGuKDOCkruWj6agaumju7PQebjZGJteboMumugDRorMTHPwLsRI
V/9fDBUICK0=
=gJcn
-----END PGP SIGNATURE-----

------------------------------------------------------------------------------
The Palm PDK Hot Apps Program offers developers who use the
Plug-In Development Kit to bring their C/C++ apps to Palm for a share
of $1 Million in cash or HP Products. Visit us here for more details:
http://p.sf.net/sfu/dev2dev-palm
_______________________________________________
Nfdump-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss

Reply via email to