Hi Dani,
On 6/3/11 16:20, Daniel Aschwanden wrote:
> Hi all,
>
> Currently, I'm struggling a bit with the direction indication of nfdump,
> which marks all my flows as incoming.
This all depends on your exporting device. Netflow is, by its original design,
unidirectional only. Depending on your router software and configuration,
routers can recognise the direction of a flow. However, on lots of devices this
bit is unused and set to zero, which is equal to 'incoming'.
Maybe someone else knows exactly which devices/software releases are capable of
handling this bit correctly. Devices which support FNF (Flexible NetFlow) from
Cisco should be able to handle directions correctly.
Regards
- Peter
>
> I'm exporting the flows in netflow v9 with the direction field correctly
> set (verified with tcpdump/wireshark). However, nfdump yields all the
> flows as incoming:
>
> nfdump -r /tmp/nfcapd.201106031150 -o "fmt: %dir %out %in"
> Dir Output Input
> I 0 0
> I 0 0
> I 0 0
> I 0 1
> I 0 1
> I 0 1
> I 0 2
> I 0 2
> I 0 1
> I 2 0
> I 1 0
> I 1 0
> I 1 0
> I 2 0
> I 2 0
> I 1 0
>
> Frankly, I'm not perfectly sure about what I'm doing wrong, so any
> comment is highly appreciated.
>
> Cheers,
> Dani Aschwanden
>
_______________________________________________
Nfdump-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
--
--
Be nice to your netflow data
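
An added example, not part of the original thread and not nfdump's code: a minimal NetFlow v9 parser that reports, per record, whether the exporter's template actually carries the DIRECTION field (type 61; 0 = ingress, 1 = egress per RFC 3954) or omits it. The function names are hypothetical, and the packet returned by `build_sample()` is constructed for illustration.

```python
import struct

INPUT_SNMP, OUTPUT_SNMP, DIRECTION = 10, 14, 61  # field types per RFC 3954

def parse_v9(packet):
    """Return the data records (dicts of field type -> int) in one v9 packet."""
    if struct.unpack_from("!H", packet, 0)[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    templates, records, off = {}, [], 20  # the v9 header is 20 bytes
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad flowset length")
        body, pos = packet[off + 4:off + fs_len], 0
        if fs_id == 0:  # template flowset: (template id, field count, fields...)
            while pos + 4 <= len(body):
                tid, n = struct.unpack_from("!HH", body, pos)
                if n == 0 or pos + 4 + 4 * n > len(body):
                    break  # padding or truncated template
                templates[tid] = [struct.unpack_from("!HH", body, pos + 4 + 4 * i)
                                  for i in range(n)]
                pos += 4 + 4 * n
        elif fs_id in templates:  # data flowset described by a known template
            fields = templates[fs_id]
            rec_len = sum(length for _, length in fields)
            while rec_len and pos + rec_len <= len(body):
                rec = {}
                for ftype, length in fields:
                    rec[ftype] = int.from_bytes(body[pos:pos + length], "big")
                    pos += length
                records.append(rec)
        off += fs_len
    return records

def direction_report(packet):
    """'ingress'/'egress' per record, or 'absent' if its template lacks field 61."""
    names = {0: "ingress", 1: "egress"}
    return [names.get(r[DIRECTION], "unknown") if DIRECTION in r else "absent"
            for r in parse_v9(packet)]

def build_sample():
    """Constructed packet: template 256 carries DIRECTION, template 257 does not."""
    def flowset(fs_id, body):
        body += b"\x00" * (-len(body) % 4)  # pad to a 32-bit boundary
        return struct.pack("!HH", fs_id, len(body) + 4) + body
    tmpl = struct.pack("!8H", 256, 3, INPUT_SNMP, 2, OUTPUT_SNMP, 2, DIRECTION, 1)
    tmpl += struct.pack("!6H", 257, 2, INPUT_SNMP, 2, OUTPUT_SNMP, 2)
    with_dir = struct.pack("!HHB", 1, 0, 0) + struct.pack("!HHB", 0, 2, 1)
    return (struct.pack("!HHIIII", 9, 5, 0, 0, 0, 0) + flowset(0, tmpl)
            + flowset(256, with_dir) + flowset(257, struct.pack("!HH", 0, 1)))
```

Feeding the UDP payload of a captured export packet to `direction_report()` separates an exporter that sends direction 0 from one whose template never includes the field, two cases that both display as incoming.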