Hoi Dani,
Your pcap decodes to the output below. As you can see tag #61 is decoded as
expected.
Have you told the collector to add extension 8? => nfcapd(1) => extensions or
use -Tall for all extensions in the stream.
If you have any questions feel free to contact me.
- Peter
pegasus% nfdump -r tmp/nfcapd.201106071805 -o "fmt: %dir %out %in"
Dir Output Input
I 0 2
I 0 2
E 2 0
E 2 0
E 2 0
E 2 0
E 2 0
E 2 0
E 2 0
E 2 0
E 2 0
E 2 0
E 2 0
E 2 0
E 2 0
E 2 0
E 2 0
E 2 0
E 2 0
E 2 0
E 2 0
E 2 0
E 2 0
E 2 0
E 2 0
E 2 0
Summary: total flows: 26, total bytes: 1720, total packets: 32, avg bps: 132,
avg pps: 0, avg bpp: 53
Time window: 2011-06-03 16:15:50 - 2011-06-03 16:17:34
Total flows processed: 26, Blocks skipped: 0, Bytes read: 1860
Sys: 0.002s flows/second: 11299.4 Wall: 0.000s flows/second: 158536.6
On 7/6/11 8:46 AM, Daniel Aschwanden wrote:
> Hi Peter, Hi Ed
>
> Thanks for pointing me to Nfseight.
>
> In my eyes, it looks like the direction bit is set correctly in the
> netflow packages. So I've attached a small pcap file with some netflow
> packets in it.
>
> Any feedback or recommendation is highly appreciated.
>
> Cheers,
> Dani
>
>
>> This all depends on your exporting device. netflow originally by design is
>> unidirectional only. Depending on your router
>> software and configuration, routers can recognise the direction of a flow.
>> However, on lots of devices this bit is
>> unused and set to zero, which is equal to 'incoming'.
>
>> Maybe someone else knows exactly which devices/software releases are capable
>> of handling this bit correctly. Devices,
>> which support FNF ( flexible netflow ) from CISCO should be able to handle
>> directions correctly.
>
>> Regards
>
>> - Peter
>
_______________________________________________
Nfdump-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
--
Be nice to your netflow data. Use NfSen and nfdump :)
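
Added example (not part of the thread and not nfdump code): a minimal NetFlow v9 decoder that reads field type 61 (DIRECTION, per RFC 3954) from data records, which is one way to check whether an exporter actually sends the direction field before looking at the collector's extension settings. The packet is constructed here for illustration; template id 256 and the interface values are assumptions chosen to mirror the output above.

```python
import struct

INPUT_SNMP, OUTPUT_SNMP, DIRECTION = 10, 14, 61   # NetFlow v9 field types (RFC 3954)
DIR_NAMES = {0: "I", 1: "E"}                      # 0 = ingress, 1 = egress

def parse_v9(packet, templates=None):
    """Return (dir, out_if, in_if) per data record; dir is None without field 61."""
    templates = {} if templates is None else templates
    if struct.unpack_from("!H", packet, 0)[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    flows, off = [], 20                      # v9 header is 20 bytes
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad flowset length")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:                       # template flowset
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                pos += 4
                if tid < 256 or pos + 4 * nfields > len(body):
                    break                    # padding or truncated template
                templates[tid] = [struct.unpack_from("!HH", body, pos + 4 * i)
                                  for i in range(nfields)]
                pos += 4 * nfields
        elif fs_id in templates:             # data flowset with a known template
            fields = templates[fs_id]
            rec_len = sum(flen for _, flen in fields)
            pos = 0
            while rec_len and pos + rec_len <= len(body):
                rec = {}
                for ftype, flen in fields:
                    rec[ftype] = int.from_bytes(body[pos:pos + flen], "big")
                    pos += flen
                d = DIR_NAMES.get(rec[DIRECTION], "?") if DIRECTION in rec else None
                flows.append((d, rec.get(OUTPUT_SNMP, 0), rec.get(INPUT_SNMP, 0)))
        off += fs_len
    return flows

def sample_packet(with_direction=True):      # constructed packet, template id 256
    fields = [(INPUT_SNMP, 2), (OUTPUT_SNMP, 2)] + ([(DIRECTION, 1)] if with_direction else [])
    tmpl_body = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    recs = b"".join(struct.pack("!HH", i, o) + (bytes([d]) if with_direction else b"")
                    for i, o, d in [(2, 0, 0), (0, 2, 1)])
    recs += b"\x00" * (-len(recs) % 4)       # pad data flowset to 32-bit boundary
    header = struct.pack("!HHIIII", 9, 3, 0, 0, 1, 0)
    return (header + struct.pack("!HH", 0, 4 + len(tmpl_body)) + tmpl_body
            + struct.pack("!HH", 256, 4 + len(recs)) + recs)
```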