Hi Randal,

On 23/1/14 4:28 AM, Randal T. Rioux wrote:
> Is there confirmation that nfdump can process these flows correctly? We
> have some weird activity reported that I haven't verified.

As of now, Palo Alto Extensions are not processed. It's on the todo list -
obviously more users seem to be interested in Palo Alto.

> 
> Also, when testing specialty flow types (vendor extensions), what is the
> best way to collect and replay (for example, I don't have PA machines)?

At best, nfcapd can decode, store and display vendor-specific flows, if nfcapd
was trained to do so. Usually replaying sticks to standard v9 and these specific
extensions are dropped. In order to keep all information, immediately forward
the flows using nfcapd -R, or samplicator to forward raw UDP flow to another
collector.


Regards

        - Peter

> 
> Does nfreplay, when set to v9, move them w/ extensions or is something
> lost in translation? I need a way to do the same w/ IPFIX.
> 
> Thank you!
> 
> _______________________________________________
> Nfdump-discuss mailing list
> Nfdump-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
> 

-- 
Be nice to your netflow data. Use NfSen and nfdump :)
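
Added example, not part of the original message or the nfdump project: one way to check whether vendor-specific fields survived a replay is to compare the template fields in a raw datagram from the exporter with those in a replayed datagram (NetFlow v9 or IPFIX, options templates ignored). The sample messages are constructed, the function names are hypothetical, and enterprise number 32473 is the IANA documentation value.

```python
import struct
def template_fields(datagram):
    """Return {template_id: [(enterprise_number or None, field_id, length), ...]}."""
    version = struct.unpack_from("!H", datagram, 0)[0]
    if version == 9:
        offset, template_set = 20, 0   # NetFlow v9: 20-byte header, template flowset id 0
    elif version == 10:
        offset, template_set = 16, 2   # IPFIX: 16-byte header, template set id 2
    else:
        raise ValueError(f"not NetFlow v9 or IPFIX (version {version})")
    templates = {}
    while offset + 4 <= len(datagram):
        set_id, set_len = struct.unpack_from("!HH", datagram, offset)
        if set_len < 4 or offset + set_len > len(datagram):
            raise ValueError("malformed or truncated set")
        pos, end = offset + 4, offset + set_len
        while set_id == template_set and pos + 4 <= end:
            tid, count = struct.unpack_from("!HH", datagram, pos)
            if tid < 256:              # trailing padding, not a template record
                break
            pos, fields = pos + 4, []
            for _ in range(count):
                fid, flen = struct.unpack_from("!HH", datagram, pos)
                pos, pen = pos + 4, None
                if version == 10 and fid & 0x8000:   # IPFIX enterprise bit set
                    fid, pen = fid & 0x7FFF, struct.unpack_from("!I", datagram, pos)[0]
                    pos += 4
                fields.append((pen, fid, flen))
            templates[tid] = fields
        offset += set_len
    return templates

def lost_fields(original, replayed):
    """Fields advertised by the exporter's templates but absent after replay."""
    seen = lambda d: {f for fs in template_fields(d).values() for f in fs}
    return seen(original) - seen(replayed)

def build_ipfix(fields):
    """Build a constructed IPFIX template message (template id 256) for the demo."""
    body = b""
    for pen, fid, flen in fields:
        body += struct.pack("!HH", fid | (0x8000 if pen else 0), flen)
        body += struct.pack("!I", pen) if pen else b""
    tset = struct.pack("!HHHH", 2, 8 + len(body), 256, len(fields)) + body
    return struct.pack("!HHIII", 10, 16 + len(tset), 0, 0, 0) + tset

# Constructed sample: the exporter advertises one enterprise-specific field, the replay does not.
ORIGINAL = build_ipfix([(None, 8, 4), (None, 12, 4), (32473, 1, 4)])
REPLAYED = build_ipfix([(None, 8, 4), (None, 12, 4)])
```

Feed it the UDP payloads captured on both sides of the replay path; a non-empty result from `lost_fields` lists the fields that were dropped.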
