I am collecting netflow data that has both AS information (ext. 2) and
next-hop information (ext. 4).
I can verify that this data is being sent by launching a tshark session:
> tshark -i eth1 host 192.168.1.9 -d udp.port==2591,cflow -s0 -V
Would output something like this:
> Flow 7
> [Duration: 0.001000000 seconds]
> StartTime: 64609.881000000 seconds
> EndTime: 64609.882000000 seconds
> Octets: 60
> Packets: 1
> IPVersion: 04
> InputInt: 0
> OutputInt: 0
> Direction: Ingress (0)
> SrcAddr: 123.123.123.1 (123.123.123.1)
> DstAddr: 37.139.120.55 (37.139.120.55)
> BGPNextHop: 125.5.5.5 (125.5.5.5)
> SrcPort: 10960
> DstPort: 17500
> IP ToS: 0x00
> TCP Flags: 0x00
> Protocol: 17
> SrcAS: 4808
> DstAS: 7629
The capture daemon is like this (launched by nfsen)
> /usr/bin/nfcapd -w -D -p 2591 -u netflow -g www-data -B 200000 -P /var/lib/netflow/var/run/p2591.pid -z -T +4 -n flow_host 192.168.1.9 /var/lib/netflow/profiles-data/live/flow_host
With this nfdump command:
> nfdump -r /var/lib/netflow/profiles-data/live/flow_grn_es/nfcapd.current.* -o 'fmt:%sa %dap %fl %byt %nhb %pkt %sas %das' 'host 125.5.5.5'
Prints this out
> Src IP Addr    Dst IP Addr:Port    Flows  Bytes  BGP next-hop IP  Packets  Src AS  Dst AS
> 123.123.123.1  125.5.5.5:0.0       1      84     0.0.0.0          1        4808    7629
> 125.5.5.5      123.123.123.1:0.0   1      84     0.0.0.0          1        7629    4808
> 123.123.123.1  125.5.5.5:0.0       1      84     0.0.0.0          1        4808    7629
> 125.5.5.5      123.123.123.1:0.0   1      84     0.0.0.0          1        7629    4808
So at some point the nexthop information is lost, and apparently not stored
into the flow data.
Can someone give me some light?
_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss