I am using version 1.6.6-1 (Debian wheezy), and just saw in the
changelogs for 1.6.8 P1 a comment like this:
- Fix v9/ipfix cache initialisation with no templates > 1 in same packet

Might it be something related to my issue?


2014-04-08 10:34 GMT+02:00 Joan <aseq...@gmail.com>:

> I am collecting netflow data that has both AS information (ext.2) and
> next-hop information (ext 4).
> I can verify that this data is being sent by launching a tshark session:
> > tshark -i eth1 host 192.168.1.9 -d udp.port==2591,cflow  -s0 -V
> Would output something like this:
>
> >        Flow 7
> >            [Duration: 0.001000000 seconds]
> >                StartTime: 64609.881000000 seconds
> >                EndTime: 64609.882000000 seconds
> >            Octets: 60
> >            Packets: 1
> >            IPVersion: 04
> >            InputInt: 0
> >            OutputInt: 0
> >            Direction: Ingress (0)
> >            SrcAddr: 123.123.123.1 (123.123.123.1)
> >            DstAddr: 37.139.120.55 (37.139.120.55)
> >            BGPNextHop: 125.5.5.5 (125.5.5.5)
> >            SrcPort: 10960
> >            DstPort: 17500
> >            IP ToS: 0x00
> >            TCP Flags: 0x00
> >            Protocol: 17
> >            SrcAS: 4808
> >            DstAS: 7629
>
> The capture daemon is like this (launched by nfsen)
> > /usr/bin/nfcapd -w -D -p 2591 -u netflow -g www-data -B 200000 -P /var/lib/netflow/var/run/p2591.pid -z -T +4 -n flow_host 192.168.1.9 /var/lib/netflow/profiles-data/live/flow_host
>
> With this nfdump command:
> > nfdump -r /var/lib/netflow/profiles-data/live/flow_grn_es/nfcapd.current.* -o 'fmt:%sa %dap %fl %byt %nhb %pkt %sas %das' 'host 125.5.5.5'
>
> Prints this out:
> >     Src IP Addr      Dst IP Addr:Port  Flows    Bytes  BGP next-hop IP  Packets Src AS Dst AS
> >     123.123.123.1        125.5.5.5:0.0       1       84          0.0.0.0        1   4808   7629
> >       125.5.5.5      123.123.123.1:0.0       1       84          0.0.0.0        1   7629   4808
> >     123.123.123.1        125.5.5.5:0.0       1       84          0.0.0.0        1   4808   7629
> >       125.5.5.5      123.123.123.1:0.0       1       84          0.0.0.0        1   7629   4808
>
>
> So at some point the nexthop information is lost, and apparently not
> stored into the flow data.
> Can someone give me some light?
>
_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
