Ok, answering myself: I overlooked extension 5 (5 BGP next hop IP addr). I
found out about this while looking in the archives of this mailing list.
For the curious, look here:
http://sourceforge.net/p/nfdump/mailman/nfdump-discuss/thread/5208801f.5000...@users.sourceforge.net/
2014-04-08 11:31 GMT+02:00 Joan <aseq...@gmail.com>:
> I am using version 1.6.6-1 (Debian wheezy), and just saw in the
> changelog for 1.6.8 P1 a comment like this:
> - Fix v9/ipfix cache initialisation with no templates > 1 in same packet
>
> Might it be something related to my issue?
>
>
> 2014-04-08 10:34 GMT+02:00 Joan <aseq...@gmail.com>:
>
> I am collecting netflow data that has both AS information (ext. 2) and
>> next-hop information (ext. 4).
>> I can verify that this data is being sent by launching a tshark session:
>> > tshark -i eth1 host 192.168.1.9 -d udp.port==2591,cflow -s0 -V
>> Would output something like this:
>>
>> > Flow 7
>> > [Duration: 0.001000000 seconds]
>> > StartTime: 64609.881000000 seconds
>> > EndTime: 64609.882000000 seconds
>> > Octets: 60
>> > Packets: 1
>> > IPVersion: 04
>> > InputInt: 0
>> > OutputInt: 0
>> > Direction: Ingress (0)
>> > SrcAddr: 123.123.123.1 (123.123.123.1)
>> > DstAddr: 37.139.120.55 (37.139.120.55)
>> > BGPNextHop: 125.5.5.5 (125.5.5.5)
>> > SrcPort: 10960
>> > DstPort: 17500
>> > IP ToS: 0x00
>> > TCP Flags: 0x00
>> > Protocol: 17
>> > SrcAS: 4808
>> > DstAS: 7629
>>
>> The capture daemon is like this (launched by nfsen)
>> > /usr/bin/nfcapd -w -D -p 2591 -u netflow -g www-data -B 200000 -P
>> /var/lib/netflow/var/run/p2591.pid -z -T +4 -n flow_host 192.168.1.9
>> /var/lib/netflow/profiles-data/live/flow_host
>>
>> With this nfdump command:
>> > nfdump -r
>> /var/lib/netflow/profiles-data/live/flow_grn_es/nfcapd.current.* -o
>> 'fmt:%sa %dap %fl %byt %nhb %pkt %sas %das' 'host 125.5.5.5'
>>
>> Prints this out
>> > Src IP Addr     Dst IP Addr:Port    Flows  Bytes  BGP next-hop IP  Packets  Src AS  Dst AS
>> > 123.123.123.1   125.5.5.5:0.0           1     84  0.0.0.0                1    4808    7629
>> > 125.5.5.5       123.123.123.1:0.0       1     84  0.0.0.0                1    7629    4808
>> > 123.123.123.1   125.5.5.5:0.0           1     84  0.0.0.0                1    4808    7629
>> > 125.5.5.5       123.123.123.1:0.0       1     84  0.0.0.0                1    7629    4808
>>
>>
>> So at some point the next-hop information is lost, and apparently not
>> stored in the flow data.
>> Can someone shed some light on this?
>>
>
>
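The root cause the thread arrives at is a mismatch between the extensions nfcapd was told to store (-T +4, i.e. the default set plus the IP next hop) and the field the nfdump query asks for (%nhb, the BGP next hop, which lives in extension 5). The following POSIX shell script is an added example written for this page, not nfdump project code: given the -T value passed to nfcapd and the nfdump fmt string you intend to run, it reports which extensions the format needs that the capture would not have stored. The field-to-extension mapping, the default extension set (1,2) that a relative "+n"/"-n" list is applied to, and the "all" expansion are assumptions taken from the nfcapd -T extension table cited in this thread and the nfcapd man page; check them against the usage text of your own nfcapd version.

```shell
#!/bin/sh
# Added example for this thread, not nfdump project code.
# Given the -T value passed to nfcapd and an nfdump 'fmt:' string, report the
# extensions the format needs that the capture would NOT have stored.
#
# Assumed mapping (nfcapd -T extension numbers, as cited in this thread and in
# the nfcapd man page; verify against your nfcapd version):
#   1 input/output SNMP interface -> %in %out
#   2 src/dst AS                  -> %sas %das
#   3 src/dst mask, direction     -> %smk %dmk %dir
#   4 next hop IP                 -> %nh
#   5 BGP next hop IP             -> %nhb
#   6 vlan ids                    -> %svln %dvln
#   7 output packets              -> %opkt
#   8 output bytes                -> %obyt
# Assumed default set that a relative list ("+4", "-2") is applied to: 1,2.

NFCAPD_DEFAULT_EXTS="1 2"
NFCAPD_ALL_EXTS="1 2 3 4 5 6 7 8 9 10 11 12 13 14"

# ext_for_field %FIELD -> extension number, or nothing for always-present fields
ext_for_field() {
    case "$1" in
        '%in'|'%out')          echo 1 ;;
        '%sas'|'%das')         echo 2 ;;
        '%smk'|'%dmk'|'%dir')  echo 3 ;;
        '%nh')                 echo 4 ;;
        '%nhb')                echo 5 ;;
        '%svln'|'%dvln')       echo 6 ;;
        '%opkt')               echo 7 ;;
        '%obyt')               echo 8 ;;
        *) ;;   # %sa %da %dap %byt %pkt %fl ... are core record fields
    esac
}

# enabled_exts TARG -> sorted, space-separated extensions that "-T TARG" stores
enabled_exts() {
    list=""
    case "$1" in
        all)   echo "$NFCAPD_ALL_EXTS"; return ;;
        +*|-*) list=$NFCAPD_DEFAULT_EXTS ;;      # relative list: start from default
    esac
    for tok in $(printf '%s' "$1" | tr ',' ' '); do
        case "$tok" in
            +*) list="$list ${tok#+}" ;;
            -*) list=$(printf '%s\n' $list | grep -vx "${tok#-}" | tr '\n' ' ') ;;
            *)  list="$list $tok" ;;             # absolute list: replaces the default
        esac
    done
    printf '%s\n' $list | sort -n | uniq | tr '\n' ' ' | sed 's/ *$//'
}

# nfcapd_missing_exts TARG FMT -> extensions FMT needs that "-T TARG" does not enable
nfcapd_missing_exts() {
    have=" $(enabled_exts "$1") "
    need=""
    for field in ${2#fmt:}; do
        e=$(ext_for_field "$field")
        [ -n "$e" ] || continue
        case "$have" in
            *" $e "*) ;;                         # stored by this capture
            *) need="$need $e" ;;
        esac
    done
    printf '%s\n' $need | sort -n | uniq | tr '\n' ' ' | sed 's/ *$//'
}

# The setup from this thread: nfcapd -T +4 queried with a format that uses %nhb.
missing=$(nfcapd_missing_exts '+4' 'fmt:%sa %dap %fl %byt %nhb %pkt %sas %das')
[ -z "$missing" ] || echo "nfcapd -T is missing extension(s): $missing"
```

For the command lines quoted in this thread the script reports extension 5 as missing, which matches the 0.0.0.0 in the "BGP next-hop IP" column: the exporter sends the field, but nfcapd drops it at write time because the extension is not enabled. Under the same assumptions, "-T +4,+5" (or "-T all") would cover every field in that fmt string. Run the check before restarting nfcapd; data already written without the extension cannot be recovered.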
_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss