I am now trying to use nfdump to replace a proprietary product which is currently monitoring dozens of pieces of network equipment belonging to other users.  I found that nfcapd is unable to store captured packets from this equipment, which the proprietary product can do.

The netflow packet header is "00 00 00 04 ..." (highlighted in red).  If interpreted directly according to its definition, this would mean "netflow version 0 with 4 flows exported in this packet", which is obviously incorrect.

The packets are captured by "tcpdump".  I can capture valid packets from other equipment, so I am sure the capture process is not the problem.

Please advise if you have any idea what netflow version or variant it is, and whether nfcapd/nfdump can capture/decode it.

Packet dump (packet #3):

0000   08 00 27 39 52 3e 08 00 27 71 39 ca 08 00 45 00  ..'9R>..'q9...E.
0010   00 cc ee bd 00 00 40 11 70 fa 0a 63 e0 52 0a 63  ......@.p..c.R.c
0020   25 51 04 02 08 07 00 b8 36 c1 00 00 00 04 00 00  %Q......6.......
0030   00 01 0a 63 e0 52 00 a8 89 08 9f 0c 5d 34 00 00  ...c.R......]4..
0040   00 01 00 00 00 01 00 8b d7 47 00 00 00 04 00 00  .........G......
0050   03 e8 72 73 df 69 00 00 00 00 00 00 00 00 00 00  ..rs.i..........
0060   00 04 00 00 00 01 00 00 00 01 00 00 00 40 00 00  .............@..
0070   00 3c 00 1a f0 13 89 41 00 23 89 4f 4b cd 08 00  .<.....A.#.OK...
0080   45 00 00 28 3e f0 40 00 7d 06 7f e6 0a 0e 02 76  E..(>.@.}......v
0090   0a 75 28 01 00 50 0c 62 57 e0 ee 48 73 f1 e4 63  .u(..P.bW..Hs..c
00a0   50 10 ff 70 c6 39 00 00 00 00 00 00 00 00 00 00  P..p.9..........
00b0   00 02 00 00 00 02 00 00 00 01 0a 63 e0 51 00 00  ...........c.Q..
00c0   00 18 00 00 00 10 00 00 00 01 00 00 00 00 00 00  ................
00d0   00 00 00 00 00 00 00 00 00 00                    ..........


Attachment: tcpdump-20140730.pcap
Description: Binary data

_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
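Added example (not code from the post or from the nfdump project): it rebuilds packet #3 from the hex dump quoted above, walks Ethernet/IPv4/UDP to the export payload, and applies the first check a NetFlow/IPFIX collector makes on it, the 2-byte version field. It assumes the tcpdump -X dump layout shown in the post (offset, 16 hex bytes, ASCII column); the list of recognised versions is the standard NetFlow 1/5/7/9 and IPFIX 10 set, so a header of "00 00 00 04" is reported as unsupported, which matches what the poster sees nfcapd refuse.

```python
import re
import struct
from itertools import takewhile

# Packet #3 exactly as quoted in the post above (tcpdump -X style: offset, 16 hex bytes, ASCII column).
PACKET_DUMP = """\
0000   08 00 27 39 52 3e 08 00 27 71 39 ca 08 00 45 00  ..'9R>..'q9...E.
0010   00 cc ee bd 00 00 40 11 70 fa 0a 63 e0 52 0a 63  ......@.p..c.R.c
0020   25 51 04 02 08 07 00 b8 36 c1 00 00 00 04 00 00  %Q......6.......
0030   00 01 0a 63 e0 52 00 a8 89 08 9f 0c 5d 34 00 00  ...c.R......]4..
0040   00 01 00 00 00 01 00 8b d7 47 00 00 00 04 00 00  .........G......
0050   03 e8 72 73 df 69 00 00 00 00 00 00 00 00 00 00  ..rs.i..........
0060   00 04 00 00 00 01 00 00 00 01 00 00 00 40 00 00  .............@..
0070   00 3c 00 1a f0 13 89 41 00 23 89 4f 4b cd 08 00  .<.....A.#.OK...
0080   45 00 00 28 3e f0 40 00 7d 06 7f e6 0a 0e 02 76  E..(>.@.}......v
0090   0a 75 28 01 00 50 0c 62 57 e0 ee 48 73 f1 e4 63  .u(..P.bW..Hs..c
00a0   50 10 ff 70 c6 39 00 00 00 00 00 00 00 00 00 00  P..p.9..........
00b0   00 02 00 00 00 02 00 00 00 01 0a 63 e0 51 00 00  ...........c.Q..
00c0   00 18 00 00 00 10 00 00 00 01 00 00 00 00 00 00  ................
00d0   00 00 00 00 00 00 00 00 00 00                    ..........
"""
HEX_BYTE = re.compile(r"[0-9a-fA-F]{2}")

def parse_hexdump(dump: str) -> bytes:
    """Rebuild raw frame bytes: keep the 2-digit hex tokens after the offset, stop at the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        parts = line.split()
        out.extend(int(t, 16) for t in takewhile(HEX_BYTE.fullmatch, parts[1:17]))
    return bytes(out)

def udp_payload(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> UDP; the UDP payload is all that a collector's socket ever receives."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 17:  # EtherType IPv4, IP protocol 17 = UDP
        raise ValueError("expected an IPv4/UDP frame")
    ihl = (frame[14] & 0x0F) * 4
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    udp = 14 + ihl
    sport, dport, ulen = struct.unpack("!HHH", frame[udp:udp + 6])  # ulen includes the 8-byte UDP header
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "payload": frame[udp + 8:udp + ulen]}

# Export-header versions a NetFlow/IPFIX collector recognises; the version is the first 2 bytes of the payload.
KNOWN_VERSIONS = {1: "NetFlow v1", 5: "NetFlow v5", 7: "NetFlow v7", 9: "NetFlow v9", 10: "IPFIX"}

def classify_export(payload: bytes) -> dict:
    """Same first check a collector makes; a version outside KNOWN_VERSIONS is dropped as unsupported."""
    version, count = struct.unpack("!HH", payload[:4])
    return {"version": version, "count": count, "name": KNOWN_VERSIONS.get(version, "unknown/unsupported")}
```

For this packet the walk yields 10.99.224.82 -> 10.99.37.81 on UDP port 2055 (the usual NetFlow port), a 176-byte payload, and a version field of 0, so a standard collector has nothing to dispatch it to.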
