Hi all,

I was just looking at nfcapd code and it seems that while it supports srcas/dstas, it doesn't support srcpeeras/dstpeeras, which have different ID numbers in netflow v9.

Sp
On 08-Jan-15 2:52 PM, Spiros Papageorgiou wrote:
Hi Peter and all,

I sent you a private message with an nfcapd file. The cisco surely exports 32bit ASes and I'm using nfdump/nfcapd Version: 1.6.8.

What nfdump options can I use to produce the AS matrix?
I tried the following and many other options:
*nfdump -M /usr/local/nfsen/profiles-data/live/R2v9as -T -r 2015/01/08/nfcapd.201501081355 -A dstas,srcas*

Date flow start          Duration  Dst AS  Src AS  Packets  Bytes   bps     Bpp  Flows
2015-01-08 13:25:15.593  2068.185  0       0       30.5 M   16.2 G  62.5 M  529  326
Summary: total flows: 326, total bytes: 16.2 G, total packets: 30.5 M, avg bps: 62.5 M, avg pps: 14770, avg bpp: 529
Time window: 2015-01-08 13:25:15 - 2015-01-08 13:59:43
Total flows processed: 326, Blocks skipped: 0, Bytes read: 19660
Sys: 0.000s flows/second: 326326.3   Wall: 0.000s flows/second: 438761.8
-------------------------

The output of the cisco is like that (cmd: *sh flow monitor flm-4 cache format table*):

IP SRC PEER AS 4-OCTET  IP DST PEER AS 4-OCTET  INTF INPUT            INTF OUTPUT           FLOW DIRN  bytes       pkts        time first    time last
======================  ======================  ====================  ====================  =========  ==========  ==========  ============  ============
0                       3329                    Gi0/0/1.111           Po6.98                Output     160102120   2550243     14:30:04.996  14:46:33.956
0                       6799                    Gi0/0/1.136           Po6.98                Output     2858        36          14:42:33.797  14:46:25.029
0                       1241                    Gi0/0/1.802           Gi0/0/3               Output     1057612     8637        14:37:12.133  14:46:33.924
3.3520                  5408                    Gi0/0/1.136           Po6.98                Output     194247342   147685      14:34:24.069  14:46:33.956
0                       0                       Gi0/0/1.136           Po6.98                Output     586912      6493        14:30:16.421  14:46:33.828
174                     3.1869                  Gi0/0/3               Gi0/1/0               Output     68          1           14:46:28.485  14:46:28.485
42817                   3329                    Gi0/0/1.104           Po6.98                Output     635302      2750        14:40:31.653  14:46:22.916


Thanx,
Sp

PS: The "peer AS" that shows as "3.3520" above means that it is a 32bit AS and it is AS: 3*65536+3520=200128.


On 03-Jan-15 2:54 PM, Peter Haag wrote:
Spiros Papageorgiou wrote:
Hi all,

I'm trying to produce an AS matrix with nfdump/nfsen and I'm using the
following config on Cisco ASR1002 (03.10.02.S.153-3.S2) for FNF v9:
flow record flr-4:
    Description:        User defined
    No. of users:       1
    Total field space:  33 bytes
    Fields:
      match routing source as peer 4-octet
      match routing destination as peer 4-octet
      match interface input
      match interface output
      match flow direction
      collect counter bytes
      collect counter packets
      collect timestamp sys-uptime first
      collect timestamp sys-uptime last

which is based on the predefined record "netflow ipv4 as peer" but with
4byte ASNs.

While nfcapd collects the packets, nfdump doesn't seem to be able to
understand the format and doesn't show anything.

Can anyone help me with this? Am I doing something wrong?

Well - if packets are written to the file, then nfdump understands it,
otherwise they are discarded. 32bit ASes have been supported for a
long time already, so I can not imagine what went wrong. It may be best
if you collect some traffic to the collector and send it to me.

        - Peter

Thanx,
Spiros



------------------------------------------------------------------------------
Dive into the World of Parallel Programming! The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now.http://goparallel.sourceforge.net
_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
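
The thread turns on which AS field types the exporter's template carries. The following is an added example, not code from nfdump or from the posters: it parses a NetFlow v9 template FlowSet (RFC 3954 layout), reports whether the template holds origin-AS or peer-AS fields, and converts the asdot form from the PS. The packet, the template ID 260 and the mapping of the Cisco "as peer" match fields to field types 129/128 (the IANA bgpPrevAdjacentAsNumber/bgpNextAdjacentAsNumber elements) are assumptions made for illustration.

```python
import struct

# AS-related field type numbers from RFC 3954 and the IANA IPFIX registry.
AS_NAMES = {16: "SRC_AS", 17: "DST_AS",
            128: "bgpNextAdjacentAsNumber", 129: "bgpPrevAdjacentAsNumber"}
ORIGIN_AS = {16, 17}   # the srcas/dstas fields
PEER_AS = {128, 129}   # assumption: IDs used for the "as peer" match fields

def parse_templates(packet):
    """Return {template_id: [(field_type, length), ...]} for one v9 packet."""
    if len(packet) < 20 or struct.unpack_from("!H", packet)[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    templates, off = {}, 20                        # the v9 header is 20 bytes
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        end = off + fs_len
        if fs_len < 4 or end > len(packet):
            raise ValueError("bad FlowSet length")
        pos = off + 4
        while fs_id == 0 and pos + 4 <= end:       # FlowSet ID 0 carries templates
            tid, nfields = struct.unpack_from("!HH", packet, pos)
            pos += 4
            if tid < 256:                          # padding, not a template
                break
            if pos + 4 * nfields > end:
                raise ValueError("template runs past its FlowSet")
            templates[tid] = list(struct.iter_unpack("!HH", packet[pos:pos + 4 * nfields]))
            pos += 4 * nfields
        off = end
    return templates

def as_report(fields):
    """Summarise record size and which AS fields a template carries."""
    return {"record_bytes": sum(length for _, length in fields),
            "origin_as": [AS_NAMES[t] for t, _ in fields if t in ORIGIN_AS],
            "peer_as": [AS_NAMES[t] for t, _ in fields if t in PEER_AS]}

def asdot_to_asplain(text):
    """Convert "3.3520" (asdot) or "3329" (asplain) to an integer ASN."""
    high, _, low = text.rpartition(".")
    return (int(high) << 16) + int(low) if high else int(low)

def build_sample():
    """Constructed packet: one template shaped like flow record flr-4."""
    # peer AS x2, input/output interface, direction, bytes, packets, first, last
    fields = [(129, 4), (128, 4), (10, 4), (14, 4), (61, 1), (1, 4), (2, 4), (22, 4), (21, 4)]
    body = struct.pack("!HH", 260, len(fields))
    body += b"".join(struct.pack("!HH", t, n) for t, n in fields)
    return (struct.pack("!HHIIII", 9, 1, 0, 0, 0, 0)
            + struct.pack("!HH", 0, 4 + len(body)) + body)
```

The constructed template adds up to the 33 bytes of field space shown for flr-4 and contains no field type 16 or 17, so a collector that reads only those two has nothing to put in the Src AS and Dst AS columns.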


