Hi Spiros,

Sorry for being (too) late. You need to tell nfcapd to collect this information. Checking your file, I see the following extensions:

    bin/nfdump -x nfcapd.201501080600
    Dump all extension maps:
    ========================
    Extension Map:
      Map ID = 0
      Map Size = 12
      Ext Size = 8
      ID 1, ext 5 = 4 byte input/output interface index

No AS extensions are enabled, therefore AS information is 0. You may want to add them while starting nfcapd: Src/Dst AS is extension 2, adj next/prev AS is extension 15.

Depending on what you want, add -T 2 or -T 2,15; in nfsen.conf:

    optarg => '-T 2,15'

or simply add -Tall, which collects all your exporters send.

Hope this helps

- Peter

On 08.01.15 13:52, Spiros Papageorgiou wrote:
> Hi Peter and all,
>
> I sent you a private message with an nfcapd file. The cisco surely exports
> 32bit ASes and I'm using nfdump/nfcapd
> Version: 1.6.8.
>
> What nfdump options can I use to produce the AS matrix?
> I tried the following and many other options:
> *nfdump -M /usr/local/nfsen/profiles-data/live/R2v9as -T -r 2015/01/08/nfcapd.201501081355 -A dstas,srcas*
> Date flow start          Duration  Dst AS  Src AS  Packets  Bytes   bps     Bpp  Flows
> 2015-01-08 13:25:15.593  2068.185  0       0       30.5 M   16.2 G  62.5 M  529  326
> Summary: total flows: 326, total bytes: 16.2 G, total packets: 30.5 M, avg bps: 62.5 M, avg pps: 14770, avg bpp: 529
> Time window: 2015-01-08 13:25:15 - 2015-01-08 13:59:43
> Total flows processed: 326, Blocks skipped: 0, Bytes read: 19660
> Sys: 0.000s flows/second: 326326.3 Wall: 0.000s flows/second: 438761.8
> -------------------------
>
> The output of the cisco is like that (cmd: *sh flow monitor flm-4 cache format table*):
> IP SRC PEER AS 4-OCTET  IP DST PEER AS 4-OCTET  INTF INPUT            INTF OUTPUT           FLOW DIRN  bytes       pkts        time first    time last
> ======================  ======================  ====================  ====================  =========  ==========  ==========  ============  ============
> 0                       3329                    Gi0/0/1.111           Po6.98                Output     160102120   2550243     14:30:04.996  14:46:33.956
> 0                       6799                    Gi0/0/1.136           Po6.98                Output     2858        36          14:42:33.797  14:46:25.029
> 0                       1241                    Gi0/0/1.802           Gi0/0/3               Output     1057612     8637        14:37:12.133  14:46:33.924
> 3.3520                  5408                    Gi0/0/1.136           Po6.98                Output     194247342   147685      14:34:24.069  14:46:33.956
> 0                       0                       Gi0/0/1.136           Po6.98                Output     586912      6493        14:30:16.421  14:46:33.828
> 174                     3.1869                  Gi0/0/3               Gi0/1/0               Output     68          1           14:46:28.485  14:46:28.485
> 42817                   3329                    Gi0/0/1.104           Po6.98                Output     635302      2750        14:40:31.653  14:46:22.916
>
> Thanx,
> Sp
>
> PS: The "peer AS" that shows as "3.3520" above means that it is a 32bit AS
> and it is AS: 3*65536+3520=200128.
>
> On 03-Jan-15 2:54 PM, Peter Haag wrote:
>> Spiros Papageorgiou wrote:
>>> Hi all,
>>>
>>> I'm trying to produce an AS matrix with nfdump/nfsen and I'm using the
>>> following config on Cisco ASR1002 (03.10.02.S.153-3.S2) for FNF v9:
>>> flow record flr-4:
>>>   Description: User defined
>>>   No. of users: 1
>>>   Total field space: 33 bytes
>>>   Fields:
>>>     match routing source as peer 4-octet
>>>     match routing destination as peer 4-octet
>>>     match interface input
>>>     match interface output
>>>     match flow direction
>>>     collect counter bytes
>>>     collect counter packets
>>>     collect timestamp sys-uptime first
>>>     collect timestamp sys-uptime last
>>>
>>> which is based on the predefined record "netflow ipv4 as peer" but with
>>> 4byte ASNs.
>>>
>>> While nfcapd collects the packets, nfdump doesn't seem to be able to
>>> understand the format and doesn't show anything.
>>>
>>> Anyone can help me on this? Am I doing something wrong?
>> Well - if packets are written to the file, then nfdump understands it,
>> otherwise they are discarded. 32bit ASes are supported already for a
>> long time, so I can not imagine what went wrong. It may be best, you
>> collect some traffic to the collector and send it to me.
>>
>> - Peter
>>
>>> Thanx,
>>> Spiros

--
Be nice to your netflow data. Use NfSen and nfdump :)

_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
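Added example, not part of the original thread and not nfdump project code: a Python check that reads `nfdump -x` text, reports whether the AS extensions named in the reply (2 and 15) are present in a capture file, and converts the router's asdot values such as "3.3520" to plain AS numbers. The function names are hypothetical, and the sample is the output quoted in the thread with line breaks restored, so its exact layout is an assumption.

```python
import re

# Extension IDs named in the reply above (2 = src/dst AS, 15 = adjacent next/prev AS).
AS_EXTENSIONS = (2, 15)

# Constructed sample: the `nfdump -x` output quoted in the thread, line breaks restored.
SAMPLE_DUMP = """\
Dump all extension maps:
========================
Extension Map:
Map ID = 0
Map Size = 12
Ext Size = 8
ID 1, ext 5 = 4 byte input/output interface index
"""

EXT_LINE = re.compile(r"^\s*ID\s+\d+,\s*ext\s+(\d+)\s*=\s*(.+?)\s*$")


def enabled_extensions(dump_text):
    """Return {extension_id: description} for each 'ID n, ext m = ...' line."""
    found = {}
    for line in dump_text.splitlines():
        match = EXT_LINE.match(line)
        if match:
            found[int(match.group(1))] = match.group(2)
    return found


def missing_as_extensions(dump_text):
    """AS extension IDs absent from the file, i.e. what nfcapd was not told to store."""
    present = enabled_extensions(dump_text)
    return [ext for ext in AS_EXTENSIONS if ext not in present]


def asdot_to_asplain(value):
    """Convert asdot ('3.3520') or asplain ('5408') text to the integer AS number."""
    high, dot, low = value.strip().partition(".")
    if not dot:
        asn = int(high)
    else:
        if not (0 <= int(high) <= 0xFFFF and 0 <= int(low) <= 0xFFFF):
            raise ValueError(f"asdot halves must each fit in 16 bits: {value!r}")
        asn = int(high) * 65536 + int(low)
    if not 0 <= asn <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit AS number: {value!r}")
    return asn


if __name__ == "__main__":
    missing = missing_as_extensions(SAMPLE_DUMP)
    if missing:
        print("AS extensions missing; nfcapd option from the thread: -T",
              ",".join(map(str, missing)))
    print(asdot_to_asplain("3.3520"))
```

Files written before nfcapd is restarted with the extra extensions keep AS values of 0, so the check is worth running per capture file when AS-based reports look empty.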