Hi,
/Looks like my last message was unreadable, sorry.//
//Have a new try :/
Same problem here with our new pair of L2 switch 4500-x (VSS) (No routing)
When I download an iso file across 2 equipment netflow equipped, I've
got a regular duration on our openbsd/pf router but not on L2 cisco 4500-x :
It looks like that last two flows don't have good start time value.
No sampling, ntp configured on each hardware and on collector.
I'm not sure which value to configure for :
cache timeout active (actual 60s)
cache timeout inactive (actual 15s = default)
cache timeout update (actual 1800s = default)
I'm not sure too what they are used for ?
Does anybody use 4500-x's machines with nfsen ?
What configuration did you deploy ?
Any idea on what I could have a look ?
Here is some examples of results for wget as seen by PF, 4500 table mode
and raw mode) :
Netflow from Openbsd/Pf
nfdump -M /data/nfsen/profiles-data/live/PF -T -R
2016-06-16/nfcapd.201606161045:2016-06-16/nfcapd.201606161055 -o "fmt:%ts %td %pr %sap
-> %dap %dir %in -> %out %flg %pkt %ibyt %obyt %fl %bps %pps %bpp" 'ip my.host.195
and ip 91.189.88.160'
Date first seen Duration Proto Src IP Addr:Port Dst IP
Addr:Port Dir Input Output Flags Packets In Byte Out Byte Flows
bps pps Bpp
2016-06-16 10:48:56.937 89.000 TCP � my.host.195:48356 -> �
91.189.88.160:80 I 0 -> 0 ...... 226439 11.9 M 0 1
1.1 M 2544 52
2016-06-16 10:48:56.937 89.000 TCP � 91.189.88.160:80 -> �
my.host.195:48356 I 0 -> 0 ...... 474431 711.6 M 0 1
64.0 M 5330 1499
Summary: total flows: 2, total bytes: 723513226, total packets: 700870, avg
bps: 65034896, avg pps: 7874, avg bpp: 1032
Time window: 2016-06-06 17:12:26 - 2016-06-16 10:59:59
Total flows processed: 1566300, Blocks skipped: 0, Bytes read: 81448884
Sys: 0.314s flows/second: 4973154.6 Wall: 0.312s flows/second: 5004777.0
Same from c4500x (filter "if 5" because trafic cross 2 times the 4500)
nfdump -M /data/nfsen/profiles-data/live/cs4500x32 -T -R
2016-06-16/nfcapd.201606161045:2016-06-16/nfcapd.201606161055 -o "fmt:%ts %td %pr %sap
-> %dap %dir %in -> %out %flg %pkt %ibyt %obyt %fl %bps %pps %bpp" 'ip my.host.195
and ip 91.189.88.160 and if 5'
Date first seen Duration Proto Src IP Addr:Port Dst IP
Addr:Port Dir Input Output Flags Packets In Byte Out Byte Flows
bps pps Bpp
2016-06-16 10:48:56.952 0.000 TCP � my.host.195:48356 -> �
91.189.88.160:80 I 77 -> 5 ....S. 1 82 0 1
0 0 82
2016-06-16 10:48:57.944 0.000 TCP � 91.189.88.160:80 -> �
my.host.195:48356 I 5 -> 77 .A.... 550 837100 0 1
0 0 1522
2016-06-16 10:48:56.956 3.996 TCP � my.host.195:48356 -> �
91.189.88.160:80 I 77 -> 5 .AP.S. 15419 1.2 M 0 1
2.3 M 3858 75
2016-06-16 10:49:01.948 0.000 TCP � my.host.195:48356 -> �
91.189.88.160:80 I 77 -> 5 .A..S. 3956 297400 0 1
0 0 75
2016-06-16 10:48:57.936 4.000 TCP � 91.189.88.160:80 -> �
my.host.195:48356 I 5 -> 77 .AP... 31879 48.5 M 0 1
97.0 M 7969 1522
2016-06-16 10:49:02.912 0.000 TCP � 91.189.88.160:80 -> �
my.host.195:48356 I 5 -> 77 .AP... 8104 12.3 M 0 1
0 0 1522
2016-06-16 10:49:06.956 0.000 TCP � my.host.195:48356 -> �
91.189.88.160:80 I 77 -> 5 .A..S. 19678 1.5 M 0 1
0 0 74
2016-06-16 10:49:07.944 0.000 TCP � 91.189.88.160:80 -> �
my.host.195:48356 I 5 -> 77 .AP... 32542 49.5 M 0 1
0 0 1522
2016-06-16 10:49:11.956 0.000 TCP � my.host.195:48356 -> �
91.189.88.160:80 I 77 -> 5 .A..S. 15970 1.2 M 0 1
0 0 75
2016-06-16 10:49:12.952 0.000 TCP � 91.189.88.160:80 -> �
my.host.195:48356 I 5 -> 77 .AP... 39851 60.7 M 0 1
0 0 1522
2016-06-16 10:49:16.956 0.000 TCP � my.host.195:48356 -> �
91.189.88.160:80 I 77 -> 5 .A..S. 19902 1.5 M 0 1
0 0 74
2016-06-16 10:49:17.920 0.000 TCP � 91.189.88.160:80 -> �
my.host.195:48356 I 5 -> 77 .AP... 40270 61.3 M 0 1
0 0 1522
2016-06-16 10:49:21.960 0.000 TCP � my.host.195:48356 -> �
91.189.88.160:80 I 77 -> 5 .A..S. 11587 880462 0 1
0 0 75
2016-06-16 10:49:22.948 0.000 TCP � 91.189.88.160:80 -> �
my.host.195:48356 I 5 -> 77 .AP... 18043 27.5 M 0 1
0 0 1522
2016-06-16 10:49:26.944 0.000 TCP � my.host.195:48356 -> �
91.189.88.160:80 I 77 -> 5 .A..S. 7548 559644 0 1
0 0 74
2016-06-16 10:49:27.956 0.000 TCP � 91.189.88.160:80 -> �
my.host.195:48356 I 5 -> 77 .AP... 19078 29.0 M 0 1
0 0 1522
2016-06-16 10:49:31.960 0.000 TCP � my.host.195:48356 -> �
91.189.88.160:80 I 77 -> 5 .A..S. 13757 1.0 M 0 1
0 0 74
2016-06-16 10:49:32.896 0.000 TCP � 91.189.88.160:80 -> �
my.host.195:48356 I 5 -> 77 .AP... 30097 45.8 M 0 1
0 0 1522
2016-06-16 10:49:36.956 0.000 TCP � my.host.195:48356 -> �
91.189.88.160:80 I 77 -> 5 .A..S. 15770 1.2 M 0 1
0 0 74
2016-06-16 10:49:37.948 0.000 TCP � 91.189.88.160:80 -> �
my.host.195:48356 I 5 -> 77 .AP... 32909 50.1 M 0 1
0 0 1522
2016-06-16 10:49:41.948 0.000 TCP � my.host.195:48356 -> �
91.189.88.160:80 I 77 -> 5 .A..S. 11608 861704 0 1
0 0 74
2016-06-16 10:49:42.952 0.000 TCP � 91.189.88.160:80 -> �
my.host.195:48356 I 5 -> 77 .AP... 24945 38.0 M 0 1
0 0 1522
2016-06-16 10:49:46.944 0.000 TCP � my.host.195:48356 -> �
91.189.88.160:80 I 77 -> 5 .A..S. 13422 997800 0 1
0 0 74
2016-06-16 10:49:47.892 0.000 TCP � 91.189.88.160:80 -> �
my.host.195:48356 I 5 -> 77 .AP... 27225 41.4 M 0 1
0 0 1522
2016-06-16 10:49:51.948 0.000 TCP � my.host.195:48356 -> �
91.189.88.160:80 I 77 -> 5 .A..S. 10477 780046 0 1
0 0 74
2016-06-16 10:49:52.932 0.000 TCP � 91.189.88.160:80 -> �
my.host.195:48356 I 5 -> 77 .AP... 21037 32.0 M 0 1
0 0 1522
2016-06-16 10:49:56.952 0.000 TCP � my.host.195:48356 -> �
91.189.88.160:80 I 77 -> 5 .A..S. 9887 731638 0 1
0 0 74
2016-06-16 10:49:57.944 0.000 TCP � 91.189.88.160:80 -> �
my.host.195:48356 I 5 -> 77 .AP... 23807 36.2 M 0 1
0 0 1522
2016-06-16 10:50:01.956 0.000 TCP � my.host.195:48356 -> �
91.189.88.160:80 I 77 -> 5 .A..S. 10201 760538 0 1
0 0 74
2016-06-16 10:50:02.900 0.000 TCP � 91.189.88.160:80 -> �
my.host.195:48356 I 5 -> 77 .AP... 19205 29.2 M 0 1
0 0 1522
2016-06-16 10:50:06.956 0.000 TCP � my.host.195:48356 -> �
91.189.88.160:80 I 77 -> 5 .A..S. 9298 688052 0 1
0 0 74
2016-06-16 10:50:07.948 0.000 TCP � 91.189.88.160:80 -> �
my.host.195:48356 I 5 -> 77 .AP... 22688 34.5 M 0 1
0 0 1522
2016-06-16 10:50:11.956 0.000 TCP � my.host.195:48356 -> �
91.189.88.160:80 I 77 -> 5 .A..S. 12359 918354 0 1
0 0 74
2016-06-16 10:50:12.948 0.000 TCP � 91.189.88.160:80 -> �
my.host.195:48356 I 5 -> 77 .AP... 25185 38.3 M 0 1
0 0 1522
2016-06-16 10:50:16.956 0.000 TCP � my.host.195:48356 -> �
91.189.88.160:80 I 77 -> 5 .A..S. 8002 596844 0 1
0 0 74
2016-06-16 10:50:17.892 0.000 TCP � 91.189.88.160:80 -> �
my.host.195:48356 I 5 -> 77 .AP... 15099 23.0 M 0 1
0 0 1522
2016-06-16 10:50:21.956 0.000 TCP � my.host.195:48356 -> �
91.189.88.160:80 I 77 -> 5 .A..S. 8354 618196 0 1
0 0 74
2016-06-16 10:50:22.948 0.000 TCP � 91.189.88.160:80 -> �
my.host.195:48356 I 5 -> 77 .AP... 20959 31.9 M 0 1
0 0 1522
2016-04-27 17:47:39.660 4294966.296 TCP � my.host.195:48356 -> �
91.189.88.160:80 I 77 -> 5 .A..SF 9243 683982 0 1
1 0 74
2016-04-27 17:47:40.652 4294965.296 TCP � 91.189.88.160:80 -> �
my.host.195:48356 I 5 -> 77 .AP... 14079 21.4 M 0 1
39 0 1522
Summary: total flows: 40, total bytes: 728470422, total packets: 693991, avg
bps: 1356, avg pps: 0, avg bpp: 1049
Time window: 2016-04-27 17:42:10 - 2016-06-16 10:59:58
Total flows processed: 4601155, Blocks skipped: 0, Bytes read: 276073128
Sys: 1.197s flows/second: 3841283.8 Wall: 1.195s flows/second: 3849279.2
in raw mode :
nfdump -M /data/nfsen/profiles-data/live/cs4500x32 -T -R
2016-06-16/nfcapd.201606161045:2016-06-16/nfcapd.201606161055 -o "fmt:%ts %td %pr %sap
-> %dap %dir %in -> %out %flg %pkt %ibyt %obyt %fl %bps %pps %bpp" 'ip my.host.195
and ip 91.189.88.160 and if 77' -o raw -O tstart | head -80
Flow Record:
Flags = 0x06 FLOW, Unsampled
export sysid = 1
size = 60
first = 1461772059 [2016-04-27 17:47:39]
last = 1466067025 [2016-06-16 10:50:25]
msec_first = 660
msec_last = 956
src addr = my.host.195
dst addr = 91.189.88.160
src port = 48356
dst port = 80
fwd status = 0
tcp flags = 0x13 .A..SF
proto = 6 TCP
(src)tos = 0
(in)packets = 9243
(in)bytes = 683982
input = 77
output = 5
Flow Record:
Flags = 0x06 FLOW, Unsampled
export sysid = 1
size = 60
first = 1461772060 [2016-04-27 17:47:40]
last = 1466067025 [2016-06-16 10:50:25]
msec_first = 652
msec_last = 948
src addr = 91.189.88.160
dst addr = my.host.195
src port = 80
dst port = 48356
fwd status = 0
tcp flags = 0x18 .AP...
proto = 6 TCP
(src)tos = 0
(in)packets = 14079
(in)bytes = 21428238
input = 5
output = 77
Flow Record:
Flags = 0x06 FLOW, Unsampled
export sysid = 1
size = 60
first = 1466066936 [2016-06-16 10:48:56]
last = 1466066936 [2016-06-16 10:48:56]
msec_first = 952
msec_last = 952
src addr = my.host.195
dst addr = 91.189.88.160
src port = 48356
dst port = 80
fwd status = 0
tcp flags = 0x02 ....S.
proto = 6 TCP
(src)tos = 0
(in)packets = 1
(in)bytes = 82
input = 77
output = 5
Flow Record:
Flags = 0x06 FLOW, Unsampled
export sysid = 1
size = 60
first = 1466066936 [2016-06-16 10:48:56]
last = 1466066940 [2016-06-16 10:49:00]
msec_first = 956
msec_last = 952
src addr = my.host.195
dst addr = 91.189.88.160
src port = 48356
dst port = 80
fwd status = 0
Thanks very much
Cédric
------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are
consuming the most bandwidth. Provides multi-vendor support for NetFlow,
J-Flow, sFlow and other flows. Make informed decisions using capacity planning
reports. http://sdm.link/zohomanageengine
_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
