On 31/7/2016 1:48 PM, Phil Mayers wrote:

> The template frame is relevant too. Could you show the Wireshark of that?

Of course. Here it is:

No.     Time                          Source                Destination           Protocol Length Info
    877 2016-07-31 00:23:44.691830    195.251.204.254       195.251.204.212       CFLOW    163    total: 2 (v9) records Obs-Domain-ID=    0 [Data:257] [Data-Template:257]

Frame 877: 163 bytes on wire (1304 bits), 163 bytes captured (1304 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Jul 31, 2016 00:23:44.691830000 GTB Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1469913824.691830000 seconds
    [Time delta from previous captured frame: 0.126154000 seconds]
    [Time delta from previous displayed frame: 0.126154000 seconds]
    [Time since reference or first frame: 401.126018000 seconds]
    Frame Number: 877
    Frame Length: 163 bytes (1304 bits)
    Capture Length: 163 bytes (1304 bits)
    [Frame is marked: True]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:cflow]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: CiscoInc_52:38:11 (f4:0f:1b:52:38:11), Dst: DigitalE_2e:f5:53 (aa:00:00:2e:f5:53)
    Destination: DigitalE_2e:f5:53 (aa:00:00:2e:f5:53)
        Address: DigitalE_2e:f5:53 (aa:00:00:2e:f5:53)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: CiscoInc_52:38:11 (f4:0f:1b:52:38:11)
        Address: CiscoInc_52:38:11 (f4:0f:1b:52:38:11)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 195.251.204.254, Dst: 195.251.204.212
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 149
    Identification: 0x6ebf (28351)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 255
    Protocol: UDP (17)
    Header checksum: 0x2ace [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 195.251.204.254
    Destination: 195.251.204.212
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 57095 (57095), Dst Port: 9995 (9995)
    Source Port: 57095
    Destination Port: 9995
    Length: 129
    Checksum: 0x9d37 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    [Stream index: 1]
Cisco NetFlow/IPFIX
    Version: 9
    Count: 2
    SysUptime: 146664.635723936 seconds
    Timestamp: Jul 31, 2016 00:23:44.000000000 GTB Daylight Time
        CurrentSecs: 1469913824
    FlowSequence: 59948 (expected 271514)
        [Expert Info (Warn/Sequence): Unexpected flow sequence for domain ID 0 (expected 271514, got 59948)]
            [Unexpected flow sequence for domain ID 0 (expected 271514, got 59948)]
            [Severity level: Warn]
            [Group: Sequence]
    SourceId: 0
    FlowSet 1 [id=257] (1 flows)
        FlowSet Id: (Data) (257)
        FlowSet Length: 57
        [Template Frame: 877]
        Flow 1
            DstAddr: 2001:648:2011:10::234
            Protocol: TCP (6)
            SrcPort: 46042 (46042)
            DstPort: 80 (80)
            Octets: 495
            Packets: 5
            [Duration: 0.012000000 seconds (switched)]
                StartTime: 146647.752000000 seconds
                EndTime: 146647.764000000 seconds
            SrcAddr: 2001:648:2011:8010::211
    FlowSet 2 [id=0] (Data Template): 257
        FlowSet Id: Data Template (V9) (0)
        FlowSet Length: 44
        Template (Id = 257, Count = 9)
            Template Id: 257
            Field Count: 9
            Field (1/9): IPV6_DST_ADDR
                Type: IPV6_DST_ADDR (28)
                Length: 16
            Field (2/9): PROTOCOL
                Type: PROTOCOL (4)
                Length: 1
            Field (3/9): L4_SRC_PORT
                Type: L4_SRC_PORT (7)
                Length: 2
            Field (4/9): L4_DST_PORT
                Type: L4_DST_PORT (11)
                Length: 2
            Field (5/9): BYTES
                Type: BYTES (1)
                Length: 4
            Field (6/9): PKTS
                Type: PKTS (2)
                Length: 4
            Field (7/9): FIRST_SWITCHED
                Type: FIRST_SWITCHED (22)
                Length: 4
            Field (8/9): LAST_SWITCHED
                Type: LAST_SWITCHED (21)
                Length: 4
            Field (9/9): IPV6_SRC_ADDR
                Type: IPV6_SRC_ADDR (27)
                Length: 16
    [Expected Sequence Number: 271514]
    [Previous Frame in Sequence: 876]

Thanks for the help!

Nick



------------------------------------------------------------------------------
_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss