Gaspard, Matěj, Peter, Ivan, thanks a lot for your help once again, guys. It's working as expected. I noticed that I didn't install either the nel or the nsel extensions, so I reinstalled nfdump the following way:

"./configure --enable-nel --enable-nsel --enable-nfprofile --enable-nftrack --enable-sflow --enable-readpcap --enable-nfpcapd"

Now, with "T -nel" I get what I wanted.

Thank you very much indeed for your help

Octavio

On Wed, Oct 12, 2016 at 1:31 PM, Octavio Alfageme <octavio.alfag...@gmail.com> wrote:
> Gaspard, Matěj, Peter, Ivan, thanks a lot for your help, guys. I'm a
> newbie with nfdump and I overlooked that option in the man page. Sorry
> about that. Tomorrow I'll be back in my lab and I'll try -T option
> once I carefully review the man page. As soon as it works I'll be back
> to you.
>
> Once again, thank you for your so valuable assist.
>
> Regards
>
> Octavio
>
> On Wed, Oct 12, 2016 at 12:40 PM, Gaspard Laurent <glaur...@guyacom.fr> wrote:
>> Try to launch it with -Tall or select the extensions you want (-T NEL for
>> sure).
>>
>> G.
>>
>> On 12 October 2016 at 07:19, Octavio Alfageme <octavio.alfag...@gmail.com>
>> wrote:
>>>
>>> Great, Gaspard!!! That's what I'm looking for. Thanks a lot for your help.
>>>
>>> I launch it this way.
>>>
>>> nfcapd -w -D -l /netflow/spool/allflows -p 9996
>>>
>>> If you see my output I don't get the "create" and "delete" events
>>> either, so there's something I'm doing wrong.
>>>
>>> Thanks a lot for your help
>>>
>>> Kind regards
>>>
>>> Octavio
>>>
>>> On Wed, Oct 12, 2016 at 11:57 AM, Gaspard Laurent <glaur...@guyacom.fr>
>>> wrote:
>>> > Hello Octavio,
>>> >
>>> > Thanks to the great set of tools provided by NFDump, I am successfully
>>> > logging ASR 1000 NEL records with nfcapd 1.6.13, see attached.
>>> >
>>> > Which arguments do you use to launch your nfcapd daemon?
>>> >
>>> > Best
>>> > Gaspard
>>> >
>>> > On 12 October 2016 at 05:56, Octavio Alfageme
>>> > <octavio.alfag...@gmail.com>
>>> > wrote:
>>> >>
>>> >> Sorry, by mistake, I sent the previous message as html.
>>> >>
>>> >> Thanks a lot, Peter. Unfortunately, I think that's not the case. Here
>>> >> you have a snapshot of a packet capture at the collector. As you can see
>>> >> there is a 'Timestamp' Jun 30, 2016 13:16:43.000000000 CEST. It's as if
>>> >> nfdump had problems storing that information.
>>> >>
>>> >> Thank you
>>> >>
>>> >> Octavio
>>> >>
>>> >> On Wed, Oct 12, 2016 at 9:16 AM, Peter Haag
>>> >> <ph...@users.sourceforge.net>
>>> >> wrote:
>>> >>>
>>> >>> So it seems your device does not export any timestamps at all.
>>> >>>
>>> >>> 1970-01-01 means timestamp '0'
>>> >>>
>>> >>> - Peter
>>> >>>
>>> >>> On 12/10/16 09:09, Octavio Alfageme wrote:
>>> >>> > Dear all,
>>> >>> >
>>> >>> > I'm working with nfcapd version 1.6.13 and collecting Netflowv9
>>> >>> > based CGNAT logs from a Cisco ASR1000. My linux machine running as a
>>> >>> > virtual-machine on vmware is properly synchronized by NTP. The
>>> >>> > ASR1000 is synchronized to the same reference and the
>>> >>> > sent Netflowv9 records have the right timestamps. I properly collect
>>> >>> > the Netflowv9 traffic coming from the router, but, when I review the
>>> >>> > records, the date first seen and the duration are all "0s" and don't
>>> >>> > represent the timestamp of the received
>>> >>> > Netflowv9 based CGNAT records.
>>> >>> >
>>> >>> > [root@GRA-VS01 allflows]# nfdump -r nfcapd.201610031240
>>> >>> > Date first seen Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
>>> >>> > 1970-01-01 01:00:00.000 0.000 TCP 100.64.32.46:62651 -> 17.146.1.72:443 0 0 1
>>> >>> > 1970-01-01 01:00:00.000 0.000 UDP 100.64.48.86:36702 -> 172.31.205.3:123 0 0 1
>>> >>> > 1970-01-01 01:00:00.000 0.000 UDP 172.30.41.5:62848 -> 4.2.2.3:53 0 0 1
>>> >>> > 1970-01-01 01:00:00.000 0.000 UDP 172.30.41.4:58216 -> 8.8.4.4:53 0 0 1
>>> >>> >
>>> >>> > I would be grateful if anyone could give me a hint about what is
>>> >>> > happening.
>>> >>> >
>>> >>> > Thanks in advance
>>> >>> >
>>> >>> > Kind regards
>>> >>> >
>>> >>> > Octavio

_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
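
Added example, not part of the original thread or of nfdump: a small check that scans `nfdump -r` text output for the symptom discussed above, records whose "Date first seen" is timestamp 0, which is what the collector stored here until the NEL extension was enabled. The function names, the 50% threshold and the third sample row are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)
# nfdump prints local time, so timestamp 0 can appear up to 14 h either side
# of 1970-01-01 00:00 (the collector in the thread shows 01:00:00).
MAX_UTC_OFFSET = timedelta(hours=14)
RECORD = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d{3}\s")

# Constructed sample: two rows as quoted in the thread plus one made-up row
# carrying a real timestamp.
SAMPLE = """\
Date first seen Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
1970-01-01 01:00:00.000 0.000 TCP 100.64.32.46:62651 -> 17.146.1.72:443 0 0 1
1970-01-01 01:00:00.000 0.000 UDP 100.64.48.86:36702 -> 172.31.205.3:123 0 0 1
2016-10-03 12:40:07.512 0.000 UDP 172.30.41.5:62848 -> 4.2.2.3:53 0 0 1
"""


def count_epoch_zero(nfdump_text):
    """Return (total_records, records_with_timestamp_zero)."""
    total = zero = 0
    for line in nfdump_text.splitlines():
        match = RECORD.match(line.strip())
        if not match:
            continue  # header, summary or blank line
        total += 1
        first_seen = datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S")
        if abs(first_seen - EPOCH) <= MAX_UTC_OFFSET:
            zero += 1
    return total, zero


def timestamps_missing(nfdump_text, threshold=0.5):
    """True when at least `threshold` of the records carry timestamp 0."""
    total, zero = count_epoch_zero(nfdump_text)
    return total > 0 and zero / total >= threshold


if __name__ == "__main__":
    total, zero = count_epoch_zero(SAMPLE)
    print(f"{zero}/{total} records have no usable timestamp")
    if timestamps_missing(SAMPLE):
        print("check that nfcapd was built and started with the NEL extension")
```

For CGNAT logging this matters because a translation record without a timestamp cannot be used to attribute a public address and port to a subscriber at a given time.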