Thanks for the reply, Gaspard.
-----------------------------------------------------
I have been running nfcapd with -Tall. Example:

PS E:\netflow> nfcapd -h
usage /home/xxxxxx/nfdump-1.6.13/bin/nfcapd [options]
-h                  this text you see right here
-u userid           Change user to username
-g groupid          Change group to groupname
-w                  Sync file rotation with next 5min (default) interval
-t interval         set the interval to rotate nfcapd files
-b host             bind socket to host/IP addr
-j mcastgroup       Join multicast group <mcastgroup>
-p portnum          listen on port portnum
-l basdir           set the output directory. (no default)
-S subdir           Sub directory format. see nfcapd(1) for format
-I Ident            set the ident string for stat file. (default 'none')
-H                  Add port histogram data to flow file.(default 'no')
-n Ident,IP,logdir  Add this flow source - multiple streams
-P pidfile          set the PID file
-R IP[/port]        Repeat incoming packets to IP address/port
-s rate             set default sampling rate (default 1)
-x process          launch process after a new file becomes available
-z                  Compress flows in output file.
-B bufflen          Set socket buffer to bufflen bytes
-e                  Expire data at each cycle.
-D                  Fork to background
-E                  Print extended format of netflow data. for debugging purpose only.
-T                  Include extension tags in records.
-4                  Listen on IPv4 (default).
-6                  Listen on IPv6.
-V                  Print version and exit.
PS E:\netflow> nfcapd.exe -Tall -t 1500 -p 9996 -l 9996   ==> 15 minute rotation - which should be enough to capture any V9/IPFIX templates
Add extension: 2 byte input/output interface index
Add extension: 4 byte input/output interface index
Add extension: 2 byte src/dst AS number
Add extension: 4 byte src/dst AS number
Add extension: dst tos, direction, src/dst mask
Add extension: IPv4 next hop
Add extension: IPv6 next hop
Add extension: IPv4 BGP next IP
Add extension: IPv6 BGP next IP
Add extension: src/dst vlan id
Add extension: 4 byte output packets
Add extension: 8 byte output packets
Add extension: 4 byte output bytes
Add extension: 8 byte output bytes
Add extension: 4 byte aggregated flows
Add extension: 8 byte aggregated flows
Add extension: in src/out dst mac address
Add extension: in dst/out src mac address
Add extension: MPLS Labels
Add extension: IPv4 router IP addr
Add extension: IPv6 router IP addr
Add extension: router ID
Add extension: BGP adjacent prev/next AS
Add extension: time packet received
Add extension: NSEL Common block
Add extension: NSEL xlate ports
Add extension: NSEL xlate IPv4 addr
Add extension: NSEL xlate IPv6 addr
Add extension: NSEL ACL ingress/egress acl ID
Add extension: NSEL username
Add extension: NSEL max username
Add extension: nprobe latency
Add extension: NEL Common block
Add extension: Compat NEL IPv4
Add extension: NAT Port Block Allocation
Bound to IPv4 host/IP: any, Port: 9996
Startup.
---------------------------------------------------
Resulting file:

-rw-r--r--+ 1 xxxx xxxxx 11477602 Oct 30 16:01 nfcapd.201610301536   ==> collected with above options ( 15 minutes )
-rw-r--r--+ 1 xxxx xxxxx  276xxxx Oct 30 16:01 nfcapd.current.4064

--------------------------------------------------
nfdump results:

E:\netflow>nfdump -r 9996/nfcapd.201610301536 -s if
Top 10 In/Out If ordered by -:
Date first seen          Duration Proto  In/Out If    Flows(%)     Packets(%)       Bytes(%)  pps  bps  bpp
1969-12-31 18:00:00.000     0.000 any            0  98204(70.2)    2.2 M(90.6)  341.8 M(91.0)    0    0  154
1969-12-31 18:00:00.000     0.000 any            9  98204(70.2)    2.2 M(90.6)  341.8 M(91.0)    0    0  154
1969-12-31 18:00:00.000     0.000 any       589824  41759(29.8)   230996( 9.4)   34.0 M( 9.0)    0    0  147   ===> invalid interface index
1969-12-31 18:00:00.000     0.000 any     16777216  41759(29.8)   230996( 9.4)   34.0 M( 9.0)    0    0  147   ===> invalid interface index

Summary: total flows: 139963, total bytes: 375807249, total packets: 2445509, avg bps: 0, avg pps: 0, avg bpp: 0
Time window: 2016-10-30 15:36:16 - 2016-10-30 16:01:16
Total flows processed: 139963, Blocks skipped: 0, Bytes read: 11477326
Sys: 0.031s flows/second: 4514935.5 Wall: 0.031s flows/second: 4485993.6

-------------------------------------------------
For another listener (this one on 2055) with same nfcapd parms.....

E:\netflow>nfdump -R 2055/nfcapd.201610301544 -s if
Top 10 In/Out If ordered by -:
Date first seen          Duration Proto  In/Out If    Flows(%)     Packets(%)       Bytes(%)  pps  bps  bpp
1969-12-31 18:00:00.000     0.000 any            0  93686(63.7)    1.7 M(62.2)  496.5 M(77.9)    0    0  291
1969-12-31 18:00:00.000     0.000 any            5  93686(63.7)    1.7 M(62.2)  496.5 M(77.9)    0    0  291
1969-12-31 18:00:00.000     0.000 any       327680  53348(36.3)    1.0 M(37.8)  140.6 M(22.1)    0    0  135   ==> invalid interface index
1969-12-31 18:00:00.000     0.000 any     16777216  53348(36.3)    1.0 M(37.8)  140.6 M(22.1)    0    0  135   ==> invalid interface index

Summary: total flows: 147034, total bytes: 637115010, total packets: 2742899, avg bps: 0, avg pps: 0, avg bpp: 0
Time window: 2016-10-30 15:44:56 - 2016-10-30 15:49:56
Total flows processed: 147034, Blocks skipped: 0, Bytes read: 12057160
Sys: 0.061s flows/second: 2410393.4 Wall: 0.015s flows/second: 9425256.4

-----------------------------------------------------------
Above behavior - given the values for those invalid interface numbers - does seem like what is discussed at:
From: https://lists.sei.cmu.edu/pipermail/netsa-tools-discuss/2014-June/000002.html
I'll be checking my compilation next to see if this is somehow a self-inflicted wound.. ;-)
If not I will have to look for another collector, although I would much prefer to use nfcapd/nfdump for my work.
--------------------------------------------------------------
On 10/30/2016 01:05 PM, Gaspard Laurent wrote:

Hello,

Which option are you using to launch your nfcapd process? Maybe try to start it with -Tall if it is not the case yet.

Best
Gaspard
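An added sanity check, not part of this thread or of nfdump itself: the suspect indices quoted above are all exact multiples of 65536 (589824 = 9 * 65536, 327680 = 5 * 65536, 16777216 = 256 * 65536), so the script below parses the rows of an "nfdump -s if" report and flags every interface index whose low 16 bits are zero, the pattern a 16-bit value would show if it landed in the upper half of a 32-bit field. That pairing is a heuristic assumption for triage, not a diagnosis of the collector bug; the sample rows are the post's own values with approximate column spacing.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: "nfdump -s if" rows for the port-9996 listener as quoted
# in the post (values are the post's, column spacing is approximate).
SAMPLE_TOPN = """\
Top 10 In/Out If ordered by -:
Date first seen          Duration Proto  In/Out If    Flows(%)     Packets(%)       Bytes(%)  pps  bps  bpp
1969-12-31 18:00:00.000     0.000 any            0  98204(70.2)    2.2 M(90.6)  341.8 M(91.0)    0    0  154
1969-12-31 18:00:00.000     0.000 any            9  98204(70.2)    2.2 M(90.6)  341.8 M(91.0)    0    0  154
1969-12-31 18:00:00.000     0.000 any       589824  41759(29.8)   230996( 9.4)   34.0 M( 9.0)    0    0  147
1969-12-31 18:00:00.000     0.000 any     16777216  41759(29.8)   230996( 9.4)   34.0 M( 9.0)    0    0  147
"""

# date time, duration, proto, interface index, flows (header/summary lines do not match)
ROW_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\("
)

@dataclass
class IfRow:
    first_seen: str
    ifindex: int
    flows: int
    reason: Optional[str]   # None when the index passes the sanity check

def classify_ifindex(idx: int) -> Optional[str]:
    """Heuristic (an assumption, not a diagnosis): a non-zero 32-bit index whose
    low 16 bits are all zero reads like a 16-bit index shifted into the upper
    halfword of the field (589824 == 9 << 16, 327680 == 5 << 16)."""
    if idx != 0 and idx & 0xFFFF == 0:
        return f"low 16 bits zero; reads as 16-bit index {idx >> 16} shifted left by 16"
    return None

def parse_topn(text: str) -> list[IfRow]:
    """Parse the per-interface rows of an 'nfdump -s if' report."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:          # header, separator and summary lines are skipped
            continue
        idx, flows = int(m.group(4)), int(m.group(5))
        rows.append(IfRow(m.group(1), idx, flows, classify_ifindex(idx)))
    return rows

def suspect_rows(text: str) -> list[IfRow]:
    """Rows whose interface index fails the sanity check, for follow-up."""
    return [r for r in parse_topn(text) if r.reason is not None]

if __name__ == "__main__":
    for r in suspect_rows(SAMPLE_TOPN):
        print(f"ifindex {r.ifindex:>10} flows {r.flows:>7}: {r.reason}")
```

Feed it the text of a real report (for example the output of nfdump -s if redirected to a file) to see how much of the collected data carries a suspect index before deciding whether to trust the interface columns.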
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss