Dear all,
I'm working with nfcapd version 1.6.13 and collecting Netflowv9 based CGNAT
logs from a Cisco ASR1000. Netflowv9 traffic has the expected format. I
properly collect the Netflowv9 traffic coming from the router, but, when I
review the records with nfdump, there is no information about block
creation and deletion. I've started nfcapd both with "-T nel" and "-T all"
and "-T +26,+27,+28,+31,+32".
The output I get with nfdump has the following format (public address
hidden with XXX.XXX.XXX.XXX):
[root@GRA-VS01 allflows]# nfdump -r nfcapd.201612151300
Date first seen Event XEvent Proto Src IP Addr:Port Dst IP Addr:Port X-Src IP Addr:Port X-Dst IP Addr:Port In Byte Out Byte
2016-12-15 12:59:57.154 CREATE Ignore UDP 100.64.80.81:0 -> 0.0.0.0:0 XXX.XXX.XXX.XXX:0 -> 0.0.0.0:0 0 0
2016-12-15 13:00:02.017 CREATE Ignore UDP 100.64.16.54:0 -> 0.0.0.0:0 XXX.XXX.XXX.XXX:0 -> 0.0.0.0:0 0 0
2016-12-15 13:00:05.036 DELETE Ignore UDP 100.64.32.153:0 -> 0.0.0.0:0 XXX.XXX.XXX.XXX::0 -> 0.0.0.0:0 0 0
2016-12-15 13:00:06.216 DELETE Ignore ICMP 100.64.48.16:0 -> 0.0.0.0:0.0 XXX.XXX.XXX.XXX:0 -> 0.0.0.0:0 0 0
2016-12-15 13:00:14.181 CREATE Ignore ICMP 100.64.112.12:0 -> 0.0.0.0:0.0 XXX.XXX.XXX.XXX:0 -> 0.0.0.0:0 0 0
Port block allocation in option 32 is what I'm unable to see.
I would be grateful if anyone could give me a hint about what might be
happening.
Thanks in advance
Kind regards
Octavio
_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss