On 21.06.2013 02:12, Peter Haag wrote:
> Hmm .. I'm not aware of a ICMP bug somewhere. What version of nfdump and OS?
nfdump is the bugfixed 1.6.10 and the OS is CentOS release 5.9 (Final).

Phenomenologically I see the following:

a) Supervisor Engine 720 10GE (Active) VS-S720-10G
------------------------------------------------------
Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 15.1(1)SY1, RELEASE SOFTWARE (fc5)

Config: ip flow-export version 5 peer-as

proto ICMP and host 134.130.3.67

Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
Verify map id 0: ERROR: Expected 7 elements in map, but found 2!
2013-06-20 22:39:43.722    35.904 ICMP         134.130.3.67:0     ->       134.130.9.68:8.0        25     2100     1
2013-06-20 22:39:43.790    34.688 ICMP         134.130.3.67:0     ->       134.130.9.67:8.0        25     2100     1
2013-06-20 22:39:43.749    34.752 ICMP         134.130.9.67:0     ->       134.130.3.67:0.0        25     2100     1
2013-06-20 22:39:43.715    35.904 ICMP         134.130.9.68:0     ->       134.130.3.67:0.0        25     2100     1
2013-06-20 22:42:47.969     0.000 ICMP         134.130.9.68:0     ->       134.130.3.67:0.0         1       84     1
2013-06-20 22:42:47.977     0.000 ICMP         134.130.3.67:0     ->       134.130.9.68:8.0         1       84     1
2013-06-20 22:42:47.936     0.000 ICMP         134.130.9.67:0     ->       134.130.3.67:0.0         1       84     1
2013-06-20 22:42:47.988     0.000 ICMP         134.130.3.67:0     ->       134.130.9.67:8.0         1       84     1
2013-06-20 22:43:42.905     0.000 ICMP         134.130.3.67:0     ->        134.61.24.1:8.0         1       84     1
2013-06-20 22:43:42.910     0.000 ICMP          134.61.24.1:0     ->       134.130.3.67:0.0         1       84     1
2013-06-20 22:41:59.180    88.668 ICMP         134.130.3.67:0     ->      134.130.9.146:8.0         6      504     1
2013-06-20 22:39:54.369     4.000 ICMP      134.130.191.250:0     ->       134.130.3.67:0.0         5      420     1
2013-06-20 22:39:54.373     4.000 ICMP      134.130.127.121:0     ->       134.130.3.67:0.0         5      420     1
2013-06-20 22:39:49.374     9.000 ICMP         134.130.3.67:0     ->     134.130.77.254:0.0        10      840     1
2013-06-20 22:39:49.376     9.000 ICMP         134.130.3.67:0     ->      137.226.44.65:0.0        10      840     1
2013-06-20 22:39:48.376    10.000 ICMP         134.130.3.67:0     ->       137.226.42.1:0.0        11      924     1
2013-06-20 22:39:48.376    10.000 ICMP         134.130.3.67:0     ->       137.226.44.1:0.0        11      924     1
2013-06-20 22:39:54.384     4.000 ICMP        137.226.157.2:0     ->       134.130.3.67:0.0         5      420     1
2013-06-20 22:39:55.598     4.000 ICMP         134.130.3.67:0     ->    137.226.136.211:0.0         5      420     1
2013-06-20 22:39:55.598     4.000 ICMP      137.226.136.211:0     ->       134.130.3.67:0.0         5      420     1
Summary: total flows: 20, total bytes: 15036, total packets: 179, avg bps: 502, avg pps: 0, avg bpp: 84
Time window: 2013-06-20 22:34:55 - 2013-06-20 22:44:58

b) Supervisor Engine 720 10GE (Active) VS-S720-10G
------------------------------------------------------
Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 12.2(33)SXJ3, RELEASE SOFTWARE (fc1)

Config: ip flow-export version 9

proto ICMP and host 134.130.3.67

Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2013-06-20 22:39:43.215     3.968 ICMP         134.130.3.67:0     ->     192.35.229.254:0.8         5      420     1
2013-06-20 22:39:47.286    22.592 ICMP          89.0.24.222:0     ->       134.130.3.67:0.0         7      588     1
2013-06-20 22:39:48.813    24.256 ICMP         195.71.11.67:0     ->       134.130.3.67:0.0        11      924     1
2013-06-20 22:40:00.217    16.128 ICMP         87.189.49.40:0     ->       134.130.3.67:0.0         7      588     1
2013-06-20 22:39:53.201    24.256 ICMP        193.99.160.10:0     ->       134.130.3.67:0.0         7      588     1
2013-06-20 22:39:52.603    22.656 ICMP       80.153.241.113:0     ->       134.130.3.67:0.0         8      672     1
2013-06-20 22:39:55.079    20.992 ICMP         87.79.34.228:0     ->       134.130.3.67:0.0         7      588     1
2013-06-20 22:39:51.488    25.920 ICMP        77.180.164.92:0     ->       134.130.3.67:0.0         7      588     1
2013-06-20 22:39:47.198    29.056 ICMP         84.14.122.53:0     ->       134.130.3.67:0.0        15     1260     1
2013-06-20 22:39:50.777    25.920 ICMP          84.14.4.242:0     ->       134.130.3.67:0.0        10      840     1
2013-06-20 22:39:43.107    34.688 ICMP         134.130.9.67:0     ->       134.130.3.67:0.0        25     2100     1
2013-06-20 22:39:53.474    24.256 ICMP         84.14.122.53:0     ->       134.130.3.67:0.0         5      420     1
2013-06-20 22:39:50.335    25.920 ICMP         87.79.75.111:0     ->       134.130.3.67:0.0         8      672     1
2013-06-20 22:39:47.599    30.720 ICMP         134.130.3.67:0     ->        89.0.24.222:0.8        20     1680     1
2013-06-20 22:39:47.726    30.656 ICMP         134.130.3.67:0     ->       109.90.2.118:0.8        20     1680     1
2013-06-20 22:39:46.866    30.656 ICMP         134.130.3.67:0     ->     80.153.241.113:0.8        20     1680     1
2013-06-20 22:39:46.930    30.720 ICMP         134.130.3.67:0     ->       87.79.75.111:0.8        20     1680     1
2013-06-20 22:39:47.057    30.720 ICMP         134.130.3.67:0     ->       195.71.11.67:0.8        20     1680     1
2013-06-20 22:39:47.790    30.720 ICMP         134.130.3.67:0     ->      67.217.34.232:0.8        20     1680     1
2013-06-20 22:39:47.439    30.720 ICMP         134.130.3.67:0     ->       188.1.238.57:0.8        20     1680     1
Summary: total flows: 20, total bytes: 22008, total packets: 262, avg bps: 4973, avg pps: 7, avg bpp: 84
Time window: 2013-06-20 22:34:50 - 2013-06-20 22:44:58

The host 134.130.3.67 is my Nagios machine and it pings around. You see that ICMP echo requests get decoded as "destination port" 8.0 when I use NetFlow 5 and 0.8 when I use NetFlow 9. So type and code are somehow "swapped". The change came when I switched the NetFlow versions on router b). Maybe someone with a Cat65 can confirm that?

Note: a Nexus 7000 with NetFlow version 5 does not give any codes or types as far as I see.

-- 
Dipl.-Phys. Jens Hektor, Netzbetrieb
RWTH Aachen University, Center for Computing and Communication
Room 2.04, Wendlingweg 10, 52074 Aachen (Germany)
Phone: +49 241 80 29206 - Fax: +49 241 80 22100
http://www.rz.rwth-aachen.de - hek...@rz.rwth-aachen.de
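Added worked example for the "8.0" versus "0.8" observation above. This is illustration code written for this page, not nfdump/nfsen code and not anything the poster ran. It builds NetFlow v5 packets in memory (the 24-byte header and 48-byte record layout Cisco documents), decodes the destination-port field the way nfdump prints ICMP flows (type.code, with type*256 + code in the 16-bit field; RFC 3954 defines the v9 ICMP_TYPE element, field 32, with the same packing), and flags records whose (type, code) pair is undefined while (code, type) is a defined pair, which is what a code*256 + type exporter would produce. The "swapped" packet is a constructed assumption about what such an exporter emits; the thread only reports the symptom. The IP addresses, counters and the partial ICMP code table are constructed sample data.

```python
"""Decode ICMP type/code from NetFlow v5 records and flag byte-swapped values.

Illustration for the nfsen-discuss thread; not nfdump code.  Packets are
constructed inline, so this runs offline with no collector or router.
"""
import socket
import struct
from typing import List, NamedTuple, Tuple

# NetFlow v5 wire format as documented by Cisco: 24-byte header, 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")            # version, count, sysuptime, secs, nsecs, seq, eng_type, eng_id, sampling
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # src, dst, nexthop, in, out, pkts, octets, first, last, sport, dport, pad, flags, prot, tos, sas, das, smask, dmask, pad
PROTO_ICMP = 1

# Codes defined for common ICMP types (RFC 792 plus later additions).  Used only
# as a plausibility check, so the table need not be exhaustive (assumption).
VALID_CODES = {
    0: {0}, 3: set(range(16)), 4: {0}, 5: {0, 1, 2, 3}, 8: {0},
    9: {0}, 10: {0}, 11: {0, 1}, 12: {0, 1, 2}, 13: {0}, 14: {0},
}


class Flow(NamedTuple):
    src: str
    dst: str
    proto: int
    srcport: int
    dstport: int
    packets: int
    octets: int


def encode_icmp_port(icmp_type: int, icmp_code: int) -> int:
    """v5 carries ICMP type/code in the dst-port field as type*256 + code."""
    return ((icmp_type & 0xFF) << 8) | (icmp_code & 0xFF)


def decode_icmp_port(dstport: int) -> Tuple[int, int]:
    return dstport >> 8, dstport & 0xFF


def nfdump_style(dstport: int) -> str:
    """Render like nfdump's 'type.code' column, e.g. 0x0800 -> '8.0'."""
    t, c = decode_icmp_port(dstport)
    return f"{t}.{c}"


def looks_byte_swapped(dstport: int) -> bool:
    """True when (type, code) is undefined but (code, type) is defined, i.e. the
    exporter appears to have written code*256 + type.  Symmetric values such as
    0.0 (echo reply) cannot be told apart, which matches the thread's output."""
    t, c = decode_icmp_port(dstport)
    ok = lambda tt, cc: cc in VALID_CODES.get(tt, set())
    return not ok(t, c) and ok(c, t)


def build_v5_packet(flows: List[Flow], uptime_ms: int = 60000, unix_secs: int = 1371760783) -> bytes:
    """Serialize flows as one NetFlow v5 export datagram (sequence/engine fields zeroed)."""
    hdr = V5_HEADER.pack(5, len(flows), uptime_ms, unix_secs, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(
            int.from_bytes(socket.inet_aton(f.src), "big"),
            int.from_bytes(socket.inet_aton(f.dst), "big"),
            0, 1, 2,                      # nexthop, input ifindex, output ifindex
            f.packets, f.octets,
            uptime_ms - 500, uptime_ms,   # first/last seen, in sysuptime ms
            f.srcport, f.dstport,
            0, 0, f.proto, 0,             # pad1, tcp_flags, prot, tos
            0, 0, 0, 0, 0,                # src_as, dst_as, src_mask, dst_mask, pad2
        )
        for f in flows
    )
    return hdr + body


def parse_v5_packet(data: bytes) -> List[Flow]:
    """Parse a v5 datagram, validating version and the count/length relationship."""
    version, count, *_ = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 packet (version {version})")
    if len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        flows.append(Flow(
            src=socket.inet_ntoa(r[0].to_bytes(4, "big")),
            dst=socket.inet_ntoa(r[1].to_bytes(4, "big")),
            proto=r[13], srcport=r[9], dstport=r[10], packets=r[5], octets=r[6],
        ))
    return flows


def audit(data: bytes) -> List[Tuple[str, str, str, bool]]:
    """Return (src, dst, 'type.code', swapped?) for every ICMP flow in a datagram."""
    return [(f.src, f.dst, nfdump_style(f.dstport), looks_byte_swapped(f.dstport))
            for f in parse_v5_packet(data) if f.proto == PROTO_ICMP]


# Constructed samples modelled on the echo request/reply pair quoted in the thread.
GOOD = build_v5_packet([
    Flow("134.130.3.67", "134.130.9.68", PROTO_ICMP, 0, encode_icmp_port(8, 0), 25, 2100),
    Flow("134.130.9.68", "134.130.3.67", PROTO_ICMP, 0, encode_icmp_port(0, 0), 25, 2100),
])
# Assumed output of an exporter that packs code*256 + type (yields '0.8').
SWAPPED = build_v5_packet([
    Flow("134.130.3.67", "134.130.9.68", PROTO_ICMP, 0, encode_icmp_port(0, 8), 25, 2100),
    Flow("134.130.9.68", "134.130.3.67", PROTO_ICMP, 0, encode_icmp_port(0, 0), 25, 2100),
])

if __name__ == "__main__":
    for label, pkt in (("correct", GOOD), ("swapped", SWAPPED)):
        for src, dst, tc, swapped in audit(pkt):
            print(f"{label:8} {src:>15} -> {dst:<15} {tc:>6} {'SWAPPED?' if swapped else ''}")
```

The practical point for anyone writing detection rules on ICMP flows from mixed exporters: check the type/code encoding per exporter before alerting on, say, echo-request sweeps, because a swapped exporter turns every type 8 into "0.8". Echo replies (0.0) look identical either way, so the request side is where the discrepancy shows, exactly as in the two nfdump listings above.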
_______________________________________________
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss