Thanks Jens - I'll check that when I'm back home. Stay tuned.

- Peter
On 6/21/13 W25 11:12, Jens Hektor wrote:
> On 21.06.2013 02:12, Peter Haag wrote:
>> Hmm .. I'm not aware of an ICMP bug somewhere. What version of nfdump and OS?
>
> nfdump is the bugfixed 1.6.10 and OS is CentOS release 5.9 (Final)
>
> Phenomenologically I see the following:
>
> a) Supervisor Engine 720 10GE (Active) VS-S720-10G
> ------------------------------------------------------
> Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 15.1(1)SY1, RELEASE SOFTWARE (fc5)
>
> Config: ip flow-export version 5 peer-as
>
> proto ICMP
> and host 134.130.3.67
> Date first seen Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
> Verify map id 0: ERROR: Expected 7 elements in map, but found 2!
> 2013-06-20 22:39:43.722 35.904 ICMP 134.130.3.67:0 -> 134.130.9.68:8.0 25 2100 1
> 2013-06-20 22:39:43.790 34.688 ICMP 134.130.3.67:0 -> 134.130.9.67:8.0 25 2100 1
> 2013-06-20 22:39:43.749 34.752 ICMP 134.130.9.67:0 -> 134.130.3.67:0.0 25 2100 1
> 2013-06-20 22:39:43.715 35.904 ICMP 134.130.9.68:0 -> 134.130.3.67:0.0 25 2100 1
> 2013-06-20 22:42:47.969 0.000 ICMP 134.130.9.68:0 -> 134.130.3.67:0.0 1 84 1
> 2013-06-20 22:42:47.977 0.000 ICMP 134.130.3.67:0 -> 134.130.9.68:8.0 1 84 1
> 2013-06-20 22:42:47.936 0.000 ICMP 134.130.9.67:0 -> 134.130.3.67:0.0 1 84 1
> 2013-06-20 22:42:47.988 0.000 ICMP 134.130.3.67:0 -> 134.130.9.67:8.0 1 84 1
> 2013-06-20 22:43:42.905 0.000 ICMP 134.130.3.67:0 -> 134.61.24.1:8.0 1 84 1
> 2013-06-20 22:43:42.910 0.000 ICMP 134.61.24.1:0 -> 134.130.3.67:0.0 1 84 1
> 2013-06-20 22:41:59.180 88.668 ICMP 134.130.3.67:0 -> 134.130.9.146:8.0 6 504 1
> 2013-06-20 22:39:54.369 4.000 ICMP 134.130.191.250:0 -> 134.130.3.67:0.0 5 420 1
> 2013-06-20 22:39:54.373 4.000 ICMP 134.130.127.121:0 -> 134.130.3.67:0.0 5 420 1
> 2013-06-20 22:39:49.374 9.000 ICMP 134.130.3.67:0 -> 134.130.77.254:0.0 10 840 1
> 2013-06-20 22:39:49.376 9.000 ICMP 134.130.3.67:0 -> 137.226.44.65:0.0 10 840 1
> 2013-06-20 22:39:48.376 10.000 ICMP 134.130.3.67:0 -> 137.226.42.1:0.0 11 924 1
> 2013-06-20 22:39:48.376 10.000 ICMP 134.130.3.67:0 -> 137.226.44.1:0.0 11 924 1
> 2013-06-20 22:39:54.384 4.000 ICMP 137.226.157.2:0 -> 134.130.3.67:0.0 5 420 1
> 2013-06-20 22:39:55.598 4.000 ICMP 134.130.3.67:0 -> 137.226.136.211:0.0 5 420 1
> 2013-06-20 22:39:55.598 4.000 ICMP 137.226.136.211:0 -> 134.130.3.67:0.0 5 420 1
> Summary: total flows: 20, total bytes: 15036, total packets: 179, avg bps: 502, avg pps: 0, avg bpp: 84
> Time window: 2013-06-20 22:34:55 - 2013-06-20 22:44:58
>
>
> b) Supervisor Engine 720 10GE (Active) VS-S720-10G
> ------------------------------------------------------
> Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 12.2(33)SXJ3, RELEASE SOFTWARE (fc1)
>
> Config: ip flow-export version 9
>
> proto ICMP
> and host 134.130.3.67
> Date first seen Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
> 2013-06-20 22:39:43.215 3.968 ICMP 134.130.3.67:0 -> 192.35.229.254:0.8 5 420 1
> 2013-06-20 22:39:47.286 22.592 ICMP 89.0.24.222:0 -> 134.130.3.67:0.0 7 588 1
> 2013-06-20 22:39:48.813 24.256 ICMP 195.71.11.67:0 -> 134.130.3.67:0.0 11 924 1
> 2013-06-20 22:40:00.217 16.128 ICMP 87.189.49.40:0 -> 134.130.3.67:0.0 7 588 1
> 2013-06-20 22:39:53.201 24.256 ICMP 193.99.160.10:0 -> 134.130.3.67:0.0 7 588 1
> 2013-06-20 22:39:52.603 22.656 ICMP 80.153.241.113:0 -> 134.130.3.67:0.0 8 672 1
> 2013-06-20 22:39:55.079 20.992 ICMP 87.79.34.228:0 -> 134.130.3.67:0.0 7 588 1
> 2013-06-20 22:39:51.488 25.920 ICMP 77.180.164.92:0 -> 134.130.3.67:0.0 7 588 1
> 2013-06-20 22:39:47.198 29.056 ICMP 84.14.122.53:0 -> 134.130.3.67:0.0 15 1260 1
> 2013-06-20 22:39:50.777 25.920 ICMP 84.14.4.242:0 -> 134.130.3.67:0.0 10 840 1
> 2013-06-20 22:39:43.107 34.688 ICMP 134.130.9.67:0 -> 134.130.3.67:0.0 25 2100 1
> 2013-06-20 22:39:53.474 24.256 ICMP 84.14.122.53:0 -> 134.130.3.67:0.0 5 420 1
> 2013-06-20 22:39:50.335 25.920 ICMP 87.79.75.111:0 -> 134.130.3.67:0.0 8 672 1
> 2013-06-20 22:39:47.599 30.720 ICMP 134.130.3.67:0 -> 89.0.24.222:0.8 20 1680 1
> 2013-06-20 22:39:47.726 30.656 ICMP 134.130.3.67:0 -> 109.90.2.118:0.8 20 1680 1
> 2013-06-20 22:39:46.866 30.656 ICMP 134.130.3.67:0 -> 80.153.241.113:0.8 20 1680 1
> 2013-06-20 22:39:46.930 30.720 ICMP 134.130.3.67:0 -> 87.79.75.111:0.8 20 1680 1
> 2013-06-20 22:39:47.057 30.720 ICMP 134.130.3.67:0 -> 195.71.11.67:0.8 20 1680 1
> 2013-06-20 22:39:47.790 30.720 ICMP 134.130.3.67:0 -> 67.217.34.232:0.8 20 1680 1
> 2013-06-20 22:39:47.439 30.720 ICMP 134.130.3.67:0 -> 188.1.238.57:0.8 20 1680 1
> Summary: total flows: 20, total bytes: 22008, total packets: 262, avg bps: 4973, avg pps: 7, avg bpp: 84
> Time window: 2013-06-20 22:34:50 - 2013-06-20 22:44:58
>
>
> The host 134.130.3.67 is my Nagios machine and it pings around.
>
> You see that ICMP echo requests get decoded as "destinationport"
> 8.0 when I use netflow 5 and 0.8 when I use netflow 9.
>
> So type and code are somehow "swapped".
>
> The change came when I switched the netflow versions on router b)
>
> Maybe someone with a Cat65 can confirm that?
>
> Note: a nexus 7000 with netflow version 5 does not
> give any codes or types as far as I see.

-- 
Be nice to your netflow data
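As an added illustration of the symptom reported in this thread (not code from either poster or from nfdump), the Python sketch below parses ICMP flow lines of the kind quoted above and flags rows whose type/code pair only makes sense with the two bytes exchanged. It assumes the destination column reads `type.code`, that the 16-bit port field carries the type in its high byte, and uses the fact that echo request (8) and echo reply (0) only define code 0; the function names are hypothetical.

```python
import re

# ICMP types whose only defined code is 0 (RFC 792 echo reply / echo request).
CODE_ZERO_ONLY = {0: "echo-reply", 8: "echo-request"}

# Destination column of an IPv4 ICMP flow line, e.g. "-> 134.130.9.68:8.0 ".
DST_RE = re.compile(r"->\s+(\S+?):(\d+)\.(\d+)\s")

# Three rows copied from the output quoted in the thread:
# a v5 export, a v9 export, and an echo reply.
SAMPLE = [
    "2013-06-20 22:39:43.722 35.904 ICMP 134.130.3.67:0 -> 134.130.9.68:8.0 25 2100 1",
    "2013-06-20 22:39:43.215 3.968 ICMP 134.130.3.67:0 -> 192.35.229.254:0.8 5 420 1",
    "2013-06-20 22:39:43.749 34.752 ICMP 134.130.9.67:0 -> 134.130.3.67:0.0 25 2100 1",
]

def port_to_type_code(port):
    """Split a 16-bit 'destination port' into (type, code), type in the high byte."""
    return (port >> 8) & 0xFF, port & 0xFF

def looks_swapped(icmp_type, icmp_code):
    """Heuristic: the pair is invalid as shown but valid with the bytes exchanged."""
    valid_as_is = icmp_type not in CODE_ZERO_ONLY or icmp_code == 0
    valid_swapped = icmp_code in CODE_ZERO_ONLY and icmp_type == 0
    return (not valid_as_is) and valid_swapped

def normalize(line):
    """Return (dst, type, code, was_swapped) for one flow line, or None if no match."""
    m = DST_RE.search(line)
    if not m:
        return None
    dst, icmp_type, icmp_code = m.group(1), int(m.group(2)), int(m.group(3))
    swapped = looks_swapped(icmp_type, icmp_code)
    if swapped:
        icmp_type, icmp_code = icmp_code, icmp_type
    return dst, icmp_type, icmp_code, swapped

if __name__ == "__main__":
    # Port 2048 (0x0800) splits to 8.0; port 8 (0x0008) splits to 0.8.
    print(port_to_type_code(2048), port_to_type_code(8))
    for row in SAMPLE:
        print(normalize(row))
```

The heuristic only covers echo request and echo reply; other ICMP types with several valid codes cannot be disambiguated this way.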