Thanks Mark, solved! After I added the origin-as I was not querying the latest sample! Hence I did not see the changes reflected.
Thanks again Mark :)

On Tue, Aug 12, 2014 at 2:37 PM, geebs <gwe...@gmail.com> wrote:

> Also I've read conflicting documentation as to what peer-as and origin-as
> do.
>
> My understanding is;
> If I want to know the origin of the packet's destination, use origin-as.
> If I want to see which BGP peer the traffic is going through, I use
> peer-as.
>
> On Tue, Aug 12, 2014 at 2:33 PM, geebs <gwe...@gmail.com> wrote:
>
>> I've confirmed that the AS information is definitely in the packet.
>>
>> I added the origin-as command, still AS 0.
>> Now I've added the peer-as command, again AS 0.
>>
>> root@ares:/storage/nfsen/profiles-data/live/edge1-syd# nfdump -M
>> /storage/nfsen/profiles-data/live/edge1-syd -T -r
>> 2014/08/12/nfcapd.201408120000 -n 10 -s prevas/flows
>> Unknown stat: 'prevas/flows'!
>>
>> root@ares:/storage/nfsen/profiles-data/live/edge1-syd# nfdump -M
>> /storage/nfsen/profiles-data/live/edge1-syd -T -r
>> 2014/08/12/nfcapd.201408120000 -n 10 -s nextas/flows
>> Unknown stat: 'nextas/flows'!
>>
>> root@ares:/storage/nfsen/profiles-data/live/edge1-syd# nfdump -M
>> /storage/nfsen/profiles-data/live/edge1-syd -T -r
>> 2014/08/12/nfcapd.201408120000 -n 10 -s srcas/flows
>> Top 10 Src AS ordered by flows:
>> Date first seen Duration Proto Src AS Flows(%)
>> Packets(%) Bytes(%) pps bps bpp
>> 2014-08-11 23:55:01.837 596.843 any 0 18660(100.0)
>> 341444(100.0) 133.0 M(100.0) 572 1.8 M 389
>>
>> Summary: total flows: 18660, total bytes: 133.0 M, total packets: 341444,
>> avg bps: 1.8 M, avg pps: 572, avg bpp: 389
>> Time window: 2014-08-11 23:55:01 - 2014-08-12 00:04:58
>> Total flows processed: 18660, Blocks skipped: 0, Bytes read: 970360
>> Sys: 0.008s flows/second: 2332500.0 Wall: 0.008s flows/second: 2264838.0
>>
>> root@ares:/storage/nfsen/profiles-data/live/edge1-syd# nfdump -M
>> /storage/nfsen/profiles-data/live/edge1-syd -T -r
>> 2014/08/12/nfcapd.201408120000 -n 10 -s dstas/flows
>> Top 10 Dst AS ordered by flows:
>> Date first seen Duration Proto Dst AS Flows(%)
>> Packets(%) Bytes(%) pps bps bpp
>> 2014-08-11 23:55:01.837 596.843 any 0 18660(100.0)
>> 341444(100.0) 133.0 M(100.0) 572 1.8 M 389
>>
>> Summary: total flows: 18660, total bytes: 133.0 M, total packets: 341444,
>> avg bps: 1.8 M, avg pps: 572, avg bpp: 389
>> Time window: 2014-08-11 23:55:01 - 2014-08-12 00:04:58
>> Total flows processed: 18660, Blocks skipped: 0, Bytes read: 970360
>> Sys: 0.008s flows/second: 2332500.0 Wall: 0.008s flows/second: 2211162.5
>>
>> Anything else you can think of I can check?
>>
>> Cheers.
>>
>> On Tue, Aug 12, 2014 at 12:38 PM, geebs <gwe...@gmail.com> wrote:
>>
>>> Thanks for your response Mark, I only have ip flow-export version 5
>>> configured.
>>> I'll check the flow data to confirm.
>>> Thanks very much for your response.
>>>
>>> On Tue, Aug 12, 2014 at 12:31 PM, Mark van der Meulen <
>>> m...@fivenynes.com> wrote:
>>>
>>>> Looks like your routers are not including the AS information in the
>>>> Netflow packet. What is your router configuration? For some Cisco you need
>>>> 'ip flow-export version 5 origin-as’ I think it is – as opposed to peer-as.
>>>> I’d be checking the flow data first to confirm you are actually seeing AS
>>>> information in the packets and if not, work backwards from there;
>>>> otherwise, if the data is in the packet you might need to be checking
>>>> something different. Have you tried srcas, nextas, prevas for the
>>>> sake of troubleshooting?
>>>>
>>>> Mark
>>>>
>>>> From: geebs <gwe...@gmail.com>
>>>> Date: Tuesday, 12 August 2014 12:17 pm
>>>> To: "nfsen-discuss@lists.sourceforge.net" <
>>>> nfsen-discuss@lists.sourceforge.net>
>>>> Subject: [Nfsen-discuss] DST AS 0 - no other AS listed
>>>>
>>>> Hello,
>>>>
>>>> I'm trying to get a list of my networks top destination AS's.
>>>> However I'm not getting far, I'm sure it's something I'm not seeing.
>>>>
>>>> All my routers are exporting v5 netflow correctly.
>>>>
>>>> All I see is 100% of traffic to AS 0 ???
>>>>
>>>> Here's the response I get;
>>>>
>>>> ** nfdump -M
>>>> /storage/nfsen/profiles-data/live/core2-bri:edge1-syd:edge2-mel:core2-mel:edge1-mel:core1-bri:core1-mel:core1-per:edge2-syd:edge1-bri:core1-syd:core2-per:core2-syd:edge1-per
>>>> -T -r 2014/08/12/nfcapd.201408120000 -n 10 -s dstas/flows
>>>> nfdump filter:
>>>> any
>>>> Top 10 Dst AS ordered by flows:
>>>> Date first seen Duration Proto Dst AS Flows(%)
>>>> Packets(%) Bytes(%) pps bps bpp
>>>> 2014-08-11 23:54:58.720 600.031 any 0
>>>> 270445(100.0) 6.0 M(100.0) 3.4 G(100.0) 9953 45.6 M 573
>>>>
>>>> Summary: total flows: 270445, total bytes: 3.4 G, total packets: 6.0 M,
>>>> avg bps: 45.6 M, avg pps: 9953, avg bpp: 573
>>>> Time window: 2014-08-11 23:54:58 - 2014-08-12 00:04:58
>>>> Total flows processed: 270445, Blocks skipped: 0, Bytes read: 14063784
>>>> Sys: 0.100s flows/second: 2704314.8 Wall: 0.099s flows/second:
>>>> 2728460.5
>>>>
>>>> Thanks for your time.
_______________________________________________
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
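
The check suggested in the thread, confirming whether AS information is actually present in the export packets, can be done directly on a captured NetFlow v5 datagram. The following is an added example, not part of the original posts and not nfdump code: a parser for the v5 record layout that reads the src_as and dst_as fields. The function names and the sample datagram (documentation-range addresses and AS numbers) are constructed for illustration.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte v5 export header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record


def parse_v5(datagram):
    """Return (src_ip, dst_ip, src_as, dst_as) per flow in one v5 datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than the v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("header count exceeds datagram length")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        # f[15] = src_as, f[16] = dst_as: 16-bit fields after the ToS byte
        flows.append((str(IPv4Address(f[0])), str(IPv4Address(f[1])), f[15], f[16]))
    return flows


def dst_as_report(datagrams):
    """Flows per destination AS, most frequent first (like -s dstas/flows)."""
    counts = Counter()
    for dg in datagrams:
        counts.update(dst_as for *_, dst_as in parse_v5(dg))
    return counts.most_common()


def as_fields_empty(datagrams):
    """True when every flow carries AS 0, the symptom reported in the thread."""
    return all(s == 0 and d == 0 for dg in datagrams for *_, s, d in parse_v5(dg))


def build_sample(as_pairs):
    """Constructed datagram for the demo: one flow per (src_as, dst_as) pair."""
    ip = lambda a: IPv4Address(a).packed
    body = b"".join(
        RECORD.pack(ip("192.0.2.10"), ip("198.51.100.20"), ip("203.0.113.1"),
                    1, 2, 10, 5200, 0, 1000, 51515, 443, 0, 0x18, 6, 0, s, d, 24, 24, 0)
        for s, d in as_pairs)
    return HEADER.pack(5, len(as_pairs), 0, 1407801600, 0, 0, 0, 0, 0) + body


if __name__ == "__main__":
    print(dst_as_report([build_sample([(0, 0)] * 3)]))
    print(dst_as_report([build_sample([(64496, 64500), (64496, 64500), (64496, 64501)])]))
```

If as_fields_empty() is true for datagrams captured off the wire, the exporter is sending zeroed AS fields; if it is false while the collector still reports AS 0, the file being queried is the next thing to check.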