Hello, I am facing a strange problem. Data is output from a Cisco 2951 router running IOS 15.5(1)T2.
I am getting logical data on other VLANs/subinterfaces, but on a particular one it seems crazy. Here is sample output for a 10-minute period:

  # nfdump -M /data/nfsen/profiles-data/live/thi -R 2016/07/29/nfcapd.201607291600:2016/07/29/nfcapd.201607291605 -s record -n 20 -o extended '(OUT IF 32)'
  Aggregated flows 36
  Top 20 flows ordered by -:
  Date first seen          Duration     Proto Src IP Addr:Port    Dst IP Addr:Port  Flags  Tos  Packets  Bytes    pps   bps  Bpp  Flows
  2016-06-10 14:40:30.888  8503167.515  0     5.6.235.243:0    -> 1.187.0.0:1       U.....  72   83.9 M   6.7 G      9  6333   80      5
  2016-07-17 02:49:07.496  2103455.182  0     3.6.113.214:0    -> 1.187.0.0:1       U.....  61        0   4.0 G      0 15361    0      3
  2016-08-06 07:29:37.960  3604220.443  0     14.6.183.167:0   -> 1.187.0.0:1       U.....  72  335.5 M   2.7 G     93  5976    8      2
  2016-08-17 18:27:13.704  1052721.476  0     3.6.197.188:0    -> 1.187.0.0:2       U..... 185  167.8 M   2.7 G    159 20463   16      2
  2016-08-01 20:18:21.992  1428778.913  IGMP  14.6.184.85:0    -> 1.187.0.0:6       U.....  37  285.2 M   1.3 G    199  7538    4      1
  2016-08-01 20:18:21.992  1428778.913  0     4.6.195.243:0    -> 1.187.0.0:2       U..... 166   16.8 M   1.3 G     11  7538   80      1
  2016-08-01 20:18:21.992  1428778.913  HMP   3.6.193.71:0     -> 1.187.0.0:26      U.....  18        0   1.3 G      0  7538    0      1
  2016-08-28 01:27:06.152   327159.723  0     7.6.231.162:0    -> 1.187.0.0:2       U..... 190  352.3 M   1.3 G   1076 32922    3      1
  2016-08-01 20:18:21.992  1428778.913  IGMP  4.6.195.243:0    -> 1.187.0.0:6       U..... 113   16.8 M   1.3 G     11  7538   80      1
  2016-08-01 20:18:21.992  1428778.913  0     3.6.202.119:0    -> 1.187.0.0:3       U..... 181   50.3 M   1.3 G     35  7538   26      1
  2016-07-27 19:08:14.376   473900.414  DDP   14.6.183.167:0   -> 1.187.0.0:97      U.....  98  167.8 M   1.3 G    354 22728    8      1
  2016-08-01 20:18:21.992  1428778.913  0     14.6.184.85:0    -> 1.187.0.0:2       U..... 185  285.2 M   1.3 G    199  7538    4      1
  2016-07-17 02:49:07.496  2103455.182  0     3.6.112.203:0    -> 1.187.0.0:1       U.....  61        0   1.3 G      0  5120    0      1
  2016-08-01 20:18:21.992  1428778.913  ICMP  1.6.198.67:0     -> 1.187.0.0:0.7     U..... 222   16.8 M   1.3 G     11  7538   80      1
  2016-08-01 20:11:49.884  1429171.021  0     3.6.202.110:0    -> 1.187.0.0:1       U.....  61  201.3 M   4.2 M    140    23    0      1
  2016-07-30 07:43:18.184  4208255.493  ICMP  4.6.195.243:0    -> 1.187.0.0:0.3     U..... 141   16.8 M   1.3 G      3  2559   80      1
  2016-06-28 01:59:48.220  2698771.352  0     3.6.202.110:0    -> 1.187.0.0:3       U..... 181  201.3 M   4.2 M     74    12    0      1
  2016-08-01 20:18:21.992  1428778.913  ICMP  14.6.193.78:0    -> 1.187.0.0:0.6     U..... 106   50.3 M   1.3 G     35  7538   26      1
  2016-07-27 19:08:14.376   473900.414  0     14.6.227.236:0   -> 1.187.0.0:1       U.....  61  385.9 M   1.3 G    814 22728    3      1
  2016-08-28 01:27:06.152   327159.723  BBN   13.6.199.108:0   -> 1.187.0.0:14      U..... 163   83.9 M   1.3 G    256 32922   16      1
  Summary: total flows: 44, total bytes: 56824511328, total packets: 4127195136, avg bps: 53249, avg pps: 483, avg bpp: 13
  Time window: Time Window unknown
  Total flows processed: 39913, Blocks skipped: 0, Bytes read: 2556096
  Sys: 0.009s flows/second: 3992098.4  Wall: 0.012s flows/second: 3153183.8

This absurd data clutters all nfsen diagrams. All these IP addresses are totally irrelevant to our network, and the number of packets/bytes is unimaginable. It seems that nfdump misinterprets some netflow data. I am using:

  # nfdump -V
  nfdump: Version: NSEL-NEL1.6.13

nfdump 1.6.13 was compiled as:

  ./configure --enable-nsel --enable-nfprofile --enable-nftrack --with-rrdpath=/usr/include

and nfsen:

  # /data/nfsen/bin/nfsen -V
  /data/nfsen/bin/nfsen: 1.3.6p1 $Id: nfsen 53 2012-01-23 16:36:02Z peter $

By viewing raw nfdump data, it seems that some records are wrong.
For example, in the output of:

  # nfdump -M /data/nfsen/profiles-data/live/thi -c 200 -r 2016/07/29/nfcapd.201607291640 -o raw | less

the first record is absolutely wrong (time, interfaces, etc.):

  Flow Record:
    Flags        = 0x06 FLOW, Unsampled
    export sysid = 2
    size         = 64
    first        = 1470300950 [2016-08-04 11:55:50]
    last         = 1470304097 [2016-08-04 12:48:17]
    msec_first   = 308
    msec_last    = 628
    src addr     = 227.0.0.7
    dst addr     = 55.0.0.0
    src port     = 61120
    dst port     = 2049
    fwd status   = 0
    tcp flags    = 0x11 .A...F
    proto        = 15 XNET
    (src)tos     = 1
    (in)packets  = 565
    (in)bytes    = 0
    input        = 1656
    output       = 45827
    src as       = 23751
    dst as       = 520

It is followed by about 50 correct records, and then two wrong ones show up:

  Flow Record:
    Flags        = 0x06 FLOW, Unsampled
    export sysid = 2
    size         = 64
    first        = 1466547443 [2016-06-22 01:17:23]
    last         = 1470471807 [2016-08-06 11:23:27]
    msec_first   = 481
    msec_last    = 844
    src addr     = 187.0.2.210
    dst addr     = 3.0.0.7
    src port     = 60941
    dst port     = 40961
    fwd status   = 0
    tcp flags    = 0x11 .A...F
    proto        = 209 209
    (src)tos     = 1
    (in)packets  = 8206
    (in)bytes    = 0
    input        = 1728
    output       = 49409
    src as       = 50263
    dst as       = 20832

  Flow Record:
    Flags        = 0x06 FLOW, Unsampled
    export sysid = 2
    size         = 64
    first        = 1471447633 [2016-08-17 18:27:13]
    last         = 1472500355 [2016-08-29 22:52:35]
    msec_first   = 704
    msec_last    = 180
    src addr     = 188.6.252.10
    dst addr     = 1.187.0.0
    src port     = 0
    dst port     = 1
    fwd status   = 0
    tcp flags    = 0x20 U.....
    proto        = 0 0
    (src)tos     = 61
    (in)packets  = 184549376
    (in)bytes    = 1346374668
    input        = 0
    output       = 0
    src as       = 8209
    dst as       = 1608

I have not continued this, but it is obvious that something is not going right. I can't tell why nfsen puts all this absurd data on the particular interface in the diagrams, but it's the first one defined in the profile, if that tells you something. Can someone please explain whether I'm doing something wrong (e.g. nfdump compilation, etc.) or whether it's an nfdump/nfsen bug? What should I do to correct things?
Thanks in advance,
Nick

Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
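The records Nick quotes share a few tell-tale properties: timestamps weeks away from the nfcapd slot they were read from, durations far beyond any active-flow timeout, protocol 0, packet counts with zero or near-zero bytes, and both interface indexes 0. Below is an added example (not part of the post, and not nfdump or nfsen code) that parses "nfdump -o raw" output and flags records with those properties, so corrupt exporter data can be spotted before it ends up in a profile's graphs. It assumes the key = value layout shown in the post, that the bracketed times and the nfcapd file name are in the same local time zone, a 5-minute nfsen slot, and a 30-minute active timeout (the assumed IOS default; adjust to the router's configured value). The sample input is constructed: two of the records from the post, trimmed to the fields the checks use, plus one plausible record made up for contrast.

```python
"""Sanity-check records from 'nfdump -o raw' against the nfcapd slot they came from."""
import re
from datetime import datetime, timedelta

# Constructed sample: two records quoted in the post (trimmed to the fields the
# checks use) plus one plausible record made up for contrast.
RAW_OUTPUT = """\
Flow Record:
  first        =        1470300950 [2016-08-04 11:55:50]
  last         =        1470304097 [2016-08-04 12:48:17]
  src addr     =         227.0.0.7
  dst addr     =          55.0.0.0
  src port     =             61120
  dst port     =              2049
  proto        =                15 XNET
  (in)packets  =               565
  (in)bytes    =                 0
  input        =              1656
  output       =             45827

Flow Record:
  first        =        1471447633 [2016-08-17 18:27:13]
  last         =        1472500355 [2016-08-29 22:52:35]
  src addr     =      188.6.252.10
  dst addr     =         1.187.0.0
  src port     =                 0
  dst port     =                 1
  proto        =                 0 0
  (in)packets  =         184549376
  (in)bytes    =        1346374668
  input        =                 0
  output       =                 0

Flow Record:
  first        =        1469799610 [2016-07-29 16:40:10]
  last         =        1469799622 [2016-07-29 16:40:22]
  src addr     =        192.0.2.10
  dst addr     =      198.51.100.5
  src port     =             51234
  dst port     =               443
  proto        =                 6 TCP
  (in)packets  =                12
  (in)bytes    =              1860
  input        =                32
  output       =                16
"""

FIELD_RE = re.compile(r"^\s*([\w()\s]+?)\s*=\s*(.*?)\s*$")
STAMP_RE = re.compile(r"\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")
MIN_BYTES_PER_PACKET = 20              # an IPv4 header alone is 20 bytes
ACTIVE_TIMEOUT = timedelta(minutes=30)  # assumed IOS default active timeout
SLOT = timedelta(minutes=5)             # nfsen's nfcapd rotation interval

def parse_raw(text):
    """Split 'nfdump -o raw' output into one {field: value-string} dict per record."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("Flow Record:"):
            current = {}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return records

def _int(rec, key):
    # first token only: 'proto = 15 XNET' -> 15
    return int(rec[key].split()[0])

def _stamp(rec, key):
    # use the bracketed local time, which nfdump renders in the same zone as nfsen's file names
    return datetime.strptime(STAMP_RE.search(rec[key]).group(1), "%Y-%m-%d %H:%M:%S")

def slot_window(filename):
    """(start, end) of an nfcapd.YYYYMMDDhhmm file, e.g. nfcapd.201607291640."""
    start = datetime.strptime(filename.rsplit(".", 1)[1], "%Y%m%d%H%M")
    return start, start + SLOT

def check_record(rec, window):
    """Return the list of implausibilities found in one record (empty if it looks sane)."""
    start, end = window
    first, last = _stamp(rec, "first"), _stamp(rec, "last")
    packets, nbytes = _int(rec, "(in)packets"), _int(rec, "(in)bytes")
    problems = []
    if last < first:
        problems.append("last before first")
    # a flow may begin before the slot (up to the active timeout) but must end in or near it
    if last < start - timedelta(minutes=1) or first > end + timedelta(minutes=1):
        problems.append("timestamps outside the capture slot")
    if last - first > ACTIVE_TIMEOUT + timedelta(minutes=1):
        problems.append("duration exceeds the active timeout")
    if _int(rec, "proto") == 0:
        problems.append("IP protocol 0")
    if packets > 0 and nbytes < packets * MIN_BYTES_PER_PACKET:
        problems.append("fewer than %d bytes per packet" % MIN_BYTES_PER_PACKET)
    if _int(rec, "input") == 0 and _int(rec, "output") == 0:
        problems.append("both interface indexes are 0")
    return problems

def suspicious_records(text, filename):
    """(index, problems) for every record in the raw dump that fails a check."""
    window = slot_window(filename)
    flagged = []
    for i, rec in enumerate(parse_raw(text)):
        problems = check_record(rec, window)
        if problems:
            flagged.append((i, problems))
    return flagged

if __name__ == "__main__":
    for idx, problems in suspicious_records(RAW_OUTPUT, "nfcapd.201607291640"):
        print("record %d: %s" % (idx, "; ".join(problems)))
```

Run against a real file with `nfdump -r nfcapd.201607291640 -o raw | python3 check.py` after swapping RAW_OUTPUT for sys.stdin.read(); counting how many records per export source (the "export sysid" line) trip the checks is a quick way to tell whether the corruption comes from one exporter or from the collector side.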