Hello, I have identified the packets that produced the wrong records I listed (see below). I have exported them in text (through Wireshark) and they are as follows:
They are IPv6 records. Can you please explain if I am doing something wrong (nfdump compilation, nfsen config, etc.) or if there is something that should be changed/added to nfdump/nfsen?

Thanks,
Nick

------------------- Exported Original Packet 1 ---------------------------------

No.     Time                        Source           Destination      Protocol Length Info
    131 2016-07-29 16:40:00.509062  195.251.204.254  195.251.204.212  CFLOW    119    total: 1 (v9) record Obs-Domain-ID= 0 [Data:256]

Frame 131: 119 bytes on wire (952 bits), 119 bytes captured (952 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Jul 29, 2016 16:40:00.509062000 GTB Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1469799600.509062000 seconds
    [Time delta from previous captured frame: 0.942114000 seconds]
    [Time delta from previous displayed frame: 0.942114000 seconds]
    [Time since reference or first frame: 53.000453000 seconds]
    Frame Number: 131
    Frame Length: 119 bytes (952 bits)
    Capture Length: 119 bytes (952 bits)
    [Frame is marked: True]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:cflow]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: CiscoInc_52:38:11 (f4:0f:1b:52:38:11), Dst: DigitalE_2e:f5:53 (aa:00:00:2e:f5:53)
    Destination: DigitalE_2e:f5:53 (aa:00:00:2e:f5:53)
        Address: DigitalE_2e:f5:53 (aa:00:00:2e:f5:53)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: CiscoInc_52:38:11 (f4:0f:1b:52:38:11)
        Address: CiscoInc_52:38:11 (f4:0f:1b:52:38:11)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 195.251.204.254, Dst: 195.251.204.212
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 105
    Identification: 0xd4a3 (54435)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 255
    Protocol: UDP (17)
    Header checksum: 0xc515 [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 195.251.204.254
    Destination: 195.251.204.212
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 57095 (57095), Dst Port: 9995 (9995)
    Source Port: 57095
    Destination Port: 9995
    Length: 85
    Checksum: 0x8b2a [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    [Stream index: 0]
Cisco NetFlow/IPFIX
    Version: 9
    Count: 1
    SysUptime: -32440.1919310368 seconds
    Timestamp: Jul 29, 2016 16:40:00.000000000 GTB Daylight Time
        CurrentSecs: 1469799600
    FlowSequence: 20496 (expected 81465)
        [Expert Info (Warn/Sequence): Unexpected flow sequence for domain ID 0 (expected 81465, got 20496)]
            [Unexpected flow sequence for domain ID 0 (expected 81465, got 20496)]
            [Severity level: Warn]
            [Group: Sequence]
    SourceId: 0
    FlowSet 1 [id=256] (1 flows)
        FlowSet Id: (Data) (256)
        FlowSet Length: 57
        [Template Frame: 69]
        Flow 1
            DstAddr: 2001:648:2011:10::235
            Protocol: TCP (6)
            SrcPort: 30899 (30899)
            DstPort: 995 (995)
            Octets: 1847
            Packets: 15
            [Duration: 0.332000000 seconds (switched)]
                StartTime: 32423.944000000 seconds
                EndTime: 32424.276000000 seconds
            SrcAddr: 2001:648:2011:8002:85c:c793:3e1f:c573
    [Expected Sequence Number: 81465]
    [Previous Frame in Sequence: 130]

0000  aa 00 00 2e f5 53 f4 0f 1b 52 38 11 08 00 45 00   .....S...R8...E.
0010  00 69 d4 a3 00 00 ff 11 c5 15 c3 fb cc fe c3 fb   .i..............
0020  cc d4 df 07 27 0b 00 55 8b 2a 00 09 00 01 01 ef   ....'..U.*......
0030  00 6c 57 9b 5c b0 00 00 50 10 00 00 00 00 01 00   .lW.\...P.......
0040  00 39 20 01 06 48 20 11 00 10 00 00 00 00 00 00   .9 ..H .........
0050  02 35 06 78 b3 03 e3 00 00 07 37 00 00 00 0f 01   .5.x......7.....
0060  ee c0 08 01 ee c1 54 20 01 06 48 20 11 80 02 08   ......T ..H ....
0070  5c c7 93 3e 1f c5 73                              \..>..s

------------------- Exported Original Packet 2 ---------------------------------

No.     Time                        Source           Destination      Protocol Length Info
    134 2016-07-29 16:40:01.509001  195.251.204.254  195.251.204.212  CFLOW    172    total: 2 (v9) records Obs-Domain-ID= 0 [Data:256]

Frame 134: 172 bytes on wire (1376 bits), 172 bytes captured (1376 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Jul 29, 2016 16:40:01.509001000 GTB Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1469799601.509001000 seconds
    [Time delta from previous captured frame: 0.941572000 seconds]
    [Time delta from previous displayed frame: 0.941572000 seconds]
    [Time since reference or first frame: 54.000392000 seconds]
    Frame Number: 134
    Frame Length: 172 bytes (1376 bits)
    Capture Length: 172 bytes (1376 bits)
    [Frame is marked: True]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:cflow]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: CiscoInc_52:38:11 (f4:0f:1b:52:38:11), Dst: DigitalE_2e:f5:53 (aa:00:00:2e:f5:53)
    Destination: DigitalE_2e:f5:53 (aa:00:00:2e:f5:53)
        Address: DigitalE_2e:f5:53 (aa:00:00:2e:f5:53)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: CiscoInc_52:38:11 (f4:0f:1b:52:38:11)
        Address: CiscoInc_52:38:11 (f4:0f:1b:52:38:11)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 195.251.204.254, Dst: 195.251.204.212
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 158
    Identification: 0xd4a4 (54436)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 255
    Protocol: UDP (17)
    Header checksum: 0xc4df [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 195.251.204.254
    Destination: 195.251.204.212
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 57095 (57095), Dst Port: 9995 (9995)
    Source Port: 57095
    Destination Port: 9995
    Length: 138
    Checksum: 0xba5d [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    [Stream index: 0]
Cisco NetFlow/IPFIX
    Version: 9
    Count: 2
    SysUptime: -32441.1918310368 seconds
    Timestamp: Jul 29, 2016 16:40:01.000000000 GTB Daylight Time
        CurrentSecs: 1469799601
    FlowSequence: 20497 (expected 81467)
        [Expert Info (Warn/Sequence): Unexpected flow sequence for domain ID 0 (expected 81467, got 20497)]
            [Unexpected flow sequence for domain ID 0 (expected 81467, got 20497)]
            [Severity level: Warn]
            [Group: Sequence]
    SourceId: 0
    FlowSet 1 [id=256] (2 flows)
        FlowSet Id: (Data) (256)
        FlowSet Length: 110
        [Template Frame: 69]
        Flow 1
            DstAddr: 2a00:1450:4017:805::200e
            Protocol: TCP (6)
            SrcPort: 49345 (49345)
            DstPort: 443 (443)
            Octets: 184835
            Packets: 2001
            [Duration: 46.312000000 seconds (switched)]
                StartTime: 32378.272000000 seconds
                EndTime: 32424.584000000 seconds
            SrcAddr: 2001:648:2011:8a51:60c4:57a2:e941:5864
        Flow 2
            DstAddr: 2a00:1450:400c:c0b::bc
            Protocol: TCP (6)
            SrcPort: 64522 (64522)
            DstPort: 443 (443)
            Octets: 61
            Packets: 1
            [Duration: 0.000000000 seconds (switched)]
                StartTime: 32424.436000000 seconds
                EndTime: 32424.436000000 seconds
            SrcAddr: 2001:648:2011:8a51:1096:cc14:6925:92f8
    [Expected Sequence Number: 81467]
    [Previous Frame in Sequence: 133]

0000  aa 00 00 2e f5 53 f4 0f 1b 52 38 11 08 00 45 00   .....S...R8...E.
0010  00 9e d4 a4 00 00 ff 11 c4 df c3 fb cc fe c3 fb   ................
0020  cc d4 df 07 27 0b 00 8a ba 5d 00 09 00 02 01 ef   ....'....]......
0030  04 54 57 9b 5c b1 00 00 50 11 00 00 00 00 01 00   .TW.\...P.......
0040  00 6e 2a 00 14 50 40 17 08 05 00 00 00 00 00 00   .n*..P@.........
0050  20 0e 06 c0 c1 01 bb 00 02 d2 03 00 00 07 d1 01    ...............
0060  ee 0d a0 01 ee c2 88 20 01 06 48 20 11 8a 51 60   ....... ..H ..Q`
0070  c4 57 a2 e9 41 58 64 2a 00 14 50 40 0c 0c 0b 00   .W..AXd*..P@....
0080  00 00 00 00 00 00 bc 06 fc 0a 01 bb 00 00 00 3d   ...............=
0090  00 00 00 01 01 ee c1 f4 01 ee c1 f4 20 01 06 48   ............ ..H
00a0  20 11 8a 51 10 96 cc 14 69 25 92 f8               ..Q....i%..

------------------------------------------------------------------------

On 29/7/2016 5:53 PM, Nikolaos Milas wrote:

> By viewing raw nfdump data, it seems that some records are wrong. For
> example, in the output of:
>
> # nfdump -M /data/nfsen/profiles-data/live/thi -c 200 -r
> 2016/07/29/nfcapd.201607291640 -o raw | less
>
> the first record is absolutely wrong (time, interfaces, etc.):
>
> Flow Record:
>   Flags        = 0x06 FLOW, Unsampled
>   export sysid = 2
>   size         = 64
>   first        = 1470300950 [2016-08-04 11:55:50]
>   last         = 1470304097 [2016-08-04 12:48:17]
>   msec_first   = 308
>   msec_last    = 628
>   src addr     = 227.0.0.7
>   dst addr     = 55.0.0.0
>   src port     = 61120
>   dst port     = 2049
>   fwd status   = 0
>   tcp flags    = 0x11 .A...F
>   proto        = 15 XNET
>   (src)tos     = 1
>   (in)packets  = 565
>   (in)bytes    = 0
>   input        = 1656
>   output       = 45827
>   src as       = 23751
>   dst as       = 520
>
> It is followed by about 50 correct records and then two wrong ones
> show up:
>
> Flow Record:
>   Flags        = 0x06 FLOW, Unsampled
>   export sysid = 2
>   size         = 64
>   first        = 1466547443 [2016-06-22 01:17:23]
>   last         = 1470471807 [2016-08-06 11:23:27]
>   msec_first   = 481
>   msec_last    = 844
>   src addr     = 187.0.2.210
>   dst addr     = 3.0.0.7
>   src port     = 60941
>   dst port     = 40961
>   fwd status   = 0
>   tcp flags    = 0x11 .A...F
>   proto        = 209 209
>   (src)tos     = 1
>   (in)packets  = 8206
>   (in)bytes    = 0
>   input        = 1728
>   output       = 49409
>   src as       = 50263
>   dst as       = 20832
>
>
> Flow Record:
>   Flags        = 0x06 FLOW, Unsampled
>   export sysid = 2
>   size         = 64
>   first        = 1471447633 [2016-08-17 18:27:13]
>   last         = 1472500355 [2016-08-29 22:52:35]
>   msec_first   = 704
>   msec_last    = 180
>   src addr     = 188.6.252.10
>   dst addr     = 1.187.0.0
>   src port     = 0
>   dst port     = 1
>   fwd status   = 0
>   tcp flags    = 0x20 U.....
>   proto        = 0 0
>   (src)tos     = 61
>   (in)packets  = 184549376
>   (in)bytes    = 1346374668
>   input        = 0
>   output       = 0
>   src as       = 8209
>   dst as       = 1608

------------------------------------------------------------------------------
_______________________________________________
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
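An added decoder for the two exported packets, written for this page and not taken from the thread or from nfdump: it rebuilds the UDP payloads from the hex dumps above and parses the v9 header and the FlowSet 256 data records. The record layout is inferred from the field order in the Wireshark dissection, because the template packet (frame 69) is not on the page, so that layout is an assumption. Comparing its output with what nfdump writes into the nfcapd file is one way to separate a collector-side decoding problem from a bad export.

```python
import ipaddress
import struct

# FlowSet 256 record layout, assumed from the Wireshark field order (template frame 69 is not on the page).
TEMPLATE_256 = [
    ("dst_addr", 16), ("proto", 1), ("src_port", 2), ("dst_port", 2),
    ("octets", 4), ("packets", 4), ("start_ms", 4), ("end_ms", 4),
    ("src_addr", 16),
]
RECORD_LEN = sum(size for _, size in TEMPLATE_256)  # 53 bytes per record
# UDP payloads copied from the two hex dumps (bytes after the 8-byte UDP header).
PACKET_1 = bytes.fromhex(
    "0009000101ef006c579b5cb00000501000000000" "01000039"
    "20010648201100100000000000000235" "0678b303e3000007370000000f01eec00801eec154"
    "2001064820118002085cc7933e1fc573")
PACKET_2 = bytes.fromhex(
    "0009000201ef0454579b5cb10000501100000000" "0100006e"
    "2a00145040170805000000000000200e" "06c0c101bb0002d203000007d101ee0da001eec288"
    "2001064820118a5160c457a2e9415864"
    "2a001450400c0c0b00000000000000bc" "06fc0a01bb0000003d0000000101eec1f401eec1f4"
    "2001064820118a511096cc14692592f8")


def parse_v9(payload):
    """Return (header, records) for one NetFlow v9 export datagram."""
    version, count, uptime, secs, seq, source_id = struct.unpack("!HHIIII", payload[:20])
    if version != 9:
        raise ValueError("not a NetFlow v9 export (version %d)" % version)
    header = {"count": count, "uptime_ms": uptime, "unix_secs": secs,
              "sequence": seq, "source_id": source_id}
    records, off = [], 20
    while off + 4 <= len(payload):
        fs_id, fs_len = struct.unpack("!HH", payload[off:off + 4])
        if fs_len < 4 or off + fs_len > len(payload):
            raise ValueError("FlowSet length %d overruns the datagram" % fs_len)
        body = payload[off + 4:off + fs_len]
        if fs_id == 256:                      # data FlowSet described by template 256
            for i in range(len(body) // RECORD_LEN):   # any remainder is padding
                rec, pos = {}, i * RECORD_LEN
                for name, size in TEMPLATE_256:
                    raw = body[pos:pos + size]
                    rec[name] = (str(ipaddress.IPv6Address(raw)) if size == 16
                                 else int.from_bytes(raw, "big"))
                    pos += size
                records.append(rec)
        off += fs_len
    if len(records) != count:                 # header count must match decoded records
        raise ValueError("header announces %d records, decoded %d" % (count, len(records)))
    return header, records
```

Every value the decoder returns for these two datagrams matches the Wireshark dissection, which is what you would expect nfdump to store for them as well.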