On 30/7/2016 7:46 PM, Nikolaos Milas wrote:

After further research, I found that all IPv6 traffic exported by this 
router is being misinterpreted by nfdump/nfsen as IPv4 (and 
misinterpreted IPv6-traffic flow records enter the system in a state of 
total "junk").

I just tried with nfdump 1.6.15 and the problem persists.

The bad record (as stored by nfsen/nfcapd/nfdump):

Flow Record:
  Flags        =              0x06 FLOW, Unsampled
  export sysid =                 2
  size         =                60
  first        =        1470300950 [2016-08-04 11:55:50]
  last         =        1470304097 [2016-08-04 12:48:17]
  msec_first   =               124
  msec_last    =               444
  src addr     =          53.0.0.0
  dst addr     =         169.0.0.0
  ICMP         =              64.8  type.code
  fwd status   =                 0
  tcp flags    =              0x11 .A...F
  proto        =                 1 ICMP
  (src)tos     =                 8
  (in)packets  =               566
  (in)bytes    =                 0
  input        =              4578
  output       =             54272

is derived from the following packet (exported by Wireshark as plain text) referring to IPv6 traffic:

No.     Time                          Source                Destination           Protocol Length Info
    441 2016-07-31 00:19:59.693603    195.251.204.254       195.251.204.212       CFLOW    119    total: 1 (v9) record Obs-Domain-ID=    0 [Data:257]

Frame 441: 119 bytes on wire (952 bits), 119 bytes captured (952 bits)
Ethernet II, Src: CiscoInc_52:38:11 (f4:0f:1b:52:38:11), Dst: DigitalE_2e:f5:53 (aa:00:00:2e:f5:53)
Internet Protocol Version 4, Src: 195.251.204.254, Dst: 195.251.204.212
User Datagram Protocol, Src Port: 57095 (57095), Dst Port: 9995 (9995)
Cisco NetFlow/IPFIX
    Version: 9
    Count: 1
    SysUptime: 146439.410723936 seconds
    Timestamp: Jul 31, 2016 00:19:59.000000000 GTB Daylight Time
        CurrentSecs: 1469913599
    FlowSequence: 59898 (expected 271165)
        [Expert Info (Warn/Sequence): Unexpected flow sequence for domain ID 0 (expected 271165, got 59898)]
    SourceId: 0
    FlowSet 1 [id=257] (1 flows)
        FlowSet Id: (Data) (257)
        FlowSet Length: 57
        [Template Frame: 877 (received after this frame)]
        Flow 1
            DstAddr: 2001:648:2011:10::236
            Protocol: UDP (17)
            SrcPort: 58068 (58068)
            DstPort: 53 (53)
            Octets: 169
            Packets: 1
            [Duration: 0.000000000 seconds (switched)]
                StartTime: 146423.104000000 seconds
                EndTime: 146423.104000000 seconds
            SrcAddr: 2001:648:2011:8002:85c:c793:3e1f:c573
    [Expected Sequence Number: 271165]
    [Previous Frame in Sequence: 440]

I am available to provide whatever additional information/data is needed to resolve the issue.

Thanks in advance.

All the best,
Nick
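
One way to check, independently of nfdump, that a record like the one dissected above decodes to IPv6 addresses when its template is applied. This is an added example, not part of the original post and not nfdump code. The template field lengths are an assumption (they add up to the reported FlowSet Length of 57), and the FlowSet bytes are constructed from the values Wireshark shows.

```python
import ipaddress
import struct

# NetFlow v9 field type numbers from RFC 3954.
IN_BYTES, IN_PKTS, PROTOCOL, L4_SRC_PORT, L4_DST_PORT = 1, 2, 4, 7, 11
LAST_SWITCHED, FIRST_SWITCHED, IPV6_SRC_ADDR, IPV6_DST_ADDR = 21, 22, 27, 28

# Assumed template 257 as (field type, length), in the order Wireshark lists the fields.
# The lengths are an assumption; they sum to 53, i.e. FlowSet Length 57 minus the 4-byte header.
TEMPLATE_257 = [
    (IPV6_DST_ADDR, 16), (PROTOCOL, 1), (L4_SRC_PORT, 2), (L4_DST_PORT, 2),
    (IN_BYTES, 4), (IN_PKTS, 4), (FIRST_SWITCHED, 4), (LAST_SWITCHED, 4),
    (IPV6_SRC_ADDR, 16),
]

def decode_data_flowset(flowset, template):
    """Decode one v9 data FlowSet into a list of {field_type: value} records."""
    flowset_id, length = struct.unpack_from("!HH", flowset, 0)
    if flowset_id < 256:
        raise ValueError("not a data FlowSet (ids below 256 are templates)")
    if length > len(flowset):
        raise ValueError("FlowSet length exceeds captured bytes")
    record_len = sum(n for _, n in template)
    records, offset = [], 4
    # Anything shorter than one record at the end is padding.
    while offset + record_len <= length:
        record = {}
        for ftype, n in template:
            raw = flowset[offset:offset + n]
            if ftype in (IPV6_SRC_ADDR, IPV6_DST_ADDR):
                # 16-byte address: must not be truncated to a 32-bit IPv4 value.
                record[ftype] = ipaddress.IPv6Address(raw)
            else:
                record[ftype] = int.from_bytes(raw, "big")
            offset += n
        records.append(record)
    return records

def build_sample_flowset():
    """Constructed sample: the flow values shown in the Wireshark dissection above."""
    body = ipaddress.IPv6Address("2001:648:2011:10::236").packed
    body += struct.pack("!BHHIIII", 17, 58068, 53, 169, 1, 146423104, 146423104)
    body += ipaddress.IPv6Address("2001:648:2011:8002:85c:c793:3e1f:c573").packed
    return struct.pack("!HH", 257, 4 + len(body)) + body
```

Feeding the real FlowSet bytes from a capture and the template the router actually sent (frame 877 in the capture above) into `decode_data_flowset` gives a reference decode to compare against what the collector stored.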




