Re: [Ntop-dev] IPFIX generated traffic from nProbe

Maltby, David Fri, 01 May 2009 06:57:43 -0700

Just wondering if you had an answer on whether this was a bug or not.
Maybe you missed the response to your questions from my colleague
Georgiy.  I've include it below.


Thanks,
David Maltby

        -----Original Message-----
        From: Zhytar, Georgiy 
        Sent: Friday, April 17, 2009 4:02 AM
        To: [email protected]
        Cc: Maltby, David
        Subject: RE: [Ntop-dev] IPFIX generated traffic from nProbe

        Hi,

        Here is command line: 
        nprobe /c -i 1 -n 10.140.2.53:2055 -V 10 -b 2 -s 5 -l 5 -u 1 -Q
2 -T "%IPV4_SRC_ADDR %  IPV4_DST_ADDR %IPV4_NEXT_HOP %INPUT_SNMP
%OUTPUT_SNMP %IN_PKTS %IN_BYTES %OUT_PKTS %OUT_BYTES %FIRST_SWITCHED
%LAST_SWITCHED %L4_SRC_PORT %L4_DST_PORT %TCP_FLAGS %PROTOCOL %SRC_TOS
%SRC_AS %DST_AS %SRC_MASK %DST_MASK" -U 777

        WireShark version 1.1.3 shows that flows as IPFIX partial flow
(254/1) where 254 - expected length, 1-length in a header.

        Thanks for your collaboration!

        Georgiy Zhytar

-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of Luca Deri
Sent: Thursday, April 16, 2009 6:17 PM
To: [email protected]
Subject: Re: [Ntop-dev] IPFIX generated traffic from nProbe

David
I need to look at the issue:
- What command line arguments you passed to nprobe in your test?
- what wireshark version are you using?

Luca

On Apr 17, 2009, at 1:10 AM, Maltby, David wrote:

> Hi,
> My company is considering buying "nProbe 5.x [Win32]" because of its  
> ability to generate IPFIX traffic.  We downloaded the demo version  
> and took a packet capture of the traffic.  The flow headers  
> indicated version 10, as expected, but the Length field in the flow  
> header is reporting the number of FlowSets (like was done in NetFlow  
> Version 9).
>
> The RFC
(http://www.ietf.org/internet-drafts/draft-ietf-ipfix-file-03.txt 
> ) indicates:
>
>    1.  Search for the first occurrence of the octet string 0x00,  
> 0x0A (the IPFIX Message Header Version field)
>
>    2.  Treat this field as the beginning of a candidate IPFIX  
> Message.  Read the two bytes following the Version field as a  
> Message Length, and seek to that offset from the beginning of the  
> candidate IPFIX Message.
>
> Also, Wireshark is unable to decode the IPFIX packets, until I  
> manually modify a packet so that it is the message length.  So, I  
> guess my question is, is this a bug or intended behavior?
>
>
>
> Thanks,
>
> David
>
>
>
>
>
>
>
> _______________________________________________
> Ntop-dev mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop-dev

_______________________________________________
Ntop-dev mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-dev
_______________________________________________
Ntop-dev mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-dev

Re: [Ntop-dev] IPFIX generated traffic from nProbe

Reply via email to