It shouldn't be that hard to make ntop handle those too. If we could find out the settings of the flags and whether stuff like router_sc can be zeros, it should be doable...
Code is isolated into two places - netflow.c and plugins/netflowPlugin.c

Reference I have is
http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/nfc/nfc_2_0/nfc_ug/nfcform.htm
although this looks better:
http://www.cisco.com/warp/public/cc/pd/iosw/ioft/neflct/tech/napps_wp.htm
But that doesn't define the fields any better...

Header

Bytes  v5 v7 Contents
0-1    y  y  version        NetFlow export format version number
2-3    y  y  count          Number of flows exported in this packet (1-30)
4-7    y  y  SysUptime      Current time in milliseconds since the export device booted
8-11   y  y  unix_secs      Current count of seconds since 0000 UTC 1970
12-15  y  y  unix_nsecs     Residual nanoseconds since 0000 UTC 1970
16-19  y  y  flow_sequence  Sequence counter of total flows seen
20     y     engine_type    Type of flow-switching engine
          y  zero
21     y     engine_id      Slot number of the flow-switching engine
          y  zero
22-23        reserved       Unused (zero) bytes

Flow Record

Bytes  v5 v7 Contents
0-3    y  y  srcaddr        Source IP address
4-7    y  y  dstaddr        Destination IP address
8-11   y  y  nexthop        IP address of next hop router
12-13  y  y  input          SNMP index of input interface
14-15  y  y  output         SNMP index of output interface
16-19  y  y  dPkts          Packets in the flow
20-23  y  y  dOctets        Total number of Layer 3 bytes in the packets of the flow
24-27  y  y  First          SysUptime at start of flow
28-31  y  y  Last           SysUptime at the time the last packet of the flow was received
32-33  y  y  srcport        TCP/UDP source port number or equivalent
34-35  y  y  dstport        TCP/UDP destination port number or equivalent
36     y     pad1           Unused (zero) bytes
36        y  flags          Flags indicating, among other things, what flow fields are invalid
37     y  y  tcp_flags      Cumulative OR of TCP flags
38     y  y  prot           IP protocol type (for example, TCP=6; UDP=17)
39     y  y  tos            IP type of service (ToS)
40-41  y  y  src_as         Autonomous system number of the source, either origin or peer
42-43  y  y  dst_as         Autonomous system number of the destination, either origin or peer
44     y  y  src_mask       Source address prefix mask bits
45     y  y  dst_mask       Destination address prefix mask bits
46-47  y     pad2           Unused (zero) bytes
46-47     y  flags          Flags indicating, among other things, what flows are invalid
48-51     y  router_sc      IP address of the router that is short-cut by the Catalyst 5000
                            series switch. This is the same address the router uses when it
                            sends NetFlow export packets. This IP address is propagated to
                            all switches shortcutting the router through the FCP protocol.

-----Burton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Eugene Spiker
Sent: Saturday, April 27, 2002 3:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [Ntop] Ntop 26-4-2002

All,

Thanks for the information. The problem seems to be that I am trying to read the information from a switch and not a router. Routers can send ver 1, 5, and also I believe 8. Switches can only send version 1, 7, and also I believe 8. I use Ntop to view the information from the monitor port of the switch, but I was hoping that it could read the Netflow data also. I'll try another package for the Netflow.

Thanks again for your help.

Gene

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael Baird
Sent: Saturday, April 27, 2002 1:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [Ntop] Ntop 26-4-2002

These are all the settings I use on my Cisco to get the data to ntop; of course, change the IP/Port to whatever you want to use.

ip flow-export source FastEthernet0/0
ip flow-export version 5 origin-as
ip flow-export destination 192.168.0.1 2055

Regards
MIKE

On Sat, 2002-04-27 at 09:33, Burton M. Strauss III wrote:

v5

-----Burton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Eugene Spiker
Sent: Saturday, April 27, 2002 8:18 AM
To: 'Serge Maandag'; [EMAIL PROTECTED]
Subject: RE: [Ntop] Ntop 26-4-2002

Serge,

I don't have either running. With tcpdump I can see the packet coming across. The 6509 uses version 7 of netflow. Does Ntop understand version 7 or only version 5?
Gene

-----Original Message-----
From: Serge Maandag [mailto:[EMAIL PROTECTED]]
Sent: Saturday, April 27, 2002 8:45 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [Ntop] Ntop 26-4-2002

Are you sure your ipchains / iptables aren't blocking your packets?

Serge.

-----Original Message-----
From: Eugene Spiker [mailto:[EMAIL PROTECTED]]
Sent: Friday, 26 April 2002 21:53
To: [EMAIL PROTECTED]
Subject: RE: [Ntop] Ntop 26-4-2002

Mike,

I have a Cisco 6509 set up to send to my Linux system on port 2055. I started Ntop and configured the Netflow plugin to receive on port 2055. Do I turn on the eth0 device and/or the netflow device on the plugin screen? I have tried different combinations. I then went to the admin screen and selected the netflow device as the NIC. The switch says it is sending packets; the count keeps going up. The Netflow screen on the DataSent and DataRcvd screens is not incrementing. I don't see any information on any of the other screens.

I am running the snapshot from 26-4-2002. I am running Red Hat 7.2. Both the switch and the Linux box are on the same LAN. Do you know if there is anything that would need to be done to the Linux system?

Anyway, thanks for your assistance.

Gene

_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop
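The v5/v7 header and flow-record layout tabulated in the first message of this thread, as an added C example (not ntop's netflow.c and not code from any poster): it checks version, count (1-30) and datagram length before decoding anything, and reads router_sc only from v7 records. The function and struct names are hypothetical, the packet in main is constructed, and the v7 flags bytes are left uninterpreted because the thread does not define their settings.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NF_HDR_LEN 24 /* header bytes 0-23, same size in v5 and v7 */
struct nf_flow {      /* subset of the record fields in the table */
    uint32_t srcaddr, dstaddr, dpkts, doctets, router_sc;
    uint16_t srcport, dstport;
    uint8_t prot, tcp_flags;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)be16(p) << 16) | be16(p + 2); }

/* v5 records end at byte 47; v7 appends router_sc in bytes 48-51. */
static size_t nf_record_len(uint16_t v) { return v == 5 ? 48 : v == 7 ? 52 : 0; }

/* Returns the flow count, or -1 if version, count or length is inconsistent. */
int nf_validate(const uint8_t *pkt, size_t len) {
    if (len < NF_HDR_LEN) return -1;
    size_t rec = nf_record_len(be16(pkt));
    uint16_t count = be16(pkt + 2);
    if (rec == 0 || count < 1 || count > 30) return -1;
    return len < NF_HDR_LEN + count * rec ? -1 : (int)count;
}

/* Decodes flow idx into out; returns 0, or -1 on a bad packet or index. */
int nf_flow_at(const uint8_t *pkt, size_t len, int idx, struct nf_flow *out) {
    int count = nf_validate(pkt, len);
    if (count < 0 || idx < 0 || idx >= count) return -1;
    const uint8_t *r = pkt + NF_HDR_LEN + (size_t)idx * nf_record_len(be16(pkt));
    memset(out, 0, sizeof *out);
    out->srcaddr = be32(r);      out->dstaddr = be32(r + 4);
    out->dpkts = be32(r + 16);   out->doctets = be32(r + 20);
    out->srcport = be16(r + 32); out->dstport = be16(r + 34);
    out->tcp_flags = r[37];      out->prot = r[38];
    if (be16(pkt) == 7) out->router_sc = be32(r + 48); /* zero if not populated */
    return 0;
}

int main(void) {
    uint8_t pkt[NF_HDR_LEN + 52] = {0}; /* constructed v7 packet, one flow */
    struct nf_flow f;
    pkt[1] = 7; pkt[3] = 1; pkt[NF_HDR_LEN + 35] = 80; pkt[NF_HDR_LEN + 38] = 6;
    if (nf_flow_at(pkt, sizeof pkt, 0, &f) == 0)
        printf("prot=%d dstport=%d router_sc=%u\n", f.prot, f.dstport, (unsigned)f.router_sc);
    return 0;
}
```

Because the length check uses the per-version record size, a v7 datagram cut to v5 length is rejected rather than read past its end.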
