There was past mention of NAT and netflow. I'm sure if you google it you'll find a billion hits. From what I recall there is a way to address that from the Cisco side.
Gary

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, May 24, 2007 1:25 PM
To: [email protected]
Subject: RE: [Ntop] ntop stops updating when using NetFlow - problem parsing NetFlow v9?

I have switched down to v5 flows for the meantime; it has been a couple of hours without problems. This particular router also does NAT, so I was hoping ntop would make use of the NAT information in the v9 flows to make the reports a little more sane but it doesn't seem to do that anyway. In any case even if the v5 flows don't cause this problem with the collector, ntop is likely still vulnerable to a denial of service with its v9 flow processing.

The problem does still occur with a regular ntop pcap capture going on eth0 or even on dummy0 -- I had disabled it in order to be sure it wasn't related.

John

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Gatten
Sent: Thursday, May 24, 2007 10:06 AM
To: [email protected]
Subject: RE: [Ntop] ntop stops updating when using NetFlow - problem parsing NetFlow v9?

Sorry, I'm also still running 3.2.1 and although libpcap isn't seeing any traffic I do have it running. I was using it to see any diffs between what netflow and libpcap interfaces report and any features lacking in one over the other.

G

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Gatten
Sent: Thursday, May 24, 2007 9:54 AM
To: [email protected]
Subject: RE: [Ntop] ntop stops updating when using NetFlow - problem parsing NetFlow v9?

I use netflow for pretty much everything, but haven't seen this on BSD. Maybe try using v5 flows - and make sure it's v5 on both ends. I doubt it will do anything, but most people are using v5 so maybe there's an unknown issue with the v9 format.
Gary

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, May 24, 2007 9:48 AM
To: [email protected]
Subject: [Ntop] ntop stops updating when using NetFlow - problem parsing NetFlow v9?

Greetings,

I am using ntop 3.2 on debian (package version 3.2-10) with the NetFlow plugin receiving v9 flows from a Cisco 2800 series router. The NetFlow interface is the only configured interface in ntop; there is no pcap interface. Everything works great, but only for a few hours (The duration between breakage does not seem to be fixed). After the problem occurs, accessing ntop via the web interface works fine, but all statistics are blank and nothing updates.

I have verified the router is sending the flows and the ntop machine is receiving the packets using tcpdump. Ntop is still listening on the correct port to receive them according to netstat -l -p. Viewing the NetFlow plugin statistics page reveals statistics that if correct (which they aren't) would be alarming:

    Flow Senders                                        192.168.XXX.XXX [1,622 pkts]
    Number of Packets Received                          1,622
    Number of Packets with Bad Version                  0
    Number of Packets Processed                         1,622
    Number of Valid Flows Received                      2,179,991,226
    Average Number of Flows per Packet                  40058.6
    Number of V1 Flows Received                         0
    Number of V5 Flows Received                         0
    Number of V7 Flows Received                         0
    Number of V9 Flows Received                         2,179,976,669
    Total V9 Templates Received                         362
    Number of Bad V9 Templates Received                 58
    Number of V9 Flows with Unknown Templates Received  1,844

    Discarded Flows
    Number of Flows with Zero Packet Count              2,179,963,863
    Number of Flows with Zero Byte Count                0
    Number of Flows with Bad Data                       0
    Number of Flows with Unknown Template               1,844
    Total Number of Flows Processed                     27,362

The counter for number of flows received increases whether or not netflow packets are actually arriving. The counter is incrementing by approximately 10 million per second. The packets processed counter never increments. When valid netflow packets do actually arrive, the packets received counter which would normally increment does not. Restarting ntop brings everything back to normal.

I am unsure whether or not I could reliably capture the specific packet which might be causing this problem, but I thought I'd ask the list for advice first. At the very least it seems there is some kind of denial of service potential in the netflow collector's processing.

Thanks,
John Laur

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop

===========================================================================
"This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system."
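An added example, not part of the thread and not ntop's code: a structural sanity check for NetFlow v9 export payloads (header and flowset layout per RFC 3954) that could be run over captured packets to find one a collector might mis-parse. The thread does not identify the cause of the runaway counters, so the checks below (flowset lengths, template field counts, record count against the header) are assumptions about what is worth flagging, and the sample payloads are constructed.

```python
import struct
HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unix_secs, sequence, source_id
SET_HDR = struct.Struct("!HH")     # flowset id, length (length includes these 4 bytes)

def check_templates(body, templates, issues):
    """Validate the template records in one template flowset; return how many were seen."""
    pos = seen = 0
    while pos + 4 <= len(body):
        tid, nfields = struct.unpack_from("!HH", body, pos)
        end = pos + 4 + 4 * nfields
        if tid < 256 or nfields == 0 or end > len(body):
            issues.append(f"template {tid}: bad id or field count {nfields}")
            break
        # Fields are (type, length) pairs; every second value is a length.
        rec_len = sum(struct.unpack_from(f"!{2 * nfields}H", body, pos + 4)[1::2])
        if rec_len == 0:
            issues.append(f"template {tid}: zero-length record")
        else:
            templates[tid] = rec_len
        pos, seen = end, seen + 1
    return seen

def check_v9_packet(payload, templates):
    """Return anomaly strings for one NetFlow v9 UDP payload; templates maps id -> record size."""
    if len(payload) < HEADER.size or payload[:2] != b"\x00\x09":
        return ["not a NetFlow v9 packet"]
    count = HEADER.unpack_from(payload)[1]
    issues, off, records = [], HEADER.size, 0
    while off + SET_HDR.size <= len(payload):
        set_id, set_len = SET_HDR.unpack_from(payload, off)
        if set_len < SET_HDR.size or off + set_len > len(payload):
            issues.append(f"flowset at offset {off}: bad length {set_len}")
            break  # cannot advance safely, so stop rather than loop
        body = payload[off + SET_HDR.size:off + set_len]
        if set_id == 0:
            records += check_templates(body, templates, issues)
        elif set_id > 255 and set_id in templates:
            records += len(body) // templates[set_id]
        elif set_id > 255:
            issues.append(f"flowset at offset {off}: unknown template {set_id}")
        off += set_len  # options templates (id 1) and reserved ids are skipped
    if records > count:
        issues.append(f"{records} records parsed, header count is {count}")
    return issues

# Constructed sample payloads (not captured traffic): one template, one data record.
TEMPLATE = SET_HDR.pack(0, 16) + struct.pack("!HHHHHH", 256, 2, 8, 4, 12, 4)
DATA = SET_HDR.pack(256, 12) + bytes(8)
GOOD = HEADER.pack(9, 2, 0, 0, 1, 0) + TEMPLATE + DATA
BAD = GOOD[:20] + SET_HDR.pack(256, 0) + bytes(8)  # flowset claiming length 0
```

Feed it the UDP payloads from a capture in arrival order, keeping one `templates` dict per exporter so data flowsets are checked against the templates that preceded them.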
