Davide
thanks for your help. If you open the file with wirshark it says that
template is missing (as ntop says). Can you please capture a longer
file until you see a template? Or perhaps you have something to
configure in the router to export the templates?
Luca
Davide Lorenzetti wrote:
----- Original Message ----- From: "Luca Deri" <d...@ntop.org>
To: <ntop@unipi.it>
Sent: Monday, June 15, 2009 5:32 PM
Subject: Re: [Ntop] Collecting NetFlow from Adtran Netvanta 3305
routers
Jeremy
can you please capture some netflow packets (full size) and mail them
to me so I can see what happens?
Thanks Luca
On Jun 15, 2009, at 4:46 PM, Jeremy Campbell wrote:
It looks as though consistently 75-85% of
flows get dropped with “Unknown Template” across all 20 of my Adtran
Netvanta 3305’s.
My Cisco’s don’t drop any…
I’ve checked AOS (Adtran software) updates and errata and nothing is
mentioned about NetFlow problems…
Would someone be willing to take a look at a pcap and see if the
Adtran is formatting out of spec or if nTop is handling something
incorrectly?
Can someone recommend another NetFlow server to try out and see if it
has the same problem?
Any other suggestions?
Thanks…
V9 Data Flows Received
83,919
V9 Option Flows Received
2,623
Total V9 Templates Received
5,262
V9 Flows with Unknown Templates Received
63,394
V9 Data Flows Received
133,610
V9 Option Flows Received
4,024
Total V9 Templates Received
8,257
Bad V9 Templates Received
6
V9 Flows with Unknown Templates Received
115,003
V9 Data Flows Received
83,688
V9 Option Flows Received
2,417
Total V9 Templates Received
4,875
V9 Flows with Unknown Templates Received
67,080
Jeremy Campbell
Premium Financing Specialists, Inc.
From: ntop-boun...@unipi.it [mailto:ntop-boun...@unipi.it] On Behalf
Of Gary Gatten
Sent: Friday, June 12, 2009 10:55 AM
To: ntop@unipi.it
Subject: Re: [Ntop] Collecting NetFlow from Adtran Netvanta 3305
routers
I can try v9 flows from Cisco on 3.3.10 and see what happens. My
GUESS is Adtran is not formatting the records correctly.
----- Original Message -----
From: ntop-boun...@unipi.it <ntop-boun...@unipi.it>
To: n...@listgateway.unipi.it <n...@listgateway.unipi.it>
Sent: Fri Jun 12 09:29:40 2009
Subject: [Ntop] Collecting NetFlow from Adtran Netvanta 3305 routers
I'm running nTop v3.3.9 and getting many Unknown Templates collecting
from an Adtran NetVanta 3305 using Netflow V9 (Only version supported
by this router). There is no configurability on the Netvanta, so I'm
looking for ways on the nTop side to get it to recognize the
templates.
Example statistics:
Flow Senders
192.168.253.38 [9,919 pkts]
Packets Received
9,919
Packets with Bad Version
0
Packets Processed
9,919
Valid Flows Received
16,674
Average Number of Flows per Packet
3.2
V1 Flows Received
0
V5 Flows Received
0
V7 Flows Received
0
V9 Data Flows Received
16,674
V9 Option Flows Received
496
Total V9 Templates Received
1,015
V9 Flows with Unknown Templates Received
15,365
Discarded Flows
Flows with Zero Packet Count
0
Flows with Zero Byte Count
0
Flows with Bad Data
0
Flows with Unknown Template
15,365
Total Number of Flows Processed
16,674
Configuration on the NetVanta is very basic:
ip flow export destination 10.100.0.143 2014 source eth 0/1
nTop debug output:
Jun 12 09:26:21 pfc-flow ntop[43246]: >>>>> Rcvd flow
with UNKNOWN template 2660 [displ=64][len=16488]
Jun 12 09:26:22 pfc-flow ntop[43246]: NETFLOW_DEBUG: Received
NetFlow packet(len=556)(deviceId=3)
Jun 12 09:26:22 pfc-flow ntop[43246]: Found FlowSet [displ=20]
Jun 12 09:26:22 pfc-flow ntop[43246]: >>>>> Rcvd flow
with UNKNOWN template 258 [displ=20][len=44]
Jun 12 09:26:22 pfc-flow ntop[43246]: Found FlowSet [displ=64]
Jun 12 09:26:22 pfc-flow ntop[43246]: >>>>> Rcvd flow
with UNKNOWN template 257 [displ=64][len=72]
Jun 12 09:26:22 pfc-flow ntop[43246]: Found FlowSet [displ=136]
Jun 12 09:26:22 pfc-flow ntop[43246]: >>>>> Rcvd flow
with UNKNOWN template 258 [displ=136][len=44]
Jun 12 09:26:22 pfc-flow ntop[43246]: Found FlowSet [displ=180]
Jun 12 09:26:22 pfc-flow ntop[43246]: >>>>> Rcvd flow
with UNKNOWN template 257 [displ=180][len=40]
Jun 12 09:26:22 pfc-flow ntop[43246]: Found FlowSet [displ=220]
Jun 12 09:26:22 pfc-flow ntop[43246]: >>>>> Rcvd flow
with UNKNOWN template 258 [displ=220][len=44]
Jun 12 09:26:22 pfc-flow ntop[43246]: Found FlowSet [displ=264]
Jun 12 09:26:22 pfc-flow ntop[43246]: >>>>> Rcvd flow
with UNKNOWN template 257 [displ=264][len=40]
Jun 12 09:26:22 pfc-flow ntop[43246]: Found FlowSet [displ=304]
Jun 12 09:26:22 pfc-flow ntop[43246]: >>>>> Rcvd flow
with UNKNOWN template 258 [displ=304][len=44]
Jun 12 09:26:22 pfc-flow ntop[43246]: Found FlowSet [displ=348]
Jun 12 09:26:22 pfc-flow ntop[43246]: >>>>> Rcvd flow
with UNKNOWN template 257 [displ=348][len=40]
Jun 12 09:26:22 pfc-flow ntop[43246]: Found FlowSet [displ=388]
Jun 12 09:26:22 pfc-flow ntop[43246]: >>>>> Rcvd flow
with UNKNOWN template 258 [displ=388][len=44]
Jun 12 09:26:22 pfc-flow ntop[43246]: Found FlowSet [displ=432]
Jun 12 09:26:22 pfc-flow ntop[43246]: >>>>> Rcvd flow
with UNKNOWN template 257 [displ=432][len=40]
Jun 12 09:26:22 pfc-flow ntop[43246]: Found FlowSet [displ=472]
Jun 12 09:26:22 pfc-flow ntop[43246]: >>>>> Rcvd flow
with UNKNOWN template 258 [displ=472][len=44]
Jun 12 09:26:22 pfc-flow ntop[43246]: Found FlowSet [displ=516]
Jun 12 09:26:22 pfc-flow ntop[43246]: >>>>> Rcvd flow
with UNKNOWN template 257 [displ=516][len=40]
Any suggestions? I'm willing to put effort into helping nTop
recognize the Netvanta templates if someone can point me in the right
direction...
Thanks...
_______________________________________________
Ntop mailing list
Ntop@unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop
"This email is intended to be reviewed by only the intended recipient
and may contain information that is privileged and/or confidential. If
you are not the intended recipient, you are hereby notified that any
review, use, dissemination, disclosure or copying of this email and
its attachments, if any, is strictly prohibited. If you have received
this email in error, please immediately notify the sender by return
email and delete this email from your system."
_______________________________________________
Ntop mailing list
Ntop@unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop
_______________________________________________
Ntop mailing list
Ntop@unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop
_______________________________________________
Ntop mailing list
Ntop@unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop
|
