Re: [Nfdump-discuss] IPFIX and nfdump

[Dave h. <har...@gm...>]

I'm also having problems with IPFIX from inline-jflow (MX-480)...

My records are recorded as such (manually randomized):

Date flow start          Duration Proto      Src IP Addr:Port
Dst IP Addr:Port   Packets    Bytes Flows
1970-01-01 00:00:00.000     0.000 TCP     1y0.xx.206.200:59812 ->
1zz.172.21.198:38159        0        0     1
1970-01-01 00:00:00.000     0.000 TCP     1y0.xx.206.203:36276 ->
1zz.172.21.196:38001        0        0     1
1970-01-01 00:00:00.000     0.000 TCP     1y0.xx.206.194:1217  ->
1zz.172.21.197:53452        0        0     1
1970-01-01 00:00:00.000     0.000 TCP       172.16.20.23:50104 ->
192.168.133.215:19764        0        0

Lots of zero values in the fields, and basically a zero date.

>From what I can tell, this might be Junos version related, as I don't
see this on a Junos 10.3 (to a different 1.6.6 collector).  Here is
the problematic 10.4 config:

family inet {
            output {
                flow-server 192.xx.mm.nn {
                    port 4739;
                    autonomous-system-type origin;
                    no-local-dump;
                    version-ipfix {
                        template {
                            ipv4;
                        }
                    }
                }
                inline-jflow {
                    source-address 192.168.xx.yy;
                }
            }
        }
    }

The Wireshark decodes of the IPFIX packets look fine....

Dave



On Tue, Jul 17, 2012 at 8:45 PM, Bruce Morgan
<Bru...@aa...> wrote:
> I'm using inline jflow on an MX80 configured for IPFIX export and the
> records get generated and exported except all the srcas, dstas fields are
> sort of scrambled but rather uniformly.
>
> The following is a list of some transpositions:
> Real AS -> NFDump reported AS
> 786  -> 786
> 65511 -> 20454
> 38083 -> 21474
> 15169 -> 57369
> 4134 -> 4134
>
> Anyone seen this before? Is there an issue with the nfdump beta code for
> IPFIX? As far as I can tell nfdump seems to be reporting fine with the other
> fields.
>
> Regards
>
> Bruce
>
> --
> street address:  AARNet, POD 3, 20 Dick Perry Ave, Kensington, WA 6151,
> Australia
> m. 0408 882 390     t. +61 8 9289 2212      e.  bru...@aa...
> w. www.aarnet.edu.au
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Nfdump-discuss mailing list
> Nfd...@li...
> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
>