Re: [Nfdump-discuss] Have you already worked with nfdump and Asr 1000 NEL ?
From: Peter H. <ph...@us...> - 2014-02-05 20:06:20
On 5/2/14 4:28 AM, Wilkinson, Alex wrote:
> 0n Thu, Jan 30, 2014 at 05:53:53AM +1100, Peter Haag wrote:
>
> >Hi David,
> >
> >On 29/1/14 2:18 PM, David Villaume wrote:
> >> Hi,
> >>
> >> I tried the new feature < Asr 1000 NEL > but I can't get the field < vrf id> valid.
> >>
> >> Did someone try this feature with vrf Nat ?
> >
> >If you have enabled NSEL/NEL while compiling (--enable-nsel), then the vrf information should be available. Do not
> >forget to tell nfcapd to switch on those extensions ( -Tnsel or -Tall ). Test the collected record with ./nfdump -o raw.
> >You'll see the complete record content.
>
> Using "nfdump -o raw -R ..." what exactly within the record would indicate that NSEL is being exported ?

It's indeed a bug in netflow v9 module: The patch fixes this:

--- netflow_v9.c.orig 2013-12-19 10:49:11.000000000 +0100 +++ netflow_v9.c 2014-02-04 21:17:56.000000000 +0100
@@ -1026,10 +1026,10 @@ break; case EX_NEL_COMMON: PushSequence( table, NF_N_NAT_EVENT, &offset, NULL); - offset += 3; + offset += 7; // XXX PushSequence( table, NF_N_POST_NAPT_SRC_PORT, &offset, NULL); // XXX PushSequence( table, NF_N_POST_NAPT_DST_PORT, &offset, NULL); -// XXX PushSequence( table, NF_N_INGRESS_VRFID, &offset, NULL); + PushSequence( table, NF_N_INGRESS_VRFID, &offset, NULL); break; case EX_NEL_GLOBAL_IP_v4: // XXX PushSequence( table, NF_N_NAT_INSIDE_GLOBAL_IPV4, &offset, NULL);

Thanks for the pcaps I got. It helps a lot to track down such problems.

Thanks

- Peter

>
> -Alex

--
Be nice to your netflow data. Use NfSen and nfdump :)
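
Review bot: in case EX_NEL_COMMON the skip after NF_N_NAT_EVENT changes from "offset += 3" to "offset += 7" as a bare constant, with no comment saying which bytes of the record are being stepped over. NF_N_INGRESS_VRFID is now pushed right after the two still-disabled "// XXX" NF_N_POST_NAPT_*_PORT lines, so where it lands depends entirely on that number; please add a comment stating what the 7 bytes cover, or derive the value from the extension's structure layout instead of hard-coding it. It is also worth noting in the comment whether the skip has to shrink again if the two port sequences are re-enabled, since they take &offset as well.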