Re: [Nfdump-discuss] Have you already worked with nfdump and Asr 1000 NEL ?
netflow collecting and processing tools
Brought to you by:
phaag
Menu
▾
▴
Re: [Nfdump-discuss] Have you already worked with nfdump and Asr 1000 NEL ?
|
From: Peter H. <ph...@us...> - 2014-02-05 20:06:20
|
On 5/2/14 4:28 AM, Wilkinson, Alex wrote:
> 0n Thu, Jan 30, 2014 at 05:53:53AM +1100, Peter Haag wrote:
>
> >Hi David,
> >
> >On 29/1/14 2:18 PM, David Villaume wrote:
> >> Hi,
> >>
> >> I tried the new feature < Asr 1000 NEL > but i can't get the field < vrf id> valid.
> >>
> >> Did someone tried this feature with vrf Nat ?
> >
> >If you have the enabled NSEL/NEL while compiling (--enable-nsel), then the vrf information should be available. Do not
> >forget to tell nfcapd to switch on those extension ( -Tnsel or -Tall ). Test the collected record with ./nfdump -o raw.
> >You'll see the complete record content.
>
> Using "nfdump -o raw -R ..." what exactly within the record would indicate that NSEL is being exported ?
It's indeed a bug in netflow v9 module: The patch fixes this:
--- netflow_v9.c.orig 2013-12-19 10:49:11.000000000 +0100
+++ netflow_v9.c 2014-02-04 21:17:56.000000000 +0100
@@ -1026,10 +1026,10 @@
break;
case EX_NEL_COMMON:
PushSequence( table, NF_N_NAT_EVENT, &offset, NULL);
- offset += 3;
+ offset += 7;
// XXX PushSequence( table, NF_N_POST_NAPT_SRC_PORT, &offset, NULL);
// XXX PushSequence( table, NF_N_POST_NAPT_DST_PORT, &offset, NULL);
-// XXX PushSequence( table, NF_N_INGRESS_VRFID, &offset, NULL);
+ PushSequence( table, NF_N_INGRESS_VRFID, &offset, NULL);
break;
case EX_NEL_GLOBAL_IP_v4:
// XXX PushSequence( table, NF_N_NAT_INSIDE_GLOBAL_IPV4, &offset, NULL);
Thanks for the pcaps I got. It helps a lot to track down such problem.
Thanks
- Peter
>
> -Alex
>
> ************** IMPORTANT MESSAGE *****************************
> This e-mail message is intended only for the addressee(s) and contains information which may be
> confidential.
> If you are not the intended recipient please advise the sender by return email, do not use or
> disclose the contents, and delete the message and any attachments from your system. Unless
> specifically indicated, this email does not constitute formal advice or commitment by the sender
> or the Commonwealth Bank of Australia (ABN 48 123 123 124) or its subsidiaries.
> We can be contacted through our web site: commbank.com.au.
> If you no longer wish to receive commercial electronic messages from us, please reply to this
> e-mail by typing Unsubscribe in the subject line.
> **************************************************************
>
>
>
>
> ------------------------------------------------------------------------------
> Managing the Performance of Cloud-Based Applications
> Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
> Read the Whitepaper.
> http://pubads.g.doubleclick.net/gampad/clk?id=121051231&iu=/4140/ostg.clktrk
> _______________________________________________
> Nfdump-discuss mailing list
> Nfd...@li...
> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
>
--
Be nice to your netflow data. Use NfSen and nfdump :)
|