Re: [Nfdump-discuss] nfdump possible problem/bug
From: Peter H. <ph...@us...> - 2015-10-17 12:25:43
Hi Spiros

May I ask you to download the latest version from Github https://github.com/phaag/nfdump and test again? There is a bug fixed which could also solve your problem. If it is still there, please send me a pcap to the collector.

Many thanks
- Peter

On 04.10.15 09:19, Spiros Papageorgiou wrote:
> Hi all,
>
> I think I have come across a bug in nfdump, unless I'm not using it right.
> I have an ASR1002 that has the Flexible Netflow feature. I'm exporting
> v9 netflow custom records that I collect with nfcapd and view with nfdump.
> It seems to be that nfcapd/nfdump does not understand correctly the size
> of some attributes and it outputs misaligned attributes (or that's what
> I understand). Here is the output:
>
> # there should be both 4-octet source AS and dest AS
> # nfdump -r nfcapd.201510032220 -o "fmt: %sas,%das" | head -5
> Src AS Dst AS
> 81330176, 0
> 81330179, 0
> 81330179, 0
> 81330176, 0
>
> # the correct IP of the exporter is 31.177.56.2
> # nfdump -r nfcapd.201510032220 -o "fmt: %ra" | head -5
> Router IP
> 0.0.31.177
> 0.0.31.177
> 0.0.31.177
> 0.0.31.177
>
> Here is the cache output from the router (how it should be):
> R2#sh flow monitor flm-sa-da cache format table
> Cache type: Normal (Platform cache)
> Cache size: 200000
> Current entries: 2138
>
> Flows added: 35022
> Flows aged: 32884
> - Active timeout ( 600 secs) 2188
> - Inactive timeout ( 60 secs) 30696
>
> IPV4 SRC ADDR  IPV4 DST ADDR  IP PROT  ip src as 4-octet  ip dst as 4-octet  ipv4 next hop addr  ipv4 src mask  ipv4 dst mask  tcp flags  intf output  flow sampler id  bytes    pkts  time first    time last
> =============  =============  =======  =================  =================  ==================  =============  =============  =========  ===========  ===============  =======  ====  ============  ============
> 93.xx.yy.168   193.xx.yy.105  6        4xy21              1241               62.1.16.241         /21            /17            0x1B       Gi0/0/3      0                4722937  3454  22:20:42.004  22:20:54.100
> 93.xx.yy.31    193.xx.ff.122  6        4xy21              1241               62.1.16.241         /21            /17            0x1B       Gi0/0/3      0                30681    55    22:20:36.979  22:20:38.068
> 93.xx.tt.203   62.xx.gg.98    6        4xy21              1241               62.1.16.241         /21            /17            0x18       Gi0/0/3      0                927      3     22:20:15.284  22:20:57.268
> 31.xx.zz.70    91.xx.dd.40    17       3.xy86             35432              62.1.16.241         /27            /19            0x00       Gi0/0/3      0                52676    98    22:14:16.659  22:20:51.731
> 31.177.ww.vv   77.xx.ee.69    6        0                  1241               62.1.16.241         /29            /17            0x1A       Gi0/0/3      0                2535314  2027  22:18:09.555  22:21:06.036
> 31.177.xx.ww   188.xx.yy.211  6        0                  1241               62.1.16.241         /25            /17            0x1B       Gi0/0/3      0                3040     20    22:18:35.156  22:21:03.955
> 185.xx.gg.68   213.xx.zz.0    6        3.xy81             1241               62.1.16.241         /22            /18            0x1B       Gi0/0/3      0                1388405  1971  22:14:56.435  22:21:05.875
>
>
> The ASR outputs the template every 1 min. The netflow record on the ASR is:
> R2#sh flow record flr-sa-da2
> flow record flr-sa-da2:
>   Description:        User defined
>   No. of users:       1
>   Total field space:  48 bytes
>   Fields:
>     match ipv4 protocol
>     match ipv4 source address
>     match ipv4 destination address
>     collect routing source as 4-octet
>     collect routing destination as 4-octet
>     collect routing next-hop address ipv4
>     collect ipv4 source mask
>     collect ipv4 destination mask
>     collect transport tcp flags
>     collect interface output
>     collect flow sampler
>     collect counter bytes
>     collect counter packets
>     collect timestamp sys-uptime first
>     collect timestamp sys-uptime last
>
> The way nfdump sees the capture is:
> nfdump -x nfcapd.201510032220
>
> Dump all extension maps:
> ========================
> Extension Map:
>   Map ID   = 0
>   Map Size = 24
>   Ext Size = 40
>   ID  1, ext  5 = 4 byte input/output interface index
>   ID  2, ext  7 = 4 byte src/dst AS number
>   ID  3, ext  8 = dst tos, direction, src/dst mask
>   ID  4, ext  9 = IPv4 next hop
>   ID 13, ext 23 = IPv4 router IP addr
>   ID 14, ext 25 = router ID
>   ID 16, ext 27 = time packet received
>
> I am capturing with:
> /usr/local/bin/nfcapd -w -D -p 9994 -u netflow -g apache -B 200000 -S 1
> -P /var/run/p9994.pid -z -T all -I R2v9-sada -l
> /mnt/netflowdata/profiles-data/live/R2v9-sada
>
> # nfdump -V
> nfdump: Version: 1.6.13
> # nfcapd -V
> nfcapd: Version: 1.6.13
>
> Has anyone seen something like that? Am I missing an nfcapd/nfdump
> option or something?
>
> Thanx
> Spiros
>
> PS: I have captures of netflow packets and the nfdump files, if needed.
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Nfdump-discuss mailing list
> Nfd...@li...
> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss

--
Be nice to your netflow data. Use NfSen and nfdump :)
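The symptom in Spiros' report (4-octet AS values that look like shifted 16-bit halves, and a router IP that has slid two bytes to the right) is what a collector produces when it decodes v9 data records with fixed field sizes instead of the lengths carried in the template. The Python below is an added illustration, not nfdump's code and not part of the original thread: it builds a constructed NetFlow v9 export packet whose template mirrors the flow record in the thread with 4-octet src/dst AS fields, decodes it template-driven, and then decodes the same bytes with a 2-octet AS assumption to reproduce the misalignment. Everything in it is assumed or constructed: the template ID, every element length other than the AS fields, and all addresses, AS numbers, counters and timestamps.

```python
import ipaddress
import struct

# NetFlow v9 field type IDs (RFC 3954, section 8) used by the constructed template.
FIELD_NAMES = {
    1: "in_bytes", 2: "in_pkts", 4: "protocol", 6: "tcp_flags",
    8: "ipv4_src_addr", 9: "src_mask", 12: "ipv4_dst_addr", 13: "dst_mask",
    14: "output_snmp", 15: "ipv4_next_hop", 16: "src_as", 17: "dst_as",
    21: "last_switched", 22: "first_switched", 48: "flow_sampler_id",
}
IPV4_FIELDS = {8, 12, 15}

# Constructed template in the order of the thread's flow record, with 4-octet AS fields.
# Lengths of the non-AS elements are assumptions, not what the ASR actually exports.
TEMPLATE_ID = 256
TEMPLATE_FIELDS = [
    (4, 1), (8, 4), (12, 4), (16, 4), (17, 4), (15, 4), (9, 1), (13, 1),
    (6, 1), (14, 4), (48, 1), (1, 4), (2, 4), (22, 4), (21, 4),
]

def ipv4_int(s):
    return int(ipaddress.IPv4Address(s))

# Two constructed flow records; the first src AS needs all four octets.
SAMPLE_RECORDS = [
    {4: 6, 8: ipv4_int("93.0.0.168"), 12: ipv4_int("193.0.0.105"),
     16: 4200000000, 17: 1241, 15: ipv4_int("62.1.16.241"), 9: 21, 13: 17,
     6: 0x1B, 14: 3, 48: 0, 1: 4722937, 2: 3454, 22: 1000, 21: 13096},
    {4: 17, 8: ipv4_int("31.0.0.70"), 12: ipv4_int("91.0.0.40"),
     16: 65536, 17: 35432, 15: ipv4_int("62.1.16.241"), 9: 27, 13: 19,
     6: 0, 14: 3, 48: 0, 1: 52676, 2: 98, 22: 2000, 21: 5000},
]

def build_export_packet(template_id, fields, records):
    """Build one v9 export packet: 20-byte header, template FlowSet, data FlowSet."""
    tbody = struct.pack("!HH", template_id, len(fields))
    tbody += b"".join(struct.pack("!HH", t, l) for t, l in fields)
    template_fs = struct.pack("!HH", 0, 4 + len(tbody)) + tbody
    dbody = b"".join(rec[t].to_bytes(l, "big") for rec in records for t, l in fields)
    pad = (-(4 + len(dbody))) % 4          # FlowSets are padded to a 4-byte boundary
    data_fs = struct.pack("!HH", template_id, 4 + len(dbody) + pad) + dbody + b"\0" * pad
    # version, record count (template + data), sysUptime, unix secs, sequence, source ID
    header = struct.pack("!HHIIII", 9, 1 + len(records), 123456, 1443903600, 1, 0)
    return header + template_fs + data_fs

def parse_templates(body):
    """Template FlowSet body: repeated (template ID, field count, (type, length)*)."""
    templates, off = {}, 0
    while off + 4 <= len(body):
        tid, nfields = struct.unpack_from("!HH", body, off)
        off += 4
        fields = [struct.unpack_from("!HH", body, off + 4 * i) for i in range(nfields)]
        off += 4 * nfields
        templates[tid] = fields
    return templates

def decode_records(body, fields, length_override=None):
    """Decode data records using the template's field lengths. `length_override`
    emulates a collector that ignores the template and assumes fixed sizes for
    some element types, which is the class of bug the thread describes."""
    fields = [(t, (length_override or {}).get(t, l)) for t, l in fields]
    rec_len = sum(l for _, l in fields)
    out, off = [], 0
    while off + rec_len <= len(body):  # trailing bytes shorter than a record are padding
        rec = {}
        for t, l in fields:
            val = int.from_bytes(body[off:off + l], "big")
            off += l
            rec[FIELD_NAMES.get(t, t)] = (str(ipaddress.IPv4Address(val))
                                          if t in IPV4_FIELDS and l == 4 else val)
        out.append(rec)
    return out

def parse_export_packet(pkt, templates, length_override=None):
    """Parse one packet. `templates` must persist across packets: data FlowSets
    for a template that has not arrived yet are skipped, never guessed."""
    version, _count, *_ = struct.unpack_from("!HHIIII", pkt, 0)
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    records, off = [], 20
    while off + 4 <= len(pkt):
        fs_id, fs_len = struct.unpack_from("!HH", pkt, off)
        if fs_len < 4 or off + fs_len > len(pkt):
            raise ValueError("malformed FlowSet length")
        body = pkt[off + 4:off + fs_len]
        if fs_id == 0:
            templates.update(parse_templates(body))
        elif fs_id >= 256 and fs_id in templates:
            records.extend(decode_records(body, templates[fs_id], length_override))
        # fs_id 1 (options template) and unknown data templates are skipped
        off += fs_len
    return records

def demo():
    """Return (template-driven decode, decode that wrongly assumes 2-octet AS)."""
    pkt = build_export_packet(TEMPLATE_ID, TEMPLATE_FIELDS, SAMPLE_RECORDS)
    correct = parse_export_packet(pkt, {})
    naive = parse_export_packet(pkt, {}, length_override={16: 2, 17: 2})
    return correct, naive
```

In the naive decode the src AS becomes the upper 16 bits of the real 4-octet value, the dst AS field holds the lower 16 bits of the src AS, and the "next hop" is the real dst AS reinterpreted as an address, the same kind of byte shift that turns an exporter address into something like 0.0.31.177. Two points carry over to any collector: the record width must come from the template, and the template cache has to outlive the packet, since the exporter in the thread only resends its template once a minute.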