From: Jones, B. <bj...@us...> - 2006-03-07 19:33:40

Hello, I am trying to use nfdump to gather some information on traffic to certain destination AS's. The data I am getting back from my filter does not seem to be correct. I don't know if it is a problem with the query or the actual information exported from netflow. Doing the following query to see web traffic to Google's AS:

    -r nfcapd.200603071310 -n 500 -s record/bytes -o raw 'dst AS 15169 and dst port 80'

I get:

    Flow Record:
      addr       = 1.1.1.1
      dstaddr    = 2.2.2.2
      nexthop    = 0.x.y.z
      input      = 37720
      output     = 53182
      dPkts      = 20
      dOctets    = 10241
      First      = 1141755007 [2006-03-07 13:10:07]
      Last       = 1141755266 [2006-03-07 13:14:26]
      port       = 1636
      dstport    = 80
      tcp_flags  = 0
      prot       = 6
      tos        = 0
      src_as     = 25538
      dst_as     = 2784
      msec_first = 896
      msec_last  = 982

Problems I am seeing:

- The dst_as (2784) is not what I searched for (15169); issued to RIPE:
- The src_as (25538) is not on my network; it's registered to RIPE:
- The nexthops don't seem to make sense - they are all in the format of 0.x.y.z.

Is there a way to see the output of the dst_as and src_as in the normal output (without doing a -o raw)?

We are using version 1.4.1.

Thanks for your help.

Brian Jones
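One way to tell a filter problem from an export problem is to parse the `-o raw` records mechanically and flag every record whose fields disagree with the filter that produced it. The following script is an added example and is not part of the post above or of nfdump itself: it parses the `Flow Record:` layout shown in the post and checks each record's dst_as, dstport, src_as and nexthop. The first sample record copies the values from the post (the nexthop is given there only as 0.x.y.z, so 0.10.20.30 is a made-up stand-in); the second record, the local ASN 64496 and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses are all constructed placeholders.

```python
import ipaddress

# Constructed sample in the nfdump '-o raw' layout from the post. Record 0 copies the
# post's values (nexthop made up, since the post only shows 0.x.y.z); record 1 is a
# made-up "consistent" record using documentation addresses and the documentation
# ASN 64496 (RFC 5398).
SAMPLE_RAW = """\
Flow Record:
  addr       = 1.1.1.1
  dstaddr    = 2.2.2.2
  nexthop    = 0.10.20.30
  input      = 37720
  output     = 53182
  dPkts      = 20
  dOctets    = 10241
  First      = 1141755007 [2006-03-07 13:10:07]
  Last       = 1141755266 [2006-03-07 13:14:26]
  port       = 1636
  dstport    = 80
  tcp_flags  = 0
  prot       = 6
  tos        = 0
  src_as     = 25538
  dst_as     = 2784
  msec_first = 896
  msec_last  = 982
Flow Record:
  addr       = 192.0.2.10
  dstaddr    = 203.0.113.5
  nexthop    = 198.51.100.1
  input      = 1
  output     = 2
  dPkts      = 5
  dOctets    = 640
  First      = 1141755100 [2006-03-07 13:11:40]
  Last       = 1141755101 [2006-03-07 13:11:41]
  port       = 40000
  dstport    = 80
  tcp_flags  = 0
  prot       = 6
  tos        = 0
  src_as     = 64496
  dst_as     = 15169
  msec_first = 0
  msec_last  = 0
"""

# Placeholder: the ASN(s) that belong to the exporting network.
OWN_ASNS = {64496}


def parse_raw_records(text):
    """Split nfdump '-o raw' output into one dict per 'Flow Record:' block."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "Flow Record:":
            current = {}
            records.append(current)
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # 'First = 1141755007 [2006-03-07 13:10:07]' -> keep only the numeric part
        current[key.strip()] = value.split("[", 1)[0].strip()
    return records


def check_record(rec, expected_dst_as, expected_dst_port, own_asns=OWN_ASNS):
    """Return the reasons this record is inconsistent with the filter that selected it."""
    issues = []
    if int(rec["dst_as"]) != expected_dst_as:
        issues.append(f"dst_as {rec['dst_as']} != filtered AS {expected_dst_as}")
    if int(rec["dstport"]) != expected_dst_port:
        issues.append(f"dstport {rec['dstport']} != filtered port {expected_dst_port}")
    if int(rec["src_as"]) not in own_asns:
        issues.append(f"src_as {rec['src_as']} is not a local ASN {sorted(own_asns)}")
    if ipaddress.ip_address(rec["nexthop"]) in ipaddress.ip_network("0.0.0.0/8"):
        issues.append(f"nexthop {rec['nexthop']} lies in 0.0.0.0/8, not a usable next hop")
    return issues


def audit(text, expected_dst_as=15169, expected_dst_port=80):
    """Map record index -> list of issues, for every record that has at least one."""
    findings = {}
    for idx, rec in enumerate(parse_raw_records(text)):
        issues = check_record(rec, expected_dst_as, expected_dst_port)
        if issues:
            findings[idx] = issues
    return findings


if __name__ == "__main__":
    for idx, problems in audit(SAMPLE_RAW).items():
        print(f"record {idx}:")
        for problem in problems:
            print("  -", problem)
```

Run against real output (`nfdump ... -o raw | python3 audit_raw.py`, with `SAMPLE_RAW` replaced by `sys.stdin.read()`), the script separates the two failure modes in the post: if every record carries a dst_as other than the filtered one, the filter did not select on that field; if the AS and nexthop fields are zero or foreign across all records regardless of the filter, the exporter is not populating them.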