Re: [Nfdump-discuss] IP_PROTOCOL_VERSION field in Netflow v9
netflow collecting and processing tools
Brought to you by:
phaag
Menu
▾
▴
Re: [Nfdump-discuss] IP_PROTOCOL_VERSION field in Netflow v9
|
From: InterNetX - C. S. <car...@in...> - 2010-08-12 13:39:30
|
Hi Peter, nprobe has no option to define multiple templates, so this should be supported on receivers side - which is nfdump in this case. It would be great if you can implement the field as an option. bye Carsten Peter Haag schrieb: > > > On 22/7/10 2:53 PM, InterNetX - Carsten Schoene wrote: >> Hello, > >> i saw, that nfcapd/nfdump is missing the implementation for IP_PROTOCOL_VERSION (60) field >> for netflow version 9. > >> This is really bad because we can't decide which IP address to show in nfdump output. > > > This field is not really needed. Different templates should be used for IPv4 and IPv6. Using IP_PROTOCOL_VERSION (60) is > ambiguous is therefore not really needed. > nfdump automatically detects v4/v6 flows and processes them accordingly. Have both protocols mixed in the same template > is not a good idea amd inefficient anyway. Furthermore nfdump optimises space and packs addresses in the same slots. > This also produces collisions. > > Therefore I would strongly recommend to separate template for v4/v6, where nfdump is designed for. > > - Peter > >> I'm using nprobe to send the netflow data with the following template: >> "%IPV6_SRC_ADDR %IPV6_DST_ADDR %IPV4_SRC_ADDR %IPV4_DST_ADDR %LAST_SWITCHED %FIRST_SWITCHED >> %IN_BYTES %OUT_BYTES %IN_PKTS %OUT_PKTS %L4_SRC_PORT %L4_DST_PORT %PROTOCOL %TCP_FLAGS >> %IP_PROTOCOL_VERSION %INPUT_SRC_TOS %SRC_AS %DST_AS %IPV6_SRC_MASK %IPV6_DST_MASK %SRC_MASK %DST_MASK" > >> nfdump output, for e.g. ICMP6, only displays 0.0.0.0 as IP addresses instead of the real IPv6 >> adresses. The decission which IP SRC/DST address to display could be done by using the >> IP_PROTOCOL_VERSION field. > >> Can you please implement this field for that purpose ? > >> Regards -- Carsten Schöne Leiter Rechenzentrum InterNetX GmbH Maximilianstr. 6 93047 Regensburg Tel. +49 941 59559-480 Fax +49 941 59579-051 www.internetx.com www.facebook.com/InterNetX www.twitter.com/InterNetX Geschäftsführer/CEO: Thomas Mörz Amtsgericht Regensburg, HRB 7142 |