Re: [Nfdump-discuss] Next hop IP addr isn't stored
From: Joan <as...@gm...> - 2014-04-09 11:53:39
Ok, answering myself: I overlooked extension 5 (5 BGP next hop IP addr). I found out about this while looking in the archives for this mailing list. For the curious, look here:
http://sourceforge.net/p/nfdump/mailman/nfdump-discuss/thread/520...@us.../

2014-04-08 11:31 GMT+02:00 Joan <as...@gm...>:
> I am using version 1.6.6-1 (debian wheezy), and just saw in the
> changelogs for 1.6.8 P1 a comment like this:
> - Fix v9/ipfix cache initialisation with no templates > 1 in same packet
>
> Might it be something related to my issue?
>
> 2014-04-08 10:34 GMT+02:00 Joan <as...@gm...>:
>> I am collecting netflow data that has both AS information (ext. 2) and
>> next-hop information (ext. 4).
>> I can verify that this data is being sent by launching a tshark session:
>>
>> > tshark -i eth1 host 192.168.1.9 -d udp.port==2591,cflow -s0 -V
>>
>> Would output something like this:
>>
>> > Flow 7
>> >   [Duration: 0.001000000 seconds]
>> >   StartTime: 64609.881000000 seconds
>> >   EndTime: 64609.882000000 seconds
>> >   Octets: 60
>> >   Packets: 1
>> >   IPVersion: 04
>> >   InputInt: 0
>> >   OutputInt: 0
>> >   Direction: Ingress (0)
>> >   SrcAddr: 123.123.123.1 (123.123.123.1)
>> >   DstAddr: 37.139.120.55 (37.139.120.55)
>> >   BGPNextHop: 125.5.5.5 (125.5.5.5)
>> >   SrcPort: 10960
>> >   DstPort: 17500
>> >   IP ToS: 0x00
>> >   TCP Flags: 0x00
>> >   Protocol: 17
>> >   SrcAS: 4808
>> >   DstAS: 7629
>>
>> The capture daemon is like this (launched by nfsen):
>>
>> > /usr/bin/nfcapd -w -D -p 2591 -u netflow -g www-data -B 200000 -P /var/lib/netflow/var/run/p2591.pid -z -T +4 -n flow_host 192.168.1.9 /var/lib/netflow/profiles-data/live/flow_host
>>
>> With this nfdump command:
>>
>> > nfdump -r /var/lib/netflow/profiles-data/live/flow_grn_es/nfcapd.current.* -o 'fmt:%sa %dap %fl %byt %nhb %pkt %sas %das' 'host 125.5.5.5'
>>
>> Prints this out:
>>
>> > Src IP Addr     Dst IP Addr:Port      Flows  Bytes  BGP next-hop IP  Packets  Src AS  Dst AS
>> > 123.123.123.1   125.5.5.5:0.0             1     84          0.0.0.0        1    4808    7629
>> > 125.5.5.5       123.123.123.1:0.0         1     84          0.0.0.0        1    7629    4808
>> > 123.123.123.1   125.5.5.5:0.0             1     84          0.0.0.0        1    4808    7629
>> > 125.5.5.5       123.123.123.1:0.0         1     84          0.0.0.0        1    7629    4808
>>
>> So at some point the nexthop information is lost, and apparently not
>> stored into the flow data.
>> Can someone give me some light?
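The thread's resolution is that nfcapd's `-T +4` stores the IP next hop (extension 4, `%nh`) while the BGP next hop the exporter sends belongs to extension 5 (`%nhb`). The check a collector operator wants before choosing extensions is which NetFlow v9 element the exporter actually populates. The following is an added example, not code from the thread or from nfdump: a small v9 template/data decoder run over a constructed packet that mirrors the tshark output above, showing that element 18 (BGP next hop) is present and element 15 (IP next hop) is not. The nfdump extension numbers in the comments are taken from the thread; element IDs are from RFC 3954.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v9 element IDs (RFC 3954). 15 = IP next hop (nfdump ext 4, %nh);
# 18 = BGP next hop (nfdump ext 5, %nhb). They are distinct elements.
IE_NAMES = {8: "srcAddr", 12: "dstAddr", 15: "ipNextHop", 18: "bgpNextHop",
            7: "srcPort", 11: "dstPort", 4: "protocol", 16: "srcAS", 17: "dstAS"}
IPV4_IES = {8, 12, 15, 18}

def build_v9_packet(fields, record):
    """Build a one-template, one-record v9 packet (constructed test input)."""
    tmpl = struct.pack("!HH", 256, len(fields))
    tmpl += b"".join(struct.pack("!HH", ie, ln) for ie, ln in fields)
    tmpl_set = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    data = b"".join(IPv4Address(record[ie]).packed if ie in IPV4_IES
                    else record[ie].to_bytes(ln, "big") for ie, ln in fields)
    data_set = struct.pack("!HH", 256, 4 + len(data)) + data
    header = struct.pack("!HHIIII", 9, 2, 0, 0, 1, 0)  # ver, count, uptime, secs, seq, src id
    return header + tmpl_set + data_set

def parse_v9(packet):
    """Decode template flowsets, then data records, into dicts keyed by element name."""
    templates, records, off = {}, [], 20
    while off + 4 <= len(packet):
        set_id, length = struct.unpack_from("!HH", packet, off)
        body, off = packet[off + 4:off + length], off + length
        if set_id == 0:  # template flowset, may carry several templates
            pos = 0
            while pos + 4 <= len(body):
                tid, count = struct.unpack_from("!HH", body, pos)
                templates[tid] = [struct.unpack_from("!HH", body, pos + 4 + 4 * i)
                                  for i in range(count)]
                pos += 4 + 4 * count
        elif set_id in templates:  # data flowset for a template already seen
            fields = templates[set_id]
            reclen = sum(ln for _, ln in fields)
            for start in range(0, len(body) - reclen + 1, reclen):  # skips padding
                rec, p = {}, start
                for ie, ln in fields:
                    raw, p = body[p:p + ln], p + ln
                    rec[IE_NAMES.get(ie, f"ie{ie}")] = (str(IPv4Address(raw))
                        if ie in IPV4_IES else int.from_bytes(raw, "big"))
                records.append(rec)
    return records

# Constructed record mirroring the thread's tshark output: the exporter sends element 18, so "-T +4" alone leaves %nhb at 0.0.0.0.
FIELDS = [(8, 4), (12, 4), (18, 4), (7, 2), (11, 2), (4, 1), (16, 2), (17, 2)]
SAMPLE = build_v9_packet(FIELDS, {8: "123.123.123.1", 12: "37.139.120.55", 18: "125.5.5.5",
                                  7: 10960, 11: 17500, 4: 17, 16: 4808, 17: 7629})
print(parse_v9(SAMPLE))
```

Running the decoder against a real capture (read the UDP payloads with a pcap library of your choice) tells you whether to enable extension 4, 5 or both in nfcapd.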