Re: [Nfdump-discuss] nfdump and 32bit ASNs with Cisco FNF /w user template
netflow collecting and processing tools
From: Spiros P. <pa...@no...> - 2015-01-09 11:19:07
Hi all,

I was just looking at nfcapd code and it seems that while it supports
srcas/dstas, it doesn't support srcpeeras/dstpeeras which have different
ID numbers in netflow v9.

Sp

On 08-Jan-15 2:52 PM, Spiros Papageorgiou wrote:
> Hi Peter and all,
>
> I sent you a private message with an nfcapd file. The cisco surely
> exports 32bit ASes and I'm using nfdump/nfcapd Version: 1.6.8.
>
> What nfdump options can I use to produce the AS matrix?
> I tried the following and many other options:
> *nfdump -M /usr/local/nfsen/profiles-data/live/R2v9as -T -r 2015/01/08/nfcapd.201501081355 -A dstas,srcas*
> Date flow start          Duration  Dst AS  Src AS  Packets  Bytes   bps     Bpp  Flows
> 2015-01-08 13:25:15.593  2068.185  0       0       30.5 M   16.2 G  62.5 M  529  326
> Summary: total flows: 326, total bytes: 16.2 G, total packets: 30.5 M, avg bps: 62.5 M, avg pps: 14770, avg bpp: 529
> Time window: 2015-01-08 13:25:15 - 2015-01-08 13:59:43
> Total flows processed: 326, Blocks skipped: 0, Bytes read: 19660
> Sys: 0.000s flows/second: 326326.3 Wall: 0.000s flows/second: 438761.8
> -------------------------
>
> The output of the cisco is like that (cmd: *sh flow monitor flm-4 cache format table*):
> IP SRC PEER AS 4-OCTET  IP DST PEER AS 4-OCTET  INTF INPUT   INTF OUTPUT  FLOW DIRN  bytes      pkts     time first    time last
> ======================  ======================  ===========  ===========  =========  =========  =======  ============  ============
> 0                       3329                    Gi0/0/1.111  Po6.98       Output     160102120  2550243  14:30:04.996  14:46:33.956
> 0                       6799                    Gi0/0/1.136  Po6.98       Output     2858       36       14:42:33.797  14:46:25.029
> 0                       1241                    Gi0/0/1.802  Gi0/0/3      Output     1057612    8637     14:37:12.133  14:46:33.924
> 3.3520                  5408                    Gi0/0/1.136  Po6.98       Output     194247342  147685   14:34:24.069  14:46:33.956
> 0                       0                       Gi0/0/1.136  Po6.98       Output     586912     6493     14:30:16.421  14:46:33.828
> 174                     3.1869                  Gi0/0/3      Gi0/1/0      Output     68         1        14:46:28.485  14:46:28.485
> 42817                   3329                    Gi0/0/1.104  Po6.98       Output     635302     2750     14:40:31.653  14:46:22.916
>
> Thanx,
> Sp
>
> PS: The "peer AS" that shows as "3.3520" above means that it is a
> 32bit AS and it is AS: 3*65536+3520=200128.
>
>
> On 03-Jan-15 2:54 PM, Peter Haag wrote:
>> Spiros Papageorgiou wrote:
>>> Hi all,
>>>
>>> I'm trying to produce an AS matrix with nfdump/nfsen and I'm using the
>>> following config on Cisco ASR1002 (03.10.02.S.153-3.S2) for FNF v9:
>>> flow record flr-4:
>>>   Description: User defined
>>>   No. of users: 1
>>>   Total field space: 33 bytes
>>>   Fields:
>>>     match routing source as peer 4-octet
>>>     match routing destination as peer 4-octet
>>>     match interface input
>>>     match interface output
>>>     match flow direction
>>>     collect counter bytes
>>>     collect counter packets
>>>     collect timestamp sys-uptime first
>>>     collect timestamp sys-uptime last
>>>
>>> which is based on the predefined record "netflow ipv4 as peer" but with
>>> 4byte ASNs.
>>>
>>> While nfcapd collects the packets, nfdump doesn't seem to be able to
>>> understand the format and doesn't show anything.
>>>
>>> Anyone can help me on this? Am I doing something wrong?
>> Well - if packets are written to the file, then nfdump understands it,
>> otherwise they are discarded. 32bit ASes are supported already for a
>> long time, so I can not imagine what went wrong. It may be best, you
>> collect some traffic to the collector and send it to me.
>>
>> - Peter
>>
>>> Thanx,
>>> Spiros
>>>
>>> _______________________________________________
>>> Nfdump-discuss mailing list
>>> Nfd...@li...
>>> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
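
The following is an added example, not part of the thread and not nfdump code: it parses a NetFlow v9 template flowset and reports which AS fields a collector that decodes only field IDs 16/17 would miss, which is the situation the top message describes. The template ID 260, the function names and the mapping of the router's "as peer" fields to IDs 129/128 are assumptions; the sample packet is constructed to match the 33-byte record quoted above.

```python
import struct

# 16/17: SRC_AS/DST_AS in NetFlow v9 (RFC 3954). 128/129: bgpNextAdjacentAsNumber /
# bgpPrevAdjacentAsNumber in the IANA IPFIX registry. Assumption: the exporter
# sends "source as peer" as 129 and "destination as peer" as 128.
AS_FIELDS = {16: "srcas", 17: "dstas", 129: "srcpeeras", 128: "dstpeeras"}

def parse_templates(packet):
    """Return {template_id: [(field_type, length), ...]} for one NetFlow v9 packet."""
    if len(packet) < 20 or struct.unpack_from("!H", packet)[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    templates, offset = {}, 20                      # fixed 20-byte v9 header
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack_from("!HH", packet, offset)
        if length < 4 or offset + length > len(packet):
            raise ValueError("bad flowset length")
        pos, end = offset + 4, offset + length
        while flowset_id == 0 and pos + 4 <= end:   # flowset 0 carries templates
            tid, nfields = struct.unpack_from("!HH", packet, pos)
            pos += 4
            if tid < 256 or pos + 4 * nfields > end:  # padding or truncated record
                break
            templates[tid] = [struct.unpack_from("!HH", packet, pos + 4 * i)
                              for i in range(nfields)]
            pos += 4 * nfields
        offset += length
    return templates

def as_report(fields, decoded=(16, 17)):
    """(name, bits, visible) per AS field; visible=False if the collector ignores it."""
    return [(AS_FIELDS[t], n * 8, t in decoded) for t, n in fields if t in AS_FIELDS]

def asdot_to_asplain(text):
    """Convert the router's "3.3520" display form to a plain 32-bit AS number."""
    high, _, low = text.rpartition(".")
    return (int(high) << 16) + int(low) if high else int(low)

def build_sample():
    """Constructed packet: one template shaped like the thread's 33-byte record."""
    fields = [(129, 4), (128, 4), (10, 4), (14, 4), (61, 1),
              (1, 4), (2, 4), (22, 4), (21, 4)]
    record = struct.pack("!HH", 260, len(fields))   # 260 is an arbitrary template id
    record += b"".join(struct.pack("!HH", t, n) for t, n in fields)
    flowset = struct.pack("!HH", 0, 4 + len(record)) + record
    return struct.pack("!HHIIII", 9, 1, 0, 0, 0, 0) + flowset

if __name__ == "__main__":
    for tid, fields in parse_templates(build_sample()).items():
        print(tid, sum(n for _, n in fields), "bytes", as_report(fields))
```

Running the same check against a template captured from the exporter shows whether the AS columns will be empty before any flows are aggregated.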