[Nfdump-discuss] Flexible Netflow and nfdump/nfcapd alignment problem
From: Maxim R. <Mra...@iv...> - 2015-02-09 16:27:35
Hello Everyone,
I am trying to set up nfdump / nfcapd to work with Cisco Flexible Netflow (Sup2T). From what I see, there is some alignment problem with the data collected. Here's what I have:
Cisco config:
flow exporter Flowviewer1
 destination 192.168.7.74
 source lo1
 dscp 63
 ttl 5
 transport udp 9992
 template data timeout 120
 option exporter-stats timeout 120
flow monitor FLOW-OUT
 exporter Flowviewer1
 record platform-original ipv4 interface-full

flow record platform-original ipv4 interface-full:
  Description:        Original platform IPv4 interface-full fields
  No. of users:       1
  Total field space:  41 bytes
  Fields:
    match ipv4 protocol
    match ipv4 source address
    match ipv4 destination address
    match transport source-port
    match transport destination-port
    match interface input
    collect routing source as
    collect routing destination as
    collect routing next-hop address ipv4
    collect counter bytes
    collect counter packets
    collect timestamp sys-uptime first
    collect timestamp sys-uptime last
nfcapd run:
/usr/bin/nfcapd -w -D -p 9992 -u nfcapd -g nfcapd -B 200000 -S 1 -P /storage/nfsen/var/run/p9992.pid -z -T all -I gw-linx-1 -l /storage/nfsen/profiles-data/live/gw-linx-1
When I run nfdump I get:
[mrayevskiy@adm2 ~]$ nfdump -M /storage/nfsen/profiles-data/live/gw-linx-1 -T -R 2015/02/09/nfcapd.201502091750:2015/02/09/nfcapd.201502091850 -o raw -c 1
Flow Record:
Flags = 0x06 FLOW, Unsampled
export sysid = 1
size = 86
first = 1423493350 [2015-02-09 17:49:10]
last = 1423493394 [2015-02-09 17:49:54]
msec_first = 962
msec_last = 362
src addr = 91.233.219.77
dst addr = 31.162.147.183
src port = 80
dst port = 52024
fwd status = 0
tcp flags = 0x00 ......
proto = 6 TCP
(src)tos = 0
(in)packets = 190
(in)bytes = 267398
input = 262
output = 0
src as = 28719
dst as = 9433
ip next hop = 219.254.195.34
ip router = 0.0.91.233
engine type = 130
engine ID = 136
received at = 2814749788827345 [91165-11-14 16:20:27.345]
Summary: total flows: 1, total bytes: 267398, total packets: 190, avg bps: 49289, avg pps: 4, avg bpp: 1407
Time window: 2014-12-22 00:51:12 - 2015-02-09 17:54:58
Total flows processed: 12188, Blocks skipped: 0, Bytes read: 1048524
Sys: 0.000s flows/second: 0.0 Wall: 0.004s flows/second: 2778841.8
This seems to be OK, except:
Router IP is in fact 91.233.219.254
NEXTHOP IP is 195.34.36.218 (so it would seem that part of the router address moved into nexthop IP)
SRC AS is in fact a DST AS for the destination IP
DST AS is probably temperature on Venus since it's not even our AS (57629)
And the 'received at' timestamp is totally from the far-away future. :)
Finally, both nfcapd and nfdump are at version 1.6.13.
I would really appreciate some help with the matter.
Maxim Rayevskiy
Senior Manager
ivi.ru online movies
tel.: +7 495 276-06-31 (ext. 206)
cell: +7 964 551 12 43
e-mail: ra...@iv...
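The symptom in the post (the router address appearing as 0.0.91.233 with its last two octets spilling into the next-hop field, and AS numbers landing in the wrong slots) is the signature of a collector reading a NetFlow v9 data record with field offsets that differ from the exporter's template. The following Python example, added here and not taken from nfdump or from the poster's setup, reproduces that mechanism on constructed data: it encodes one 41-byte record with an assumed field layout, decodes it once with the matching template and once with a template in which a single field (INPUT_SNMP) is believed to be two bytes narrower, and shows how every later field shifts. It also includes a FlowSet length check of the kind a collector can use to catch such a mismatch, together with the caveat that the v9 padding allowance hides a small shift when a FlowSet carries only one record. The element IDs are the RFC 3954 values; the field lengths, AS numbers and uptimes are assumptions chosen for the illustration.

```python
from ipaddress import IPv4Address

# NetFlow v9 information element IDs (RFC 3954) for the fields listed in the
# post's "platform-original ipv4 interface-full" record.
IN_BYTES, IN_PKTS, PROTOCOL = 1, 2, 4
L4_SRC_PORT, IPV4_SRC_ADDR, INPUT_SNMP = 7, 8, 10
L4_DST_PORT, IPV4_DST_ADDR = 11, 12
IPV4_NEXT_HOP, SRC_AS, DST_AS = 15, 16, 17
LAST_SWITCHED, FIRST_SWITCHED = 21, 22
IPV4_FIELDS = {IPV4_SRC_ADDR, IPV4_DST_ADDR, IPV4_NEXT_HOP}

# Assumed exporter template: the field lengths are a constructed choice that
# adds up to the 41 bytes the post reports as "Total field space"; the real
# Sup2T encoding may differ.
EXPORTER_TEMPLATE = [
    (PROTOCOL, 1), (IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4),
    (L4_SRC_PORT, 2), (L4_DST_PORT, 2), (INPUT_SNMP, 4),
    (SRC_AS, 2), (DST_AS, 2), (IPV4_NEXT_HOP, 4),
    (IN_BYTES, 4), (IN_PKTS, 4), (FIRST_SWITCHED, 4), (LAST_SWITCHED, 4),
]

# Hypothetical collector that believes INPUT_SNMP is 2 bytes wide: every field
# after it is read 2 bytes too early.
COLLECTOR_TEMPLATE = [
    (fid, 2 if fid == INPUT_SNMP else length) for fid, length in EXPORTER_TEMPLATE
]

# Constructed flow values: addresses, ports, counters and input interface echo
# the post's record; AS numbers and uptimes are made up (dst AS 0 makes the
# shifted next hop easy to recognise).
SAMPLE_VALUES = {
    PROTOCOL: 6, IPV4_SRC_ADDR: "91.233.219.77", IPV4_DST_ADDR: "31.162.147.183",
    L4_SRC_PORT: 80, L4_DST_PORT: 52024, INPUT_SNMP: 262,
    SRC_AS: 57629, DST_AS: 0, IPV4_NEXT_HOP: "195.34.36.218",
    IN_BYTES: 267398, IN_PKTS: 190, FIRST_SWITCHED: 123456, LAST_SWITCHED: 167890,
}


def template_length(template):
    """Record length implied by a template: the sum of its field lengths."""
    return sum(length for _, length in template)


def build_record(template, values):
    """Encode one data record exactly as an exporter using `template` would."""
    out = bytearray()
    for field_id, length in template:
        value = values[field_id]
        if field_id in IPV4_FIELDS:
            out += IPv4Address(value).packed
        else:
            out += value.to_bytes(length, "big")
    return bytes(out)


def decode_field(field_id, raw):
    """Render 4-byte address fields dotted, everything else as an integer."""
    if field_id in IPV4_FIELDS and len(raw) == 4:
        return str(IPv4Address(raw))
    return int.from_bytes(raw, "big")


def parse_record(template, data, offset=0):
    """Cut one record out of `data` using the collector's idea of the layout.
    Returns (fields, offset just after the record)."""
    fields = {}
    for field_id, length in template:
        fields[field_id] = decode_field(field_id, data[offset:offset + length])
        offset += length
    return fields, offset


def check_flowset(template, payload):
    """Sanity-check a data FlowSet payload against its template. v9 permits up
    to 3 bytes of padding, so a remainder below 4 cannot be called an error;
    a larger remainder means the template length disagrees with the data."""
    rec_len = template_length(template)
    count, rem = divmod(len(payload), rec_len)
    if count == 0:
        return False, f"payload of {len(payload)} bytes is shorter than one {rec_len}-byte record"
    if rem >= 4:
        return False, f"{rem} leftover bytes after {count} record(s): template/data length mismatch"
    return True, f"{count} record(s) plus {rem} byte(s) of padding"


if __name__ == "__main__":
    record = build_record(EXPORTER_TEMPLATE, SAMPLE_VALUES)
    good, _ = parse_record(EXPORTER_TEMPLATE, record)
    bad, _ = parse_record(COLLECTOR_TEMPLATE, record)
    for fid, name in ((SRC_AS, "src as"), (DST_AS, "dst as"), (IPV4_NEXT_HOP, "next hop"), (IN_BYTES, "bytes")):
        print(f"{name:9} exporter={good[fid]!s:16} collector={bad[fid]}")
    # One record: the 2-byte shift hides inside the padding allowance.
    print(check_flowset(COLLECTOR_TEMPLATE, record))
    # Two records: the mismatch accumulates to 4 leftover bytes and is caught.
    print(check_flowset(COLLECTOR_TEMPLATE, record * 2))
```

With the mismatched template the next hop decodes as 0.0.195.34 (the two zero bytes of the preceding AS field followed by the first half of the real address), the source AS shows the low half of the input interface index, and the destination AS shows the real source AS: the same kind of displacement the post describes. The length check passes for a lone record but fails once two records share a FlowSet, so a collector that validates only single-record FlowSets can miss a small template disagreement.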