Re: [Nfdump-discuss] nfdump and Cisco CRS CGSE+ module
netflow collecting and processing tools
From: Aleksandar C. <a....@gm...> - 2015-03-29 22:31:26
Hi Andrei,

CGSE thingie does not export all the values we might like it to; check the events and templates with associated fields here. I myself am planning for production use with bulk port allocation feature and am ok with using "received at" field for time data.

http://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r4-3/cg_nat/configuration/guide/cgnat_cg43crs/cgnat51log.html

On Wed, Mar 25, 2015 at 12:14 PM, Андрей Седлецкий <ase...@sp...> wrote:
> Hi all!
>
> We have an issue with the Cisco CRS's CGSE+ module. The module is used
> to do NAT (PAT) and the export of netflow is configured on it.
> I try to use nfdump (now it is nfdump-1.6.13) as a netflow collector but
> experience problems with some fields:
>
> /usr/local/nfdump-1.6.13/bin/nfdump -r nfcapd.201503250700 -o "fmt:%ts %te %sap-->%nsa:%nsp >> %nda:%ndp-->%dap %pr %nevt %ivrf %evrf" | less
> Date first seen Date last seen Src IP Addr:Port X-late Src IP XsPort X-late Dst IP XdPort Dst IP Addr:Port Proto Event I-VRF-ID E-VRF-ID
> 1970-01-01 03:00:00.000 1970-01-01 03:00:00.000 10.114.136.169:49958--> 37.190.63.117: 55550 >> 0.0.0.0: 0--> 37.58.73.181:80 TCP IGNORE 1610612766 1610612754
> 1970-01-01 03:00:00.48984 1970-01-01 03:00:00.000 10.114.136.169:37764--> 37.190.63.117: 22597 >> 0.0.0.0: 0--> 37.58.73.181:80 TCP IGNORE 1610612766 1610612754
> 1970-01-01 03:00:00.25651 1970-01-01 03:00:00.000 10.114.228.152:30947--> 37.190.63.114: 62311 >> 0.0.0.0: 0--> 62.112.113.170:53 UDP IGNORE 1610612766 1610612754,
>
> Mostly it concerns such fields as "Date first seen", "Date last seen"
> etc, while X-late fields as well as "source/destination" fields
> seem to be correct.
> What I would like to know is if nfdump can support netflow streams from
> CGSE+ card installed in Cisco CRS chassis?
> If so, are there any special ./configure options? The current one was
> compiled with "$ ./configure --prefix=/usr/local/nfdump-1.6.13
> --enable-nsel --enable-nel" options.
>
> I have also contacted Cisco Technical Support about the problem. They
> answered that the ASR9k/CRS routers inform (periodically) the netflow
> collector about the format of data transmitted and then send the data in
> accordance to it.
> Hence they advised to find out if nfdump supports Dynamic Templates.
>
> Thank you in advance.
> Best regards,
> Andrey
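
The thread turns on which fields the exporter announces in its templates. The following is an added example, not part of the original messages and not nfdump code: it parses the template flowset of a NetFlow v9 packet and reports whether the template carries any time element, or whether a collector has to fall back to export/receive time. The packet, the template ID 256 and the field list are constructed for illustration and are assumptions, not a capture from a CGSE; the field numbers are the standard NetFlow v9 / IANA IPFIX element IDs.

```python
import struct

# Element IDs from the NetFlow v9 / IANA IPFIX registries.
TIME_FIELDS = {21: "LAST_SWITCHED", 22: "FIRST_SWITCHED",
               323: "observationTimeMilliseconds"}

def parse_templates(packet):
    """Return (export_secs, {template_id: [(field_type, length), ...]})."""
    if len(packet) < 20:
        raise ValueError("shorter than a NetFlow v9 header")
    version, _count, _uptime, export_secs, _seq, _src = struct.unpack_from(
        "!HHIIII", packet, 0)
    if version != 9:
        raise ValueError("not NetFlow v9")
    templates, off = {}, 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad flowset length")
        pos, end = off + 4, off + fs_len
        while fs_id == 0 and pos + 4 <= end:      # flowset 0 = templates
            tid, nfields = struct.unpack_from("!HH", packet, pos)
            if tid < 256:                         # trailing padding
                break
            pos += 4
            if pos + 4 * nfields > end:
                raise ValueError("truncated template record")
            templates[tid] = [struct.unpack_from("!HH", packet, pos + 4 * i)
                              for i in range(nfields)]
            pos += 4 * nfields
        off += fs_len
    return export_secs, templates

def timestamp_source(fields):
    """Say where a collector can take record times from for this template."""
    present = [TIME_FIELDS[t] for t, _ in fields if t in TIME_FIELDS]
    return present or ["export/receive time"]

def build_packet(template_id, fields, export_secs):
    """Build a constructed v9 packet carrying one template (test input)."""
    rec = struct.pack("!HH", template_id, len(fields))
    rec += b"".join(struct.pack("!HH", t, n) for t, n in fields)
    header = struct.pack("!HHIIII", 9, 1, 0, export_secs, 1, 0)
    return header + struct.pack("!HH", 0, 4 + len(rec)) + rec

# Constructed NAT-event template with addresses, ports, natEvent (230) and
# VRF IDs (234/235) but no time element; not a capture from a CGSE.
NAT_FIELDS = [(8, 4), (7, 2), (225, 4), (227, 2), (12, 4), (11, 2),
              (4, 1), (230, 1), (234, 4), (235, 4)]

if __name__ == "__main__":
    secs, tpl = parse_templates(build_packet(256, NAT_FIELDS, 1427266800))
    print(secs, tpl[256], timestamp_source(tpl[256]))
```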