Re: [Nfdump-discuss] nfdump and Cisco CRS CGSE+ module
netflow collecting and processing tools
From: Андрей С. <ase...@sp...> - 2015-03-30 08:36:13
Hi Aleksandar!

Thank you for your reply.
Yes, you are right. CGSE does not export the time at which events occurred (there are no such fields in their templates). It was discovered with the help of tcpdump and Wireshark.
Also, as it is known that CGSE cards don't export flow data less than one second, the use of the "received at" time should look OK.

Thank you again,
Andrey

30.03.2015 1:31, Aleksandar Ciric wrote:
> Hi Andrei,
>
> CGSE thingie does not export all the values we might like it to,
> check the events and templates with associated fields here. I myself
> am planning for production use with bulk port allocation feature and
> am ok with using "received at" field for time data.
> http://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r4-3/cg_nat/configuration/guide/cgnat_cg43crs/cgnat51log.html
>
> On Wed, Mar 25, 2015 at 12:14 PM, Андрей Седлецкий
> <ase...@sp...> wrote:
>
> > Hi all!
> >
> > We have an issue with the Cisco CRS's CGSE+ module. The module is used
> > to do NAT (PAT) and the export of netflow is configured on it.
> > I try to use nfdump (now it is nfdump-1.6.13) as a netflow collector but
> > experience problems with some fields:
> >
> > /usr/local/nfdump-1.6.13/bin/nfdump -r nfcapd.201503250700 -o "fmt:%ts %te %sap-->%nsa:%nsp >> %nda:%ndp-->%dap %pr %nevt %ivrf %evrf" | less
> > Date first seen Date last seen Src IP Addr:Port X-late Src IP XsPort X-late Dst IP XdPort Dst IP Addr:Port Proto Event I-VRF-ID E-VRF-ID
> > 1970-01-01 03:00:00.000 1970-01-01 03:00:00.000 10.114.136.169:49958--> 37.190.63.117: 55550 >> 0.0.0.0: 0--> 37.58.73.181:80 TCP IGNORE 1610612766 1610612754
> > 1970-01-01 03:00:00.48984 1970-01-01 03:00:00.000 10.114.136.169:37764--> 37.190.63.117: 22597 >> 0.0.0.0: 0--> 37.58.73.181:80 TCP IGNORE 1610612766 1610612754
> > 1970-01-01 03:00:00.25651 1970-01-01 03:00:00.000 10.114.228.152:30947--> 37.190.63.114: 62311 >> 0.0.0.0: 0--> 62.112.113.170:53 UDP IGNORE 1610612766 1610612754,
> >
> > Mostly it concerns such fields as "Date first seen", "Date last seen"
> > etc, while X-late fields as well as "source/destination" fields
> > seem to be correct.
> > What I would like to know is if nfdump can support netflow streams from
> > CGSE+ card installed in Cisco CRS chassis?
> > If so, are there any special ./configure options? The current one was
> > compiled with "$ ./configure --prefix=/usr/local/nfdump-1.6.13
> > --enable-nsel --enable-nel" options.
> >
> > I have also contacted Cisco Technical Support about the problem. They
> > answered that the ASR9k/CRS routers inform (periodically) the netflow
> > collector about the format of data transmitted and then send the data in
> > accordance with it.
> > Hence they advised to find out if nfdump supports Dynamic Templates.
> >
> > Thank you in advance.
> > Best regards,
> > Andrey
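
An added example, not part of the original messages and not nfdump code: a minimal NetFlow v9 template parser that reports whether an exported template defines any timestamp field, which is the check described above as done by hand with tcpdump and Wireshark. The template layout, template ID and export time are constructed sample values, not the real CGSE+ templates; field type numbers are the standard NetFlow v9/IPFIX ones.

```python
import struct

# NetFlow v9 / IPFIX field types that carry a flow or event timestamp.
TIME_FIELDS = {21: "LAST_SWITCHED", 22: "FIRST_SWITCHED",
               150: "flowStartSeconds", 151: "flowEndSeconds",
               152: "flowStartMilliseconds", 153: "flowEndMilliseconds",
               323: "observationTimeMilliseconds"}

def parse_templates(packet):
    """Return (export_unix_secs, {template_id: [(field_type, length), ...]})."""
    version, _count, _uptime, unix_secs, _seq, _src = struct.unpack_from("!HHIIII", packet, 0)
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    templates, off = {}, 20                      # v9 header is 20 bytes
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad FlowSet length")
        pos, end = off + 4, off + fs_len
        while fs_id == 0 and pos + 4 <= end:     # FlowSet ID 0 = templates
            tid, nfields = struct.unpack_from("!HH", packet, pos)
            if tid < 256:                        # trailing padding, not a record
                break
            pos += 4
            if pos + 4 * nfields > end:
                raise ValueError("truncated template record")
            templates[tid] = [struct.unpack_from("!HH", packet, pos + 4 * i)
                              for i in range(nfields)]
            pos += 4 * nfields
        off += fs_len
    return unix_secs, templates

def time_fields(fields):
    """Names of the timestamp fields a template defines (empty if none)."""
    return [TIME_FIELDS[t] for t, _ in fields if t in TIME_FIELDS]

def build_packet(template_id, fields, unix_secs):
    """Build a v9 packet holding one template FlowSet (for the sample below)."""
    rec = struct.pack("!HH", template_id, len(fields))
    rec += b"".join(struct.pack("!HH", t, l) for t, l in fields)
    flowset = struct.pack("!HH", 0, 4 + len(rec)) + rec
    return struct.pack("!HHIIII", 9, 1, 0, unix_secs, 1, 0) + flowset

# Constructed sample: a NAT-event template with VRF IDs, addresses, ports,
# protocol and natEvent but no timestamp field (not the real CGSE+ layout).
NAT_FIELDS = [(234, 4), (235, 4), (8, 4), (225, 4), (7, 2), (227, 2),
              (12, 4), (11, 2), (4, 1), (230, 1)]
SAMPLE = build_packet(256, NAT_FIELDS, 1427266800)

if __name__ == "__main__":
    for tid, fields in parse_templates(SAMPLE)[1].items():
        print(tid, time_fields(fields) or "no time fields: use collector receive time")
```

A template for which `time_fields` returns an empty list gives the collector nothing to fill "first seen" and "last seen" from, so the collector's own receive time is the only timestamp available for those records.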