[Nfdump-discuss] IPv6 netflow v9 traffic is misinterpreted as IPv4
From: Nikolaos M. <nm...@no...> - 2016-07-31 10:22:13
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body style="background-color: rgb(255, 255, 255); color: rgb(0, 0,
0); font-family: Palatino Linotype; font-size: 13px;"
bgcolor="#FFFFFF" text="#000000">
Hello, <br>
<br>
I've posted this issue to the nfsen-discuss mailing list and as an issue
to the nfdump Git issue tracker, but I thought I should post it here as
well, since it's the most relevant place. <br>
<br>
Here is the link to the nfsen-discuss thread:
<a class="moz-txt-link-freetext" href="https://sourceforge.net/p/nfsen/mailman/nfsen-discuss/?viewmonth=201607">https://sourceforge.net/p/nfsen/mailman/nfsen-discuss/?viewmonth=201607</a><br>
<div class="comment-body markdown-body markdown-format
js-comment-body">
<p>Traffic is exported by a Cisco ISR 2951 Router (using netflow
v9) running IOS v15.5(1)T2. </p>
<p>IPv6 traffic netflow records are misinterpreted by
nfcapd/nfdump v1.6.15 (tried v1.6.13 too) as IPv4 traffic and
are read into the system totally wrong.</p>
<p>(Note: IPv6 traffic records from an ASA 5525 are interpreted
correctly by the same nfsen/nfdump installation.)</p>
<p>IPv4 traffic records are read correctly into nfcapd files.</p>
<p>Here is such a wrong record: </p>
<p>Flow Record:</p>
<blockquote>
<pre><code>Flags = 0x06 FLOW, Unsampled
export sysid = 2
size = 60
first = 1470300950 [2016-08-04 11:55:50]
last = 1470304097 [2016-08-04 12:48:17]
msec_first = 124
msec_last = 444
src addr = 53.0.0.0
dst addr = 169.0.0.0
ICMP = 64.8 type.code
fwd status = 0
tcp flags = 0x11 .A...F
proto = 1 ICMP
(src)tos = 8
(in)packets = 566
(in)bytes = 0
input = 4578
output = 54272
</code></pre>
</blockquote>
<p>which was derived by the following packet (exported by
Wireshark as plain text) referring to IPv6 traffic:</p>
<blockquote>
<pre><code>No.   Time                        Source           Destination      Protocol  Length  Info
441   2016-07-31 00:19:59.693603  195.251.204.254  195.251.204.212  CFLOW     119     total: 1 (v9) record Obs-Domain-ID= 0 [Data:257]
</code></pre>
<pre><code>Frame 441: 119 bytes on wire (952 bits), 119 bytes captured (952 bits)
Ethernet II, Src: CiscoInc_52:38:11 (f4:0f:1b:52:38:11), Dst: DigitalE_2e:f5:53 (aa:00:00:2e:f5:53)
Internet Protocol Version 4, Src: 195.251.204.254, Dst: 195.251.204.212
User Datagram Protocol, Src Port: 57095 (57095), Dst Port: 9995 (9995)
Cisco NetFlow/IPFIX
Version: 9
Count: 1
SysUptime: 146439.410723936 seconds
Timestamp: Jul 31, 2016 00:19:59.000000000 GTB Daylight Time
CurrentSecs: 1469913599
FlowSequence: 59898 (expected 271165)
[Expert Info (Warn/Sequence): Unexpected flow sequence for domain ID 0 (expected 271165, got 59898)]
SourceId: 0
FlowSet 1 [id=257] (1 flows)
FlowSet Id: (Data) (257)
FlowSet Length: 57
[Template Frame: 877 (received after this frame)]
Flow 1
DstAddr: 2001:648:2011:10::236
Protocol: UDP (17)
SrcPort: 58068 (58068)
DstPort: 53 (53)
Octets: 169
Packets: 1
[Duration: 0.000000000 seconds (switched)]
StartTime: 146423.104000000 seconds
EndTime: 146423.104000000 seconds
SrcAddr: 2001:648:2011:8002:85c:c793:3e1f:c573
[Expected Sequence Number: 271165]
[Previous Frame in Sequence: 440]
</code></pre>
</blockquote>
<p>I am available to provide whatever additional information/data
needed to resolve the issue.</p>
<p><strong>Original packets captured on wire and the respective
nfcapd files are available at your request.</strong></p>
<p>Here is the setup on the router that produces the IPv6 netflow
export:</p>
<pre><code>flow record ipv6_record_cisco2
 match ipv6 destination address
 collect ipv6 protocol
 collect ipv6 source address
 collect transport source-port
 collect transport destination-port
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
</code></pre>
<p>I am using: </p>
<blockquote>
<pre><code># nfdump -V
nfdump: Version: NSEL-NEL1.6.15
</code></pre>
</blockquote>
<p>nfdump 1.6.15 was compiled as:</p>
<blockquote>
<pre><code># ./configure --enable-nsel --enable-nfprofile --enable-nftrack --with-rrdpath=/usr/include
</code></pre>
</blockquote>
<p>and nfsen:</p>
<blockquote>
<pre><code># /data/nfsen/bin/nfsen -V
/data/nfsen/bin/nfsen: 1.3.6p1 $Id: nfsen 53 2012-01-23 16:36:02Z peter $
</code></pre>
</blockquote>
<div class="comment-body markdown-body markdown-format
js-comment-body">
<p>It seems to me that this issue is related to:</p>
<blockquote>
<p><a
href="https://sourceforge.net/p/nfdump/mailman/message/31901489/">https://sourceforge.net/p/nfdump/mailman/message/31901489/</a></p>
</blockquote>
<p>but in this case we do have a source address; however, it
seems that the IPv6 traffic flow records still do not get
properly read by nfcapd.</p>
</div>
<p><strong>Please correct nfdump/nfcapd to correctly interpret
IPv6 flow records.</strong></p>
<p>Thanks in advance,<br>
Nick</p>
</div>
<br>
</body>
</html>
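Added example, not part of the message above and not code from nfdump or nfsen: a small template-driven NetFlow v9 decoder in Python that rebuilds the export the post describes. Template 257 is laid out in the field order of the Wireshark decode (DstAddr, Protocol, SrcPort, DstPort, Octets, Packets, StartTime, EndTime, SrcAddr; 53 bytes, flowset length 57), and the data flowset is fed before its template, as frame 441 arrived before frame 877 in the capture. The packet bytes are constructed from the values shown in the post; the header values of the template packet and all function names are assumptions. The decoder honours the field lengths the template declares (RFC 3954 types 27 and 28 are 16-byte IPv6 addresses), buffers data that arrives before its template instead of guessing, and rejects an address field whose length does not match its family; `naive_decode_record` shows, for contrast, what a collector that reads every address as 4 bytes reports for the same record.

```python
import ipaddress
import struct

# RFC 3954 field types used here. A template gives (type, length) pairs and the decoder must
# honour that length instead of assuming every address field is a 4-byte IPv4 address.
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "l4_src_port", 8: "ipv4_src_addr",
               11: "l4_dst_port", 12: "ipv4_dst_addr", 21: "last_switched", 22: "first_switched",
               27: "ipv6_src_addr", 28: "ipv6_dst_addr"}
ADDR_LEN = {8: 4, 12: 4, 27: 16, 28: 16}  # address length each address type implies
def decode_field(ftype, raw):
    """Decode one field; an address field whose template length does not fit its family is rejected."""
    if ftype in ADDR_LEN:
        if len(raw) != ADDR_LEN[ftype]:
            raise ValueError(f"field {ftype}: template gives {len(raw)} bytes, need {ADDR_LEN[ftype]}")
        return str(ipaddress.ip_address(raw))  # 4 bytes -> IPv4Address, 16 bytes -> IPv6Address
    return int.from_bytes(raw, "big")

def naive_decode_record(template, record):
    """Failure class (illustration only, not nfdump's code): every address read as 4 bytes."""
    out, off = {}, 0
    for ftype, flen in template:
        raw, off = record[off:off + flen], off + flen
        out[FIELD_NAMES.get(ftype, ftype)] = (str(ipaddress.IPv4Address(raw[:4]))
                                              if ftype in ADDR_LEN else int.from_bytes(raw, "big"))
    return out

class V9Decoder:
    """Template-driven v9 decoder; templates are scoped by (source_id, template_id)."""

    def __init__(self):
        self.templates, self.pending = {}, {}  # key (source_id, template_id) -> fields / buffered bodies

    def feed(self, packet):
        version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
        if version != 9:
            raise ValueError(f"not NetFlow v9 (version {version})")
        records, off = [], 20
        while off + 4 <= len(packet):
            fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
            if fs_len < 4 or off + fs_len > len(packet):
                raise ValueError("flowset length outside packet")
            body = packet[off + 4:off + fs_len]
            if fs_id == 0:
                records.extend(self._templates(source_id, body))
            elif fs_id >= 256:  # options templates (id 1) are not handled in this example
                key = (source_id, fs_id)
                if key in self.templates:
                    records.extend(self._data(self.templates[key], body))
                else:  # data before its template (frame 441 before 877): buffer, never guess
                    self.pending.setdefault(key, []).append(body)
            off += fs_len
        return records

    def _templates(self, source_id, body):
        replayed, off = [], 0
        while off + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[off:off + 4])
            fields = [struct.unpack("!HH", body[off + 4 + 4 * i:off + 8 + 4 * i]) for i in range(nfields)]
            off += 4 + 4 * nfields
            self.templates[(source_id, tid)] = fields
            for old_body in self.pending.pop((source_id, tid), []):  # replay buffered data
                replayed.extend(self._data(fields, old_body))
        return replayed

    @staticmethod
    def _data(template, body):
        out, off, rec_len = [], 0, sum(flen for _, flen in template)
        while off + rec_len <= len(body):  # a tail shorter than one record is padding
            rec, pos = {}, off
            for ftype, flen in template:
                rec[FIELD_NAMES.get(ftype, ftype)] = decode_field(ftype, body[pos:pos + flen])
                pos += flen
            out.append(rec)
            off += rec_len
        return out

# Constructed packets mirroring the post's capture; the bytes are built here, not taken from it.
def v9_packet(count, uptime_ms, unix_secs, seq, source_id, *flowsets):
    return struct.pack("!HHIIII", 9, count, uptime_ms, unix_secs, seq, source_id) + b"".join(flowsets)

def template_flowset(tid, fields):
    body = struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", t, n) for t, n in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body

# Template 257 in the field order of the post's Wireshark decode: 16+1+2+2+4+4+4+4+16 = 53 bytes.
TEMPLATE_257 = [(28, 16), (4, 1), (7, 2), (11, 2), (1, 4), (2, 4), (22, 4), (21, 4), (27, 16)]
RECORD = (ipaddress.IPv6Address("2001:648:2011:10::236").packed + bytes([17])
          + struct.pack("!HH", 58068, 53) + struct.pack("!II", 169, 1)
          + struct.pack("!II", 146423104, 146423104)
          + ipaddress.IPv6Address("2001:648:2011:8002:85c:c793:3e1f:c573").packed)
DATA_257 = struct.pack("!HH", 257, 4 + len(RECORD)) + RECORD  # flowset length 57, as Wireshark showed
FRAME_441 = v9_packet(1, 146439410, 1469913599, 59898, 0, DATA_257)
FRAME_877 = v9_packet(1, 146500000, 1469913660, 59899, 0, template_flowset(257, TEMPLATE_257))  # header assumed

def demo():
    dec = V9Decoder()
    first = dec.feed(FRAME_441)  # template still unknown: [] and the body is buffered
    return first, dec.feed(FRAME_877), naive_decode_record(TEMPLATE_257, RECORD)
```

`demo()` returns an empty list for the first frame, the fully decoded IPv6 record once the template has arrived, and the naive view in which both 2001:648:... addresses collapse to 32.1.6.72, an IPv4-looking value with no relation to the flow. That is the pattern to look for when checking a collector's IPv6 support: compare the record the collector prints against the Wireshark decode of the same flow, and confirm that the field lengths the template declares are the lengths the collector actually consumes.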