Re: [Nfdump-discuss] IPv6 netflow v9 traffic is misinterpreted as IPv4
netflow collecting and processing tools
From: Nikolaos M. <nm...@no...> - 2016-07-31 11:11:46
<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body style="background-color: rgb(255, 255, 255); color: rgb(0, 0,
0); font-family: Palatino Linotype; font-size: 13px;"
bgcolor="#FFFFFF" text="#000000">
On 31/7/2016 1:48 PM, Phil Mayers wrote:<br>
<br>
<blockquote style="font-size: small;"
cite="mid:66d...@im..."
type="cite">
<pre wrap="">The template frame is relevant too. Could you show the wireshark of that?</pre>
</blockquote>
<br>
<font size="-1">Of course. Here it is:</font><br>
<blockquote><pre>
No.     Time                          Source             Destination        Protocol Length Info
    877 2016-07-31 00:23:44.691830    195.251.204.254    195.251.204.212    CFLOW    163    total: 2 (v9) records Obs-Domain-ID= 0 [Data:257] [Data-Template:257]

Frame 877: 163 bytes on wire (1304 bits), 163 bytes captured (1304 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Jul 31, 2016 00:23:44.691830000 GTB Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1469913824.691830000 seconds
    [Time delta from previous captured frame: 0.126154000 seconds]
    [Time delta from previous displayed frame: 0.126154000 seconds]
    [Time since reference or first frame: 401.126018000 seconds]
    Frame Number: 877
    Frame Length: 163 bytes (1304 bits)
    Capture Length: 163 bytes (1304 bits)
    [Frame is marked: True]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:cflow]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: CiscoInc_52:38:11 (f4:0f:1b:52:38:11), Dst: DigitalE_2e:f5:53 (aa:00:00:2e:f5:53)
    Destination: DigitalE_2e:f5:53 (aa:00:00:2e:f5:53)
        Address: DigitalE_2e:f5:53 (aa:00:00:2e:f5:53)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: CiscoInc_52:38:11 (f4:0f:1b:52:38:11)
        Address: CiscoInc_52:38:11 (f4:0f:1b:52:38:11)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 195.251.204.254, Dst: 195.251.204.212
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 149
    Identification: 0x6ebf (28351)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 255
    Protocol: UDP (17)
    Header checksum: 0x2ace [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 195.251.204.254
    Destination: 195.251.204.212
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 57095 (57095), Dst Port: 9995 (9995)
    Source Port: 57095
    Destination Port: 9995
    Length: 129
    Checksum: 0x9d37 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    [Stream index: 1]
Cisco NetFlow/IPFIX
    Version: 9
    Count: 2
    SysUptime: 146664.635723936 seconds
    Timestamp: Jul 31, 2016 00:23:44.000000000 GTB Daylight Time
        CurrentSecs: 1469913824
    FlowSequence: 59948 (expected 271514)
        [Expert Info (Warn/Sequence): Unexpected flow sequence for domain ID 0 (expected 271514, got 59948)]
            [Unexpected flow sequence for domain ID 0 (expected 271514, got 59948)]
            [Severity level: Warn]
            [Group: Sequence]
    SourceId: 0
    FlowSet 1 [id=257] (1 flows)
        FlowSet Id: (Data) (257)
        FlowSet Length: 57
        [Template Frame: 877]
        Flow 1
            DstAddr: 2001:648:2011:10::234
            Protocol: TCP (6)
            SrcPort: 46042 (46042)
            DstPort: 80 (80)
            Octets: 495
            Packets: 5
            [Duration: 0.012000000 seconds (switched)]
                StartTime: 146647.752000000 seconds
                EndTime: 146647.764000000 seconds
            SrcAddr: 2001:648:2011:8010::211
    FlowSet 2 [id=0] (Data Template): 257
        FlowSet Id: Data Template (V9) (0)
        FlowSet Length: 44
        Template (Id = 257, Count = 9)
            Template Id: 257
            Field Count: 9
            Field (1/9): IPV6_DST_ADDR
                Type: IPV6_DST_ADDR (28)
                Length: 16
            Field (2/9): PROTOCOL
                Type: PROTOCOL (4)
                Length: 1
            Field (3/9): L4_SRC_PORT
                Type: L4_SRC_PORT (7)
                Length: 2
            Field (4/9): L4_DST_PORT
                Type: L4_DST_PORT (11)
                Length: 2
            Field (5/9): BYTES
                Type: BYTES (1)
                Length: 4
            Field (6/9): PKTS
                Type: PKTS (2)
                Length: 4
            Field (7/9): FIRST_SWITCHED
                Type: FIRST_SWITCHED (22)
                Length: 4
            Field (8/9): LAST_SWITCHED
                Type: LAST_SWITCHED (21)
                Length: 4
            Field (9/9): IPV6_SRC_ADDR
                Type: IPV6_SRC_ADDR (27)
                Length: 16
    [Expected Sequence Number: 271514]
    [Previous Frame in Sequence: 876]
</pre></blockquote>
<font size="-1">Thanks for the help!<br>
<br>
Nick</font><br>
</body>
</html>
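The capture above shows two things a NetFlow v9 collector has to get right: the Data FlowSet for template 257 arrives in the same packet as, and before, the Data Template FlowSet that defines it, and template IDs are only meaningful per exporter and source ID (the packet header's SourceId, which Wireshark reports as Obs-Domain-ID). The decoder below is an added example written for this page; it is not nfdump's or nfcapd's code. It rebuilds the 121-byte v9 payload of frame 877 from the field values in the dump (the SysUptime millisecond value is an approximation of the displayed seconds, and the exporter address is taken from the IP header), then decodes it two ways: learning templates as they are encountered, which leaves the first packet's data undecodable, and learning every template in the packet before decoding any data.

```python
"""Minimal NetFlow v9 (RFC 3954) decoder. Added example, not nfdump code."""
import ipaddress
import struct

# Field type -> name for the nine types in template 257 of the capture.
FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
    11: "L4_DST_PORT", 21: "LAST_SWITCHED", 22: "FIRST_SWITCHED",
    27: "IPV6_SRC_ADDR", 28: "IPV6_DST_ADDR",
}
IPV6_FIELDS = {27, 28}


def build_sample_packet():
    """Reconstruct the v9 export of frame 877 from the values in the Wireshark dump.

    Constructed sample: header fields as shown; SysUptime in ms is approximate.
    """
    header = struct.pack("!HHIIII", 9, 2, 146664635, 1469913824, 59948, 0)
    # Data FlowSet (id 257) first, then the Data Template FlowSet (id 0) that defines it.
    record = (ipaddress.IPv6Address("2001:648:2011:10::234").packed
              + struct.pack("!BHHIIII", 6, 46042, 80, 495, 5, 146647752, 146647764)
              + ipaddress.IPv6Address("2001:648:2011:8010::211").packed)
    data_set = struct.pack("!HH", 257, 4 + len(record)) + record          # length 57
    fields = [(28, 16), (4, 1), (7, 2), (11, 2), (1, 4), (2, 4), (22, 4), (21, 4), (27, 16)]
    tmpl = struct.pack("!HH", 257, len(fields)) + b"".join(struct.pack("!HH", t, n) for t, n in fields)
    tmpl_set = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl                 # length 44
    return header + data_set + tmpl_set


def iter_flowsets(packet):
    """Yield (flowset_id, payload) for every FlowSet after the 20-byte v9 header."""
    offset = 20
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, offset)
        if fs_len < 4 or offset + fs_len > len(packet):
            raise ValueError("bad FlowSet length %d at offset %d" % (fs_len, offset))
        yield fs_id, packet[offset + 4:offset + fs_len]
        offset += fs_len


def parse_templates(payload):
    """Decode a Data Template FlowSet into {template_id: [(type, length), ...]}."""
    templates, off = {}, 0
    while off + 4 <= len(payload):
        tid, count = struct.unpack_from("!HH", payload, off)
        off += 4
        if count == 0:          # zero padding at the end of the FlowSet
            break
        fields = [struct.unpack_from("!HH", payload, off + 4 * i) for i in range(count)]
        off += 4 * count
        templates[tid] = fields
    return templates


def decode_record(fields, data):
    """Apply a template's (type, length) list to one fixed-size data record."""
    rec, off = {}, 0
    for ftype, flen in fields:
        chunk = data[off:off + flen]
        off += flen
        name = FIELD_NAMES.get(ftype, "type_%d" % ftype)
        if ftype in IPV6_FIELDS and flen == 16:
            rec[name] = str(ipaddress.IPv6Address(chunk))
        else:
            rec[name] = int.from_bytes(chunk, "big")
    return rec


def decode_packet(packet, exporter, cache, templates_first=True):
    """Return (records, undecodable_flowset_ids).

    The template cache is keyed on (exporter, source_id, template_id): template
    IDs are not globally unique, so a cache keyed on the ID alone would decode one
    exporter's records with another exporter's layout.
    """
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack_from("!HHIIII", packet, 0)
    if version != 9:
        raise ValueError("not NetFlow v9: version %d" % version)
    flowsets = list(iter_flowsets(packet))

    def learn(payload):
        for tid, fields in parse_templates(payload).items():
            cache[(exporter, source_id, tid)] = fields

    if templates_first:          # pass 1: data may precede its template in the same packet
        for fs_id, payload in flowsets:
            if fs_id == 0:
                learn(payload)
    records, undecodable = [], []
    for fs_id, payload in flowsets:
        if fs_id == 0:
            if not templates_first:
                learn(payload)   # single pass: only usable for later FlowSets
            continue
        if fs_id < 256:          # options template (1) or reserved IDs: not handled here
            continue
        fields = cache.get((exporter, source_id, fs_id))
        if fields is None:
            undecodable.append(fs_id)
            continue
        rec_len = sum(n for _, n in fields)
        off = 0
        while off + rec_len <= len(payload):
            records.append(decode_record(fields, payload[off:off + rec_len]))
            off += rec_len
    return records, undecodable


if __name__ == "__main__":
    pkt = build_sample_packet()
    print(decode_packet(pkt, "195.251.204.254", {}, templates_first=False))  # ([], [257])
    print(decode_packet(pkt, "195.251.204.254", {}))                         # one IPv6 record
```

Run stand-alone it prints the single-pass result first (no records, FlowSet 257 undecodable) and then the two-pass result, the one TCP flow from 2001:648:2011:8010::211 to 2001:648:2011:10::234. A collector that decodes in a single pass only recovers on the next packet carrying template 257, and if its cache is keyed on template ID alone, a different exporter or source ID that also uses 257 for an IPv4 layout will have its layout applied to these IPv6 records.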