Re: [Nfsen-discuss] Can't dump IOS XR Netflow v9 AS info
From: Adrian P. <adr...@gm...> - 2012-12-22 08:52:26
It's probably not related to your issue - but make sure you are running the latest nfdump release, because the v9 flows exported by IOSXR have 4 byte AS numbers, not 2 byte like regular IOS exports. This was an issue for me (AS numbers not saved correctly) when running older nfdump versions...

On Sat, Dec 22, 2012 at 1:41 AM, Jason Lixfeld < jas...@li...> wrote:

> I might be missing something, but I dunno..
>
> I've attached a wireshark capture, a nfcapd -E dump and a nfdump -o cap to
> try to illustrate my question. The wireshark capture, nfcapd capture and
> nfdump capture are not from the same flow. I'm just using them as
> examples..
>
> My XR box is exporting SrcAS and DstAS and nfcapd and nfdump see this AS
> data but write it as "prev as" and/or "next as".
>
> In nfsen (or even in nfdump, for that matter), I'm not able to actually
> use this data in any way. I'd like to be able to use it the same way one
> would use SrcAS or DstAS; search keys for statistics, mainly.
>
> Is SrcAS/DstAS not supported or something?
>
> Frame 1: 1494 bytes on wire (11952 bits), 1494 bytes captured (11952 bits)
> Ethernet II, Src: Cisco_ba:ba:40 (f4:ac:c1:ba:ba:40), Dst: Vmware_a5:70:ae
> (00:0c:29:a5:70:ae)
> Internet Protocol Version 4, Src: 10.219.49.11 (10.219.49.11), Dst:
> 10.219.51.130 (10.219.51.130)
> User Datagram Protocol, Src Port: 20762 (20762), Dst Port: 4911 (4911)
> Cisco NetFlow/IPFIX
> Version: 9
> Count: 25
> SysUptime: 842465796
> Timestamp: Dec 21, 2012 18:26:17.000000000 EST
> FlowSequence: 999480
> SourceId: 2049
> FlowSet 1
> FlowSet Id: (Data) (324)
> FlowSet Length: 1432
> Flow 1
> Packets: 1
> Octets: 551
> SrcAddr: mail.bosworthfieldassoc.com (64.40.179.2)
> DstAddr: 146.66.153.174 (146.66.153.174)
> InputInt: 36
> OutputInt: 18
> [Duration: 0.000000000 seconds]
> SrcPort: 28961
> DstPort: 37956
> PeerSrcAS: 32900
> PeerDstAS: 3356
> BGPNextHop: ae5-269.edge3.newyork1.level3.net (4.28.132.85)
> SrcMask: 20
> DstMask: 23
> Protocol: 17
> TCP Flags: 0x00
> IP ToS: 0x00
> Direction: Egress (1)
> Forwarding Status: Forward: Forwarded (Unknown)
> SamplerID: 1
> Flow 2
> Packets: 1
> Octets: 60
> SrcAddr: lb2.readingrockets.org (144.202.247.111)
> DstAddr: informativodigital.info (72.15.54.212)
> InputInt: 18
> OutputInt: 42
> [Duration: 0.000000000 seconds]
> SrcPort: 42613
> DstPort: 4506
> PeerSrcAS: 3356
> PeerDstAS: 0
> BGPNextHop: lo0.pe01.23fraserav01.yyz.beanfield.com(72.15.50.34)
> SrcMask: 16
> DstMask: 26
> Protocol: 6
> TCP Flags: 0x02
> IP ToS: 0x00
> Direction: Ingress (0)
> Forwarding Status: Forward: Forwarded (Unknown)
> SamplerID: 1
>
>
> nfcapd -E:
>
> Flow Record:
> Flags = 0x06 Unsampled
> export sysid = 1
> size = 92
> first = 1356130756 [2012-12-21 17:59:16]
> last = 1356130757 [2012-12-21 17:59:17]
> msec_first = 985
> msec_last = 823
> src addr = 94.97.7.228
> dst addr = 66.207.211.183
> src port = 52177
> dst port = 80
> fwd status = 64
> tcp flags = 0x1a .AP.S.
> proto = 6
> (src)tos = 0
> (in)packets = 4
> (in)bytes = 817
> input = 15
> output = 36
> src mask = 18 94.97.0.0/18
> dst mask = 28 66.207.211.176/28
> dst tos = 0
> direction = 0
> bgp next hop = 72.15.50.96
> ip router = 10.219.49.11
> engine type = 0
> engine ID = 0
> next as = 0
> prev as = 1273
> received at = 1356130768076 [2012-12-21 17:59:28.076]
>
> nfdump:
>
> Flow Record:
> Flags = 0x06 Unsampled
> export sysid = 1
> size = 92
> first = 1356127220 [2012-12-21 17:00:20]
> last = 1356127220 [2012-12-21 17:00:20]
> msec_first = 613
> msec_last = 656
> src addr = 66.207.201.186
> dst addr = 74.125.174.6
> src port = 39217
> dst port = 80
> fwd status = 64
> tcp flags = 0x10 .A....
> proto = 6
> (src)tos = 0
> (in)packets = 3
> (in)bytes = 138
> input = 15
> output = 67
> src mask = 30 66.207.201.184/30
> dst mask = 16 74.125.0.0/16
> dst tos = 0
> direction = 1
> bgp next hop = 206.108.34.6
> ip router = 10.219.49.2
> engine type = 8
> engine ID = 1
> next as = 15169
> prev as = 0
> received at = 1356127236954 [2012-12-21 17:00:36.954]
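
Added example (not part of the thread, and not nfdump's code): a minimal NetFlow v9 decoder that reads AS fields at the width each template declares, so the 4-byte AS numbers of an IOS XR export and the 2-byte ones of a regular IOS export both decode correctly. The field type numbers come from RFC 3954 and the IANA IPFIX registry; template ID 325 and all packet bytes are constructed sample data.

```python
import struct

# Field type numbers per RFC 3954 / IANA IPFIX registry (not taken from the thread).
AS_FIELDS = {16: "src_as", 17: "dst_as",
             128: "bgp_next_adjacent_as", 129: "bgp_prev_adjacent_as"}

def parse_templates(body: bytes) -> dict:
    """Parse a template FlowSet body into {template_id: [(type, length), ...]}."""
    templates, off = {}, 0
    while off + 4 <= len(body):
        tid, count = struct.unpack_from("!HH", body, off)
        off += 4
        if tid < 256 or off + 4 * count > len(body):
            raise ValueError("malformed template record")
        templates[tid] = [struct.unpack_from("!HH", body, off + 4 * i)
                          for i in range(count)]
        off += 4 * count
    return templates

def decode_as_fields(template: list, data: bytes) -> list:
    """Decode the AS fields of each record in a data FlowSet body."""
    rec_len = sum(length for _, length in template)
    if rec_len == 0:
        raise ValueError("empty template")
    records, off = [], 0
    while off + rec_len <= len(data):            # trailing bytes are padding
        rec = {}
        for ftype, length in template:
            if ftype in AS_FIELDS:
                if length not in (2, 4):         # reject widths we cannot interpret
                    raise ValueError(f"unexpected AS field length {length}")
                rec[AS_FIELDS[ftype]] = int.from_bytes(data[off:off + length], "big")
            off += length
        records.append(rec)
    return records

# Constructed sample: template 324 declares 4-byte AS fields (IOS XR style).
TEMPLATE_4B = struct.pack("!HH", 324, 4) + struct.pack("!8H", 16, 4, 17, 4, 7, 2, 11, 2)
DATA_4B = struct.pack("!IIHH", 4200000001, 3356, 28961, 37956)
# Constructed sample: template 325 declares 2-byte AS fields (regular IOS style).
TEMPLATE_2B = struct.pack("!HH", 325, 4) + struct.pack("!8H", 16, 2, 17, 2, 7, 2, 11, 2)
DATA_2B = struct.pack("!HHHH", 32900, 3356, 28961, 37956)

def demo():
    tpl = parse_templates(TEMPLATE_4B + TEMPLATE_2B)
    return decode_as_fields(tpl[324], DATA_4B), decode_as_fields(tpl[325], DATA_2B)

if __name__ == "__main__":
    print(demo())
```

Decoding `DATA_4B` with the 2-byte template instead yields `src_as` 64086 and `dst_as` 59905, which is what a collector produces if it assumes a fixed 2-byte width rather than the declared one.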