Hi All,

I use the flow-import pcap hack function: http://mail.net.informatik.tu-muenchen.de/~robin/flowtools/

In my environment, our Cisco device is a cata6509. Now the netflow traffic is sent to the billing system, and the cata6509 can't send to multiple destinations. So I set up port mirroring on the cata3550 before the billing machine, and use our flowscan machine to catch the sniffed netflow traffic using tcpdump (flow-import -f1). The traffic is 2Gbps by mrtg, with about 1.5Mbps of netflow traffic. But I found our flow-import lost a lot of data. It seems that the traffic obtained by port mirroring is always out of order. The output is as below:

    [EMAIL PROTECTED] hcj]# tcpdump -n udp -i eth0 -s 2000 port 555 -w -|/home/hcj/flow-tools-0.56/src/flow-import -b big -V5 -f1|/home/hcj/flow-tools-0.56/src/flow-send 192.168.25.31/192.169.25.2/2000
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 2000 bytes
    flow-import: ftpdu_seq_check: expected=1812774917 received=1812775990 lost=1073
    flow-import: ftpdu_seq_check: expected=1812777991 received=1812783617 lost=5626
    flow-import: ftpdu_seq_check: expected=1812784081 received=1812796203 lost=12122
    flow-import: ftpdu_seq_check: expected=1812796696 received=1812799973 lost=3277
    flow-import: ftpdu_seq_check: expected=1812802090 received=1812812153 lost=10063
    flow-import: ftpdu_seq_check: expected=1812812646 received=1812825203 lost=12557
    641 packets captured
    4026 packets received by filter
    3385 packets dropped by kernel

It may not be because of lost data; it may be because of out-of-order sequence UDP packets by tcpdump.

Below is the output of tcpdump, where we can clearly see the out-of-order traffic:

    08:13:29.839859 IP 192.168.25.1.49725 > 192.168.25.3.555: UDP, length: 1416
    08:13:29.840100 IP 192.168.25.1.49725 > 192.168.25.3.555: UDP, length: 1416
    08:13:29.840339 IP 192.168.25.1.49725 > 192.168.25.3.555: UDP, length: 1416
    08:13:30.796932 IP 192.168.25.1.49725 > 192.168.25.3.555: UDP, length: 1464
    08:13:38.796880 IP 192.168.25.1.49725 > 192.168.25.3.555: UDP, length: 1464
    08:13:41.514801 IP 192.168.25.1.49725 > 192.168.25.3.555: UDP, length: 1416
    08:13:41.515162 IP 192.168.25.1.49725 > 192.168.25.3.555: UDP, length: 1416

Do you know how to deal with it? Since now I don't consider using flow-fanout.

Haina tang
_______________________________________________ Flow-tools mailing list [EMAIL PROTECTED] http://mailman.splintered.net/mailman/listinfo/flow-tools
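
Added example, not part of the original post and not flow-tools code: one way to tell reordered NetFlow v5 datagrams from missing ones, using the v5 header rule that flow_sequence advances by each datagram's record count. The function names, the reorder window and the sample sequence numbers are constructed for illustration.

```python
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")  # NetFlow v5 export header, 24 bytes
RECORD_LEN = 48                          # size of one v5 flow record
MASK = 0xFFFFFFFF                        # flow_sequence is a 32-bit counter

def make_pdu(seq, count):
    """Constructed sample datagram: v5 header plus zero-filled records."""
    return V5_HEADER.pack(5, count, 0, 0, 0, seq, 0, 0, 0) + bytes(RECORD_LEN * count)

def classify(datagrams, window=4):
    """Count in-order, after-gap and late PDUs, and flows never seen.

    A sequence gap stays open for `window` further datagrams; a PDU that
    lands inside an open gap is late (reordered), not lost.
    """
    stats = {"in_order": 0, "after_gap": 0, "late": 0, "lost_flows": 0}
    expected, gaps = None, []            # gap: [start, length, missing, deadline]
    for i, data in enumerate(datagrams):
        if len(data) < V5_HEADER.size:
            continue
        version, count, _, _, _, seq, _, _, _ = V5_HEADER.unpack_from(data)
        if version != 5 or len(data) < V5_HEADER.size + RECORD_LEN * count:
            continue                     # truncated or not NetFlow v5
        # Gaps whose wait has run out are written off as lost flows.
        stats["lost_flows"] += sum(g[2] for g in gaps if g[3] < i)
        gaps = [g for g in gaps if g[3] >= i]
        if expected is None:
            expected = seq
        ahead = (seq - expected) & MASK
        if ahead < 0x80000000:           # at or past the expected sequence
            if ahead:
                gaps.append([expected, ahead, ahead, i + window])
            stats["after_gap" if ahead else "in_order"] += 1
            expected = (seq + count) & MASK
            continue
        for g in gaps:                   # behind: does it fill an open gap?
            if (seq - g[0]) & MASK < g[1]:
                g[2] -= min(count, g[2])
                stats["late"] += 1
                break
    stats["lost_flows"] += sum(g[2] for g in gaps)
    return stats

def sample_stream():
    """Constructed capture: 130 arrives after 160, and 220 never arrives."""
    return [make_pdu(s, 30) for s in (100, 160, 130, 190, 250, 280)]

if __name__ == "__main__":
    print(classify(sample_stream()))            # reorder-tolerant
    print(classify(sample_stream(), window=0))  # strict: every gap is loss
```

If "late" stays near zero while "lost_flows" keeps growing, the gaps are not being filled by delayed datagrams.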
