Hi Ras,

This looks totally strange to me. It seems to be some kind of template/data mismatch.
Have you more routers sending to the same collector?
What does the daemon syslog file say?
I have several v9 collectors running, collecting data from Cisco routers without a problem.

    - Peter

--On July 18, 2007 9:36:16 +0100 Ras <[EMAIL PROTECTED]> wrote:

| I've just started using nfdump to capture and analyse some traffic
| flows, and I'm seeing a few... strange lines of output when I nfdump.
|
| My Cisco config is:
| ip flow-export version 9
| int fa0/1
| ip flow ingress
|
| My nfcapd line is:
| ./nfcapd -p 64512 -l ../capture/64512/ -P ../var/run/64512.pid -D
|
|
| When I nfdump the capture files, I see numerous lines like the following:
| 57.044 4174393.760 VMTP 0.7.0.0:21123 ->
| 23.508 520097.792 146 0.0.0.1:33195 ->
| 41.300 3774869.504 HOP6 0.0.0.79:0 ->
| 38.214 1079619.153 CBT 0.0.0.0:59180
| 02.260 4294508.545 MFESP 0.161.0.0:4096
|
| etc
|
| The dates/times on some of these are less than plausible (next month)
| while others seem OK. The duration/protocol/src are invariably
| impossible.
|
| The problem is that these flows often look like this in totality:
| 2007-07-16 23:58:02.260 4294508.545 MFESP 0.161.0.0:4096 ->
| 0.0.0.0:0 1.3 G 2.3 G 1
|
| Which throws off visualisation of my real traffic somewhat, as we
| appear to have in the 100s of gigabits flowing over a 2M E1 line :)
|
| Has anyone seen the above before? Is there a workaround beyond
| manually filtering out 'impossible' source/destinations?
|
| Thanks,
| Ras
|
| _______________________________________________
| Nfdump-discuss mailing list
| Nfdump-discuss@lists.sourceforge.net
| https://lists.sourceforge.net/lists/listinfo/nfdump-discuss

--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
E-mail: [EMAIL PROTECTED] Web: http://www.switch.ch/
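
Added illustration, not part of the original thread and not nfdump code: a minimal NetFlow v9 record decoder showing how a template/data mismatch of the kind suspected in the reply turns a normal flow into an impossible one. The exporter names, template layouts and the sample record are constructed, and the exporter name stands in for the source IP plus Source ID pair that RFC 3954 uses to scope templates; this does not diagnose the reported case.

```python
import ipaddress
import struct

# NetFlow v9 field type numbers (RFC 3954)
NAMES = {1: "bytes", 4: "proto", 7: "sport", 8: "src", 11: "dport", 12: "dst"}

def make_template(tid, fields):
    """Template record: template ID, field count, then (type, length) pairs."""
    return struct.pack("!HH", tid, len(fields)) + b"".join(
        struct.pack("!HH", t, n) for t, n in fields)

def parse_template(body):
    tid, count = struct.unpack_from("!HH", body)
    return tid, [struct.unpack_from("!HH", body, 4 + 4 * i) for i in range(count)]

def decode_record(fields, data):
    """A data record has no field markers; the template alone gives it meaning."""
    out, off = {}, 0
    for ftype, flen in fields:
        raw, off = data[off:off + flen], off + flen
        is_addr = ftype in (8, 12)
        out[NAMES[ftype]] = str(ipaddress.IPv4Address(raw)) if is_addr else int.from_bytes(raw, "big")
    return out

def collect(events, scoped):
    """Replay (exporter, kind, payload) events through a template cache.
    scoped=False keys the cache by template ID alone; scoped=True keys it by
    (exporter, template ID). The exporter name stands in for source IP + Source ID."""
    cache, flows = {}, []
    for exporter, kind, payload in events:
        if kind == "template":
            tid, fields = parse_template(payload)
            cache[(exporter, tid) if scoped else tid] = fields
        else:
            tid, data = payload
            flows.append(decode_record(cache[(exporter, tid) if scoped else tid], data))
    return flows

# Constructed sample: two hypothetical exporters reuse template ID 256 with
# different field orders; only rtr-a sends a data record.
A_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4)]
B_FIELDS = [(1, 4), (4, 1), (7, 2), (11, 2), (8, 4), (12, 4)]
RECORD_A = (ipaddress.IPv4Address("192.0.2.10").packed
            + ipaddress.IPv4Address("198.51.100.20").packed
            + struct.pack("!HHBI", 51514, 443, 6, 1500))
EVENTS = [("rtr-a", "template", make_template(256, A_FIELDS)),
          ("rtr-b", "template", make_template(256, B_FIELDS)),
          ("rtr-a", "data", (256, RECORD_A))]

if __name__ == "__main__":
    print("ID-only cache:", collect(EVENTS, scoped=False)[0])
    print("scoped cache: ", collect(EVENTS, scoped=True)[0])
```

With the ID-only cache the 1500-byte HTTPS flow decodes as protocol 198 towards 0.0.5.220 with about 3.2 GB transferred, the same flavour of record as the lines quoted above; a quick sanity filter on a collector is to flag flows whose addresses fall in 0.0.0.0/8 or whose byte count exceeds what the link could carry in the flow's duration.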