All,

I have been using argus working with netflow v5 for a while, but I'm starting
to work with nfdump for the IPFIX support. So far it seems like a great
package!

I am having one difficulty though: the router ip is always 0.0.0.0. I have
been testing with 1.6.10 and 1.6.10p1 with the same result. I am collecting
from an ESXi server and a Cisco 2801.

As you can see, I'm also not getting timestamps from VMware due to their bug
that was discussed in another thread.

I am using "-T all" with nfcapd to ensure that all extensions are being used
(nfcapd output is below). While the output below shows me using the -l switch
with nfcapd, I did also try using the -n switch with the same result.

I have also verified that I am getting the router ip from argus on the Cisco
flow (it can't read the IPFIX from VMware).

# nfdump -r nfcapd.201309121943 -o "fmt:%eng %ra %in %ts %te %td %sa %da %pr %sap %dap %stos %dtos %opkt %obyt %ipkt %ibyt %flg" -A srcip,dstip,srcport,dstport,proto
engine Router IP Input Date first seen Date last seen Duration Src IP Addr Dst IP Addr Proto Src IP Addr:Port Dst IP Addr:Port STos DTos Out Pkt Out Byte In Pkt In Byte Flags
0/0 0.0.0.0 0 1970-01-01 00:00:00.000 1970-01-01 00:00:00.000 0.000 172.31.30.56 172.31.30.255 UDP 172.31.30.56:17500 172.31.30.255:17500 0 0 0 0 2 322 ......
0/0 0.0.0.0 0 2013-09-12 19:47:11.759 2013-09-12 19:47:15.947 4.188 172.31.30.41 172.31.31.1 TCP 172.31.30.41:33340 172.31.31.1:23 0 0 0 0 12 497 ......
0/0 0.0.0.0 0 2013-09-12 19:47:22.599 2013-09-12 19:47:25.607 3.008 172.31.32.10 172.31.30.163 ICMP 172.31.32.10:0 172.31.30.163:0.0 0 0 0 0 4 336 ......
0/0 0.0.0.0 0 2013-09-12 19:47:27.575 2013-09-12 19:47:27.575 0.000 172.31.31.254 224.0.0.9 UDP 172.31.31.254:520 224.0.0.9:520 0 0 0 0 1 92 ......
0/0 0.0.0.0 0 1970-01-01 00:00:00.000 1970-01-01 00:00:00.000 0.000 172.31.30.56 255.255.255.255 UDP 172.31.30.56:17500 255.255.255.255:17500 0 0 0 0 2 322 ......
Summary: total flows: 7, total bytes: 1569, total packets: 21, avg bps: 0, avg pps: 0, avg bpp: 74
Time window: Time Window unknown
Total flows processed: 7, Blocks skipped: 0, Bytes read: 764
Sys: 0.004s flows/second: 1750.0 Wall: 0.000s flows/second: 21943.6

# nfcapd -b 172.31.30.107 -p 9996 -l /home/risc/capture -T all
Add extension: 2 byte input/output interface index
Add extension: 4 byte input/output interface index
Add extension: 2 byte src/dst AS number
Add extension: 4 byte src/dst AS number
Add extension: dst tos, direction, src/dst mask
Add extension: IPv4 next hop
Add extension: IPv6 next hop
Add extension: IPv4 BGP next IP
Add extension: IPv6 BGP next IP
Add extension: src/dst vlan id
Add extension: 4 byte output packets
Add extension: 8 byte output packets
Add extension: 4 byte output bytes
Add extension: 8 byte output bytes
Add extension: 4 byte aggregated flows
Add extension: 8 byte aggregated flows
Add extension: in src/out dst mac address
Add extension: in dst/out src mac address
Add extension: MPLS Labels
Add extension: IPv4 router IP addr
Add extension: IPv6 router IP addr
Add extension: router ID
Add extension: BGP adjacent prev/next AS
Add extension: time packet received
Add extension: NSEL Common block
Add extension: NSEL xlate ports
Add extension: NSEL xlate IPv4 addr
Add extension: NSEL xlate IPv6 addr
Add extension: NSEL ACL ingress/egress acl ID
Add extension: NSEL username
Add extension: NSEL max username
Add extension: nprobe latency
Add extension: NEL Common block
Add extension: NEL xlate IPv4 addr
Add extension: NEL xlate IPv6 addr
Thanks for your consideration!
Joel Bergstein
_______________________________________________
Nfdump-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss