Hi All,

I've been using sfcapd with Extreme sFlow for a while now and it's been 
working well for us.  I'm now trying out IPFIX collecting with that same 
platform.  I am seeing issues with the date field wherein it's always 
listed as 1969-12-31 and the pps/bps fields are always showing 0.

We are running nfcapd with the "-w -t 60 -b <IP> -l PATH -D -T all" options.

A couple of data samples (IPs rewritten with private):


----
$ nfdump -r nfcapd.201309210046 -s dstip/bytes

Top 10 Dst IP Addr ordered by bytes:
Date first seen          Duration Proto       Dst IP Addr    Flows(%)    Packets(%)       Bytes(%)         pps      bps   bpp
1969-12-31 16:00:00.000     0.000 any     172.20.249.160      508( 0.8)    140293(10.3)  160.0 M(27.8)        0        0  1140
1969-12-31 16:00:00.000     0.000 any     172.20.247.245       16( 0.0)     53268( 3.9)   70.5 M(12.2)        0        0  1322
1969-12-31 16:00:00.000     0.000 any     172.20.252.202     1978( 3.3)     61364( 4.5)   49.7 M( 8.6)        0        0   809
1969-12-31 16:00:00.000     0.000 any      172.20.246.14      735( 1.2)     61092( 4.5)   31.7 M( 5.5)        0        0   518
1969-12-31 16:00:00.000     0.000 any     172.20.247.234       43( 0.1)     36818( 2.7)   16.5 M( 2.9)        0        0   447
1969-12-31 16:00:00.000     0.000 any     172.20.170.213       47( 0.1)     10418( 0.8)   14.5 M( 2.5)        0        0  1389
1969-12-31 16:00:00.000     0.000 any      172.20.50.215       57( 0.1)     51704( 3.8)   12.0 M( 2.1)        0        0   232
1969-12-31 16:00:00.000     0.000 any      172.20.50.118       75( 0.1)     47022( 3.5)   10.9 M( 1.9)        0        0   230
1969-12-31 16:00:00.000     0.000 any     172.20.246.139      454( 0.8)     19781( 1.5)    8.6 M( 1.5)        0        0   436
1969-12-31 16:00:00.000     0.000 any     172.20.180.209       15( 0.0)     35657( 2.6)    8.1 M( 1.4)        0        0   228

Summary: total flows: 60517, total bytes: 575.3 M, total packets: 1.4 M, avg bps: 0, avg pps: 0, avg bpp: 0
Time window: 2013-09-21 00:46:00 - 2013-09-21 00:47:00
Total flows processed: 60517, Blocks skipped: 0, Bytes read: 4599472
Sys: 0.013s flows/second: 4323569.3  Wall: 0.013s flows/second: 4536166.7
----



----
$ nfdump -r nfcapd.201309210046 -o long

Date first seen          Duration Proto      Src IP Addr:Port Dst IP Addr:Port   Flags Tos  Packets    Bytes Flows
1969-12-31 16:00:00.000     0.000 TCP      172.20.47.35:3588  -> 172.20.250.90:80    ......   0       13      676     1
1969-12-31 16:00:00.000     0.000 TCP     172.20.182.55:51718 -> 172.20.252.202:5310  ......   0        1       52     1
1969-12-31 16:00:00.000     0.000 TCP    172.20.181.171:2236  -> 172.20.245.21:80    ......   0        1       40     1

....

Summary: total flows: 60517, total bytes: 575.3 M, total packets: 1.4 M, avg bps: 0, avg pps: 0, avg bpp: 0
Time window: 2013-09-21 00:46:00 - 2013-09-21 00:47:00
Total flows processed: 60517, Blocks skipped: 0, Bytes read: 4599472
Sys: 0.711s flows/second: 85008.8    Wall: 1.414s flows/second: 42774.0
----


----
$ nfdump -r nfcapd.201309210046 -o raw

Flow Record:
   Flags        =              0x06 FLOW, Unsampled
   export sysid =                 1
   size         =                76
   first        =                 0 [1969-12-31 16:00:00]
   last         =                 0 [1969-12-31 16:00:00]
   msec_first   =                 0
   msec_last    =                 0
   src addr     =      172.20.47.35
   dst addr     =     172.20.250.90
   src port     =              3588
   dst port     =                80
   fwd status   =                89
   tcp flags    =              0x00 ......
   proto        =                 6 TCP
   (src)tos     =                 0
   (in)packets  =                13
   (in)bytes    =               676
   input        =              1042
   output       =              1042
   src mask     =                 0 /0
   dst mask     =                 0 /0
   dst tos      =                 0
   direction    =                 0
   ip router    =      172.20.255.3
   received at  =     1379749560000 [2013-09-21 00:46:00.000]


Flow Record:
   Flags        =              0x06 FLOW, Unsampled
   export sysid =                 1
   size         =                76
   first        =                 0 [1969-12-31 16:00:00]
   last         =                 0 [1969-12-31 16:00:00]
   msec_first   =                 0
   msec_last    =                 0
   src addr     =     172.20.182.55
   dst addr     =    172.20.252.202
   src port     =             51718
   dst port     =              5310
   fwd status   =                52
   tcp flags    =              0x00 ......
   proto        =                 6 TCP
   (src)tos     =                 0
   (in)packets  =                 1
   (in)bytes    =                52
   input        =              1042
   output       =              1042
   src mask     =                 0 /0
   dst mask     =                 0 /0
   dst tos      =                 0
   direction    =                 0
   ip router    =      172.20.255.3
   received at  =     1379749560003 [2013-09-21 00:46:00.003]
----



Using nfdump/nfcapd 1.6.10p1
exporter Extreme Networks Summit x480



I did see a similar posting with a reply but didn't see a solution:

http://sourceforge.net/mailarchive/forum.php?thread_name=4FE03FC5.1010702%40users.sourceforge.net&forum_name=nfsen-discuss


Thanks.

- Mike

_______________________________________________
Nfdump-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
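
An added example, not part of the original post and not nfdump code: a small Python parser for the `nfdump -o raw` layout shown above that counts, per exporter (`ip router`), the records whose `first` and `last` are both 0 even though `received at` is valid. The sample text is constructed; its second record and the exporter 192.0.2.7 are hypothetical, included only as a healthy contrast.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample in the `nfdump -o raw` layout from the post.
# The second record (exporter 192.0.2.7) is hypothetical.
SAMPLE = """\
Flow Record:
   Flags        =              0x06 FLOW, Unsampled
   first        =                 0 [1969-12-31 16:00:00]
   last         =                 0 [1969-12-31 16:00:00]
   (in)packets  =                13
   ip router    =      172.20.255.3
   received at  =     1379749560000 [2013-09-21 00:46:00.000]

Flow Record:
   first        =        1379749500 [2013-09-21 00:45:00]
   last         =        1379749530 [2013-09-21 00:45:30]
   (in)packets  =                 4
   ip router    =         192.0.2.7
   received at  =     1379749560003 [2013-09-21 00:46:00.003]
"""

FIELD = re.compile(r"^\s+(.+?)\s+=\s+(\S+)")  # "   name   =   value [extra]"

def parse_records(text):
    """Return one dict of field -> first value token per 'Flow Record:' block."""
    records, cur = [], None
    for line in text.splitlines():
        if line.startswith("Flow Record:"):
            cur = {}
            records.append(cur)
        elif cur is not None and (m := FIELD.match(line)):
            cur[m.group(1)] = m.group(2)
    return records

def zero_time_by_exporter(records):
    """Map exporter -> (records with first == last == 0, total records)."""
    bad, total = Counter(), Counter()
    for r in records:
        exporter = r.get("ip router", "unknown")
        total[exporter] += 1
        if int(r.get("first", "0")) == 0 and int(r.get("last", "0")) == 0:
            bad[exporter] += 1
    return {e: (bad[e], total[e]) for e in total}

def received_at_utc(record):
    """Collector receive time (milliseconds since epoch) as an aware UTC datetime."""
    return datetime.fromtimestamp(int(record["received at"]) / 1000, tz=timezone.utc)

if __name__ == "__main__":
    print(zero_time_by_exporter(parse_records(SAMPLE)))
```

Feeding it the full output of `nfdump -r <file> -o raw` shows whether every record from an exporter carries zero flow times or only some of them.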
