Hi,
I'm currently experimenting with shortened NF records exported from a
Cisco ASR1K with nfdump 1.6.11 as collector. Ingress flows are defined
by source MAC and destination IPv6 address (think IXP port).

flow record TEST-IPv6-DSTONLY
 match datalink mac source address input
 match routing forwarding-status
 match ipv6 destination address
 match interface input
 match interface output
 match flow direction
 collect counter bytes long
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last

Apparently nfcapd defaults to IPv4 addresses if there is no IPv6 source
address record in the flow record/template. I was able to fix this with
the following patch, additionally evaluating IPv6 source address for
protocol decision.
--- nfdump-1.6.11/bin/netflow_v9.c~ 2013-10-27 20:23:26.000000000 +0100
+++ nfdump-1.6.11/bin/netflow_v9.c 2013-12-28 22:40:16.886906406 +0100
@@ -751,14 +751,21 @@
} else if ( cache.lookup_info[NF9_IPV6_SRC_ADDR].found ) {
// IPv6 addresses
PushSequence( table, NF9_IPV6_SRC_ADDR, &offset, NULL);
PushSequence( table, NF9_IPV6_DST_ADDR, &offset, NULL);
// mark IPv6
SetFlag(table->flags, FLAG_IPV6_ADDR);
ipv6 = 1;
+ } else if ( cache.lookup_info[NF9_IPV6_DST_ADDR].found ) {
+ // IPv6 addresses
+ PushSequence( table, NF9_IPV6_SRC_ADDR, &offset, NULL);
+ PushSequence( table, NF9_IPV6_DST_ADDR, &offset, NULL);
+ // mark IPv6
+ SetFlag(table->flags, FLAG_IPV6_ADDR);
+ ipv6 = 1;
} else {
// should not happen, assume empty IPv4 addresses
PushSequence( table, NF9_IPV4_SRC_ADDR, &offset, NULL);
PushSequence( table, NF9_IPV4_DST_ADDR, &offset, NULL);
}
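Review bot: the added `else if ( cache.lookup_info[NF9_IPV6_DST_ADDR].found )` branch repeats the body of the NF9_IPV6_SRC_ADDR branch directly above it line for line; fold the test into that branch's condition instead, e.g. `} else if ( cache.lookup_info[NF9_IPV6_SRC_ADDR].found || cache.lookup_info[NF9_IPV6_DST_ADDR].found ) {`, so the two copies cannot drift apart. The "// IPv6 addresses" comment in the new branch should also state that the template may carry no source address and that NF9_IPV6_SRC_ADDR is then pushed as an empty field, the way the fallback branch's comment does for the IPv4 case.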
Best regards,
Klaus
_______________________________________________
Nfdump-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss