Many thanks Klaus! - I'll put that into the next release.
Many thanks and regards
- Peter
On 3/1/14 9:48 PM, Klaus Kastens wrote:
> Hi,
>
> I'm currently experimenting with shortened NF records exported from a
> Cisco ASR1K with nfdump 1.6.11 as collector. Ingress flows are defined
> by source MAC and destination IPv6 address (think IXP port).
>
> flow record TEST-IPv6-DSTONLY
> match datalink mac source address input
> match routing forwarding-status
> match ipv6 destination address
> match interface input
> match interface output
> match flow direction
> collect counter bytes long
> collect timestamp sys-uptime first
> collect timestamp sys-uptime last
>
> Apparently nfcapd defaults to IPv4 addresses if there is no IPv6 source
> address record in the flow record/template. I was able to fix this with
> the following patch, additionally evaluating IPv6 source address for
> protocol decision.
>
> --- nfdump-1.6.11/bin/netflow_v9.c~ 2013-10-27 20:23:26.000000000 +0100
> +++ nfdump-1.6.11/bin/netflow_v9.c 2013-12-28 22:40:16.886906406 +0100
> @@ -751,14 +751,21 @@
> } else if ( cache.lookup_info[NF9_IPV6_SRC_ADDR].found ) {
> // IPv6 addresses
> PushSequence( table, NF9_IPV6_SRC_ADDR, &offset, NULL);
> PushSequence( table, NF9_IPV6_DST_ADDR, &offset, NULL);
> // mark IPv6
> SetFlag(table->flags, FLAG_IPV6_ADDR);
> ipv6 = 1;
> + } else if ( cache.lookup_info[NF9_IPV6_DST_ADDR].found ) {
> + // IPv6 addresses
> + PushSequence( table, NF9_IPV6_SRC_ADDR, &offset, NULL);
> + PushSequence( table, NF9_IPV6_DST_ADDR, &offset, NULL);
> + // mark IPv6
> + SetFlag(table->flags, FLAG_IPV6_ADDR);
> + ipv6 = 1;
> } else {
> // should not happen, assume empty IPv4 addresses
> PushSequence( table, NF9_IPV4_SRC_ADDR, &offset, NULL);
> PushSequence( table, NF9_IPV4_DST_ADDR, &offset, NULL);
> }
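Review bot: The added `else if ( cache.lookup_info[NF9_IPV6_DST_ADDR].found )` branch repeats the body of the `NF9_IPV6_SRC_ADDR` branch directly above it line for line. Folding the test into that branch as `cache.lookup_info[NF9_IPV6_SRC_ADDR].found || cache.lookup_info[NF9_IPV6_DST_ADDR].found` marks the table `FLAG_IPV6_ADDR` in both cases without a second copy to keep in sync. The `// IPv6 addresses` comment in the new branch would also be more useful if it said that only the destination address is present in the template here, so a reader sees that the `PushSequence` for `NF9_IPV6_SRC_ADDR` is intentional, in the same way the final `else` notes that it assumes empty IPv4 addresses.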
>
>
> Best regards,
> Klaus
>
> _______________________________________________
> Nfdump-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
>
--
Be nice to your netflow data. Use NfSen and nfdump :)