Hi Aleksandar,
What nfdump version are you using? Could you probably send me - off list of
course - a pcap dump of the collector for a couple of minutes?
Thanks
- Peter
On 10/09/14 16:14, Aleksandar Ciric wrote:
> Hello everyone,
>
> I am having a bit of a problem with collecting flow from Cisco CGSE module in
> CRS-3. It's just a test but I would be very grateful for any help provided,
> be it from developers or guys and gals who use nfdump with Cisco CGN stuff. I
> have nfdump
> compiled with following options:
> ./configure --enable-nfprofile --enable-nftrack --enable-sflow --enable-nel
> --enable-nsel
>
> I run CGSE NAT44 setup with "bulk-port-alloc size 256", which seems to be the
> most sensible option in order to limit size of netflow log. I enclosed config
> for reference, the most basic setting possible.
>
> service cgn test
> service-location preferred-active 0/3/CPU0
> service-type nat44 nat1
> portlimit 1024
> inside-vrf sbb-cgse-test
> map address-pool x.x.x.x/x
> external-logging netflow version 9
> server
> address y.y.y.y port 10000
> bulk-port-alloc 256
>
> When I run the collector with output to stdout, I receive fairly useful data,
> where I can identify what the NAT creation and deletion is by looking at
> "pblock start/end". However, when the data gets written to a file, I seem to
> lose the pblock data, which makes it unusable to me.
>
> Apparently part of the problem with missing data is the fact that CGSE does
> not send data that defines the NAT event (check the template format below for
> CGSE); however, it's strange that the -E output does not get written to files
> identically as it is.
> NetFlow Record Format:
> http://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r4-3/cg_nat/configuration/guide/cgnat_cg43crs/cgnat51log.html#wp1085003
>
> For example, I see no date/time for the flow records, besides "received at"
> (so-so, but ok), and the nat event also comes blank (apparently not defined in
> the template, see link above).
>
> nfcapd -E -T all -w -B 200000 -l /root/netflow-test/ -p 10000
> Flow Record:
> Flags = 0x06 FLOW, Unsampled
> export sysid = 1
> size = 100
> first = 0 [1970-01-01 01:00:00]
> last = 0 [1970-01-01 01:00:00]
> msec_first = 0
> msec_last = 0
> src addr = 10.0.0.11
> dst addr = 0.0.0.0
> src port = 0
> dst port = 0
> fwd status = 0
> tcp flags = 0x00 ......
> proto = 0 0
> (src)tos = 0
> (in)packets = 0
> (in)bytes = 0
> ip router = z.z.z.z
> engine type = 209
> engine ID = 51
> received at = 1410355577961 [2014-09-10 15:26:17.961]
> src xlt ip = a.a.a.a
> dst xlt ip = 0.0.0.0
> nat event = 0: INVALID
> ingress VRF = 1610612738
> egress VRF = 1610612736
> pblock start = 13824
> pblock end = 14079
> pblock step = 0
> pblock size = 0
>
> Flow Record:
> Flags = 0x06 FLOW, Unsampled
> export sysid = 1
> size = 92
> first = 0 [1970-01-01 01:00:00]
> last = 0 [1970-01-01 01:00:00]
> msec_first = 0
> msec_last = 0
> src addr = 10.0.0.11
> dst addr = 0.0.0.0
> src port = 0
> dst port = 0
> fwd status = 0
> tcp flags = 0x00 ......
> proto = 0 0
> (src)tos = 0
> (in)packets = 0
> (in)bytes = 0
> ip router = z.z.z.z
> engine type = 209
> engine ID = 51
> received at = 1410355781961 [2014-09-10 15:29:41.961]
> nat event = 0: INVALID
> ingress VRF = 1610612738
> egress VRF = 0
> pblock start = 13824
> pblock end = 0
> pblock step = 0
> pblock size = 0
>
> -------------------
>
> When written to file it looks like this:
>
> Flow Record:
> Flags = 0x06 FLOW, Unsampled
> export sysid = 1
> size = 100
> first = 0 [1970-01-01 01:00:00]
> last = 0 [1970-01-01 01:00:00]
> msec_first = 0
> msec_last = 0
> src addr = 10.0.0.11
> dst addr = 0.0.0.0
> src port = 0
> dst port = 0
> fwd status = 0
> tcp flags = 0x00 ......
> proto = 0 0
> (src)tos = 0
> (in)packets = 0
> (in)bytes = 0
> ip router = z.z.z.z
> engine type = 209
> engine ID = 51
> received at = 1410355577961 [2014-09-10 15:26:17.961]
> src xlt ip = a.a.a.a
> dst xlt ip = 0.0.0.0
> nat event = 0: INVALID
> ingress VRF = 1610612738
> egress VRF = 1610612736
> pblock start = 13824
> pblock end = 14079
> pblock step = 0
> pblock size = 0
>
> Flow Record:
> Flags = 0x06 FLOW, Unsampled
> export sysid = 1
> size = 92
> first = 0 [1970-01-01 01:00:00]
> last = 0 [1970-01-01 01:00:00]
> msec_first = 0
> msec_last = 0
> src addr = 10.0.0.11
> dst addr = 0.0.0.0
> src port = 0
> dst port = 0
> fwd status = 0
> tcp flags = 0x00 ......
> proto = 0 0
> (src)tos = 0
> (in)packets = 0
> (in)bytes = 0
> ip router = z.z.z.z
> engine type = 209
> engine ID = 51
> received at = 1410355781961 [2014-09-10 15:29:41.961]
> nat event = 0: INVALID
> ingress VRF = 1610612738
> egress VRF = 0
>
>
> _______________________________________________
> Nfdump-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
>
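A small parser, added here as an illustration and not taken from the thread or from nfdump itself, that reads records in the `-E` text layout quoted above and infers port-block allocation versus release from the pblock fields, since the CGSE template leaves `nat event` as `0: INVALID`. It also checks each allocated block against the `bulk-port-alloc size 256` setting, which is the subscriber-attribution use CGN logging exists for. The sample text is constructed from the values in the post; the translated address is a documentation-range placeholder.

```python
import re
# Constructed sample in the layout of the nfcapd -E output quoted in the thread
# (the translated address is a documentation-range placeholder, not from the page)
SAMPLE = """\
Flow Record:
  src addr = 10.0.0.11
  received at = 1410355577961 [2014-09-10 15:26:17.961]
  src xlt ip = 198.51.100.7
  nat event = 0: INVALID
  pblock start = 13824
  pblock end = 14079
Flow Record:
  src addr = 10.0.0.11
  received at = 1410355781961 [2014-09-10 15:29:41.961]
  nat event = 0: INVALID
  pblock start = 13824
  pblock end = 0
"""

BULK_PORT_ALLOC = 256  # "bulk-port-alloc size 256" configured on the CGSE
FIELD = re.compile(r"^\s*([^=]+?)\s*=\s*(.*?)\s*$")

def parse_records(text):
    """Split -E text output into one dict per 'Flow Record:' block."""
    records, cur = [], None
    for line in text.splitlines():
        if line.startswith("Flow Record:"):
            records.append(cur := {})
        elif cur is not None:
            if m := FIELD.match(line):
                cur[m.group(1)] = m.group(2)
    return records

def classify(rec):
    """Infer the event the exporter leaves as 'nat event = 0: INVALID': an
    allocation carries the xlt IP and a full port block, a release has
    pblock end = 0 and no xlt IP; records lacking pblock fields are unknown."""
    start, end = int(rec.get("pblock start", 0)), int(rec.get("pblock end", 0))
    if start and end and "src xlt ip" in rec:
        return "alloc" if end - start + 1 == BULK_PORT_ALLOC else "alloc-badsize"
    if start and not end and "src xlt ip" not in rec:
        return "release"
    return "unknown"

def port_block_log(text):
    """(inside ip, event, xlt ip, pblock start, received ms) per record."""
    return [(r["src addr"], classify(r), r.get("src xlt ip"),
             int(r.get("pblock start", 0)), int(r["received at"].split()[0]))
            for r in parse_records(text)]
```

Records read back from the nfcapd file that lack the pblock fields classify as `unknown`, which makes the data loss the post describes visible in the attribution log.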