Hello everyone,

I have this problem - I am exporting netflow v9 from a Cisco router running
IOS-XR and I managed to get it to also export source/destination AS numbers,
but they are not saved by nfcapd. I attached a screenshot showing the
decoded netflow packet showing the exported AS fields.

Here's what the same information looks like when requested from nfsen:

** nfdump -M /data/nfsen/profiles/live/7606_lab_1  -T  -r nfcapd.201006291215 -o 'fmt:fmt:%ts %td %pr %sap -> %dap %pkt %byt %bps %pps %in %out %sas %das %fl' -c 20
nfdump filter:
src ip 202.57.45.123
    Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes      bps      pps  Input Output Src AS Dst AS Flows
fmt:2010-06-29 12:14:08.618   268.419 UDP      202.57.45.123:55122 ->     109.99.158.2:11297       74    84042     2504      0     17     16      0      0     1
fmt:2010-06-29 12:18:57.436     0.506 UDP      202.57.45.123:55122 ->     109.99.158.2:11297        2     1514    23936      3     17     16      0      0     1
Summary: total flows: 2, total bytes: 85556, total packets: 76, avg bps: 2365, avg pps: 0, avg bpp: 1125
Time window: 2010-06-29 12:08:43 - 2010-06-29 12:19:43
Total flows processed: 122, Records skipped: 0, Bytes read: 6356
Sys: 0.000s flows/second: 122122.1   Wall: 0.000s flows/second: 552036.2

You can see that the Src AS and Dst AS fields are "0" (in this case, dst AS
should be 0 because it's the local AS, but src AS should be as listed in the
packet).

What can I do to further troubleshoot this issue? I kind of remember I could
start the collector in some sort of debug mode, but I don't remember the
specifics...
I am running nfsen 1.3 and nfdump 1.5.7 (rather old, I know, but they served
me well).

Looking forward to suggestions,
Thanks,
Adrian

<<attachment: 2010-06-29_12-38-18_452x625.png>>
