I've just installed NFSen 1.3.2 on FreeBSD 7.2 and it's collecting from two
7600s, one running 12.2(33)SRC4 and one running 12.2(33)SRE. All IP interfaces are
configured with ip flow ingress.
Router config looks like so:
! pe01.151front01
mls netflow usage notify 90 120
mls flow ip interface-full
ip flow-export source Loopback0
ip flow-export version 9 origin-as
ip flow-aggregation cache as
 export version 9
 export destination 10.10.10.116 10002
ip flow-aggregation cache protocol-port
 export version 9
 export destination 10.10.10.116 10002
 enabled
ip flow-aggregation cache prefix
 export version 9
 export destination 10.10.10.116 10002
 enabled
!
! pe01.77mowat01
mls netflow usage notify 90 120
mls flow ip interface-full
ip flow-export source Loopback0
ip flow-export version 9 origin-as
ip flow-aggregation cache as
 export version 9
 export destination 10.10.10.116 10001
ip flow-aggregation cache protocol-port
 export version 9
 export destination 10.10.10.116 10001
 enabled
ip flow-aggregation cache prefix
 export version 9
 export destination 10.10.10.116 10001
 enabled
!
NFSen config looks like so:
#nfsen.conf
%sources = (
    'pe01-77mowat01'  => { 'port' => '10001', 'col' => '#FFA200' },
    'pe01-151front01' => { 'port' => '10002', 'col' => '#FF0000' },
);
I run a quick and dirty query on some random timeslot and I get some really
funky output. Dates are way earlier than when I started collecting data (turned
this up yesterday) and the IPs make no sense at all.
** nfdump -M /usr/local/var/nfsen/profiles-data/live/pe01-151front01:pe01-77mowat01 -T -r 2011/03/07/nfcapd.201103071435 -n 10 -s ip/bps
nfdump filter:
any
Top 10 IP Addr ordered by bps:
Date first seen         Duration Proto         IP Addr  Flows(%)    Packets(%)      Bytes(%)      pps      bps  bpp
2011-01-25 01:59:27.721    0.039 any          0.28.0.0   1( 0.0)   1.1 G( 0.9)   7.1 M( 0.0)    3.0 G    1.5 G    0
2011-01-25 01:59:27.345    0.039 any     32.32.213.217   1( 0.0)   1.1 G( 0.9)   7.1 M( 0.0)    3.0 G    1.5 G    0
2011-01-25 01:59:27.389    0.443 any          0.27.0.0   4( 0.0)   4.8 G( 3.7)  55.2 M( 0.0)    2.3 G  997.7 M    0
2011-01-25 01:59:27.189    0.063 any     32.22.213.217   1( 0.0)   1.2 G( 0.9)   6.2 M( 0.0)    2.3 G  790.6 M    0
2011-01-25 01:59:27.389    0.063 any         32.24.0.0   2( 0.0)   1.8 G( 1.3)   3.4 M( 0.0)    2.0 G  432.7 M    0
2011-01-25 01:59:27.389    0.836 any          0.29.0.0   5( 0.0)   5.8 G( 4.4)  34.3 M( 0.0)    2.6 G  328.6 M    0
2011-03-07 14:36:41.996    0.004 any     189.234.128.0  12( 0.0)     165( 0.0)  116073( 0.0)    41249  232.1 M  703
2011-01-25 01:59:27.389    0.063 any         32.16.0.0   1( 0.0)   3.3 G( 2.5)   1.7 M( 0.0)  353.5 M  216.4 M    0
2011-01-25 01:59:27.721    0.063 any         32.20.0.0   1( 0.0) 412.1 M( 0.3)   1.7 M( 0.0)    2.2 G  216.4 M    0
2011-01-25 01:59:27.389    0.063 any         32.18.0.0   1( 0.0)   3.6 G( 2.7)   1.7 M( 0.0)    1.1 G  216.4 M    0
Summary: total flows: 4811999, total bytes: 115.6 G, total packets: 130.8 G, avg bps: 117274, avg pps: 16588, avg bpp: 0
Time window: 2010-12-06 08:56:40 - 2011-03-07 14:39:59
Total flows processed: 4811999, Blocks skipped: 0, Bytes read: 228753400
Sys: 3.745s flows/second: 1284740.7 Wall: 9.169s flows/second: 524788.6
Sorry for the "anyone know what might be going on?" post, but I really don't
know where to even begin to troubleshoot this. Not sure if it's an IOS thing
or an nfcap|nfdump thing.
Can anyone point me in a direction of where to look?
_______________________________________________
Nfsen-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
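
Added example (not part of the original post, and not NFSen or nfdump code): a Python sanity check for top-N rows like the ones in the post, flagging records whose first-seen time lies outside the slot named by the nfcapd file and records that report fewer bytes than packets, which real traffic cannot produce. The 5-minute rotation slot, the 1-hour slack for long-lived flows, the K/M/G/T suffix set and the function name check_rows are assumptions; the sample rows are constructed by re-joining three wrapped records from the post.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: three rows of the output above, each re-joined onto one line.
SAMPLE = """\
2011-01-25 01:59:27.721 0.039 any 0.28.0.0 1( 0.0) 1.1 G( 0.9) 7.1 M( 0.0) 3.0 G 1.5 G 0
2011-03-07 14:36:41.996 0.004 any 189.234.128.0 12( 0.0) 165( 0.0) 116073( 0.0) 41249 232.1 M 703
2011-01-25 01:59:27.389 0.443 any 0.27.0.0 4( 0.0) 4.8 G( 3.7) 55.2 M( 0.0) 2.3 G 997.7 M 0
"""

NUM = r"([\d.]+)(?: ([KMGT]))?"      # value plus optional scale suffix (assumed set)
PCT = r"\(\s*[\d.]+\)"               # the "( 0.9)" share column, ignored here
ROW = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+[\d.]+\s+\S+\s+(\S+)\s+"
    + NUM + PCT + r"\s+" + NUM + PCT + r"\s+" + NUM + PCT)
SCALE = {None: 1, "K": 1e3, "M": 1e6, "G": 1e9, "T": 1e12}


def check_rows(text, capture_file, slot=timedelta(minutes=5),
               slack=timedelta(hours=1)):
    """Return [(ip, [reasons])] for rows that cannot be genuine flow data."""
    # nfcapd.YYYYMMDDhhmm names the start of the rotation interval.
    start = datetime.strptime(capture_file.rsplit(".", 1)[1], "%Y%m%d%H%M")
    findings = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue                 # header, summary or blank line
        first_seen = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        packets = float(m.group(5)) * SCALE[m.group(6)]
        octets = float(m.group(7)) * SCALE[m.group(8)]
        reasons = []
        # A flow may begin before the slot, but not months before it.
        if not (start - slack <= first_seen <= start + slot):
            reasons.append("first seen outside capture slot")
        # Every IP packet carries at least its header, so bytes >= packets.
        if octets < packets:
            reasons.append("fewer bytes than packets")
        if reasons:
            findings.append((m.group(2), reasons))
    return findings


if __name__ == "__main__":
    for ip, reasons in check_rows(SAMPLE, "nfcapd.201103071435"):
        print(ip, "->", "; ".join(reasons))
```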