Hi Tiago,
Make sure you collect the router IP address. Verify if your capture
contains the IP addresses, which is not enabled by default.
Make sure in nfsen.conf you have set
$EXTENSIONS = "+13"
This corresponds to the man page in nfcapd. See nfsen-dist.conf.
To verify if the IP addresses are included, list the flows in raw format:
nfdump -o raw -r .....
If you don't see the router IP, it was not collected.
- Peter
On 3/7/12 15:47, Tiago Flôres wrote:
> I've upgraded to nfdump 1.6.1 and the syntax works fine, but without
> any result setting the "router ip" syntax with any router ip that I
> have.
>
> Except, for example, if I ran "router ip 0.0.0.0"; in this case I got results, like:
>
> ** nfdump -M /usr/local/nfsen/profiles-data/live/ROUTER -T -r 2012/03/07/nfcapd.201203071110 -o long -c 20
> nfdump filter:
> router ip 0.0.0.0
> Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Flags Tos Packets Bytes Flows
> 2012-03-07 11:39:52.980 0.000 TCP 172.20.31.42:62165 -> 172.20.110.31:445 .A.... 0 1 52 1
> 2012-03-07 11:39:53.116 0.000 TCP 172.20.110.146:1189 -> 172.20.254.131:443 .A.... 0 1 40 1
> 2012-03-07 11:39:53.432 0.000 UDP 172.20.110.34:138 -> 172.20.110.255:138 .A.... 0 1 233 1
> 2012-03-07 11:39:53.432 0.000 UDP 172.20.110.34:138 -> 172.20.110.255:138 .A.... 0 1 233 1
> 2012-03-07 11:39:54.636 12.064 TCP 10.10.7.24:1534 -> 10.10.3.5:12062 .AP.SF 104 6 351 1
> 2012-03-07 11:39:54.704 11.996 TCP 10.10.3.5:12062 -> 10.10.7.24:1534 .A..SF 104 5 268 1
> 2012-03-07 11:39:48.836 4.704 TCP 172.20.110.31:62975 -> 172.20.254.111:5723 .AP... 0 4 1800 1
> 2012-03-07 11:39:49.088 4.256 TCP 172.20.254.111:5723 -> 172.20.110.31:62975 .AP... 0 3 320 1
>
>
> But if I ran the syntax "router ip <any_exporter_router_ip>", I got NO
> results:
>
> Mar 7 11:12:53 localhost nfcapd[23497]: Process_v5: New exporter: engine id 0, type 0, IP: 172.20.110.1, Sampling Mode: 0, Sampling Interval: 1
>
> Ex.
>
> ** nfdump -M /usr/local/nfsen/profiles-data/live/ROUTER -T -r 2012/03/07/nfcapd.201203071110 -o long -c 20
> nfdump filter:
> router ip 172.20.110.1
> Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Flags Tos Packets Bytes Flows
> Summary: total flows: 0, total bytes: 0, total packets: 0, avg bps: 0, avg pps: 0, avg bpp: 0
> Time window: 2038-01-19 01:14:07 - 1969-12-31 21:00:00
> Total flows processed: 156224, Blocks skipped: 0, Bytes read: 8123760
> Sys: 0.046s flows/second: 3324480.8 Wall: 0.040s flows/second: 3843148.8
>
>
> Why can't I match the syntax with any exporter router? Any suspect?
>
>
> Cheers
>
>
> Tiago
>
>
> 2012/3/7 Adrian Popa:
>> I'm using
>>
>> [root@hail ~]# nfdump -V
>> nfdump: Version: 1.6.1 $LastChangedDate: 2010-03-05 07:50:35 +0100 (Fri, 05 Mar 2010) $
>>
>>
>>
>> On Wed, Mar 7, 2012 at 2:09 PM, Tiago Flôres wrote:
>>>
>>> Adrian,
>>>
>>> Please tell me which version of nfdump and nfsen are you referring to?
>>>
>>> Unfortunately, because of an incompatibility between latest nfsen/nfdump
>>> and latest rrdtool 1.4.x (in RHEL 5), I have to use nfsen 1.3.2 with
>>> nfdump 1.5.8 and older rrdtool 1.2.x :(
>>>
>>> I got "Filter error: line 1: syntax error at 'router'!", with simple
>>> syntax "router ip 172.0.0.1"
>>>
>>> This feature should have been implemented in newer versions. I'll
>>> think about another way to work around.
>>>
>>> Thank you anyway!
>>>
>>> Tiago
>>>
>>>
>>>
>>> 2012/3/7 Adrian Popa:
>>>> Sure it is.
>>>>
>>>> man nfdump:
>>>>
>>>> Router IP
>>>> router ip <ipaddr>
>>>> Filter the flows according the IP address of the exporting
>>>> router.
>>>>
>>>> Also, you can export to different ports and have multiple entries in
>>>> nfsen (each router exports to a different UDP port) and you won't need
>>>> filtering by router ip.
>>>>
>>>> On Wed, Mar 7, 2012 at 1:20 PM, Tiago Flôres wrote:
>>>>>
>>>>> I am not aware of this "router ip" syntax. This is very useful expr
>>>>> but it doesn't exist in the manuals?!?!
>>>>>
>>>>> Thanks all of you for the answers!
>>>>>
>>>>> Cheers
>>>>>
>>>>> Tiago
>>>>>
>>>>>
>>>>> 2012/3/7 Adrian Popa:
>>>>>> Also, you can edit your filters to take into account the exporter
>>>>>> router ip and input/output interface indexes when you count traffic
>>>>>> for a prefix. Something like
>>>>>>
>>>>>> router ip ip_of_router1 and in if snmp_index_of_input_interface and src ip 1.2.3.4 and dst net 5.6.7.0/24
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Tue, Mar 6, 2012 at 7:23 PM, Tiago Flôres wrote:
>>>>>>>
>>>>>>> Dear colleagues
>>>>>>>
>>>>>>> I have eight routers exporting flow to one source (I am not sure if
>>>>>>> it is the best scenario), or should I have each router exporting
>>>>>>> flow to its own source (router1 -> source1, router2 -> source2, ...)?
>>>>>>> One of these routers is an MPLS concentrator and the other seven are
>>>>>>> peers, like clients. The concentrator is where the servers are
>>>>>>> installed. The network traffic is mostly destined to the main site
>>>>>>> (router1), which has 34Mbps MPLS bandwidth.
>>>>>>>
>>>>>>> I am using DST NET and SRC NET to classify the traffic for download
>>>>>>> and upload directions. The thing is, I've been getting discrepancies
>>>>>>> in traffic graphs. The main site, where I have 34Mbps 'physically
>>>>>>> limited', is showing me up to 90 Mbps in nfsen graphs.
>>>>>>>
>>>>>>> Remember that I have eight routers exporting to one source. In this
>>>>>>> amount of flows I am trying to analyze and identify the traffic which
>>>>>>> goes to router1, but the traffic graphed is much more than the
>>>>>>> interface is able to support.
>>>>>>>
>>>>>>> Are the flows from all interfaces of all routers? LAN and WAN?
>>>>>>>
>>>>>>> By default, does nfsen aggregate identical network traffic? Or could
>>>>>>> it be that the flows are not being aggregated?
>>>>>>>
>>>>>>> I am guessing around .... the same traffic which ingresses in router1
>>>>>>> WAN is arriving in router1 LAN interface, what about it?
>>>>>>>
>>>>>>> Thanks in advance for any explanations
>>>>>>>
>>>>>>>
>>>>>>> Hugs
>>>>>>>
>>>>>>> Tiago
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Nfsen-discuss mailing list
>>>>>>> [email protected]
>>>>>>> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
--
Be nice to your netflow data
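
The check from the reply at the top of this message, as an added example that is not part of the original thread or of nfdump: a shell function that reads `nfdump -o raw` text and reports whether any record carries an exporter address. The `Flow Record:` / `ip router =` line layout and the sample records are assumptions constructed for illustration; compare them with your own raw output.

```shell
#!/bin/sh
# Added example. Assumed raw layout: each record starts with "Flow Record:"
# and, when the exporter address was stored, has a line "  ip router = <addr>".

# Reads `nfdump -o raw` text on stdin, prints "<records> <exporter>" lines
# ("none" = record without a router line). Returns 0 only if at least one
# record carries a non-zero exporter address.
exporter_summary() {
    _rc=0
    _out=$(awk '
        function tally() { if (seen) count[(router == "" ? "none" : router)]++ }
        /^Flow Record:/           { tally(); seen = 1; router = ""; next }
        /^[ \t]*ip router[ \t]*=/ { if (seen) router = $NF }
        END {
            tally()
            for (r in count) {
                print count[r], r
                if (r != "none" && r != "0.0.0.0") usable = 1
            }
            exit (usable ? 0 : 1)
        }') || _rc=$?
    if [ -n "$_out" ]; then printf '%s\n' "$_out" | sort -k2; fi
    return "$_rc"
}

# Constructed sample (not real capture data): two records with the exporter
# address stored, one record without it.
SAMPLE_RAW='Flow Record:
  srcaddr      =      172.20.31.42
  dstaddr      =     172.20.110.31
  ip router    =      172.20.110.1
Flow Record:
  srcaddr      =    172.20.110.146
  dstaddr      =    172.20.254.131
  ip router    =      172.20.110.1
Flow Record:
  srcaddr      =        10.10.7.24
  dstaddr      =         10.10.3.5'

if printf '%s\n' "$SAMPLE_RAW" | exporter_summary; then
    echo "exporter address stored: a 'router ip <addr>' filter can match"
else
    echo "no exporter address stored: check \$EXTENSIONS in nfsen.conf"
fi
```

Against a real capture, pipe the raw listing into the function instead of the sample, for example `nfdump -o raw -r <file> | exporter_summary`.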