Hi Alexandro,
nfdump-1.6.6 should do fine with IPFIX. So far all users confirmed correct
IPFIX decoding.
I will check your file to see, what's wrong. As I'm out of the office, it may
take a week or so.
- Peter
On 6/19/12 4:34, Alexandro Marcelo Zacaron wrote:
> Hello,
>
> I noticed that there has been an issue for the list ...
> http://sourceforge.net/mailarchive/forum.php?thread_name=4F100259.9090308%40users.sourceforge.net&forum_name=nfsen-discuss
>
>
> I wonder that there is already a version running with support IPFIX?
>
> If not, I could help by sending some packet captures or assisting in any way.
>
>
> We are collecting the ipfix flow from a extreme summit X460-24t. I am
> sending to you the attached file with the packet captured from the
> collector machine. As you can see in this file the packets have the
> correct timestamp etc, but when we use the nfdump the information is
> wrong.
>
> NfSen read the flow IPFIX, but the flow have same date for any periods
> and some fields are wrong , as follows:
>
> (FILTER BY Any IP Address) Top 10 IP Addr ordered by flows:
> Date first seen Duration Proto
> IP Addr Flows(%) Packets(%) Bytes(%) pps
> bps bpp
> 1969-12-31 21:00:00.000 0.000 any
> 0.0.0.0 60(57.7) 0(-nan) 0(-nan) 0
> 0 0
> 1969-12-31 21:00:00.000 0.000 any
> 239.255.255.250 12(11.5) 0(-nan) 0(-nan) 0
> 0 0
> 1969-12-31 21:00:00.000 0.000 any
> 172.30.255.255 10( 9.6) 0(-nan) 0(-nan) 0
> 0 0
> 1969-12-31 21:00:00.000 0.000 any
> 224.0.0.252 4( 3.8) 0(-nan) 0(-nan) 0
> 0 0
> 1969-12-31 21:00:00.000 0.000 any
> ff02::1:2 4( 3.8) 0(-nan) 0(-nan) 0
> 0 0
> 1969-12-31 21:00:00.000 0.000 any
> 172.30.2.118 4( 3.8) 0(-nan) 0(-nan) 0
> 0 0
> 1969-12-31 21:00:00.000 0.000 any
> 224.0.0.1 3( 2.9) 0(-nan) 0(-nan) 0
> 0 0
> 1969-12-31 21:00:00.000 0.000 any
> 224.0.1.22 3( 2.9) 0(-nan) 0(-nan) 0
> 0 0
> 1969-12-31 21:00:00.000 0.000 any
> 239.255.255.253 3( 2.9) 0(-nan) 0(-nan) 0
> 0 0
> 1969-12-31 21:00:00.000 0.000 any
> 172.30.2.132 3( 2.9) 0(-nan) 0(-nan) 0
> 0 0
>
>
> (FILTER BY Flow Records) Top 10 flows ordered by flows:
> Date flow start Duration Proto
> Src IP Addr:Port Dst IP Addr:Port
> Packets Bytes Flows
> 1969-12-31 21:00:00.000 0.000 0
> 0.0.0.0:0 -> 0.0.0.0:0
> 0 0 60
> 1969-12-31 21:00:00.000 0.000 IGMP
> 172.30.2.4:0 -> 239.255.255.250:0
> 0 0 2
> 1969-12-31 21:00:00.000 0.000 IGMP
> 172.30.1.207:0 -> 224.0.1.22:0
> 0 0 1
> 1969-12-31 21:00:00.000 0.000 IGMP
> 172.30.1.11:0 -> 239.255.255.253:0
> 0 0 1
> 1969-12-31 21:00:00.000 0.000 UDP
> 172.30.1.149:138 -> 172.30.255.255:138
> 0 0 1
> 1969-12-31 21:00:00.000 0.000 UDP
> 10.90.75.101:138 -> 10.90.75.255:138
> 0 0 1
> 1969-12-31 21:00:00.000 0.000 UDP
> 172.30.1.2:138 -> 172.30.255.255:138
> 0 0 1
> 1969-12-31 21:00:00.000 0.000 0
> fe80::3ca2:4949:6991:e643.546 ->
> ff02::1:2.547 0 0 1
> 1969-12-31 21:00:00.000 0.000 UDP
> 172.30.1.21:138 -> 172.30.255.255:138
> 0 0 1
> 1969-12-31 21:00:00.000 0.000 UDP
> 172.30.2.140:59235 -> 239.255.255.250:1900
> 0 0 1
>
>
> NFDUMP version 1.6.6
> NfSen version 1.3.6p1
>
>
> Best regards
>
> --
> Alexandro Marcelo Zacaron
> +55 45 9942 8561
>
>
>
> This body part will be downloaded on demand.
>
>
>
> This body part will be downloaded on demand.
--
--
Be nice to your netflow data
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
