Hi Jens,
So let me explain a few internals:
With the introduction of Cisco Flexible Netflow - FNF, a device can
have multiple exporter definitions in its configuration. Traditionally
- for v5 for example - one device one exporter. For FNF you can define
multiple exporters with different configurations depending on your needs.
Each device assigns a device internal ID to an exporter to separate them.

As nfcapd can receive multiple netflow streams from multiple devices, these
device assigned exporter IDs may potentially collide. Therefore nfcapd needs
to separate them internally. Each exporter gets a sysID assigned which is
unique for the running nfcapd process. You can check the exporters in your
files:

./nfdump -E <file>

which shows a summary line for each exporter active at the time this file
was created:

flow source IP, unique sysID and device ID

If you print raw records -o raw ( or create a custom output format
including %exp %ra ) the unique sysID and router address are displayed per
record. That's the way you can identify which device/exporter has sent
a certain record.

Tip: To include the exporters and router IP in line output, you can extend
a given format:

./nfdump -o 'fmt:%line %exp %ra'
extends the line format with the 2 fields.

In order to get the router address included as well as the timestamp received
into the records, you have to enable these optional extensions on the nfcapd
command line ( -T13,16 or -Tall ).

Hope this explains exporters in nfdump a bit.

Cheers

        - Peter


On 17/11/14 09:22, Jens Hektor wrote:
> Hi,
> 
> I still have a problem with timestamps on my two Nexus-7000
> 
> It seems like I'm getting correct timestamps from one,
> but wrong from the others.
> 
> In identifying the problem I used the custom format for nfdump
> augmenting the output with %tr and %exp
> 
> So for the wrong timestamps I have "exporter id"=3 and for
> the correct timestamps I have "exporter id"=2.
> 
> My two questions:
> 
> Q1: what exactly is the "exporter id" and how can I use it to identify
> the cause of my problems?
> 
> Q2: For %tr I only get "1970-01-01 01:00:00.000",
> so the value seems to be 0. Is that a bug in nfsen?
> 
> Hoping for someone to enlighten me.
> 
> Best regards, Jens Hektor
> 
> _______________________________________________
> Nfsen-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
> 
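
Added example, not part of the original mail or of nfdump itself: a small per-exporter audit that groups records by the unique sysID and router address described above and compares each flow's end time with the time nfcapd received it, which is one way to narrow down which exporter delivers bad timestamps. Assumptions: the input comes from `nfdump -q -r <file> -o 'fmt:%exp %ra %te %tr'`, the column layout and sample lines are constructed, the 300 second threshold is arbitrary, and nfcapd was started with the extensions mentioned above so that %ra and %tr are filled in.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of: nfdump -q -r <file> -o 'fmt:%exp %ra %te %tr'
# (column layout is an assumption; addresses are documentation ranges)
SAMPLE = """\
    2      192.0.2.1 2014-11-17 09:20:01.000 2014-11-17 09:20:03.120
    2      192.0.2.1 2014-11-17 09:20:05.500 2014-11-17 09:20:06.010
    3      192.0.2.2 2014-11-17 03:11:40.000 2014-11-17 09:20:04.300
    3      192.0.2.2 2014-11-17 03:11:42.250 2014-11-17 09:20:06.900
    4   198.51.100.7 2014-11-17 09:20:02.000 1970-01-01 01:00:00.000
"""

# sysID, router IP, flow end time, time received by the collector
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+ \S+)\s+(\S+ \S+)\s*$")
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"

def audit_exporters(text, max_skew_s=300.0):
    """Group records by (sysID, router IP) and judge each exporter's clock."""
    stats = defaultdict(lambda: {"records": 0, "no_tr": 0, "worst_skew": 0.0})
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, summary or blank line
        sysid, router, flow_end, received = m.groups()
        s = stats[(int(sysid), router)]
        s["records"] += 1
        tr = datetime.strptime(received, TS_FMT)
        if tr.year == 1970:
            # %tr is 0: the received-time extension was not stored by nfcapd
            s["no_tr"] += 1
            continue
        skew = abs((tr - datetime.strptime(flow_end, TS_FMT)).total_seconds())
        s["worst_skew"] = max(s["worst_skew"], skew)
    report = {}
    for key, s in stats.items():
        if s["no_tr"] == s["records"]:
            verdict = "no-received-time"   # cannot be judged, enable -T13,16
        elif s["worst_skew"] > max_skew_s:
            verdict = "clock-suspect"      # device time disagrees with collector
        else:
            verdict = "ok"
        report[key] = (s["records"], verdict, s["worst_skew"])
    return report

if __name__ == "__main__":
    for (sysid, router), (n, verdict, skew) in sorted(audit_exporters(SAMPLE).items()):
        print(f"sysID={sysid} router={router} records={n} worst_skew={skew:.1f}s {verdict}")
```

An exporter reported as "no-received-time" shows the same symptom as the 1970-01-01 value in Q2: the record carries no received timestamp, so the device clock cannot be checked until the extension is enabled.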
