On 01.08.16 09:12, Nikolaos Milas wrote:
> On 31/7/2016 1:06 μμ, Nikolaos Milas wrote:
> 
>> On 31/7/2016 1:13 πμ, Nikolaos Milas wrote:
>>
>>>>>> After further research, I found that all IPv6 traffic exported by this
>>>>>> router is being misinterpreted by nfdump/nfsen as IPv4 (and
>>>>>> misinterpreted IPv6-traffic flow records enter the system in a state of
>>>>>> total "junk").
> 
> FYI, I have posted about this issue to the nfdump-discuss mailing list 
> and I have opened an issue to the nfdump issue tracker:
> 
>     https://github.com/phaag/nfdump/issues/33


I analyzed the packet capture which Nick provided. It turned out that the
exporter sends buggy templates for IPv6. Only 1 out of ~30 template refreshes
is correct IPv6, but the majority are buggy:

buggy templates - contain IPv4 records:
[0] Template ID: 257
template size: 80 buffersize: 80
found extension 0 for type: 21(time sec end), at index: 26, input length: 4 output length: 4 Extension: 0, Offset: 0
found extension 0 for type: 22(time sec create), at index: 27, input length: 4 output length: 4 Extension: 0, Offset: 4
found extension 0 for type: 1(bytes), at index: 1, input length: 4 output length: 8 Extension: 0, Offset: 8
found extension 0 for type: 2(packets), at index: 3, input length: 4 output length: 8 Extension: 0, Offset: 12
found extension 4 for type: 10(input SNMP), at index: 13, input length: 2 output length: 2 Extension: 4, Offset: 16
Enable extension: 4: 2 byte input/output interface index
found extension 4 for type: 14(output SNMP), at index: 18, input length: 2 output length: 2 Extension: 4, Offset: 18
found extension 0 for type: 8(V4 src addr), at index: 11, input length: 4 output length: 4 Extension: 0, Offset: 20
found extension 0 for type: 12(V4 dst addr), at index: 16, input length: 4 output length: 4 Extension: 0, Offset: 24
found extension 0 for type: 4(proto), at index: 7, input length: 1 output length: 1 Extension: 0, Offset: 28
found extension 0 for type: 5(tos), at index: 8, input length: 1 output length: 1 Extension: 0, Offset: 29
found extension 0 for type: 7(src port), at index: 10, input length: 2 output length: 2 Extension: 0, Offset: 30
found extension 0 for type: 11(dst port), at index: 15, input length: 2 output length: 2 Extension: 0, Offset: 32
found extension 0 for type: 48(sampler ID), at index: 44, input length: 1 output length: 1 Extension: 0, Offset: 34
Skip unknown element type: 51, Length: 1
found extension 9 for type: 15(V4 next hop IP), at index: 20, input length: 4 output length: 4 Extension: 9, Offset: 36
Enable extension: 9: IPv4 next hop
found extension 8 for type: 13(V4 dst mask), at index: 17, input length: 1 output length: 1 Extension: 8, Offset: 40
Enable extension: 8: dst tos, direction, src/dst mask
found extension 8 for type: 9(V4 src mask), at index: 12, input length: 1 output length: 1 Extension: 8, Offset: 41
found extension 0 for type: 6(flags), at index: 9, input length: 1 output length: 1 Extension: 0, Offset: 42

correct templates: contain IPv6 records:
[0] Template ID: 257
template size: 40 buffersize: 40
found extension 0 for type: 28(V6 dst addr), at index: 35, input length: 16 output length: 16 Extension: 0, Offset: 0
found extension 0 for type: 4(proto), at index: 7, input length: 1 output length: 1 Extension: 0, Offset: 16
found extension 0 for type: 7(src port), at index: 10, input length: 2 output length: 2 Extension: 0, Offset: 17
found extension 0 for type: 11(dst port), at index: 15, input length: 2 output length: 2 Extension: 0, Offset: 19
found extension 0 for type: 1(bytes), at index: 1, input length: 4 output length: 8 Extension: 0, Offset: 21
found extension 0 for type: 2(packets), at index: 3, input length: 4 output length: 8 Extension: 0, Offset: 25
found extension 0 for type: 22(time sec create), at index: 27, input length: 4 output length: 4 Extension: 0, Offset: 29
found extension 0 for type: 21(time sec end), at index: 26, input length: 4 output length: 4 Extension: 0, Offset: 33
found extension 0 for type: 27(V6 src addr), at index: 34, input length: 16 output length: 16 Extension: 0, Offset: 37

The data stream sent by the exporter *always* decodes data according to the
IPv6 template, but mostly announces IPv4. Therefore most IPv6 flows end up as
garbage.

Regards

        - Peter


> 
> So, I look forward to a bug fix!
> 
> I am sorry I can't help here, as I am not a coder.
> 
> I do hope that nfdump will be fixed soon. nfdump/nfsen remains the most 
> flexible and powerful netflow analyzer!
> 
> Regards,
> Nick
> 
> ------------------------------------------------------------------------------
> _______________________________________________
> Nfsen-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
> 

-- 
Be nice to your netflow data. Use NfSen and nfdump :)
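
Added example (not part of the original message and not nfdump code): a small NetFlow v9 template parser that flags a template ID re-announced with a different field layout, which is the condition described in the analysis above. The function names and the sample packets are constructed for illustration; the field types and lengths are taken from the two debug dumps, in the order they are listed there.

```python
import struct

V4_ADDR, V6_ADDR = {8, 12, 15}, {27, 28}   # NetFlow v9 address field types

def build_template_packet(tid, fields, source_id=1):
    """Constructed test input: a v9 export packet with one template record."""
    rec = struct.pack("!HH", tid, len(fields))
    rec += b"".join(struct.pack("!HH", t, n) for t, n in fields)
    header = struct.pack("!HHIIII", 9, 1, 0, 0, 0, source_id)
    return header + struct.pack("!HH", 0, 4 + len(rec)) + rec

def parse_templates(pkt):
    """Yield (source_id, template_id, fields) for every template in a v9 packet."""
    if len(pkt) < 20 or struct.unpack_from("!H", pkt)[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    source_id = struct.unpack_from("!I", pkt, 16)[0]
    off = 20
    while off + 4 <= len(pkt):
        fs_id, fs_len = struct.unpack_from("!HH", pkt, off)
        if fs_len < 4 or off + fs_len > len(pkt):
            raise ValueError("bad flowset length")
        pos, end = off + 4, off + fs_len
        while fs_id == 0 and pos + 4 <= end:      # flowset ID 0 = templates
            tid, count = struct.unpack_from("!HH", pkt, pos)
            pos += 4
            if pos + 4 * count > end:
                raise ValueError("truncated template record")
            fields = tuple(struct.unpack_from("!HH", pkt, pos + 4 * i)
                           for i in range(count))
            pos += 4 * count
            yield source_id, tid, fields
        off += fs_len

def family(fields):
    """Classify a template by the address field types it announces."""
    types = {t for t, _ in fields}
    return "ipv6" if types & V6_ADDR else "ipv4" if types & V4_ADDR else "other"

def find_template_flaps(packets):
    """Report (id, old family, old record bytes, new family, new record bytes)."""
    seen, alerts = {}, []
    for pkt in packets:
        for src, tid, fields in parse_templates(pkt):
            old = seen.get((src, tid))
            if old is not None and old != fields:
                alerts.append((tid, family(old), sum(n for _, n in old),
                               family(fields), sum(n for _, n in fields)))
            seen[(src, tid)] = fields
    return alerts

# Constructed sample: one IPv6 announcement followed by two IPv4 ones, ID 257.
V4_TEMPLATE = [(21, 4), (22, 4), (1, 4), (2, 4), (10, 2), (14, 2), (8, 4), (12, 4), (4, 1),
               (5, 1), (7, 2), (11, 2), (48, 1), (51, 1), (15, 4), (13, 1), (9, 1), (6, 1)]
V6_TEMPLATE = [(28, 16), (4, 1), (7, 2), (11, 2), (1, 4), (2, 4), (22, 4), (21, 4), (27, 16)]
SAMPLE = [build_template_packet(257, f) for f in (V6_TEMPLATE, V4_TEMPLATE, V4_TEMPLATE)]
```

The record lengths in the alert differ (53 bytes for the IPv6 layout, 43 for the IPv4 one), so data records written for one layout cannot be decoded correctly with the other.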
