One more piece of info that may be important: I am using pf_ring.

Piotr


On 04/21/2011 03:21 PM, Piotr Romanus wrote:
I wonder if this is a known bug for nprobe 6.1.6.
# nprobe --version

Welcome to nprobe v.6.1.6 ($Revision: 1835 $) for i686-redhat-linux-gnu
with native PF_RING acceleration.


I am generating a single TCP flow using netcat between 2 nodes:

30.3.0.10:12345 -> router with nprobe running -> 40.4.0.10:12345

NetCat commands used:
client: nc -T lowdelay -v -n -p 12345 -s 30.3.0.10  40.4.0.10 12345
server: nc -v -l -n 12345


With this single flow nprobe generates 3 NetFlow records! Here is WireShark output from the node that acts as a collector:

Frame 24637 (210 bytes on wire, 210 bytes captured)
Ethernet II, Src: Cisco_8b:09:40 (00:16:9c:8b:09:40), Dst: Sony_1c:f4:22 (00:1d:ba:1c:f4:22)
Internet Protocol, Src: <router IP>, Dst: <my box running WireShark>
User Datagram Protocol, Src Port: iop (2055), Dst Port: iop (2055)
Cisco NetFlow/IPFIX
    Version: 5
    Count: 3
    SysUptime: 2035100826
    Timestamp: Apr 21, 2011 14:23:11.000000514
    FlowSequence: 0
    EngineType: 1
    EngineId: 8
    00.. .... .... .... = SamplingMode: No sampling mode configured (0)
    ..00 0000 0000 0001 = SampleRate: 1
    pdu 1/3
        SrcAddr: 30.3.0.10 (30.3.0.10)
        DstAddr: 40.4.0.10 (40.4.0.10)
        NextHop: 0.0.0.0 (0.0.0.0)
        InputInt: 2053
        OutputInt: 0
        Packets: 14
        Octets: 975
        [Duration: 11.988000000 seconds]
            StartTime: 2035059.064000000 seconds
            EndTime: 2035071.052000000 seconds
        SrcPort: 12345
        DstPort: 12345
        padding
        TCP Flags: 0x19
        Protocol: 6
        IP ToS: 0x10
        SrcAS: 0
        DstAS: 0
        SrcMask: 0 (prefix: 30.3.0.10/32)
        DstMask: 0 (prefix: 40.4.0.10/32)
        padding
    pdu 2/3
        SrcAddr: 30.3.0.10 (30.3.0.10)
        DstAddr: 40.4.0.10 (40.4.0.10)
        NextHop: 0.0.0.0 (0.0.0.0)
        InputInt: 2053
        OutputInt: 0
        Packets: 1
        Octets: 74
        [Duration: 0.000000000 seconds]
            StartTime: 2035059.061000000 seconds
            EndTime: 2035059.061000000 seconds
        SrcPort: 12345
        DstPort: 12288
        padding
        TCP Flags: 0x02
        Protocol: 6
        IP ToS: 0x10
        SrcAS: 0
        DstAS: 0
        SrcMask: 0 (prefix: 30.3.0.10/32)
        DstMask: 0 (prefix: 40.4.0.10/32)
        padding
    pdu 3/3
        SrcAddr: 30.3.0.10 (30.3.0.10)
        DstAddr: 40.4.0.10 (40.4.0.10)
        NextHop: 0.0.0.0 (0.0.0.0)
        InputInt: 2053
        OutputInt: 0
        Packets: 1
        Octets: 72
        [Duration: 0.000000000 seconds]
            StartTime: 2035064.907000000 seconds
            EndTime: 2035064.907000000 seconds
        SrcPort: 12288
        DstPort: 12345
        padding
        TCP Flags: 0x18
        Protocol: 6
        IP ToS: 0x10
        SrcAS: 0
        DstAS: 0
        SrcMask: 0 (prefix: 30.3.0.10/32)
        DstMask: 0 (prefix: 40.4.0.10/32)
        padding

_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
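
An added example, not part of the original post and not nprobe's code: a collector-side check that parses a NetFlow v5 datagram and lists, per source/destination/protocol, the distinct port pairs exported, so extra records for a single conversation stand out. The datagram is constructed from the Wireshark decode quoted above; the function names are hypothetical and `unix_secs` is set to 0 because the decode shows only a local-time timestamp.

```python
import socket
import struct
from collections import defaultdict

HDR = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record
FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))

def parse_v5(datagram):
    """Return the flow records of one NetFlow v5 export datagram."""
    version, count = HDR.unpack_from(datagram)[:2]
    if version != 5 or len(datagram) < HDR.size + count * REC.size:
        raise ValueError("not a complete NetFlow v5 datagram")
    records = []
    for i in range(count):
        f = REC.unpack_from(datagram, HDR.size + i * REC.size)
        records.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "packets": f[5], "octets": f[6], "sport": f[9], "dport": f[10],
            "flags": "|".join(n for bit, n in FLAGS if f[12] & bit), "proto": f[13],
        })
    return records

def port_pairs_per_host_pair(records):
    """Group records by (src, dst, proto) and collect the distinct port pairs seen."""
    groups = defaultdict(set)
    for r in records:
        groups[(r["src"], r["dst"], r["proto"])].add((r["sport"], r["dport"]))
    return dict(groups)

def sample_datagram():
    """Constructed datagram: field values copied from the Wireshark decode in the post."""
    def rec(pkts, octets, first, last, sport, dport, flags):
        return REC.pack(socket.inet_aton("30.3.0.10"), socket.inet_aton("40.4.0.10"),
                        socket.inet_aton("0.0.0.0"), 2053, 0, pkts, octets, first, last,
                        sport, dport, 0, flags, 6, 0x10, 0, 0, 0, 0, 0)
    # unix_secs (4th field) is a placeholder 0; the other header values are from the decode
    hdr = HDR.pack(5, 3, 2035100826, 0, 514, 0, 1, 8, 1)
    return (hdr + rec(14, 975, 2035059064, 2035071052, 12345, 12345, 0x19)
                + rec(1, 74, 2035059061, 2035059061, 12345, 12288, 0x02)
                + rec(1, 72, 2035064907, 2035064907, 12288, 12345, 0x18))

if __name__ == "__main__":
    recs = parse_v5(sample_datagram())
    for key, pairs in port_pairs_per_host_pair(recs).items():
        if len(pairs) > 1:  # more than one port pair exported for this host pair
            print(key, "exported as", len(pairs), "port pairs:", sorted(pairs))
```
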