According to Wireshark, every single sFlow packet is malformed.

All the packets I gathered seemed to contain fragments of web traffic, so it
was pretty much all TCP. This is one example:

No.     Time        Source                Destination           Protocol Info
    305 13.328640   [switch ip]          [ntop ip          sFlow    V5, agent [switch ip], sub-agent ID 2, seq 1455088, 5 samples[Malformed Packet]

Frame 305 (970 bytes on wire, 970 bytes captured)
    Arrival Time: Nov  3, 2010 16:14:32.185217000
    [Time delta from previous captured frame: 0.054335000 seconds]
    [Time delta from previous displayed frame: 0.054335000 seconds]
    [Time since reference or first frame: 13.328640000 seconds]
    Frame Number: 305
    Frame Length: 970 bytes
    Capture Length: 970 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:udp:sflow]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: Force10N_4b:85:e3 (00:01:e8:4b:85:e3), Dst: Xensourc_00:14:89 (00:16:3e:00:14:89)
    Destination: Xensourc_00:14:89 (00:16:3e:00:14:89)
        Address: Xensourc_00:14:89 (00:16:3e:00:14:89)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: Force10N_4b:85:e3 (00:01:e8:4b:85:e3)
        Address: Force10N_4b:85:e3 (00:01:e8:4b:85:e3)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: [switch ip] ([switch ip]), Dst: [ntop ip ([ntop ip)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 956
    Identification: 0x2323 (8995)
    Flags: 0x00
        0.. = Reserved bit: Not Set
        .0. = Don't fragment: Not Set
        ..0 = More fragments: Not Set
    Fragment offset: 0
    Time to live: 255
    Protocol: UDP (0x11)
    Header checksum: 0xcbb3 [correct]
        [Good: True]
        [Bad : False]
    Source: [switch ip] ([switch ip])
    Destination: [ntop ip ([ntop ip)
User Datagram Protocol, Src Port: sflow (6343), Dst Port: sflow (6343)
    Source port: sflow (6343)
    Destination port: sflow (6343)
    Length: 936
    Checksum: 0xcca1 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
InMon sFlow
    datagram version: 5
    address type: IP_V4 (1)
    agent address: [switch ip] ([switch ip])
    Sub-agent ID: 2
    Sequence number: 1455088
    SysUptime: 820344224
    NumSamples: 5
    Expanded flow sample, seq 691705, 0
        0000 0000 0000 0000 0000 .... .... .... = sFlow sample type enterprise: 0
        .... .... .... .... .... 0000 0000 0011 = sFlow sample type: Expanded flow sample (3)
        Sample length: 164
        Sample sequence number: 691705
        Source ID type: ifIndex (0)
        Source ID index: 0
        Sampling rate: 107791360
        Sample pool: 4096
        Dropped packets: 1504741009
        Input interface index: 0
        0... .... .... .... .... .... .... .... = Multiple outputs: No
        Output interface index: 0
        Number of records: 75547648
        Sample type: Unknown (0)
        Recordlength: 107791360
[Malformed Packet: sFlow]
    [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
        [Message: Malformed Packet (Exception occurred)]
        [Severity level: Error]
        [Group: Malformed]



On 11/3/10 13:49 , "Alex DEKKER" <[email protected]> wrote:

> On Wednesday 03 November 2010 20:38:41 Gary Gatten wrote:
>> Notice total packets and ipv4 packets are both about 8.69M, but 34GB and
>> 12GB respectively? Weird.
>> 
>> You're using sflow.  Would it be possible to connect to a SPAN port, tap,
>> etc. and use libpcap as a test?  I'd be curious if ntop classifies the
>> traffic the same as it does when using sflow...
> 
> Or even open some of the sflow packets in Wireshark and see what's in there.
> 
> alexd
> _______________________________________________
> Ntop mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop

Barnaby Cockcroft  /  System Administrator, BuzzMedia  /  p 323 472 6400  f
323 466 0150  m 323 551 8878
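
Added example, not part of the original message and not ntop or Wireshark code: a bounds-checked walk over one sFlow v5 flow sample body, tried with both the compact (7 header words) and expanded (10 header words) layouts from the sFlow v5 specification. The ten header words are the field values printed in the dissection above, in the order shown; the record count of 2 and both record bodies are constructed so that the lengths add up to the 164-byte sample length.

```python
import struct

# Sample body words after the 8-byte type/length prefix, in dissection order.
HEADER_WORDS = [691705, 0, 107791360, 4096, 1504741009, 0, 0, 75547648, 0, 107791360]
LAYOUTS = {"compact": 7, "expanded": 10}  # header words before record count

def build_sample():
    """Constructed 164-byte body: dissection words plus assumed records."""
    raw_hdr = struct.pack(">4I", 1, 76, 4, 72) + bytes(72)  # format 1, zeroed frame
    ext_sw = struct.pack(">4I", 10, 0, 10, 0)               # format 1001, VLAN 10
    body = struct.pack(">10I", *HEADER_WORDS) + struct.pack(">I", 2)
    for tag, data in ((1, raw_hdr), (1001, ext_sw)):
        body += struct.pack(">II", tag, len(data)) + data
    return body

def walk_records(body, layout):
    """Return [(format, length), ...]; raise ValueError on a bounds violation."""
    off = 4 * LAYOUTS[layout]
    if off + 4 > len(body):
        raise ValueError("sample shorter than its fixed header")
    (count,) = struct.unpack_from(">I", body, off)
    off += 4
    if count * 8 > len(body) - off:  # every record needs an 8-byte header
        raise ValueError(f"record count {count} cannot fit in {len(body) - off} bytes")
    found = []
    for _ in range(count):
        if len(body) - off < 8:
            raise ValueError("record header runs past end of sample")
        tag, length = struct.unpack_from(">II", body, off)
        off += 8
        padded = (length + 3) & ~3  # XDR pads opaque data to 4 bytes
        if padded > len(body) - off:
            raise ValueError(f"record length {length} overruns the sample")
        found.append((tag & 0xFFF, length))  # low 12 bits = format number
        off += padded
    if off != len(body):
        raise ValueError("bytes left over after the last record")
    return found

def consistent_layouts(body):
    """Names of the layouts whose record walk ends exactly at the sample end."""
    ok = []
    for name in LAYOUTS:
        try:
            walk_records(body, name)
        except ValueError:
            continue
        ok.append(name)
    return ok
```

On this constructed body the compact reading takes 75547648 as the record count, the same value the dissection prints, and is rejected, while the expanded reading ends exactly at byte 164.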