Tcpdump extract: notice all the 1464 byte packets are F'd, others OK: 15:16:24.818262 IP (tos 0x0, ttl 252, id 14766, offset 0, flags [none], proto: UDP (17), length: 1012) 10.15.26.200.50769 > monpapp1.waddell.com.netflow-Regn15: [udp sum ok] UDP, length 984
15:16:28.822210 IP (tos 0x0, ttl 251, id 14766, offset 0, flags [+], proto: UDP (17), length: 1396) 10.15.26.200.50769 > monpapp1.waddell.com.netflow-Regn15: [bad udp cksum 55bc!] UDP, length 1464 15:16:39.822211 IP (tos 0x0, ttl 252, id 14766, offset 0, flags [none], proto: UDP (17), length: 1060) 10.15.26.200.50769 > monpapp1.waddell.com.netflow-Regn15: [udp sum ok] UDP, length 1032 15:16:46.822499 IP (tos 0x0, ttl 251, id 14766, offset 0, flags [+], proto: UDP (17), length: 1396) 10.15.26.200.50769 > monpapp1.waddell.com.netflow-Regn15: [bad udp cksum 6409!] UDP, length 1464 15:16:50.821026 IP (tos 0x0, ttl 251, id 14766, offset 0, flags [+], proto: UDP (17), length: 1396) 10.15.26.200.50769 > monpapp1.waddell.com.netflow-Regn15: [bad udp cksum 9a8e!] UDP, length 1464 15:16:55.819812 IP (tos 0x0, ttl 251, id 14766, offset 0, flags [+], proto: UDP (17), length: 1396) 10.15.26.200.50769 > monpapp1.waddell.com.netflow-Regn15: [bad udp cksum 2191!] UDP, length 1464 -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Rick Jones Sent: Tuesday, May 31, 2011 2:48 PM To: [email protected] Subject: Re: [Ntop] Cisco netflow packet size - adjusting? On Tue, 2011-05-31 at 14:37 -0500, Gary Gatten wrote: > Hello, > > Anyone know how to force the Cisco IOS, specifically netflow, to use > packet sizes smaller than 1464 bytes? It doesn't seem to be honoring > the MTU size of the interfaces. It gets fragmented and then Checksum > is invalid, and then ntop doesn't see the packets. Annoying.... Um, gets fragmented by *what* and where? Fragmentation isn't *supposed* to corrupt datagrams, by what is the checksum being invalid being reported? Also, whence 1464? The maximum UDP payload on a standard 1500 byte MTU Ethernet-like network is 1472 bytes before the IPv4 datagram carrying the UDP datagram carrying the user message has to be fragmented. Does your network have a smaller than 1500 byte MTU? While IP fragmentation is indeed frowned upon, "not honoring the MTU size" is a bit strong - UDP-using applications can indeed send messages large enough to require fragmentation by IP. For example EDNS in DNS will do so, and it isn't considered dishonorable :) rick jones > I've googled for hours and haven't found anything yet. > > TIA > > Gary > > Tags: netflow, ntop, exporter not recognized, cant see netflow traffic > > > > "This email is intended to be reviewed by only the intended recipient > and may contain information that is privileged and/or confidential. If > you are not the intended recipient, you are hereby notified that any > review, use, dissemination, disclosure or copying of this email and > its attachments, if any, is strictly prohibited. If you have received > this email in error, please immediately notify the sender by return > email and delete this email from your system." > _______________________________________________ > Ntop mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font> _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
