ntop collapses everything into a generic record, largely a V5:
 

struct generic_netflow_record {
  /* v5 */
  u_int32_t srcaddr;    /* Source IP Address */
  u_int32_t dstaddr;    /* Destination IP Address */
  u_int32_t nexthop;    /* Next hop router's IP Address */
  u_int16_t input;      /* Input interface index */
  u_int16_t output;     /* Output interface index */
  u_int32_t sentPkts, rcvdPkts;
  u_int32_t sentOctets, rcvdOctets;
  u_int32_t First;      /* SysUptime at start of flow */
  u_int32_t Last;       /* and of last packet of the flow */
  u_int16_t srcport;    /* TCP/UDP source port number (e.g., FTP, Telnet, etc., or equivalent) */
  u_int16_t dstport;    /* TCP/UDP destination port number (e.g., FTP, Telnet, etc., or equivalent) */
  u_int8_t  tcp_flags;  /* Cumulative OR of tcp flags */
  u_int8_t  prot;       /* IP protocol, e.g., 6=TCP, 17=UDP, etc... */
  u_int8_t  tos;        /* IP Type-of-Service */
  u_int16_t dst_as;     /* dst peer/origin Autonomous System */
  u_int16_t src_as;     /* source peer/origin Autonomous System */
  u_int8_t  dst_mask;   /* destination route's mask bits */
  u_int8_t  src_mask;   /* source route's mask bits */
 
  /* v9 */
  u_int16_t vlanId;
 
  /* Latency extensions */
  u_int32_t nw_latency_sec, nw_latency_usec;
 
  /* VoIP Extensions */
  char sip_call_id[50], sip_calling_party[50], sip_called_party[50];
};
 
Read through handleGenericFlow() - there's nothing about sequence #s.
 
 
-----Burton
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goor, M. van, (ITBE)
Sent: Thursday, September 15, 2005 1:43 AM
To: [email protected]
Subject: RE: [Ntop] cisco 6509 and ntop

I meant the netflow sequences ….., the header has sequence numbers …

 

Mike.

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burton Strauss
Sent: Wednesday, 14 September 2005 17:15
To: [email protected]
Subject: RE: [Ntop] cisco 6509 and ntop

 

Um... it doesn't.  UDP packets don't HAVE sequence numbers, it's a connectionless protocol.

 

-----Burton

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goor, M. van, (ITBE)
Sent: Wednesday, September 14, 2005 9:11 AM
To: [email protected]
Subject: [Ntop] cisco 6509 and ntop

Hello,

 

The cisco 6509 sends 2 netflow streams, both on the same port to a machine in my network. Now I was unaware that ntop watches sequences and thus disregards one of the two streams. This led to the unexplainable packet loss I was talking about the other day. Or at least I think it does.

 

Maybe people might have similar problems and wanted to report this, but I was actually more wondering if anyone knows a way to adapt ntop to accept both streams or is there a way to tell my cisco 6509 to send the streams on different ports?

 

Kind regards,

Mike.

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
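
Added example, not part of the original thread and not ntop code: a sketch of how a NetFlow v5 collector could track the header's flow_sequence field separately for each stream, so that two streams arriving on one port are not mistaken for loss in a single stream. Keying a stream on the sender address plus the header's engine_type/engine_id bytes is an assumption, and track_v5() and feed_sample() are hypothetical names.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

#define V5_HDR_LEN 24   /* NetFlow v5 header size in bytes */
#define V5_REC_LEN 48   /* NetFlow v5 flow record size in bytes */
#define MAX_STREAMS 16

/* Assumption: a stream is identified by sender address plus the header's
 * engine_type/engine_id bytes; each stream gets its own sequence counter. */
struct stream { uint32_t exporter; uint8_t etype, eid; uint32_t next_seq; };
static struct stream streams[MAX_STREAMS];
static size_t n_streams;

static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return ntohs(v); }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return ntohl(v); }

/* Returns the number of flows missed before this packet on its own stream,
 * or -1 if the datagram is not a well-formed v5 export. */
long track_v5(uint32_t exporter, const uint8_t *pkt, size_t len) {
  if (len < V5_HDR_LEN || rd16(pkt) != 5) return -1;
  uint16_t count = rd16(pkt + 2);          /* records in this packet, 1..30 */
  if (count == 0 || count > 30 || len < V5_HDR_LEN + (size_t)count * V5_REC_LEN) return -1;
  uint32_t seq = rd32(pkt + 16);           /* flow_sequence: flows exported before this packet */
  struct stream *s = NULL;
  for (size_t i = 0; i < n_streams && !s; i++)
    if (streams[i].exporter == exporter && streams[i].etype == pkt[20] && streams[i].eid == pkt[21])
      s = &streams[i];
  if (!s) {                                /* first packet of a new stream: nothing to compare */
    if (n_streams == MAX_STREAMS) return -1;
    s = &streams[n_streams++];
    *s = (struct stream){ exporter, pkt[20], pkt[21], seq };
  }
  uint32_t gap = seq - s->next_seq;        /* unsigned subtraction survives counter wrap */
  if (gap > 0x7fffffffu) return 0;         /* late or duplicate packet: leave the counter alone */
  s->next_seq = seq + count;
  return (long)gap;
}

/* Constructed sample input: builds a v5 datagram with zeroed records and feeds it in. */
long feed_sample(uint32_t exporter, uint32_t seq, uint16_t count, uint8_t eid) {
  uint8_t pkt[V5_HDR_LEN + 30 * V5_REC_LEN] = {0};
  uint16_t ver = htons(5), cnt = htons(count);
  uint32_t nseq = htonl(seq);
  memcpy(pkt, &ver, 2); memcpy(pkt + 2, &cnt, 2); memcpy(pkt + 16, &nseq, 4);
  pkt[21] = eid;                           /* engine_id; engine_type stays 0 */
  return track_v5(exporter, pkt, V5_HDR_LEN + (size_t)count * V5_REC_LEN);
}
```

In a real collector the exporter argument would come from the sender address returned by recvfrom().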
