Hi, I'm exporting NetFlow v9 from a Cisco ASR1k - the netflow9tester is collecting flows, but not decoding source or dest IPs (every flow is showing as 0.0.0.0:0 -> 0.0.0.0:0).
I ran some debugs and see that the ASR1k tends to use IP_SRC_PREFIX and IP_DST_PREFIX fields rather than IP_SRC_ADDR and IP_DST_ADDR.
Could this be an issue with the netflow9tester not allowing for these fields in the template?
FYI, here is the format of the (typical) Flow Templates received from each of my netflow routers:
Typical Netflow Template from the Cisco 7206:
Field (1/13) = LAST_SWITCHED (21) Length: 4
Field (2/13) = FIRST_SWITCHED (22) Length: 4
Field (3/13) = BYTES (1) Length: 4
Field (4/13) = PKTS (2) Length: 4
Field (5/13) = INPUT_SNMP (10) Length: 2
Field (6/13) = OUTPUT_SNMP (14) Length: 2
Field (7/13) = IP_SRC_ADDR (8) Length: 4
Field (8/13) = IP_DST_ADDR (12) Length: 4
Field (9/13) = FLOWS (3) Length: 4
Field (10/13) = DST_MASK (13) Length: 1
Field (11/13) = SRC_MASK (9) Length: 1
Field (12/13) = DST_AS (17) Length: 2
Field (13/13) = SRC_AS (16) Length: 2
Flowset length = 38 bytes with protocol headers = 64 bytes (inc 2 bytes padding)
Typical Netflow Template from Cisco ASR1006:
Field (1/12) = FIRST_SWITCHED (22) Length: 4
Field (2/12) = LAST_SWITCHED (21) Length: 4
Field (3/12) = BYTES (1) Length: 4
Field (4/12) = PKTS (2) Length: 4
Field (5/12) = INPUT_SNMP (10) Length: 4
Field (6/12) = OUTPUT_SNMP (14) Length: 4
Field (7/12) = IP_SRC_PREFIX (44) Length: 4
Field (8/12) = IP_DST_PREFIX (45) Length: 4
Field (9/12) = FLOWS (3) Length: 4
Field (10/12) = DST_MASK (13) Length: 1
Field (11/12) = SRC_MASK (9) Length: 1
Field (12/12) = DIRECTION (61) Length: 1
Flowset length = 39 bytes with protocol headers = 64 bytes (inc 1 byte padding)
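An added example, not part of the original post and not netflow9tester's code: a minimal decoder for one data record laid out per the ASR1006 template above. It shows that a lookup restricted to fields 8 and 12 finds no endpoint in such a record, while one that also accepts 44 and 45 recovers the prefixes. The function names and the sample record bytes are constructed for illustration.

```python
import ipaddress
import struct

# (field type, length) pairs copied from the ASR1006 template quoted in the post.
ASR1006_TEMPLATE = [(22, 4), (21, 4), (1, 4), (2, 4), (10, 4), (14, 4),
                    (44, 4), (45, 4), (3, 4), (13, 1), (9, 1), (61, 1)]

# Per side: the address field type first, then the prefix field type as fallback.
ADDR_FIELDS = {"src": (8, 44), "dst": (12, 45)}


def decode_record(template, record):
    """Split one data record into {field_type: raw bytes} using the template."""
    expected = sum(length for _, length in template)
    if len(record) < expected:
        raise ValueError(f"record is {len(record)} bytes, template needs {expected}")
    fields, offset = {}, 0
    for ftype, length in template:
        fields[ftype] = record[offset:offset + length]
        offset += length
    return fields


def endpoint(fields, side, accept_prefix=True):
    """Return the IPv4 source/destination as text, or None if no usable field."""
    candidates = ADDR_FIELDS[side] if accept_prefix else ADDR_FIELDS[side][:1]
    for ftype in candidates:
        raw = fields.get(ftype)
        if raw is not None and len(raw) == 4:
            return str(ipaddress.IPv4Address(raw))
    return None


# Constructed sample record (not captured traffic): 39 bytes, the sum of the
# template's field lengths. Addresses are documentation ranges.
SAMPLE = (struct.pack("!6I", 1000, 2000, 1500, 3, 1, 2)
          + ipaddress.IPv4Address("192.0.2.0").packed
          + ipaddress.IPv4Address("198.51.100.0").packed
          + struct.pack("!IBBB", 1, 24, 24, 0))

if __name__ == "__main__":
    f = decode_record(ASR1006_TEMPLATE, SAMPLE)
    print("addr fields only:", endpoint(f, "src", False), "->", endpoint(f, "dst", False))
    print("prefix fallback :", endpoint(f, "src"), "->", endpoint(f, "dst"))
```

The prefix fields carry the address masked by SRC_MASK/DST_MASK, so a decoder that falls back to them reports the network prefix rather than the host address.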