[nsp] Catalyst NDE - network data export

From: Edward Henigin (ed@texas.net)
Date: Sun Feb 11 2001 - 14:40:28 EST


        I'm playing with NDE on the cat6k platform, and I'm trying
to understand the aspects of the records. I set it to use version
7 flow records.

http://www.cisco.com/warp/public/cc/pd/iosw/ioft/neflct/tech/napps_wp.htm

        Here's the format of the flow records:

ipaddrtype srcaddr; /* Source IP Address */
ipaddrtype dstaddr; /* Destination IP Address */
ipaddrtype nexthop; /* Next hop router */
ushort input; /* input interface index */
ushort output; /* output interface index */
ulong dPkts; /* Packets sent in Duration */
ulong dOctets; /* Octets sent in Duration */
ulong First; /* SysUptime at start of flow. */
ulong Last; /* and of last packet of the flow. */
ushort srcport; /* TCP/UDP source port number or equivalent */
ushort dstport; /* TCP/UDP dest port number or equivalent */
uchar flags; /* Shortcut mode (dest only, src only, full flows) */
uchar tcp_flags; /* TCP flags */
uchar prot; /* IP protocol, e.g., 6=TCP, 17=UDP, ... */
uchar tos; /* IP Type-of-Service */
ulong src_as; /* source AS# */
ulong dst_as; /* destination AS# */
uchar src_mask; /* source subnet mask */
uchar dst_mask; /* destination subnet mask */
ushort pad;
ipaddrtype router_sc; /* Router which is shortcut by switch */

        Some of the things I've found:

        1) Sometimes, 'First' is larger than 'Last', as if the
start of the flow came after the end of the flow. I don't believe
that's because the sysuptime counter has wrapped; I've looked
at the timestamps and they are like:

First 2071424034 Last 2068649850

        They're too close together to be wraps.

        2) I can't figure out if sysuptime here is in seconds,
hundredths of seconds (the way the SNMP counter is for sysuptime),
milliseconds, microseconds, or nanoseconds. The First & Last
records don't provide values that are at all near the values I get
from snmpget system.sysuptime.0, not even accounting for an
arbitrarily placed decimal point.

        3) I can't get the total throughput to make sense. 8 *
dOctets / (Last - First) should give throughput in some scale of
bits/second. Trying many different scales for First & Last (see
(2)) gives me lots of numbers (obviously) but nothing that matches
my real traffic throughput stats.
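The three observations above (First > Last, the unit of First/Last, and the 8 * dOctets / (Last - First) throughput calculation) can be checked against a decoder that walks the record layout quoted earlier. The following is an added example written for this archive page; it is not code from the original post or from Cisco. It assumes the NetFlow v7 wire layout as exporters emit it (a 24-byte header followed by 52-byte records with 16-bit AS numbers, even though the quoted listing shows ulong), that First and Last are SysUptime in milliseconds, and a constructed plausibility bound MAX_FLOW_MS; the sample datagram, addresses and counters are constructed, and the last record reuses the First/Last pair from the post.

```python
"""Decode NetFlow v7 export datagrams and sanity-check First/Last timing.

Added example, not from the original post. Assumptions:
- First/Last are SysUptime in milliseconds (NetFlow v5/v7 convention).
- Wire layout: 24-byte header, 52-byte records, 16-bit AS numbers.
- MAX_FLOW_MS is a constructed plausibility bound, not an exporter setting.
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

# version, count, SysUptime, unix_secs, unix_nsecs, flow_sequence, reserved
V7_HEADER = struct.Struct("!HHIIIII")
# srcaddr dstaddr nexthop input output dPkts dOctets First Last srcport dstport
# flags tcp_flags prot tos src_as dst_as src_mask dst_mask pad router_sc
V7_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH4s")
MAX_FLOW_MS = 60 * 60 * 1000  # assumption: one record never spans more than an hour


@dataclass
class FlowRecord:
    srcaddr: IPv4Address
    dstaddr: IPv4Address
    nexthop: IPv4Address
    input: int
    output: int
    dPkts: int
    dOctets: int
    First: int
    Last: int
    srcport: int
    dstport: int
    flags: int
    tcp_flags: int
    prot: int
    tos: int
    src_as: int
    dst_as: int
    src_mask: int
    dst_mask: int
    router_sc: IPv4Address


def parse_export(datagram: bytes):
    """Return (header dict, list of FlowRecord) for one v7 export datagram."""
    version, count, sysuptime, secs, nsecs, seq, _reserved = V7_HEADER.unpack_from(datagram, 0)
    if version != 7:
        raise ValueError(f"expected NetFlow v7, got version {version}")
    header = {"count": count, "SysUptime": sysuptime, "unix_secs": secs,
              "unix_nsecs": nsecs, "flow_sequence": seq}
    records = []
    for i in range(count):
        f = V7_RECORD.unpack_from(datagram, V7_HEADER.size + i * V7_RECORD.size)
        # f[3:19] covers input .. dst_mask; f[19] is the pad word and is dropped
        records.append(FlowRecord(IPv4Address(f[0]), IPv4Address(f[1]), IPv4Address(f[2]),
                                  *f[3:19], IPv4Address(f[20])))
    return header, records


def flow_duration_ms(rec: FlowRecord):
    """Wrap-aware Last - First in ms; None when the pair is not usable for timing.

    A flow that straddles the 32-bit SysUptime wrap legitimately has First > Last,
    but the modular difference is then small. A modular difference above
    MAX_FLOW_MS means the record's timestamps are inconsistent and should be
    flagged rather than fed into a rate calculation.
    """
    d = (rec.Last - rec.First) & 0xFFFFFFFF
    return d if d <= MAX_FLOW_MS else None


def throughput_bps(rec: FlowRecord):
    """8 * dOctets / duration in bits per second, or None when undefined."""
    d = flow_duration_ms(rec)
    if not d:  # None (inconsistent) or 0 (single-packet / sub-millisecond flow)
        return None
    return rec.dOctets * 8 * 1000 / d


def _rec(src, dst, pkts, octets, first, last, sport, dport, prot):
    """Pack one constructed v7 record with fixed interface, AS and mask values."""
    return V7_RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed,
                          IPv4Address("10.0.0.1").packed, 1, 2, pkts, octets, first, last,
                          sport, dport, 0, 0x18, prot, 0, 64512, 64513, 24, 24, 0,
                          IPv4Address("10.0.0.254").packed)


def build_sample_export() -> bytes:
    """Constructed datagram: a normal flow, a single-packet flow, a SysUptime
    wrap, and the First/Last pair quoted in the post."""
    recs = [
        _rec("192.0.2.10", "198.51.100.20", 1000, 1_250_000, 1_000, 11_000, 40000, 80, 6),
        _rec("192.0.2.11", "198.51.100.21", 1, 64, 5_000, 5_000, 53, 53, 17),
        _rec("192.0.2.12", "198.51.100.22", 10, 10_000, 4_294_960_000, 2_000, 40001, 443, 6),
        _rec("192.0.2.13", "198.51.100.23", 500, 500_000, 2_071_424_034, 2_068_649_850, 40002, 22, 6),
    ]
    header = V7_HEADER.pack(7, len(recs), 2_071_500_000, 981_920_428, 0, 0, 0)
    return header + b"".join(recs)


if __name__ == "__main__":
    _, flows = parse_export(build_sample_export())
    for r in flows:
        print(f"{r.srcaddr} -> {r.dstaddr} proto {r.prot}: "
              f"duration_ms={flow_duration_ms(r)} bps={throughput_bps(r)}")
```

With millisecond units the normal record (1,250,000 octets over 10,000 ms) comes out at exactly 1,000,000 bit/s, the wrap record resolves to a 9,296 ms duration, the single-packet record yields no rate, and the post's pair (First 2071424034, Last 2068649850) is rejected because its modular difference is about 49 days. The useful operational habit is to count how many records fall into that last bucket per export; a non-trivial fraction means the exporter's timestamps cannot be trusted for rate or timeline work until the cause is found.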

        Any comments on the above?

        Also, anyone know how to set the interval for the NDE engine
to expire (& export) flow records?

        Thanks...



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:28 EDT