[c-nsp] Incorrect netflow data from 7600/6500?
ML
ml at kenweb.org
Thu Jun 18 20:36:36 EDT 2009
I'm trying to export flows from a 6509 to nfcapd/nfdump.
When I sort by protocol and bytes I see a "protocol 0" as the majority
of the traffic.
Top 20 Protocol ordered by bytes:
Proto Protocol Flows Packets Bytes
0 0 7.8 M 296.8 M 229.1 G
TCP 6 2.8 M 82.0 M 35.3 G
UDP 17 3.7 M 21.7 M 4.3 G
<truncated for brevity>
I've seen this result from multiple other Netflow tools: ntop, Orion
NetFlow and now nfdump. The only common element is my hardware.
I've exported flows from a 7606-SUP32 and a 6509SUP720-3B both running
12.2(18)SXF4. Both emit the mysterious protocol 0 flows.
I think I can make the assumption there isn't a protocol in use that
trumps both UDP and TCP traffic combined. Have I run into an IOS bug or
did I misconfigure?
Configuarion:
-----------------------------------
mls aging fast time 1 threshold 1
mls aging long 64
mls aging normal 32
mls flow ip interface-destination-source
no mls flow ipv6
mls nde sender version 5
no mls acl tcam share-global
mls nde sender version 5
ip flow-cache timeout inactive 10
ip flow-cache timeout active 1
"Config for interfaces of interest"
ip flow ingress
ip route-cache flow
ip flow-export source Loopback0
ip flow-export version 5
ip flow-export destination x.x.x.x
------------------------------------
Any help is appreciated.
More information about the cisco-nsp
mailing list