[c-nsp] Incorrect netflow data from 7600/6500?

Peter Haag peter.haag at switch.ch
Fri Jun 19 09:08:01 EDT 2009




> 
> I'm trying to export flows from a 6509 to nfcapd/nfdump.
> 
> When I sort by protocol and bytes I see a "protocol 0" as the majority
> of the traffic.
> 
> Top 20    Protocol ordered by bytes:
> 
> Proto   Protocol   Flows  Packets    Bytes
> 0       0          7.8 M  296.8 M  229.1 G
> TCP     6          2.8 M   82.0 M   35.3 G
> UDP     17         3.7 M   21.7 M    4.3 G
> 
> <truncated for brevity>
> 
> I've seen this result from multiple other Netflow tools: ntop, Orion
> NetFlow and now nfdump.  The only common element is my hardware.
> I've exported flows from a 7606-SUP32 and a 6509SUP720-3B both running
> 12.2(18)SXF4.  Both emit the mysterious protocol 0 flows.
> 
> I think I can make the assumption there isn't a protocol in use that
> trumps both UDP and TCP traffic combined.  Have I run into an IOS bug or
> did I misconfigure?

No - port 0 results from fragmented packets, most likely UDP packets > MTU size.
Since the IP ID field is not tracked in a v5 Netflow record, the router
cannot map a fragmented packet to the appropriate flow, and simply
creates a flow with port '0'.

	- Peter
> 
> Configuration:
> -----------------------------------
> mls aging fast time 1 threshold 1
> mls aging long 64
> mls aging normal 32
> mls flow ip interface-destination-source
> no mls flow ipv6
> mls nde sender version 5
> no mls acl tcam share-global
> mls nde sender version 5
> 
> ip flow-cache timeout inactive 10
> ip flow-cache timeout active 1
> 
> "Config for interfaces of interest"
>   ip flow ingress
>   ip route-cache flow
> 
> ip flow-export source Loopback0
> ip flow-export version 5
> ip flow-export destination x.x.x.x
> ------------------------------------
> 
> Any help is appreciated.
> 
> 
> 
> 
> 
> 
> Message: 9
> Date: Fri, 19 Jun 2009 05:15:17 +0200 (CEST)
> From: Andrew Yourtchenko <ayourtch at cisco.com>
> To: Paul Stewart <paul at paulstewart.org>
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] L2TPv3 and VLANs
> Message-ID: <Pine.LNX.4.64.0906190452330.8007 at zippy.stdio.be>
> Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
> 
> 
> 
> On Thu, 18 Jun 2009, Paul Stewart wrote:
> 
>> I must admit  - I didn't know such an option existed... and that's great to
>> know...
> 
> I myself discovered it by accident when I saw that the MTU on my linux box 
> was not 1500 :-)
> 
>> On a related note to the PS below... we have tested l2tpv3 on a few
>> different boxes running various IOS images and on each of the devices we did
>> test we saw the same behavior.  This means something is either broken in the
>> code in my opinion or that we are doing something wrong.  Typically that
>> means the second option in our case (lol) but I did get a fair amount of
>> feedback offline from folks with similar problems....;)
> 
> It could just as well be the first option, but the tcp 
> mss-adjust hack is working "good enough" that nobody bothers - there are 
> always "more important battles" to fight. But if someone on the list is 
> willing to spend some cycles on this in the lab and subsequently open a 
> case to get this to a more definitive status quo - unicast me.
> 
> thanks,
> andrew
> 
> p.s. about the protocols that can break with this scenario, a few things 
> come to mind: kerberos, possibly IKE w/certs, SNMP, netflow.
> 
> 
> 

- --
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag,  Security Engineer,  Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA  FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box,  CH-8021   Zurich, Switzerland
E-mail: peter.haag at switch.ch Web: http://www.switch.ch/
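As an added illustration of Peter's explanation above (not code from the thread, from Cisco or from nfdump): a small NetFlow v5 parser run over a constructed export datagram, aggregating flows, packets and bytes per protocol the way the poster's Top-20 table does, and measuring how much of the export sits in the protocol/port 0 records that a v5 exporter produces for fragments it cannot attribute. The record layout is the public v5 format; the addresses and volumes are constructed sample values.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# NetFlow v5 wire layout: 24-byte header followed by 48-byte records, network byte order.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def build_record(src, dst, proto, sport, dport, pkts, octets):
    """Pack one constructed v5 record (sample data, not a capture from a router)."""
    return V5_RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, b"\0" * 4,
                          1, 2, pkts, octets, 0, 0, sport, dport, 0, 0, proto, 0, 0, 0, 24, 24, 0)

def parse_v5(datagram):
    """Unpack a v5 export datagram into one dict per flow record."""
    version, count, *_ = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 datagram (version {version})")
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({"src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
                        "pkts": f[5], "octets": f[6], "sport": f[9], "dport": f[10],
                        "proto": f[13]})
    return records

def summarize_by_proto(records):
    """Flows / packets / bytes per protocol, like nfdump's 'Top N Protocol' table."""
    totals = defaultdict(lambda: [0, 0, 0])
    for r in records:
        t = totals[r["proto"]]
        t[0] += 1; t[1] += r["pkts"]; t[2] += r["octets"]
    return dict(totals)

def fragment_artifacts(records):
    """Records v5 cannot attribute to a real flow: protocol 0, or TCP/UDP with both ports 0."""
    return [r for r in records
            if r["proto"] == 0 or (r["proto"] in (6, 17) and r["sport"] == r["dport"] == 0)]

def artifact_byte_share(records):
    """Fraction of exported bytes in fragment artifacts: check this before trusting volume reports."""
    total = sum(r["octets"] for r in records)
    return sum(r["octets"] for r in fragment_artifacts(records)) / total if total else 0.0

# Constructed datagram: a TCP flow, a UDP flow, and a protocol-0 "fragment" flow that dwarfs both.
SAMPLE_DATAGRAM = V5_HEADER.pack(5, 3, 0, 0, 0, 0, 0, 0, 0) + b"".join([
    build_record("192.0.2.1", "198.51.100.7", 6, 44321, 443, 120, 90_000),
    build_record("192.0.2.2", "198.51.100.9", 17, 53000, 53, 10, 1_500),
    build_record("192.0.2.2", "198.51.100.9", 0, 0, 0, 3_000, 4_380_000),
])
```

A high artifact share on a collector points at fragmentation on the monitored path (or a v5 exporter limitation) rather than at an unknown protocol, so per-protocol and per-port byte counts should be read with that share in mind.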

