[c-nsp] Incorrect netflow data from 7600/6500?

Peter Rathlev peter at rathlev.dk
Fri Jun 19 10:08:01 EDT 2009


On Fri, 2009-06-19 at 15:08 +0200, Peter Haag wrote:
> > I've seen this result from multiple other Netflow tools: ntop, Orion
> > NetFlow and now nfdump.  The only common element is my hardware.
> > I've exported flows from a 7606-SUP32 and a 6509SUP720-3B both
> > running 12.2(18)SXF4.  Both emit the mysterious protocol 0 flows.
> > 
> > I think I can make the assumption there isn't a protocol in use that
> > trumps both UDP and TCP traffic combined.  Have I run into an IOS
> > bug or did I misconfigure?
> 
> No - port 0 results from fragmented packets. Most likely UDP packets >
> MTU size. Since the IP ID field is not tracked in a v5 Netflow record,
> the router cannot map a fragmented packet to the appropriate flow,
> and simply creates a flow with port '0'.

Well, that would be for _port_ 0 traffic, with either TCP or UDP in the
protocol field, wouldn't it? OP's traffic is "protocol 0", so IMHO Scott's
point about flow mask is the best bet.

Regards,
Peter
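
Added example, not part of the original message or of any tool named in the thread: a minimal NetFlow v5 parser that separates the two cases being distinguished above, records with protocol 0 versus records with TCP/UDP in the protocol field and port 0. The sample datagram, its addresses and the rule that "port 0" means both ports are zero are constructed assumptions.

```python
import socket
import struct

HDR = struct.Struct("!HHIIIIBBH")                 # 24-byte v5 header
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte v5 flow record

def build_record(src, dst, sport, dport, prot, pkts, octets):
    """Pack one constructed v5 record; fields not discussed here are zero."""
    return REC.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                    1, 2, pkts, octets, 0, 0, sport, dport,
                    0, 0, prot, 0, 0, 0, 0, 0, 0)

def build_datagram(records):
    return HDR.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0) + b"".join(records)

def classify(prot, sport, dport):
    if prot == 0:
        return "protocol-0"   # what the original poster reports
    if prot in (6, 17) and sport == 0 and dport == 0:
        return "port-0"       # TCP/UDP in the protocol field, no ports (assumed rule)
    return "normal"

def parse(datagram):
    version, count, *_ = HDR.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    if len(datagram) != HDR.size + count * REC.size:
        raise ValueError("length does not match record count")
    flows = []
    for i in range(count):
        f = REC.unpack_from(datagram, HDR.size + i * REC.size)
        sport, dport, prot = f[9], f[10], f[13]
        flows.append({"src": socket.inet_ntoa(f[0]), "prot": prot,
                      "octets": f[6], "kind": classify(prot, sport, dport)})
    return flows

def octets_by_kind(flows):
    totals = {}
    for fl in flows:
        totals[fl["kind"]] = totals.get(fl["kind"], 0) + fl["octets"]
    return totals

# Constructed sample: one ordinary TCP flow, one UDP flow with port 0,
# and two flows whose protocol field is 0.
SAMPLE = build_datagram([
    build_record("192.0.2.10", "198.51.100.5", 40000, 443, 6, 10, 5000),
    build_record("192.0.2.11", "198.51.100.6", 0, 0, 17, 4, 6000),
    build_record("192.0.2.12", "198.51.100.7", 0, 0, 0, 50, 70000),
    build_record("192.0.2.13", "198.51.100.8", 0, 0, 0, 20, 30000),
])
```

Running `octets_by_kind(parse(SAMPLE))` shows at a glance whether the unexplained volume sits in protocol-0 records or in port-0 TCP/UDP records.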



