[c-nsp] Incorrect netflow data from 7600/6500?
ML
ml at kenweb.org
Fri Jun 19 20:18:39 EDT 2009
Peter Rathlev wrote:
> On Fri, 2009-06-19 at 15:08 +0200, Peter Haag wrote:
>>> I've seen this result from multiple other Netflow tools: ntop, Orion
>>> NetFlow and now nfdump. The only common element is my hardware.
>>> I've exported flows from a 7606-SUP32 and a 6509SUP720-3B both
>>> running 12.2(18)SXF4. Both emit the mysterious protocol 0 flows.
>>>
>>> I think I can make the assumption there isn't a protocol in use that
>>> trumps both UDP and TCP traffic combined. Have I run into an IOS
>>> bug or did I misconfigure?
>> No - port 0 results from fragmented packets. Most likely UDP packets >
>> MTU size. Since the IP ID field is not tracked in a v5 Netflow record,
>> the router cannot map a fragmented packet to the appropriate flow,
>> and simply creates a flow with port '0'.
>
> Well, that would be for _port_ 0 traffic, with either TCP or UDP in the
> protocol field, wouldn't it? OP's traffic is "protocol 0", so IMHO Scott's
> point about flow mask is the best bet.
>
> Regards,
> Peter

To provide closure to the question: Scott's suggestion does work, but not
when the router is doing NAT.