[c-nsp] Sup2T / EARL8 Netflow oddities

Jeroen van Ingen jeroen at zijndomein.nl
Mon Apr 29 09:26:47 EDT 2013


Hi,

Our university upgraded from Cat6k/Sup720-3B to Cat6k/Sup2TXL a while
ago. Recently a few researchers who use our NetFlow data noticed that
the NetFlow exports sometimes contain strange values: there are flow
records with a negative duration (flow end before flow start time) and
some exported flows are far (>1 month) in the past or future.

We're currently running IOS 15.1(1)SY. Has anyone else noticed something
similar?

If anyone wants to check their NetFlow v9 exports: Wireshark will show
flowsets containing flow records with negative duration when using the
display filter 'cflow.timedelta < 0'.


Regards,

Jeroen van Ingen
ICT Service Centre
University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands
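
As an added example (not part of the original post), the same check done outside Wireshark: a minimal NetFlow v9 parser in Python that flags records whose LAST_SWITCHED precedes FIRST_SWITCHED, or whose timestamps lie more than 30 days from the export packet's sysUptime. The function names, the 30-day threshold and the sample packet are assumptions constructed for illustration.

```python
import struct
LAST_SWITCHED, FIRST_SWITCHED = 21, 22   # RFC 3954 field types (sysUptime, ms)
MONTH_MS = 30 * 24 * 3600 * 1000         # assumed cut-off for "far off" flows

def check_v9(packet, templates):
    """Return [(record_no, first_ms, last_ms, reason)]; keep `templates` across packets."""
    ver, _n, uptime, _secs, _seq, src = struct.unpack_from("!HHIIII", packet)
    if ver != 9:
        raise ValueError("not a NetFlow v9 packet")
    found, off, rec_no = [], 20, 0
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            break                                    # truncated or malformed flowset
        body, pos = packet[off + 4:off + fs_len], 0
        while fs_id == 0 and pos + 4 <= len(body):   # template flowset: learn layouts
            tid, n = struct.unpack_from("!HH", body, pos)
            if tid < 256 or pos + 4 + 4 * n > len(body):
                break                                # padding or truncated template
            templates[(src, tid)] = [struct.unpack_from("!HH", body, pos + 4 + 4 * i) for i in range(n)]
            pos += 4 + 4 * n
        fields = templates.get((src, fs_id), []) if fs_id >= 256 else []
        rec_len = sum(length for _, length in fields)
        starts = range(0, len(body) - rec_len + 1, rec_len) if rec_len else ()
        for start in starts:                         # data flowset: decode each record
            vals, p = {}, start
            for ftype, length in fields:
                vals[ftype] = int.from_bytes(body[p:p + length], "big")
                p += length
            rec_no += 1
            first, last = vals.get(FIRST_SWITCHED), vals.get(LAST_SWITCHED)
            if None in (first, last):
                continue
            if last < first:
                found.append((rec_no, first, last, "negative duration"))
            if max(abs(uptime - first), abs(uptime - last)) > MONTH_MS:
                found.append((rec_no, first, last, "over 30 days from export"))
        off += fs_len
    return found

def sample_packet():  # constructed input: template 256 (FIRST, LAST) plus three records
    up = 4_000_000_000
    recs = [(up - 5000, up - 1000),                     # normal flow
            (up - 1000, up - 5000),                     # ends before it starts
            (up - 3_000_000_000, up - 2_999_999_000)]   # about 34.7 days before export
    data = b"".join(struct.pack("!II", f, l) for f, l in recs)
    return (struct.pack("!HHIIII", 9, 4, up, 1367242007, 1, 0)
            + struct.pack("!8H", 0, 16, 256, 2, FIRST_SWITCHED, 4, LAST_SWITCHED, 4)
            + struct.pack("!HH", 256, 4 + len(data)) + data)
```

Both timestamps are 32-bit sysUptime values in milliseconds, which wrap roughly every 49.7 days, so hits from an exporter whose uptime is near a wrap need a manual look.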



