[c-nsp] Sup2T / EARL8 Netflow oddities

Jeroen van Ingen jeroen at zijndomein.nl
Mon Apr 29 09:26:47 EDT 2013


Our university upgraded from Cat6k/Sup720-3B to Cat6k/Sup2TXL a while
ago. Recently a few researchers who use our NetFlow data noticed that
the NetFlow exports sometimes contain strange values: there are flow
records with a negative duration (flow end before flow start time) and
some exported flows are far (>1 month) in the past or future.

We're currently running IOS 15.1(1)SY. Has anyone else noticed something

If anyone wants to check their NetFlow v9 exports: Wireshark will show
flowsets containing flow records with negative duration when using the
display filter 'cflow.timedelta < 0'.


Jeroen van Ingen
ICT Service Centre
University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands

More information about the cisco-nsp mailing list