[c-nsp] reading HSL/NEL NetFlow/IPFIX streams on ASR [was: Announcement: FlowViewer v4.1]

Luis Miguel Cruz Miranda luismcm at imasd.net
Wed Jun 26 11:10:33 EDT 2013


Yes.

I just tested today nfdump 1.6.10 and it works.
https://github.com/illarionov/nfdump
Compiled and working on Ubuntu 10.04
Dependencies for compilation are available from the official Ubuntu
repository, so they can be installed with just "apt-get install..."

Just one note:
Be aware of the information in the release notes from nfdump: the NSEL
and NEL support (also called HSL) is brand new, so we will probably
face some bugs, hopefully not but... deep tests should be done.

My scenario:
ASR1002-x with XE 3.9
NAT traffic around 20mb
NetFlow traffic to the collector: no more than 80kbps
nfcapd running as daemon
nfcapd files rotated every 5 mins, not compressed by nfcapd
Size for nfcapd files in my scenario: @6Mbytes per file

No stability issues
No performance issues in the test server (p4 at 2.8ghz, with 256 ram),
no other processes running on it.

If you test nfdump, please share experiences.


From the release notes of nfdump:

Stable Release v1.6.10

See the Changelog file for all changes in release 1.6.10

Notes on NSEL/ASA support
-------------------------

nfdump-1.6.9 includes a new NSEL/ASA module, written from scratch.
It's based on the CISCO ASA Spec 8.4:
"Implementation Note for NetFlow Collectors, Version 8.4"
Due to this new implementation, nfdump-1.6.9 is not compatible with old
nfdump-1.5.8-2-NSEL.
To build nfdump, add --enable-nsel to the configure command. By enabling
the ASA/NSEL option, nfdump processes normal flows as well as ASA/NSEL
records likewise. nfcapd adds by default all required NSEL extensions
equivalent to '-Tnsel'

Note on NEL support
-------------------

nfdump-1.6.9 includes a new module for decoding the CISCO NEL (NAT event
logging) records. It's considered to be experimental, as no official
documentation can be found. Let me know otherwise.
To build nfdump, add --enable-nel to the configure command. By enabling
the NEL option, nfdump processes normal flows as well as NEL records
likewise. nfcapd adds by default all required NEL extensions equivalent
to '-Tnel'

Although it's possible to enable NSEL and NEL likewise, users could get
confused by nfdump output, as NSEL output format overwrites NEL format.
In that case you need to explicitly define -o nel.



On 26/06/13 00:45, Tom Lanyon wrote:
> Has anyone found any open-source tools which will receive HSL
> streams from an ASR?
> 
> I've tried numerous for our NAT64 ASR1k devices - and from what I
> remember - whilst they understand and receive the NetFlow v9
> template packets, the data packets are silently discarded as an
> unknown format.
> 
> Tom
> 
> On 26/06/2013, at 6:42 AM, Joe Loiacono <jloiacon at csc.com> wrote:
>> It appears that these ASR logging features export events with a
>> single event time (IPFIX IE #230 for NEL and #323 for HSL). SiLK
>> does not support these fields. Further, FlowViewer relies on
>> typical flow start and end times as well, so I believe the tool
>> will not support these exports.
>> 
>> Joe
>> 
>> 
>>> From: Luis Miguel Cruz Miranda <luismcm at imasd.net>
>>> Does it support HSL or NEL for ASR routers?
> 

-- 
Luis Miguel Cruz Miranda
GPG 0x6C08F418
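
The template/data mismatch discussed in the quoted replies, as an added example (not code from this thread or from nfdump): a Python parser that reads the template FlowSets of a NetFlow v9 packet and reports whether each template carries flow start/end times or only the event IEs #230/#323 mentioned above. The sample packet, template IDs 256/257 and their field layout are constructed for illustration.

```python
import struct

# v9 types 21/22 and IPFIX IEs 152/153 are flow start/end times;
# 230 and 323 are the IE numbers named in the thread for NEL and HSL.
FLOW_TIME_FIELDS = {21, 22, 152, 153}
EVENT_FIELDS = {230, 323}

def parse_templates(packet):
    """Return {template_id: [field_type, ...]} from one NetFlow v9 packet."""
    if len(packet) < 20 or struct.unpack_from("!H", packet)[0] != 9:
        raise ValueError("not a NetFlow v9 export packet")
    templates, off = {}, 20                      # 20-byte v9 header
    while off + 4 <= len(packet):
        set_id, set_len = struct.unpack_from("!HH", packet, off)
        if set_len < 4 or off + set_len > len(packet):
            raise ValueError("FlowSet length runs past the packet")
        pos, end = off + 4, off + set_len
        while set_id == 0 and pos + 4 <= end:    # FlowSet ID 0 = templates
            tid, nfields = struct.unpack_from("!HH", packet, pos)
            if tid < 256:                        # padding, not a template
                break
            pos += 4
            if pos + 4 * nfields > end:
                raise ValueError("template record truncated")
            templates[tid] = [struct.unpack_from("!H", packet, pos + 4 * i)[0]
                              for i in range(nfields)]
            pos += 4 * nfields
        off += set_len
    return templates

def classify(fields):
    """'flow' if start/end times are present, 'event' if only event IEs."""
    seen = set(fields)
    if seen & FLOW_TIME_FIELDS:
        return "flow"
    return "event" if seen & EVENT_FIELDS else "unknown"

def template_record(tid, fields):
    body = b"".join(struct.pack("!HH", t, n) for t, n in fields)
    return struct.pack("!HH", tid, len(fields)) + body

def sample_packet():
    """Constructed packet: one flow-style and one event-style template."""
    recs = (template_record(256, [(8, 4), (12, 4), (22, 4), (21, 4)]) +
            template_record(257, [(8, 4), (225, 4), (230, 1), (323, 8)]))
    flowset = struct.pack("!HH", 0, 4 + len(recs)) + recs
    return struct.pack("!HHIIII", 9, 2, 0, 0, 1, 0) + flowset

if __name__ == "__main__":
    for tid, fields in parse_templates(sample_packet()).items():
        print(tid, fields, classify(fields))
```

Running this against a capture of the exporter's template packets shows which templates a flow-oriented collector has no start/end times for.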
