Comments (7)
Can you explain, what's wrong with the output and why it's an nfdump issue?
from nfdump.
The asn reported in the output is not a valid asn? 4294967295
Well, it's a private and valid AS. Why do you think it's an nfdump issue? You did not explain the setup and the command line you used, as well as why you think this could be a bug.
It's 0xFFFFFFFF the max value for a 32bit ASN number.
I was just looking at traffic towards a prefix with nfsen, but top N towards dst ASN
nfdump -M /data/nfsen/profiles-data/live/<routers>:<routers+> -T -R 2023/07/09/nfcapd.202307090000:2023/07/09/nfcapd.202307090030 -n 10 -s dstas/flows 'proto udp and dst net 185.230.60.0/22'
and as noted, sadly I do not have the nfcapd data to pull out to verify more info to dig into.
mainly just bringing it up in case others see it or you've seen it before, as I've personally never seen it show up, except that I know we drop bogon ASNs on ingress (which of course wouldn't matter for netflow ingress)
policy-statement bogon-asn-in {
    term drop-bogon-asns {
        from {
            as-path-group bogon-asns;
        }
        then reject;
    }
}
as-path-group bogon-asns {
    as-path reserved0 ".* 0 .*";
    as-path as_trans ".* 23456 .*";
    as-path reserved1 ".* [64496-131071] .*";
    as-path reserved2 ".* [4200000000-4294967295] .*";
}
Just looking network-wide for dst as gt 4200000000
for an earlier time bucket, I do see quite a few flows...
... -r 2023/07/30/nfcapd.202307300835 -o 'fmt:%ts %ra - %pr %sas -> %das %fl' -c 50000 'dst as gt 4200000000'
Date first seen Router IP Proto Src AS Dst AS Flows
2023-07-30 08:34:47.680 129.250.1.2 - TCP 16509 -> 4294967295 1
2023-07-30 08:34:47.936 129.250.1.2 - TCP 20940 -> 4294967295 1
2023-07-30 08:34:49.216 129.250.1.2 - TCP 16509 -> 4294967295 1
2023-07-30 08:34:49.984 129.250.1.2 - TCP 208136 -> 4294967295 1
2023-07-30 08:34:52.800 129.250.1.2 - TCP 39572 -> 4294967295 1
2023-07-30 08:34:48.448 129.250.1.2 - TCP 20940 -> 4294967295 1
2023-07-30 08:34:54.080 129.250.1.2 - UDP 12353 -> 4294967295 1
2023-07-30 08:34:43.072 129.250.1.2 - TCP 20940 -> 4294967295 1
2023-07-30 08:35:00.224 129.250.1.2 - TCP 20940 -> 4294967295 1
2023-07-30 08:35:01.760 129.250.1.2 - UDP 24309 -> 4294967295 1
2023-07-30 08:35:05.344 129.250.1.2 - TCP 16509 -> 4294967295 1
2023-07-30 08:35:06.368 129.250.1.2 - TCP 16509 -> 4294967295 1
2023-07-30 08:35:08.672 129.250.1.2 - TCP 16509 -> 4294967295 1
...
2023-07-30 08:39:08.032 129.250.1.2 - ICMP6 16509 -> 4294967295 1
2023-07-30 08:39:05.216 129.250.1.2 - UDP 4812 -> 4294967295 1
2023-07-30 08:39:09.568 129.250.1.2 - TCP 16509 -> 4294967295 1
2023-07-30 08:39:10.080 129.250.1.2 - TCP 20940 -> 4294967295 1
2023-07-30 08:39:09.824 129.250.1.2 - TCP 20940 -> 4294967295 1
2023-07-30 08:39:10.336 129.250.1.2 - TCP 1136 -> 4294967295 1
2023-07-30 08:39:14.176 129.250.1.2 - TCP 16509 -> 4294967295 1
2023-07-30 08:39:13.408 129.250.1.2 - TCP 174 -> 4294967295 1
2023-07-30 08:39:16.992 129.250.1.2 - TCP 20940 -> 4294967295 1
2023-07-30 08:39:18.272 129.250.1.2 - TCP 16509 -> 4294967295 1
2023-07-30 08:38:56.000 129.250.1.2 - TCP 20940 -> 4294967295 1
2023-07-30 08:39:16.224 129.250.1.2 - TCP 20940 -> 4294967295 1
2023-07-30 08:39:10.848 129.250.1.2 - TCP 20940 -> 4294967295 1
...
looking at another time bucket, I'm seeing some odd ones
-r 2023/07/30/nfcapd.202307302035 -o 'fmt:%ts %ra - %pr %sas -> %das %fl' -c 5000 'dst as gt 4200000000'
Date first seen Router IP Proto Src AS Dst AS Flows
2023-07-30 20:34:52.544 129.250.0.190 - UDP 4294967295 -> 4294967295 1
2023-07-30 20:35:11.232 129.250.0.190 - UDP 4294967295 -> 4294967295 1
2023-07-30 20:37:10.016 129.250.1.11 - UDP 4294967295 -> 4294967295 1
2023-07-30 20:37:11.552 129.250.1.11 - UDP 4294967295 -> 4294967295 1
2023-07-30 20:37:01.312 129.250.0.54 - ICMP 136907 -> 4294967295 1
2023-07-30 20:34:49.984 129.250.1.2 - TCP 20940 -> 4294967295 1
2023-07-30 20:34:49.216 129.250.1.2 - TCP 16509 -> 4294967295 1
2023-07-30 20:34:48.192 129.250.1.2 - TCP 20940 -> 4294967295 1
...
I will run some tcpdump and capture flows to fact-check whether what nfsen is seeing is actually correct
looking around, it looks like it's only some v6<>v6 traffic that shows up this way.
taking a packet capture of the netflow coming in, I see the same thing there as well
even in the pcap I see stuff from this ASN v6 to other v6 just fine, as well as other src ASN v6<>v6 with it. tomorrow I will take some pcaps from the vendor itself to see from there
ok, it looks like it's traffic that goes to a v6 customer that doesn't use BGP, just a v6 NA/ND setup, so there is no actual dst ASN... so I'm guessing the value is just used as a placeholder or something.
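As an added illustration (not code from this thread or from nfdump itself), a small Python triage script that parses the `-o 'fmt:%ts %ra - %pr %sas -> %das %fl'` output shown above, tags each source and destination AS against the same reserved ranges the bogon as-path-group uses, and tallies flows per router. The sample lines are constructed after the ones posted in the thread; with it you can see at a glance whether the 4294967295 value shows up only on the destination side (no BGP-learned dst AS) or on both sides.

```python
import re
from collections import Counter

# Reserved / private ASN ranges, mirroring the Junos as-path-group in the thread.
RESERVED_ASN_RANGES = [
    (0, 0, "reserved0"),
    (23456, 23456, "as_trans"),
    (64496, 131071, "reserved1"),
    (4200000000, 4294967295, "reserved2"),
]
AS_UNKNOWN = 0xFFFFFFFF  # 4294967295: reported when the exporter has no AS for the flow

# Matches one line of: %ts %ra - %pr %sas -> %das %fl
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(?P<router>\S+)\s+-\s+"
    r"(?P<proto>\S+)\s+(?P<sas>\d+)\s+->\s+(?P<das>\d+)\s+(?P<flows>\d+)$"
)

# Constructed sample, modeled on the thread's nfdump output (not real captured data).
SAMPLE_OUTPUT = """Date first seen Router IP Proto Src AS Dst AS Flows
2023-07-30 08:34:47.680 129.250.1.2 - TCP 16509 -> 4294967295 1
2023-07-30 08:34:47.936 129.250.1.2 - TCP 20940 -> 4294967295 1
2023-07-30 20:34:52.544 129.250.0.190 - UDP 4294967295 -> 4294967295 1
2023-07-30 20:37:01.312 129.250.0.54 - ICMP 136907 -> 4294967295 1
2023-07-30 20:35:00.000 129.250.1.2 - TCP 16509 -> 174 2
"""

def classify_asn(asn):
    """Return the reserved-range name for asn, or 'public' if it is outside all ranges."""
    for lo, hi, name in RESERVED_ASN_RANGES:
        if lo <= asn <= hi:
            return name
    return "public"

def parse_line(line):
    """Parse one nfdump fmt line into a dict; header or malformed lines return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"router": m["router"], "proto": m["proto"],
            "sas": int(m["sas"]), "das": int(m["das"]), "flows": int(m["flows"])}

def summarize(text):
    """Sum flows per (router, src-AS class, dst-AS class) so placeholder ASNs stand out."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[(rec["router"], classify_asn(rec["sas"]), classify_asn(rec["das"]))] += rec["flows"]
    return counts

if __name__ == "__main__":
    for (router, src_cls, dst_cls), flows in sorted(summarize(SAMPLE_OUTPUT).items()):
        print(f"{router:16} src={src_cls:10} dst={dst_cls:10} flows={flows}")
```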
ok - I see then, it's a general question and not a bug in nfdump :) I guess you have to check that with your router vendor unless someone else has an answer.
Please add general questions to the discussion board and not to the issue section, as this is meant to deal with nfdump issues. I will move this to the discussion board.