
Comments (7)

phaag commented on July 30, 2024

Can you explain what's wrong with the output and why it's an nfdump issue?

from nfdump.

thezoggy commented on July 30, 2024

The ASN reported in the output is not a valid ASN? 4294967295


phaag commented on July 30, 2024

Well, it's a private and valid AS. Why do you think it's an nfdump issue? You did not explain the setup and the command line you used, nor why you think this could be a bug.


phaag commented on July 30, 2024

It's 0xFFFFFFFF, the max value for a 32-bit AS number.


thezoggy commented on July 30, 2024

I was just looking at traffic towards a prefix with nfsen, top N by dst ASN:

nfdump -M /data/nfsen/profiles-data/live/<routers>:<routers+>  -T  -R 2023/07/09/nfcapd.202307090000:2023/07/09/nfcapd.202307090030 -n 10 -s dstas/flows 'proto udp and dst net 185.230.60.0/22'

As noted, sadly I do not have the nfcapd data to pull out and dig into for more info.

Mainly just bringing it up in case others see it or you've seen it before, as I've personally never seen it show up, except that I know we drop bogon ASNs on ingress (which of course wouldn't matter for NetFlow ingress):

    policy-statement bogon-asn-in {
        term drop-bogon-asns {
            from {
                as-path-group bogon-asns;
            }
            then reject;
        }
    }
    as-path-group bogon-asns {
        as-path reserved0 ".* 0 .*";
        as-path as_trans ".* 23456 .*";
        as-path reserved1 ".* [64496-131071] .*";
        as-path reserved2 ".* [4200000000-4294967295] .*";
    }

Just looking network-wide for dst as gt 4200000000 in an earlier time bucket, I do see quite a few flows:

... -r 2023/07/30/nfcapd.202307300835 -o 'fmt:%ts %ra - %pr %sas -> %das %fl' -c 50000 'dst as gt 4200000000'
Date first seen                Router IP   Proto Src AS    Dst AS Flows
2023-07-30 08:34:47.680      129.250.1.2 - TCP    16509 -> 4294967295     1
2023-07-30 08:34:47.936      129.250.1.2 - TCP    20940 -> 4294967295     1
2023-07-30 08:34:49.216      129.250.1.2 - TCP    16509 -> 4294967295     1
2023-07-30 08:34:49.984      129.250.1.2 - TCP   208136 -> 4294967295     1
2023-07-30 08:34:52.800      129.250.1.2 - TCP    39572 -> 4294967295     1
2023-07-30 08:34:48.448      129.250.1.2 - TCP    20940 -> 4294967295     1
2023-07-30 08:34:54.080      129.250.1.2 - UDP    12353 -> 4294967295     1
2023-07-30 08:34:43.072      129.250.1.2 - TCP    20940 -> 4294967295     1
2023-07-30 08:35:00.224      129.250.1.2 - TCP    20940 -> 4294967295     1
2023-07-30 08:35:01.760      129.250.1.2 - UDP    24309 -> 4294967295     1
2023-07-30 08:35:05.344      129.250.1.2 - TCP    16509 -> 4294967295     1
2023-07-30 08:35:06.368      129.250.1.2 - TCP    16509 -> 4294967295     1
2023-07-30 08:35:08.672      129.250.1.2 - TCP    16509 -> 4294967295     1
...
2023-07-30 08:39:08.032      129.250.1.2 - ICMP6  16509 -> 4294967295     1
2023-07-30 08:39:05.216      129.250.1.2 - UDP     4812 -> 4294967295     1
2023-07-30 08:39:09.568      129.250.1.2 - TCP    16509 -> 4294967295     1
2023-07-30 08:39:10.080      129.250.1.2 - TCP    20940 -> 4294967295     1
2023-07-30 08:39:09.824      129.250.1.2 - TCP    20940 -> 4294967295     1
2023-07-30 08:39:10.336      129.250.1.2 - TCP     1136 -> 4294967295     1
2023-07-30 08:39:14.176      129.250.1.2 - TCP    16509 -> 4294967295     1
2023-07-30 08:39:13.408      129.250.1.2 - TCP      174 -> 4294967295     1
2023-07-30 08:39:16.992      129.250.1.2 - TCP    20940 -> 4294967295     1
2023-07-30 08:39:18.272      129.250.1.2 - TCP    16509 -> 4294967295     1
2023-07-30 08:38:56.000      129.250.1.2 - TCP    20940 -> 4294967295     1
2023-07-30 08:39:16.224      129.250.1.2 - TCP    20940 -> 4294967295     1
2023-07-30 08:39:10.848      129.250.1.2 - TCP    20940 -> 4294967295     1
...

Looking at another time bucket, I'm seeing some odd ones:

-r 2023/07/30/nfcapd.202307302035 -o 'fmt:%ts %ra - %pr %sas -> %das %fl' -c 5000 'dst as gt 4200000000'
Date first seen                Router IP   Proto Src AS    Dst AS Flows
2023-07-30 20:34:52.544    129.250.0.190 - UDP   4294967295 -> 4294967295     1
2023-07-30 20:35:11.232    129.250.0.190 - UDP   4294967295 -> 4294967295     1
2023-07-30 20:37:10.016     129.250.1.11 - UDP   4294967295 -> 4294967295     1
2023-07-30 20:37:11.552     129.250.1.11 - UDP   4294967295 -> 4294967295     1
2023-07-30 20:37:01.312     129.250.0.54 - ICMP  136907 -> 4294967295     1
2023-07-30 20:34:49.984      129.250.1.2 - TCP    20940 -> 4294967295     1
2023-07-30 20:34:49.216      129.250.1.2 - TCP    16509 -> 4294967295     1
2023-07-30 20:34:48.192      129.250.1.2 - TCP    20940 -> 4294967295     1
...

I will run some tcpdump and capture flows to fact-check whether what nfsen is seeing is actually correct.

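The router policy and the two nfdump queries above amount to a manual bogon-ASN check over flow output. The following is an added example, not nfdump's code and not the poster's: it parses records in the exact `fmt:%ts %ra - %pr %sas -> %das %fl` layout shown above, classifies each source and destination AS against the IANA special-purpose ranges (the same ranges the Junos `as-path-group bogon-asns` matches with regexes, split out by RFC), and counts per exporting router how many flows carry a given destination AS. Note that 4294967295 is reserved by RFC 7300 as the last 32-bit AS number and is not allocatable, which is why it is a convenient marker for "no BGP AS known". The range table and the last two sample records are the example's own; the first three sample records are copied from the thread's output.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Special-purpose ASN ranges (inclusive) per the IANA AS number registry.
# This table belongs to the added example, not to nfdump; the Junos
# as-path-group in the thread matches a superset of it with regexes.
RESERVED_ASN_RANGES: Tuple[Tuple[int, int, str], ...] = (
    (0, 0, "reserved (RFC 7607)"),
    (23456, 23456, "AS_TRANS (RFC 6793)"),
    (64496, 64511, "documentation (RFC 5398)"),
    (64512, 65534, "private use (RFC 6996)"),
    (65535, 65535, "reserved last 16-bit ASN (RFC 7300)"),
    (65536, 65551, "documentation (RFC 5398)"),
    (65552, 131071, "reserved by IANA"),
    (4200000000, 4294967294, "private use (RFC 6996)"),
    (4294967295, 4294967295, "reserved last 32-bit ASN (RFC 7300)"),
)


def classify_asn(asn: int) -> Optional[str]:
    """Return the reservation label for a bogon ASN, or None if the
    number is an ordinary allocatable AS number."""
    if not 0 <= asn <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit AS number: {asn}")
    for lo, hi, label in RESERVED_ASN_RANGES:
        if lo <= asn <= hi:
            return label
    return None


# One record of nfdump output for -o 'fmt:%ts %ra - %pr %sas -> %das %fl'.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<router>\S+)\s+-\s+(?P<proto>\S+)\s+"
    r"(?P<sas>\d+)\s+->\s+(?P<das>\d+)\s+(?P<flows>\d+)\s*$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one output record; the header line and '...' return None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sas", "das", "flows"):
        rec[key] = int(rec[key])
    return rec


def flag_bogon_flows(lines: List[str]) -> List[Tuple[dict, Optional[str], Optional[str]]]:
    """Records whose source or destination AS falls in a reserved range,
    with the matching label for each side (None when the side is clean)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst = classify_asn(rec["sas"]), classify_asn(rec["das"])
        if src or dst:
            hits.append((rec, src, dst))
    return hits


def count_dst_as(lines: List[str], asn: int = 0xFFFFFFFF) -> Dict[str, int]:
    """Flows per exporting router whose destination AS equals `asn`
    (default: the 4294967295 value seen in the thread)."""
    per_router: Dict[str, int] = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["das"] == asn:
            per_router[rec["router"]] += rec["flows"]
    return dict(per_router)


# Sample input: the first three records are copied from the thread's output;
# the last two are constructed for this example.
SAMPLE_OUTPUT = """\
Date first seen                Router IP   Proto Src AS    Dst AS Flows
2023-07-30 20:34:52.544    129.250.0.190 - UDP   4294967295 -> 4294967295     1
2023-07-30 20:37:01.312     129.250.0.54 - ICMP  136907 -> 4294967295     1
2023-07-30 20:34:49.984      129.250.1.2 - TCP    20940 -> 4294967295     1
2023-07-30 20:34:50.000      129.250.1.2 - TCP    16509 -> 2914     3
2023-07-30 20:34:51.000      129.250.1.2 - TCP    65000 -> 2914     1
"""

if __name__ == "__main__":
    for rec, src, dst in flag_bogon_flows(SAMPLE_OUTPUT.splitlines()):
        print(f"{rec['ts']} {rec['router']:>15} {rec['proto']:<5} "
              f"{rec['sas']} -> {rec['das']}  src={src}  dst={dst}")
    print(count_dst_as(SAMPLE_OUTPUT.splitlines()))
```

Run it as `nfdump ... -o 'fmt:%ts %ra - %pr %sas -> %das %fl' | python3 this.py` after swapping `SAMPLE_OUTPUT` for `sys.stdin`; the per-router count is the quickest way to see whether the placeholder AS comes from every exporter or only from the ones facing non-BGP customers.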

thezoggy commented on July 30, 2024

Looking around, it looks like it's only some v6<>v6 traffic that shows up this way.
[Screenshot: 2023-07-30 8:30:58 PM]

Taking a packet capture of the NetFlow coming in, I see the same thing there as well.
[Screenshot: 2023-07-30 8:37:00 PM]

Even in the pcap I see stuff from this ASN v6 to other v6 just fine, as well as other src ASN v6<>v6 with it. Tomorrow I will take some pcaps from the vendor itself to see from there.

OK, it looks like it's traffic that goes to a v6 customer that doesn't use BGP, just a v6 NA/ND setup, so there is no actual dst ASN... so I'm guessing the value is just used as a placeholder or something.


phaag commented on July 30, 2024

OK, I see then; it's a general question and not a bug of nfdump :) I guess you have to check that with your router vendor, unless someone else has an answer.
Please add general questions to the discussion board and not to the issue section, as this is meant to deal with nfdump issues. I will move this to the discussion board.

