Netflow v9 ipv6

Carter Bullard carter at qosient.com
Fri Apr 3 11:12:00 EDT 2015 

Hey Eric,
I need a bunch more Netflow v9 data than the nfdump.pcap we're using.
Any chance you can save something bigger !!!
Thanks !!!
Carter

> On Apr 2, 2015, at 6:16 PM, Eric Camirand <techr at nexweb.ca> wrote:
> 
> Carter,
> 
> Still seeing Ipv4 address in Ipv6 format and sometime the source port is missing.
> 
> 10:35:53.768000 N tcp 53a4:7dce::ff:ffff ?> 6b46:ab51::fe:ffff.24580 1 1500   INT
> 
> Thanks !
> 
> Eric
> 
>> On Apr 2, 2015, at 4:53 PM, Carter Bullard <carter at qosient.com> wrote:
>> 
>> Hey Eric,
>> With regard to the protocol and port numbers.  This new file should fix those.
>> Sorry for the staged testing !!!!
>> Carter
>> 
>> <argus_import.c>
>> 
>>> On Apr 2, 2015, at 4:44 PM, Carter Bullard <carter at qosient.com> wrote:
>>> 
>>> My bad !!!!  Found the problem.  Add this line:
>>> 
>>> thoth:common carter$ p4 diff ...
>>> ==== //depot/argus/clients/common/argus_import.c#24 - /Volumes/Users/carter/argus/clients/common/argus_import.c ====
>>> 1642a1643
>>>>                ArgusParsingIPv6 = 0;
>>> 
>>> 
>>> Here is the complete file, with the fix.
>>> Carter
>>> 
>>> <argus_import.c>
>>>> On Apr 2, 2015, at 4:36 PM, Eric Camirand <techr at nexweb.ca> wrote:
>>>> 
>>>> Hey Carter,
>>>> 
>>>> Ipv4 address appear as Ipv6. This entry should be ipv4 :
>>>> 
>>>> 10:36:17.584000 N ip 53a4:7dce:3c6a:ab* -> :: 1 1500   REQ
>>>> 
>>>> Ipv6 look ok.
>>>> 
>>>> 10:36:17.576000 N ip 2001:db8:1::220 -> 2602:ffea:1001:11* 1 1500   REQ
>>>> 
>>>> For both entry, protocol and port informations are lost.
>>>> 
>>>> 
>>>> Eric
>>>> 
>>>> 
>>>>> On Apr 2, 2015, at 3:56 PM, Eric Camirand <techr at nexweb.ca> wrote:
>>>>> 
>>>>> Carter,
>>>>> 
>>>>> Please replace k_CiscoV9IPV6SrcMask by k_CiscoV9IPv6SrcMask in your file.
>>>>> 
>>>>> I will get back to you soon with a test result.
>>>>> 
>>>>> Thanks,
>>>>> 
>>>>> 
>>>>> Eric
>>>>> 
>>>>>> On Apr 2, 2015, at 3:39 PM, Carter Bullard <carter at qosient.com> wrote:
>>>>>> 
>>>>>> Gentle people,
>>>>>> I think I have a fix for netflow v9 ipv6 import. If you could test the mods, replace your clients ./common/argus_import.c with the included one, recompile, that then check out ra.1 to see if you can now read some IPv6 Netflow v9 data, that would be great !!!
>>>>>> 
>>>>>> Thanks,
>>>>>> 
>>>>>> Carter
>>>>>> 
>>>>>> <argus_import.c>
> 
>

More information about the argus mailing list