Cisco netflow with nfsen/nfdump

network-engineering cisco router netflow
2022-02-25 04:20:55

We have a Cisco ASR1000 router with the following configuration:

    flow record netflow-record
     match transport tcp destination-port
     match transport tcp source-port
     match transport udp destination-port
     match transport udp source-port
     match ipv4 destination address
     match ipv4 source address
     collect counter bytes
     collect counter packets
    !
    !
    flow exporter netflow-exporter
     description Netflow-Exporter
     destination xx.xx.xx.xx
     source TenGigabitEthernet0/0/0
     transport udp 9995
    !
    !
    flow monitor netflow-monitor
     exporter netflow-exporter
     cache timeout active 60
     record netflow-record
    !
    interface TenGigabitEthernet0/3/0
     description foo
     ip address 66.xx.xx.66 255.255.255.252
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow monitor netflow-monitor input
    !

nfsen:

It is running and I can see data in the directory:

    [root@netflow 30]# ls -l /data/nfsen/profiles-data/live/r1/2016/06/30
    total 168
    -rw-r--r--. 1 netflow apache   276 Jun 30 15:40 nfcapd.201606301535
    -rw-r--r--. 1 netflow apache   276 Jun 30 15:45 nfcapd.201606301540
    -rw-r--r--. 1 netflow apache   276 Jun 30 15:50 nfcapd.201606301545
    -rw-r--r--. 1 netflow apache   276 Jun 30 15:55 nfcapd.201606301550
    -rw-r--r--. 1 netflow apache   276 Jun 30 16:00 nfcapd.201606301555
    -rw-r--r--. 1 netflow apache   276 Jun 30 16:05 nfcapd.201606301600

But when I open the data, I see the wrong date 1969-12-31 and the ports are 0. Is this related to the cisco netflow settings?

    [root@netflow 30]# nfdump -M /data/nfsen/profiles-data/live/r1  -T  -r nfcapd.201606301715 -a -c 10
    Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
    1969-12-31 19:00:00.000     0.000     0    176.61.183.77:0     ->     xx.xx.xx.98:0           56     2688     1
    1969-12-31 19:00:00.000     0.000     0    187.23.16.207:0     ->    xx.xx.xx.171:0           81     2349     1
    1969-12-31 19:00:00.000     0.000     0    187.23.16.207:0     ->     xx.xx.xx.39:0            2       58     1
    1969-12-31 19:00:00.000     0.000     0    187.23.16.207:0     ->    xx.xx.xx.239:0           81     2349     1
    1969-12-31 19:00:00.000     0.000     0    169.228.66.91:0     ->     xx.xx.xx.62:0            1       40     1

Edit:

My cisco flow cache is also empty. How is that possible?

    r1#show ip cache flow
    IP packet size distribution (0 total packets):
       1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
       .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

        512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
       .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

    IP Flow Switching Cache, 0 bytes
      0 active, 0 inactive, 0 added
      0 ager polls, 0 flow alloc failures
      Active flows timeout in 30 minutes
      Inactive flows timeout in 15 seconds
      last clearing of statistics never
    Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
    --------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow

    SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts

    r1#
1 Answer

Solution

Add the following to the flow record. It will not work with ipfix, but it does with Netflow-v9:

    collect timestamp sys-uptime first
    collect timestamp sys-uptime last

Enable Netflow-v9 on the exporter.
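Added example, not part of the question or the answer: a minimal NetFlow v9 template parser that shows why the missing `collect timestamp` lines produce the 1969-12-31 dates. Without field types 22 (FIRST_SWITCHED) and 21 (LAST_SWITCHED), which are the standard RFC 3954 types those two `collect` statements export, the collector has no flow start/end time and nfdump prints Unix epoch 0 (19:00 on 1969-12-31 in a UTC-5 timezone). The two packets are constructed inline, one mirroring the question's record and one with the answer's fix applied.

```python
import struct

# NetFlow v9 field types (RFC 3954) that the question's record exports or, after the fix, should
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR",
               11: "L4_DST_PORT", 12: "IPV4_DST_ADDR", 21: "LAST_SWITCHED", 22: "FIRST_SWITCHED"}
TIMESTAMP_FIELDS = {21, 22}  # what "collect timestamp sys-uptime last/first" adds

def parse_v9_templates(packet):
    """Return {template_id: [field_type, ...]} for every template flowset in one v9 packet."""
    version = struct.unpack("!H", packet[:2])[0]
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    templates, offset = {}, 20  # the v9 header is 20 bytes; flowsets follow it
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack("!HH", packet[offset:offset + 4])
        if length < 4:
            raise ValueError("malformed flowset length")  # avoids an infinite loop
        if flowset_id == 0:  # template flowset; data flowsets (id >= 256) are skipped here
            pos, end = offset + 4, offset + length
            while pos + 4 <= end:
                template_id, field_count = struct.unpack("!HH", packet[pos:pos + 4])
                pos += 4
                fields = []
                for _ in range(field_count):
                    fields.append(struct.unpack("!HH", packet[pos:pos + 4])[0])  # keep type, drop length
                    pos += 4
                templates[template_id] = fields
        offset += length
    return templates

def missing_timestamps(fields):
    """Timestamp types absent from a template; a non-empty result means nfdump prints epoch 0."""
    return sorted(TIMESTAMP_FIELDS - set(fields))

def build_template_packet(template_id, fields):
    """Constructed sample: a v9 packet carrying a single template flowset (offline test data)."""
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", ftype, flen) for ftype, flen in fields)
    header = struct.pack("!HHIIII", 9, 1, 123456, 1467300000, 1, 0)  # version, count, uptime, secs, seq, source
    return header + struct.pack("!HH", 0, 4 + len(body)) + body

# Template as the question's record exports it: addresses, ports, counters, but no timestamps
BROKEN = build_template_packet(256, [(8, 4), (12, 4), (7, 2), (11, 2), (1, 4), (2, 4)])
# Same record after the answer's fix: FIRST_SWITCHED and LAST_SWITCHED appended
FIXED = build_template_packet(257, [(8, 4), (12, 4), (7, 2), (11, 2), (1, 4), (2, 4), (22, 4), (21, 4)])

if __name__ == "__main__":
    for tid, fields in {**parse_v9_templates(BROKEN), **parse_v9_templates(FIXED)}.items():
        print(tid, "missing", [FIELD_NAMES[t] for t in missing_timestamps(fields)])
```

Pointing the same parser at a real capture of the exporter's UDP 9995 traffic (after updating the router's record) is a quick way to confirm the template now carries both timestamp fields before waiting for nfsen's next five-minute file.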