List: ntop
Subject: RE: [Ntop] cisco 6509 and ntop
From: "Burton Strauss" <Burton () ntopSupport ! com>
Date: 2005-09-15 13:17:21
Message-ID: 0MKoyl-1EFtaN05zw-0004YI () mrelay ! perfora ! net
ntop collapses everything into a generic record, largely a V5:
struct generic_netflow_record {
  /* v5 */
  u_int32_t srcaddr;    /* Source IP Address */
  u_int32_t dstaddr;    /* Destination IP Address */
  u_int32_t nexthop;    /* Next hop router's IP Address */
  u_int16_t input;      /* Input interface index */
  u_int16_t output;     /* Output interface index */
  u_int32_t sentPkts, rcvdPkts;
  u_int32_t sentOctets, rcvdOctets;
  u_int32_t First;      /* SysUptime at start of flow */
  u_int32_t Last;       /* and of last packet of the flow */
  u_int16_t srcport;    /* TCP/UDP source port number (e.g., FTP, Telnet, etc., or equivalent) */
  u_int16_t dstport;    /* TCP/UDP destination port number (e.g., FTP, Telnet, etc., or equivalent) */
  u_int8_t  tcp_flags;  /* Cumulative OR of tcp flags */
  u_int8_t  prot;       /* IP protocol, e.g., 6=TCP, 17=UDP, etc... */
  u_int8_t  tos;        /* IP Type-of-Service */
  u_int16_t dst_as;     /* dst peer/origin Autonomous System */
  u_int16_t src_as;     /* source peer/origin Autonomous System */
  u_int8_t  dst_mask;   /* destination route's mask bits */
  u_int8_t  src_mask;   /* source route's mask bits */

  /* v9 */
  u_int16_t vlanId;

  /* Latency extensions */
  u_int32_t nw_latency_sec, nw_latency_usec;

  /* VoIP Extensions */
  char sip_call_id[50], sip_calling_party[50], sip_called_party[50];
};
Read through handleGenericFlow() - there's nothing about sequence #s.
-----Burton
_____
From: ntop-bounces@unipi.it [mailto:ntop-bounces@unipi.it] On Behalf Of
Goor, M. van, (ITBE)
Sent: Thursday, September 15, 2005 1:43 AM
To: ntop@Unipi.IT
Subject: RE: [Ntop] cisco 6509 and ntop
I meant the netflow sequences ..., the header has sequence numbers ...
Mike.
_____
From: ntop-bounces@unipi.it [mailto:ntop-bounces@unipi.it] On Behalf Of
Burton Strauss
Sent: Wednesday, 14 September 2005 17:15
To: ntop@unipi.it
Subject: RE: [Ntop] cisco 6509 and ntop
Um... it doesn't. UDP packets don't HAVE sequence numbers, it's a
connectionless protocol.
-----Burton
_____
From: ntop-bounces@unipi.it [mailto:ntop-bounces@unipi.it] On Behalf Of
Goor, M. van, (ITBE)
Sent: Wednesday, September 14, 2005 9:11 AM
To: ntop@Unipi.IT
Subject: [Ntop] cisco 6509 and ntop
Hello,
The cisco 6509 sends 2 netflow streams, both on the same port to a machine
in my network. Now I was unaware that ntop watches sequences and thus
disregards one of the two streams. This led to the unexplainable packet loss
I was talking about the other day. Or at least I think it does.
Maybe people might have similar problems and wanted to report this, but I
was actually more wondering if anyone knows a way to adapt ntop to accept
both streams or is there a way to tell my cisco 6509 to send the streams on
different ports?
Kind regards,
Mike.
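
Added example (not part of the original thread and not ntop code): a collector-side check of the flow_sequence field in the NetFlow v5 header, the sequence numbers Mike refers to, showing how two streams from one address look when tracked with a single counter versus one counter per engine. It assumes the two streams carry different engine_type/engine_id header bytes; nf5_track, nf5_sample and the table types are hypothetical names, and the datagrams are constructed samples.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NF5_HDR_LEN 24   /* NetFlow v5 header size in bytes */
#define NF5_REC_LEN 48   /* NetFlow v5 flow record size in bytes */
#define MAX_STREAMS 16

struct nf5_stream { uint32_t exporter; uint16_t engine; uint32_t next_seq; };
struct nf5_table  { struct nf5_stream s[MAX_STREAMS]; int n; };

static uint32_t rd(const uint8_t *p, int n)    /* big-endian read of n bytes */
{
  uint32_t v = 0;
  while (n--) v = (v << 8) | *p++;
  return v;
}

/* Constructed sample input: a v5 header followed by `count` zeroed records. */
size_t nf5_sample(uint8_t *buf, uint16_t count, uint32_t seq, uint8_t etype, uint8_t eid)
{
  size_t len = NF5_HDR_LEN + (size_t)count * NF5_REC_LEN;
  memset(buf, 0, len);
  buf[1] = 5; buf[2] = (uint8_t)(count >> 8); buf[3] = (uint8_t)count;
  buf[16] = (uint8_t)(seq >> 24); buf[17] = (uint8_t)(seq >> 16);
  buf[18] = (uint8_t)(seq >> 8);  buf[19] = (uint8_t)seq;
  buf[20] = etype; buf[21] = eid;
  return len;
}

/* Returns the flows missed since the stream's previous datagram (0 = in order
   or first seen), -1 if malformed or the table is full.
   per_engine=0 keys the counter on the exporter address only. */
int64_t nf5_track(struct nf5_table *t, uint32_t exporter,
                  const uint8_t *pkt, size_t len, int per_engine)
{
  if (len < NF5_HDR_LEN || rd(pkt, 2) != 5) return -1;
  uint32_t count = rd(pkt + 2, 2), seq = rd(pkt + 16, 4);
  if (count < 1 || count > 30 || len < NF5_HDR_LEN + count * NF5_REC_LEN) return -1;
  uint16_t engine = per_engine ? (uint16_t)rd(pkt + 20, 2) : 0;
  int i;
  for (i = 0; i < t->n; i++)
    if (t->s[i].exporter == exporter && t->s[i].engine == engine) break;
  int64_t missed = 0;
  if (i == t->n) {                          /* first datagram of this stream */
    if (t->n == MAX_STREAMS) return -1;
    t->s[t->n++] = (struct nf5_stream){ exporter, engine, 0 };
  } else {
    missed = (uint32_t)(seq - t->s[i].next_seq);   /* modulo 2^32 */
  }
  t->s[i].next_seq = seq + count;           /* v5: next expected = seq + count */
  return missed;
}
```

With per_engine=0, two interleaved streams from the same address register as thousands of missed flows on every datagram; with per_engine=1 each stream stays in order and only a real gap is counted.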