Re: Netflow v9 "Bad Packets" w/NTOP

niversen · ‎02-18-2010

I am trying to visualize the Netflow output of my Nexus 1000V using NTOP, among other tools. I am seeing flows from the Nexus, but the data is not correct. There appear to be two issues:

1) I see the "Bad v9 Packets" counter incrementing. In my lab, the only v9 source is the Nexus. This may be due to the flow set count field in the Netflow packets. It sometimes doesn't say how many flow sets there actually are, and I think this is causing them to be marked as "bad".


2) The data displayed is incorrect.  Even when transferring multiple GB of data across the 1000V, I see graphs in bytes.

This seems to be because the v9 packets are not reporting correct times for certain fields.  The Netflow V9 spec (RFC 3954) lists:

                                           sysUptime in msec at which
   LAST_SWITCHED                21   4     the last packet of this
                                           Flow was switched

                                           sysUptime in msec at which
   FIRST_SWITCHED               22   4     the first packet of this
                                           Flow was switched


But the Nexus sets these fields to sysUptime/1000. There is another sysUpTime in
the flow packet, which is set correctly to the millisecond unit.  I think the difference is causing results to be off by 1000 in my display.

shaagarw · ‎02-19-2010

For issue # 1, Can you please provide the ethereal capture of NetFlow V9 export packets to us. Please do include the packets marked 'Bad' by NTOP.

Also on VSM, can you run following commands and provide the output to us:

a. show running-config

b. show flow exporter

For issue # 2, We would be providing a fix for this in our next release. However, I would like to know which release are you using.

Thanks,

-Shachi

niversen · ‎02-22-2010

Here the capture of the netflow packets and some screenshots from NTOP. The only v9 source is the Nexus, and the Bad Packets increment as data flows, albeit slowly. During the capture period, I passed more than 1GB of traffic across the Nexus, but that doesn't seem to be reflected.

niversen · ‎02-23-2010

Software
loader:    version 1.2(2) [last: image booted through mgmt0]
kickstart: version 4.0(4)SV1(2)
system:    version 4.0(4)SV1(2)
kickstart image file is:
kickstart compile time: 9/22/2009 2:00:00
system image file is:    bootflash:/nexus-1000v-mz.4.0.4.SV1.2.bin
system compile time:     9/22/2009 2:00:00 [12/09/2009 18:21:33]

Hardware
Cisco Nexus 1000V Chassis ("Virtual Supervisor Module")
Intel(R) Xeon(R) CPU with 2075012 kB of memory.
Processor Board ID T5056BC5A5B

Device name: mkt-lab
bootflash: 2332296 kB

Kernel uptime is 21 day(s), 0 hour(s), 8 minute(s), 31 second(s)

plugin
Core Plugin, Ethernet Plugin

santhj · ‎03-18-2010

Hi,

I think this is not a problem with Netflow. Whatever the packet capture tool is not capturing complete information of packets.

Please look at Frame information of every packet

1) Frame 1 (222 bytes on wire, 90 bytes captured)

2) Frame 2 (222 bytes on wire, 90 bytes captured)

3) Frame 3 (110 bytes on wire, 90 bytes captured)

---> Actuall Netflow Flowset len - 48 bytes in this frame.

Since packet capture tool capture only 90 bytes of data last 20 bytes of netflow flowset data doe n't shown

....

54) Frame 54 (110 bytes on wire, 90 bytes captured)

With Regards

Santhan

niversen · ‎03-25-2010

Yes, sorry the capture was truncated. I'll redo it. First I have to get another license... my beta license has expired.... Will post here when done.

niversen · ‎04-16-2010

License fixed, but my setup has gone very south - see thread on not being able to delete DVS. I have to rebuild the lab. This is easy to reproduce, but I won't be able to until next week sometime.