
Netflow SNMP with cnfTopFlowsDstAddress Issue

adelaorra4
Level 1

Hey everyone,

So I have been looking to query some Netflow MIBs to get Top-Talker statistics without logging into the routers themselves.  I have come across a strange issue where a particular OID, cnfTopFlowsDstAddress (1.3.6.1.4.1.9.9.387.1.7.8.1.6) does not return a valid value.  The issue is inconsistent however.  The OID in question should only ever return a hex-string that represents an IP address from what I know.  Every once in a while, I get a normal string value that's invalid.  See below:

...

CISCO-NETFLOW-MIB::cnfTopFlowsDstAddress.1 = Hex-STRING: 0A 45 3E FE
CISCO-NETFLOW-MIB::cnfTopFlowsDstAddress.2 = Hex-STRING: 0A 45 09 B2
CISCO-NETFLOW-MIB::cnfTopFlowsDstAddress.3 = STRING: "
E ~"

...

I am doing an snmpwalk command from a Linux node.  It's querying a 3825 with IOS Version 12.4(15)T8.

I have not seen anything on the internet from my extensive Google searches about this issue.  Any guidance would be appreciated!


Hi,

It doesn't seem to be an error.

As per the table, you are querying "cnfTopFlowsDstAddress", which, in your case, presents a value for .1 and .2 and returns a hex address.

Then it queries .3 and it returns a STRING value "E ~". I did not find what exactly this string means, but it could be, for example, an empty value. Or no address.

 

What you can do is specify the address:

snmpwalk -c 'community' -v2c 'ip address' 1.3.6.1.4.1.9.9.387.1.7.8.1.6.1

snmpwalk -c 'community' -v2c 'ip address' 1.3.6.1.4.1.9.9.387.1.7.8.1.6.2

workstation% snmpwalk -c public -m all -v2c 10.4.9.62 cnfTopFlowsTable
CISCO-NETFLOW-MIB::cnfTopFlowsSrcAddressType.1 = INTEGER: ipv4(1)
CISCO-NETFLOW-MIB::cnfTopFlowsSrcAddress.1 = Hex-STRING: 0A 04 09 08 
CISCO-NETFLOW-MIB::cnfTopFlowsSrcAddressMask.1 = Gauge32: 0
CISCO-NETFLOW-MIB::cnfTopFlowsDstAddressType.1 = INTEGER: ipv4(1)
CISCO-NETFLOW-MIB::cnfTopFlowsDstAddress.1 = Hex-STRING: 0A 04 09 A7 
CISCO-NETFLOW-MIB::cnfTopFlowsDstAddressMask.1 = Gauge32: 0
CISCO-NETFLOW-MIB::cnfTopFlowsNhAddressType.1 = INTEGER: ipv4(1)
CISCO-NETFLOW-MIB::cnfTopFlowsNhAddress.1 = Hex-STRING: 00 00 00 00 
CISCO-NETFLOW-MIB::cnfTopFlowsSrcPort.1 = Gauge32: 32773
CISCO-NETFLOW-MIB::cnfTopFlowsDstPort.1 = Gauge32: 161
CISCO-NETFLOW-MIB::cnfTopFlowsSrcAS.1 = Gauge32: 0
CISCO-NETFLOW-MIB::cnfTopFlowsDstAS.1 = Gauge32: 0
CISCO-NETFLOW-MIB::cnfTopFlowsInputIfIndex.1 = INTEGER: 1
CISCO-NETFLOW-MIB::cnfTopFlowsOutputIfIndex.1 = INTEGER: 0
CISCO-NETFLOW-MIB::cnfTopFlowsFirstSwitched.1 = Timeticks: (12073160) 1 day, 9:32:11.60
CISCO-NETFLOW-MIB::cnfTopFlowsLastSwitched.1 = Timeticks: (12073160) 1 day, 9:32:11.60
CISCO-NETFLOW-MIB::cnfTopFlowsTOS.1 = Gauge32: 0
CISCO-NETFLOW-MIB::cnfTopFlowsProtocol.1 = Gauge32: 17
CISCO-NETFLOW-MIB::cnfTopFlowsTCPFlags.1 = Gauge32: 16
CISCO-NETFLOW-MIB::cnfTopFlowsSamplerID.1 = Gauge32: 0
CISCO-NETFLOW-MIB::cnfTopFlowsClassID.1 = Gauge32: 0
CISCO-NETFLOW-MIB::cnfTopFlowsFlags.1 = Gauge32: 0
CISCO-NETFLOW-MIB::cnfTopFlowsBytes.1 = Gauge32: 75
CISCO-NETFLOW-MIB::cnfTopFlowsPackets.1 = Gauge32: 1

 -If I helped you somehow, please, rate it as useful.-

 

From the Cisco SNMP Object Navigator, 1.3.6.1.4.1.9.9.387.1.7.8.1.6 will have (10) items under it as per the 10 rows from the top talkers report and they should all be an IP address, the destination IP address per the top-talkers report on the router.

http://snmp.cloudapps.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Translate&objectInput=1.3.6.1.4.1.9.9.387.1.7.8.1.6#oidContent

Also, they aren't blank values.  I have two sanitized reports pasted in below.  The first one is a top-talkers report directly from the router.  The second one is an snmpwalk from a Linux node, querying just the destination IP addresses from the same router at the same time as the top-talkers report.  The destination addresses should match in both.

***************************************************************************************

RT01#sho ip flow top-talkers

SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
MF1.1 <publicIP> Vl1* 10.69.62.192 06 01BD FFAD 374M
MF1.1 <publicIP> Vl1* 10.69.9.169 06 0A26 C883 14M
Vl1 <publicIP> MF1.1 <publicIP> 06 FFAD 01BD 7412K
MF1.1 <publicIP> Vl1* 10.69.9.186 06 0A26 D092 5962K
MF1.1 <publicIP> Vl1* 10.69.4.80 06 0A26 E530 4494K
MF1.1 <publicIP> Vl1* 10.69.9.109 06 0A26 D27B 3869K
MF1.1 <publicIP> Vl1* 10.69.10.107 06 0A26 EC0D 3345K
MF1.1 <publicIP> Vl1* 10.69.9.129 06 0A26 DB6F 3194K
MF1.1 <publicIP> Vl1* 10.69.4.108 06 0A26 F09B 3074K
MF1.1 <publicIP> Vl1* 10.69.9.119 06 0A26 F526 2859K
10 of 10 top talkers shown. 605 flows processed.

***************************************************************************************

13:59:18 # snmpwalk -v 3 -l authPriv -u <user> -a SHA -A <secret> -x AES -X <secret> <RT IP> 1.3.6.1.4.1.9.9.387.1.7.8.1.6
CISCO-NETFLOW-MIB::cnfTopFlowsDstAddress.1 = Hex-STRING: 0A 45 3E C0
CISCO-NETFLOW-MIB::cnfTopFlowsDstAddress.2 = Hex-STRING: 0A 45 09 A9
CISCO-NETFLOW-MIB::cnfTopFlowsDstAddress.3 = Hex-STRING: <publicIP>
CISCO-NETFLOW-MIB::cnfTopFlowsDstAddress.4 = Hex-STRING: 0A 45 09 BA
CISCO-NETFLOW-MIB::cnfTopFlowsDstAddress.5 = Hex-STRING: 0A 45 04 50
CISCO-NETFLOW-MIB::cnfTopFlowsDstAddress.6 = STRING: "
E m"
CISCO-NETFLOW-MIB::cnfTopFlowsDstAddress.7 = STRING: "
E
k"
CISCO-NETFLOW-MIB::cnfTopFlowsDstAddress.8 = Hex-STRING: 0A 45 09 81
CISCO-NETFLOW-MIB::cnfTopFlowsDstAddress.9 = Hex-STRING: 0A 45 04 6C
CISCO-NETFLOW-MIB::cnfTopFlowsDstAddress.10 = STRING: "
E w"

 

I have also tried querying the same OIDs using SNMPv2c and also from different Linux nodes with no difference seen.
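
Added example (not part of the thread): the `STRING` rows are consistent with net-snmp's display rule, which prints an OCTET STRING as quoted text whenever every byte is printable or whitespace. 10.69.9.109 is bytes 0A 45 09 6D, that is newline, `E`, tab, `m`. The Python sketch below decodes both renderings from saved snmpwalk output; the sample input is constructed from rows 5 to 7 above with the tab and newline bytes restored, and `decode_addresses` is a hypothetical helper name.

```python
import ipaddress
import re

# Constructed sample: rows 5-7 of the walk above, with the real newline/tab
# bytes restored inside the quoted STRING values.
SAMPLE = (
    'CISCO-NETFLOW-MIB::cnfTopFlowsDstAddress.5 = Hex-STRING: 0A 45 04 50 \n'
    'CISCO-NETFLOW-MIB::cnfTopFlowsDstAddress.6 = STRING: "\nE\tm"\n'
    'CISCO-NETFLOW-MIB::cnfTopFlowsDstAddress.7 = STRING: "\nE\nk"\n'
)

# One varbind: either a hex dump on a single line, or a quoted string that may
# span several lines because the address bytes include 0x0A (newline).
VARBIND = re.compile(
    r'^\S+\.(?P<idx>\d+) = (?:'
    r'Hex-STRING: (?P<hex>[0-9A-Fa-f]{2}(?: [0-9A-Fa-f]{2})*) *$'
    r'|STRING: "(?P<text>(?:[^"\\]|\\.)*)")',
    re.MULTILINE | re.DOTALL,
)


def decode_addresses(walk_output):
    """Return {row index: IPv4Address, or raw bytes if not 4 octets long}."""
    rows = {}
    for m in VARBIND.finditer(walk_output):
        if m.group('hex') is not None:
            raw = bytes.fromhex(m.group('hex'))
        else:
            # net-snmp backslash-escapes '"' and '\' inside quoted strings.
            text = re.sub(r'\\(.)', r'\1', m.group('text'), flags=re.DOTALL)
            raw = text.encode('latin-1')
        rows[int(m.group('idx'))] = (
            ipaddress.IPv4Address(raw) if len(raw) == 4 else raw
        )
    return rows


if __name__ == '__main__':
    for idx, addr in sorted(decode_addresses(SAMPLE).items()):
        print(idx, addr)
```

Passing `-Ox` to snmpwalk makes net-snmp print every string value in hex, which removes the ambiguity before any parsing is needed.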

telefoniaswiss
Level 1

I'm having the same issue but with srcAddresses. Didn't find a solution yet.