Impossible numbers
- snapon_admin
- Posts: 952
- Joined: Mon Jun 10, 2013 10:39 am
- Location: Kenosha, WI
Re: Impossible numbers
Hmm, ok so that looks like it wouldn't really do what we want anyway. All of the traffic I'm trying to look at is going over a LAN to LAN VPN tunnel so all of it hits the external interface on both sides. I don't want to see the total traffic over the tunnel so much as I want to see the top talkers on the circuit. Running a query and aggregating by srcip and dstip shows me this, but the numbers don't add up. This circuit is a 200 Mbps circuit and the top two conversations alone add up to 212 Mbps (in just one example).
- jdalrymple
- Skynet Drone
- Posts: 2620
- Joined: Wed Feb 11, 2015 1:56 pm
Re: Impossible numbers
I still think there is probably something wrong with the flow data. The fact that all fields except the rate fields are broken is strange to me.
Can you tell us what type of device is submitting the data (or what type of devices if there are more than 1?)
- snapon_admin
- Posts: 952
- Joined: Mon Jun 10, 2013 10:39 am
- Location: Kenosha, WI
Re: Impossible numbers
The device I'm currently looking at is a Cisco ASA 5545. This also just came to my attention. The below query is aggregated by srcip and dstip and is for a 40 minute time period on the 24th.
According to this we have almost 40 Gbps on our 200 Mbps line. The top conversation alone says that 6 GB of data was transferred in 1 minute at ~37 Gbps. This is impossible...
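As an added example (not code from this thread or from Nagios Network Analyzer): a small Python sanity check that does what the post above does by eye, aggregating flow records by srcip/dstip and flagging any conversation whose implied bit rate exceeds the 200 Mbps circuit, plus the aggregate rate over the window. The records are a constructed CSV sample that only borrows nfdump's column names (ts, te, sa, da, ibyt); it is not real exporter output.

```python
import csv
import io
from datetime import datetime

# Constructed sample records (not real nfdump/NSEL output); columns borrow nfdump's CSV names.
SAMPLE_FLOWS = """\
ts,te,sa,da,ibyt
2015-06-24 08:40:00,2015-06-24 08:41:00,10.1.1.10,10.2.2.20,6000000000
2015-06-24 08:40:00,2015-06-24 08:41:00,10.1.1.11,10.2.2.21,750000000
2015-06-24 08:40:00,2015-06-24 08:40:30,10.1.1.12,10.2.2.22,45000000
2015-06-24 08:40:30,2015-06-24 08:41:00,10.1.1.12,10.2.2.22,45000000
"""

LINK_BPS = 200_000_000  # the 200 Mbps circuit discussed in the thread

def parse_flows(text):
    """Parse CSV flow records into dicts with datetime start/end and int bytes."""
    fmt = "%Y-%m-%d %H:%M:%S"
    return [{"start": datetime.strptime(r["ts"], fmt),
             "end": datetime.strptime(r["te"], fmt),
             "sa": r["sa"], "da": r["da"], "bytes": int(r["ibyt"])}
            for r in csv.DictReader(io.StringIO(text))]

def aggregate_by_pair(rows):
    """Per (srcip, dstip): total bytes plus earliest start and latest end."""
    agg = {}
    for r in rows:
        key = (r["sa"], r["da"])
        b, s, e = agg.get(key, (0, r["start"], r["end"]))
        agg[key] = (b + r["bytes"], min(s, r["start"]), max(e, r["end"]))
    return agg

def conversation_rates(rows):
    """Bits per second each conversation implies over its own time span."""
    rates = {}
    for key, (b, s, e) in aggregate_by_pair(rows).items():
        secs = max((e - s).total_seconds(), 1.0)  # guard zero-length spans
        rates[key] = b * 8 / secs
    return rates

def implausible_conversations(rows, link_bps=LINK_BPS):
    """Conversations whose rate alone exceeds the link, fastest first."""
    return sorted(((sa, da, bps) for (sa, da), bps in conversation_rates(rows).items()
                   if bps > link_bps), key=lambda t: -t[2])

def total_rate(rows):
    """Aggregate bit rate of all records over the whole observed window."""
    start, end = min(r["start"] for r in rows), max(r["end"] for r in rows)
    return sum(r["bytes"] for r in rows) * 8 / max((end - start).total_seconds(), 1.0)
```

A single conversation that alone exceeds the physical link is a sign the byte fields are being misread, not that the circuit is oversubscribed.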
- jdalrymple
- Skynet Drone
- Posts: 2620
- Joined: Wed Feb 11, 2015 1:56 pm
Re: Impossible numbers
And just to be clear ... there is only 1 device writing to this source?
It may be worthwhile to run the following command:
Code:
nfdump -r /usr/local/nagiosna/var/YOUR_SOURCE_NAME/flows/nfcapd.201506240840 | grep UNREASONABLE_SOURCE_IP | grep UNREASONABLE_DEST_IP

Re: Impossible numbers
In addition to what jdalrymple has mentioned,
Cisco ASA devices typically use NSEL format when sending their 'netflows.' It's possible that the NSEL data is being misread due to nfcapd not being compiled properly with NSEL support. Do you recall manually recompiling nfcapd to support NSEL? If not, it's likely that NSEL isn't currently parsed appropriately on your NNA box.
I recommend giving the following procedure a shot:
Code:
wget http://sourceforge.net/projects/nfdump/files/stable/nfdump-1.6.13/nfdump-1.6.13.tar.gz/download
tar xzf download
cd nfdump-1.6.13/
./configure --enable-sflow --enable-nsel
make
make install

- snapon_admin
- Posts: 952
- Joined: Mon Jun 10, 2013 10:39 am
- Location: Kenosha, WI
Re: Impossible numbers
I definitely have not done that. I'll give it a shot and report back.
- snapon_admin
- Posts: 952
- Joined: Mon Jun 10, 2013 10:39 am
- Location: Kenosha, WI
Re: Impossible numbers
Do I have to restart anything to make this change take effect or should it be good to go once I do this procedure?
- jdalrymple
- Skynet Drone
- Posts: 2620
- Joined: Wed Feb 11, 2015 1:56 pm
Re: Impossible numbers
Restart your sources.
- snapon_admin
- Posts: 952
- Joined: Mon Jun 10, 2013 10:39 am
- Location: Kenosha, WI
Re: Impossible numbers
jdalrymple wrote: Restart your sources.
Oh god.... *looks at feature request 551*
Re: Impossible numbers
For reference: http://tracker.nagios.com/view.php?id=551
Former Nagios employee