
Re: Impossible numbers

Posted: Tue Jun 30, 2015 3:03 pm
by snapon_admin
Hmm, OK, so that looks like it wouldn't really do what we want anyway. All of the traffic I'm trying to look at is going over a LAN to LAN VPN tunnel, so all of it hits the external interface on both sides. I don't want to see the total traffic over the tunnel so much as I want to see the top talkers on the circuit. Running a query and aggregating by srcip and dstip shows me this, but the numbers don't add up. This circuit is a 200 Mbps circuit and the top two conversations alone add up to 212 Mbps (in just one example).

Re: Impossible numbers

Posted: Wed Jul 01, 2015 12:48 pm
by jdalrymple
I still think there is probably something wrong with the flow data. The fact that all fields except the rate fields are broken is strange to me.

Can you tell us what type of device is submitting the data (or what type of devices if there are more than 1?)

Re: Impossible numbers

Posted: Wed Jul 01, 2015 12:54 pm
by snapon_admin
The device I'm currently looking at is a Cisco ASA 5545. This also just came to my attention. The below query is aggregated by srcip and dstip and is for a 40 minute time period on the 24th.
[attachment: impossible bandwidth.png]
According to this we have almost 40 Gbps on our 200 Mbps line. The top conversation alone says that 6 GB of data was transferred in 1 minute at ~37 Gbps. This is impossible...

Re: Impossible numbers

Posted: Wed Jul 01, 2015 1:11 pm
by jdalrymple
And just to be clear ... there is only 1 device writing to this source?

It may be worthwhile to run the following command:


nfdump -r /usr/local/nagiosna/var/YOUR_SOURCE_NAME/flows/nfcapd.201506240840 | grep UNREASONABLE_SOURCE_IP | grep UNREASONABLE_DEST_IP

Re: Impossible numbers

Posted: Wed Jul 01, 2015 1:11 pm
by jolson
In addition to what jdalrymple has mentioned,

Cisco ASA devices typically use NSEL format when sending their 'netflows.' It's possible that the NSEL data is being misread due to nfcapd not being compiled properly with NSEL support. Do you recall manually recompiling nfcapd to support NSEL? If not, it's likely that NSEL isn't currently parsed appropriately on your NNA box.

I recommend giving the following procedure a shot:


wget http://sourceforge.net/projects/nfdump/files/stable/nfdump-1.6.13/nfdump-1.6.13.tar.gz/download
tar xzf download
cd nfdump-1.6.13/
./configure --enable-sflow --enable-nsel
make
make install
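An added example, not code from the thread or from Nagios Network Analyzer, that does what the two suggestions above lead toward: pull the raw records for the suspect conversation out of nfdump and test whether their byte and duration fields can physically fit on the circuit. A single flow cannot average more than the link rate, so any record that does is evidence the collector is decoding the export (NSEL or otherwise) wrongly, and the same script run again after the `--enable-nsel` rebuild shows whether the fix took. It reads `nfdump -r <file> -o csv` output on stdin; the column names it relies on (`sa`, `da`, `td`, `ibyt`) are an assumption about nfdump 1.6's CSV header, and the sample rows embedded below are constructed, not taken from the poster's data.

```python
#!/usr/bin/env python3
"""Flag nfdump CSV records whose implied bit rate cannot fit on the link.

Usage:  nfdump -r /path/to/nfcapd.201506240840 -o csv | python3 rate_check.py
Run with no stdin to use the constructed sample below.
Assumption: the CSV header uses nfdump 1.6 names (ts, te, td, sa, da, ibyt).
"""
import csv
import io
import sys
from collections import defaultdict

LINK_BPS = 200_000_000  # the 200 Mbps circuit discussed in the thread

# Constructed sample rows (not real data): a subset of nfdump -o csv columns.
SAMPLE_CSV = """ts,te,td,sa,da,sp,dp,pr,ibyt
2015-06-24 08:40:00.000,2015-06-24 08:41:00.000,60.000,10.1.1.5,10.2.2.9,443,51234,TCP,6442450944
2015-06-24 08:40:05.000,2015-06-24 08:40:35.000,30.000,10.1.1.7,10.2.2.20,22,40000,TCP,150000000
2015-06-24 08:40:10.000,2015-06-24 08:40:10.000,0.000,10.1.1.8,10.2.2.21,53,33000,UDP,512
"""


def parse_flows(text):
    """Return a list of (src, dst, bytes, duration_s) from nfdump CSV text.

    nfdump appends a Summary block after the records; rows that lack the
    four fields (or carry non-numeric values) are skipped, not fatal.
    """
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            flows.append((row["sa"], row["da"], int(row["ibyt"]), float(row["td"])))
        except (KeyError, TypeError, ValueError):
            continue
    return flows


def flow_rate_bps(nbytes, duration_s):
    """Average bit rate of one flow, or None when the duration is zero
    (a single-packet flow has no measurable rate)."""
    if duration_s <= 0:
        return None
    return nbytes * 8 / duration_s


def impossible_flows(flows, link_bps=LINK_BPS):
    """Flows whose average rate exceeds the physical link, fastest first.
    A hit means the byte or time fields are being decoded wrongly."""
    hits = []
    for src, dst, nbytes, dur in flows:
        rate = flow_rate_bps(nbytes, dur)
        if rate is not None and rate > link_bps:
            hits.append((src, dst, rate))
    return sorted(hits, key=lambda h: h[2], reverse=True)


def top_talkers(flows):
    """Bytes aggregated by (src, dst) pair, largest first: the NNA query."""
    totals = defaultdict(int)
    for src, dst, nbytes, _ in flows:
        totals[(src, dst)] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def window_rate_bps(flows, window_s):
    """Combined average rate over the query window; also bounded by the link."""
    return sum(f[2] for f in flows) * 8 / window_s


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CSV
    flows = parse_flows(text)
    for src, dst, rate in impossible_flows(flows):
        print(f"IMPOSSIBLE {src} -> {dst}: {rate / 1e6:.1f} Mbps "
              f"on a {LINK_BPS / 1e6:.0f} Mbps link")
    for (src, dst), nbytes in top_talkers(flows)[:5]:
        print(f"{src} -> {dst}: {nbytes} bytes")
```

On the sample, the first record claims 6 GB in 60 seconds, about 859 Mbps on a 200 Mbps link, and is flagged; the 40 Mbps SSH flow passes; the zero-duration DNS record is reported as having no rate rather than dividing by zero. Compare the flagged src/dst pairs with what the NNA query shows: if nfdump itself prints sane byte counts for the same records, the problem is in the query layer, and if nfdump's own fields are already absurd, it is the collector's decoding of the export.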

Re: Impossible numbers

Posted: Wed Jul 01, 2015 1:19 pm
by snapon_admin
I definitely have not done that. I'll give it a shot and report back.

Re: Impossible numbers

Posted: Wed Jul 01, 2015 1:31 pm
by snapon_admin
Do I have to restart anything to make this change take effect, or should it be good to go once I do this procedure?

Re: Impossible numbers

Posted: Wed Jul 01, 2015 1:39 pm
by jdalrymple
Restart your sources.

Re: Impossible numbers

Posted: Wed Jul 01, 2015 1:45 pm
by snapon_admin
jdalrymple wrote:Restart your sources.
Oh god....*looks at feature request 551* :P

Re: Impossible numbers

Posted: Wed Jul 01, 2015 1:49 pm
by tmcdonald