Dst MAC

[alopera]

NNA Store srcMac but not dstMAC

Stiffing the network I see the netflow send src MAC and dst MAC but in nfcapd is not stored

Why?

[tgriep]

If you run the nfdump -r nfcapd.xxxxxxx -o raw on one of the cap files, what does it show?

[alopera]

I see dstMac = 00:00:00:00:00:00 but in the raw flow (sniffing the protocol netflow) I see the dstMac and srcMac

[alopera]

On monday I will execute of the command with arg raw. I post the data.

Thanks!!!!

[alopera]

I launch nfdump -r nfcapd.xxxxxxx -o raw

the result is
...
src addr = 10.1.1.2
dst addr = 10.1.1.30
src port 88
dst port 49156
proto tcp
src tos = 0
in packets 1
in bytes 580
input 56
outupt 0

in src mac has a MAC of VMware

out dst mac has a MAC 00:00:00:00:00:00

in dst mac has other MAC of VMware

in dst mac has 00:00:00:00:00:00

ip router 10.2.7.20
engine type = 0
engine id = 1
received at =date

[alopera]

ERRATA:

in src mac has a MAC of VMware

out dst mac has a MAC 00:00:00:00:00:00

in dst mac has other MAC of VMware

out src mac has 00:00:00:00:00:00

[alopera]

insrcmac In source MAC address
outdstmac out destination MAC address
indstmac In destintation MAC address
outsrcmac Out source MAC address

I UNDERSTAND!!!!!!

[alopera]

I in my Cisco I don´t record the OUTPUT!!!

I suppose that a switch L2 (switching) that records INPUT and OUTPUT:

The value of insrcmac == outsrcmac
The vaule indstcmac == outdstmac

In L3 (router)

The value of insrcmac is not same outsrcmac
The vaule indstcmac is not same outdstmac

THANKS!!!

[tgriep]

I take is that you figured out the format of the data when you are dumping the capture files.
Do you have any further questions?