[Ntop] Collecting NetFlow from Adtran Netvanta 3305 routers
Jeremy Campbell
JEREMYC at premiumfinance.com
Tue Jun 16 15:30:09 CEST 2009
Here's my pcap, templates included.
Thanks...
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of Luca Deri
Sent: Tuesday, June 16, 2009 5:37 AM
To: ntop at unipi.it
Subject: Re: [Ntop] Collecting NetFlow from Adtran Netvanta 3305 routers
Davide
thanks for your help. If you open the file with Wireshark it says that the template is missing (as ntop says). Can you please capture a longer file until you see a template? Or perhaps you have something to configure in the router to export the templates?
Luca
Davide Lorenzetti wrote:
----- Original Message -----
From: "Luca Deri" <deri at ntop.org>
To: <ntop at unipi.it>
Sent: Monday, June 15, 2009 5:32 PM
Subject: Re: [Ntop] Collecting NetFlow from Adtran Netvanta 3305 routers
Jeremy
can you please capture some netflow packets (full size) and mail them
to me so I can see what happens?
Thanks Luca
On Jun 15, 2009, at 4:46 PM, Jeremy Campbell wrote:
It looks as though consistently 75-85% of flows get dropped with "Unknown Template" across all 20 of my Adtran Netvanta 3305's.
My Cisco's don't drop any...
I've checked AOS (Adtran software) updates and errata and nothing is mentioned about NetFlow problems...
Would someone be willing to take a look at a pcap and see if the Adtran is formatting out of spec or if nTop is handling something incorrectly?
Can someone recommend another NetFlow server to try out and see if it has the same problem?
Any other suggestions?
Thanks...
V9 Data Flows Received: 83,919
V9 Option Flows Received: 2,623
Total V9 Templates Received: 5,262
V9 Flows with Unknown Templates Received: 63,394

V9 Data Flows Received: 133,610
V9 Option Flows Received: 4,024
Total V9 Templates Received: 8,257
Bad V9 Templates Received: 6
V9 Flows with Unknown Templates Received: 115,003

V9 Data Flows Received: 83,688
V9 Option Flows Received: 2,417
Total V9 Templates Received: 4,875
V9 Flows with Unknown Templates Received: 67,080
Jeremy Campbell
Premium Financing Specialists, Inc.
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of Gary Gatten
Sent: Friday, June 12, 2009 10:55 AM
To: ntop at unipi.it
Subject: Re: [Ntop] Collecting NetFlow from Adtran Netvanta 3305 routers
I can try v9 flows from Cisco on 3.3.10 and see what happens. My GUESS is Adtran is not formatting the records correctly.
----- Original Message -----
From: ntop-bounces at unipi.it
To: ntop at listgateway.unipi.it
Sent: Fri Jun 12 09:29:40 2009
Subject: [Ntop] Collecting NetFlow from Adtran Netvanta 3305 routers
I'm running nTop v3.3.9 and getting many Unknown Templates collecting from an Adtran NetVanta 3305 using Netflow V9 (Only version supported by this router). There is no configurability on the Netvanta, so I'm looking for ways on the nTop side to get it to recognize the templates.
Example statistics:
Flow Senders: 192.168.253.38 [9,919 pkts]
Packets Received: 9,919
Packets with Bad Version: 0
Packets Processed: 9,919
Valid Flows Received: 16,674
Average Number of Flows per Packet: 3.2
V1 Flows Received: 0
V5 Flows Received: 0
V7 Flows Received: 0
V9 Data Flows Received: 16,674
V9 Option Flows Received: 496
Total V9 Templates Received: 1,015
V9 Flows with Unknown Templates Received: 15,365
Discarded Flows:
Flows with Zero Packet Count: 0
Flows with Zero Byte Count: 0
Flows with Bad Data: 0
Flows with Unknown Template: 15,365
Total Number of Flows Processed: 16,674
Configuration on the NetVanta is very basic:
ip flow export destination 10.100.0.143 2014 source eth 0/1
nTop debug output:
Jun 12 09:26:21 pfc-flow ntop[43246]: >>>>> Rcvd flow with UNKNOWN template 2660 [displ=64][len=16488]
Jun 12 09:26:22 pfc-flow ntop[43246]: NETFLOW_DEBUG: Received NetFlow packet(len=556)(deviceId=3)
Jun 12 09:26:22 pfc-flow ntop[43246]: Found FlowSet [displ=20]
Jun 12 09:26:22 pfc-flow ntop[43246]: >>>>> Rcvd flow with UNKNOWN template 258 [displ=20][len=44]
Jun 12 09:26:22 pfc-flow ntop[43246]: Found FlowSet [displ=64]
Jun 12 09:26:22 pfc-flow ntop[43246]: >>>>> Rcvd flow with UNKNOWN template 257 [displ=64][len=72]
Jun 12 09:26:22 pfc-flow ntop[43246]: Found FlowSet [displ=136]
Jun 12 09:26:22 pfc-flow ntop[43246]: >>>>> Rcvd flow with UNKNOWN template 258 [displ=136][len=44]
Jun 12 09:26:22 pfc-flow ntop[43246]: Found FlowSet [displ=180]
Jun 12 09:26:22 pfc-flow ntop[43246]: >>>>> Rcvd flow with UNKNOWN template 257 [displ=180][len=40]
Jun 12 09:26:22 pfc-flow ntop[43246]: Found FlowSet [displ=220]
Jun 12 09:26:22 pfc-flow ntop[43246]: >>>>> Rcvd flow with UNKNOWN template 258 [displ=220][len=44]
Jun 12 09:26:22 pfc-flow ntop[43246]: Found FlowSet [displ=264]
Jun 12 09:26:22 pfc-flow ntop[43246]: >>>>> Rcvd flow with UNKNOWN template 257 [displ=264][len=40]
Jun 12 09:26:22 pfc-flow ntop[43246]: Found FlowSet [displ=304]
Jun 12 09:26:22 pfc-flow ntop[43246]: >>>>> Rcvd flow with UNKNOWN template 258 [displ=304][len=44]
Jun 12 09:26:22 pfc-flow ntop[43246]: Found FlowSet [displ=348]
Jun 12 09:26:22 pfc-flow ntop[43246]: >>>>> Rcvd flow with UNKNOWN template 257 [displ=348][len=40]
Jun 12 09:26:22 pfc-flow ntop[43246]: Found FlowSet [displ=388]
Jun 12 09:26:22 pfc-flow ntop[43246]: >>>>> Rcvd flow with UNKNOWN template 258 [displ=388][len=44]
Jun 12 09:26:22 pfc-flow ntop[43246]: Found FlowSet [displ=432]
Jun 12 09:26:22 pfc-flow ntop[43246]: >>>>> Rcvd flow with UNKNOWN template 257 [displ=432][len=40]
Jun 12 09:26:22 pfc-flow ntop[43246]: Found FlowSet [displ=472]
Jun 12 09:26:22 pfc-flow ntop[43246]: >>>>> Rcvd flow with UNKNOWN template 258 [displ=472][len=44]
Jun 12 09:26:22 pfc-flow ntop[43246]: Found FlowSet [displ=516]
Jun 12 09:26:22 pfc-flow ntop[43246]: >>>>> Rcvd flow with UNKNOWN template 257 [displ=516][len=40]
Any suggestions? I'm willing to put effort into helping nTop recognize the Netvanta templates if someone can point me in the right direction...
Thanks...
_______________________________________________
Ntop mailing list
Ntop at unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop
-------------- next part --------------
A non-text attachment was scrubbed...
Name: NetVanta3305netflow.zip
Type: application/x-zip-compressed
Size: 93329 bytes
Desc: NetVanta3305netflow.zip
URL: <http://listgateway.unipi.it/pipermail/ntop/attachments/20090616/fe6fb250/attachment-0001.bin>
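An added example, not part of the thread and not ntop's code: a small NetFlow v9 audit that shows how a collector ends up counting "unknown template" flows, by caching templates per exporter and Source ID and checking each data FlowSet ID against that cache. The function and helper names and the sample packets are constructed for illustration; the header layout, FlowSet IDs and field type numbers follow RFC 3954.

```python
import struct
from collections import Counter
HDR = struct.Struct("!HHIIII")  # version, count, sysUptime, unix_secs, sequence, source_id

def audit_v9(packets):  # packets: iterable of (exporter_ip, udp_payload)
    templates = {}  # (exporter, source_id, template_id) -> data record length in bytes
    stats, unknown = Counter(), Counter()
    for exporter, data in packets:
        if len(data) < HDR.size or HDR.unpack_from(data)[0] != 9:
            continue  # not a NetFlow v9 export packet
        source_id, off = HDR.unpack_from(data)[5], HDR.size
        while off + 4 <= len(data):
            fs_id, fs_len = struct.unpack_from("!HH", data, off)
            if fs_len < 4 or off + fs_len > len(data):
                stats["bad_flowset_length"] += 1  # length field runs past the datagram
                break
            body = data[off + 4:off + fs_len]
            if fs_id == 0:  # template FlowSet: one or more template records
                p = 0
                while p + 4 <= len(body):
                    tid, nfields = struct.unpack_from("!HH", body, p)
                    p += 4
                    if tid < 256 or p + 4 * nfields > len(body):
                        break  # trailing padding or truncated record
                    lengths = struct.unpack_from("!%dH" % (2 * nfields), body, p)[1::2]
                    templates[(exporter, source_id, tid)] = sum(lengths)
                    stats["templates"] += 1
                    p += 4 * nfields
            elif fs_id == 1:
                stats["option_template_flowsets"] += 1  # counted, not decoded here
            elif fs_id >= 256:  # data FlowSet: its ID names the template to decode with
                rec_len = templates.get((exporter, source_id, fs_id))
                if rec_len is None:
                    stats["unknown_template_flowsets"] += 1
                    unknown[fs_id] += 1
                elif rec_len:
                    stats["data_records"] += len(body) // rec_len
            off += fs_len
    return stats, unknown

# Constructed sample input (not taken from the attached pcap).
def flowset(fs_id, body):
    return struct.pack("!HH", fs_id, len(body) + 4) + body
def packet(source_id, *flowsets):  # header count field is not used by the audit
    return HDR.pack(9, len(flowsets), 0, 0, 0, source_id) + b"".join(flowsets)
TEMPLATE_257 = flowset(0, struct.pack("!8H", 257, 3, 8, 4, 12, 4, 1, 4))  # src, dst, bytes
SAMPLE = [("192.0.2.1", packet(0, flowset(257, bytes(24)), flowset(258, bytes(40)))),  # early
          ("192.0.2.1", packet(0, TEMPLATE_257)),
          ("192.0.2.1", packet(0, flowset(257, bytes(24)), flowset(258, bytes(40)))),
          ("192.0.2.1", packet(7, flowset(257, bytes(24))))]  # other source_id: own scope
```

Running `audit_v9` over the UDP payloads of a capture gives a per-template-ID count of data FlowSets that arrived with no matching template, which separates "template never exported" from "template exported under a different Source ID".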