[netsa-tools-discuss] netsa-tools-discuss post

Emily Sarneso ecoff at sei.cmu.edu
Mon Jun 16 10:47:30 EDT 2014


Hello Tom,

Thanks for contacting netsa-tools-discuss and for your interest in our tools.  Sorry it took me a few days to respond, but I wanted to familiarize myself with nfcap and nfdump.  I was able to reproduce the problem you are seeing with nfcap/nfdump.

Unfortunately, this seems to be a problem with nfcap.  nfcap does not have support for variable-length elements in IPFIX.  Starting in YAF 2.0, YAF’s base flow template and data records contain a variable-length element.  In IPFIX the length of variable-length elements is encoded as 65535 in the template. Since nfcap is not aware of these elements, it uses that length, 65535, instead of reading the actual length of the data, which is encoded in the IPFIX data record.  I’m sure you have noticed that you sometimes get valid flow data; this is because nfcap can process the first data record in a flow set, but the invalid length is throwing off the offset calculations of the subsequent data records.

You may want to submit a bug to the nfcap/nfdump author.  In the meantime, you could download and use yaf-1.3.2, which does not use variable-length information elements in the default flow template/flow record. However, if you try to enable any extra features that use variable-length information elements (payload-export or p0f), you will run into the same issue as yaf-2.x.  I quickly tested yaf-1.3.2 and nfcap seemed to work as expected.

Hope that helps,

Emily

------------------
Emily Sarneso
CERT
ecoff at cert.org
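The encoding rule Emily describes is RFC 7011: a field length of 65535 in a Template Record marks a variable-length Information Element, and each Data Record then carries the real length as a 1-byte prefix (or 0xFF followed by a 2-byte length when the value is 255 bytes or longer). The following is an added example written for this page, not code from YAF, nfdump or either poster. It builds a small IPFIX message with a constructed template (sourceIPv4Address plus interfaceName as a stand-in for YAF's variable-length element; the real YAF template differs) and decodes it twice: once honouring the length prefix, and once taking 65535 literally, which reproduces the "first record looks fine, the rest is garbage" symptom from the thread.

```python
"""IPFIX (RFC 7011) variable-length elements: a template field length of 65535
does not mean "65535 bytes"; the real length travels in each data record.
Added example for the netsa-tools-discuss thread, not YAF or nfdump code."""
import struct

IPFIX_VERSION = 10
TEMPLATE_SET_ID = 2
VARLEN = 65535  # RFC 7011 sec. 3.2: this template length marks a variable-length element

# Constructed template: sourceIPv4Address (IE 8, 4 bytes) plus interfaceName (IE 82),
# a string element used here only as a stand-in for whatever variable-length element
# a YAF 2.x template carries. This is NOT YAF's real template.
FIELDS = [(8, 4), (82, VARLEN)]
# Constructed records; the second string is long enough to need the 3-byte length form.
RECORDS = [[0x0A000001, b"eth0"], [0x0A000002, b"a" * 300]]


def encode_varlen(payload: bytes) -> bytes:
    """RFC 7011 sec. 7: 1-byte length for < 255 bytes, else 0xFF then a 2-byte length."""
    if len(payload) < 255:
        return bytes([len(payload)]) + payload
    return b"\xff" + struct.pack("!H", len(payload)) + payload


def build_message(template_id: int, fields, records) -> bytes:
    """One IPFIX message: header, a Template Set, then a Data Set using that template."""
    tmpl_rec = struct.pack("!HH", template_id, len(fields))
    tmpl_rec += b"".join(struct.pack("!HH", ie, ln) for ie, ln in fields)
    tmpl_set = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(tmpl_rec)) + tmpl_rec
    data = b""
    for rec in records:
        for (ie, ln), val in zip(fields, rec):
            data += encode_varlen(val) if ln == VARLEN else val.to_bytes(ln, "big")
    data_set = struct.pack("!HH", template_id, 4 + len(data)) + data
    body = tmpl_set + data_set
    # Header: version, total length, export time, sequence number, observation domain
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body), 0, 0, 0) + body


def decode_records(body: bytes, fields, honor_varlen: bool = True):
    """Decode one Data Set into a list of dicts mapping ie_id -> raw bytes.

    honor_varlen=False reproduces the failure described in the thread: the 65535
    from the template is taken literally, so the first record swallows the rest
    of the set and every later record is lost."""
    recs, p = [], 0
    # Smallest legal record: each variable-length field needs at least its 1-byte prefix.
    min_len = sum(1 if ln == VARLEN else ln for _, ln in fields)
    while p < len(body):
        if honor_varlen and len(body) - p < min_len:
            break  # what remains is set padding, not a record
        rec = {}
        for ie, ln in fields:
            if ln == VARLEN and honor_varlen:
                ln = body[p]
                p += 1
                if ln == 255:
                    ln = struct.unpack("!H", body[p:p + 2])[0]
                    p += 2
                if p + ln > len(body):
                    raise ValueError("variable-length field runs past the end of its set")
            rec[ie] = body[p:p + ln]
            p += ln  # in naive mode this jumps 65535 bytes and overruns the set
        recs.append(rec)
    return recs


def parse_message(msg: bytes, honor_varlen: bool = True):
    """Walk the sets of one message, learn Template Sets, decode every Data Set."""
    version, total_len = struct.unpack("!HH", msg[:4])
    if version != IPFIX_VERSION or total_len != len(msg):
        raise ValueError("bad IPFIX message header")
    templates, records, off = {}, [], 16
    while off + 4 <= total_len:
        set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
        if set_len < 4 or off + set_len > total_len:
            raise ValueError("bad set length")
        body = msg[off + 4:off + set_len]
        if set_id == TEMPLATE_SET_ID:
            p = 0
            while p + 4 <= len(body):
                tid, count = struct.unpack("!HH", body[p:p + 4])
                p += 4
                fields = []
                for _ in range(count):
                    ie, ln = struct.unpack("!HH", body[p:p + 4])
                    p += 4
                    if ie & 0x8000:  # enterprise-specific element carries a 4-byte PEN
                        p += 4
                    fields.append((ie & 0x7FFF, ln))
                templates[tid] = fields
        elif set_id >= 256 and set_id in templates:
            records.extend(decode_records(body, templates[set_id], honor_varlen))
        off += set_len  # Options Template Sets (ID 3) are skipped in this example
    return records


if __name__ == "__main__":
    msg = build_message(256, FIELDS, RECORDS)
    print("correct:", [(r[8].hex(), len(r[82])) for r in parse_message(msg)])
    print("naive:  ", [(r[8].hex(), len(r[82])) for r in parse_message(msg, honor_varlen=False)])
```

With honor_varlen=True both constructed records come back intact, the second via the 0xFF long form. With honor_varlen=False the first record's address decodes correctly but its "string" starts with the 0x04 length byte and runs to the end of the set, and the second record never appears, which is the offset drift Emily describes. The strict decoder also refuses a length prefix that points past the end of its set, the check a collector should make before trusting exporter-supplied lengths.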







Hi All,

We’ve been trying to use YAF to send IPFIX data to nfdump/nfsen, but we’ve been having some problems with incorrect data arriving (see the screenshot). We think it might be a templates problem, is this an issue that has been seen before? Does anyone have any idea how we can fix the problem? We’ve also seen the same issue sending data to nTop.

Thanks in advance.

Regards

Tom Gibson | Advanced Engineer (Software) | AMInstP
L-3 TRL Technology
Head Office, 11 Shannon Way, Tewkesbury, Gloucestershire GL20 8ND

Switchboard: +44(0) 1684 278700 | Fax: +44 (0) 1684 850 406
Website: www.L-3Com.com/TRL

<Screenshot from 2014-06-09 17_16_59.png>

This message is intended for the use only of the person(s) (‘Intended Recipient’) to whom it is addressed. It may contain information that is privileged and confidential. Accordingly any dissemination, distribution, copying or other use of this message or any of its content by any person other than the Intended Recipient may constitute a breach of civil or criminal law and is strictly prohibited. If you are not the Intended Recipient, please contact the sender as soon as possible.

TRL Technology Limited is a private limited company registered in England and Wales with the company number 1705039 whose registered office is at Sigma Close, Shannon Way, Tewkesbury, GLOS GL20 8ND, UK




