Closed lisaens closed 3 years ago
If you could share the pcap with the sample, I'd happily track this. You may send it to my email in the author's file.
Thanks! I'll send you something
Fix in master branch applied. Fixed bug in sflow code extended field parsing.
I am trying to track down an issue with incorrect ASNs in sflow data. We are seeing cases where the ASs of the IPs (as given by ipinfo.io, for example) differ from the ASs given in the flow data (in nfcapd files using nfdump).
Using tcpdump and wireshark, I've found an example where the sflow samples between a given source and destination have no Extended Gateway Data section at all. This is presumably due to those flows not using BGP routing. However, nfdump DOES list ASs for those flows, and they vary! There are a handful of src and dst combinations, including 0 to 0; a src AS is always paired with the same dst AS.
Could there be a bug in nfsen/nfdump in cases where there is no AS info in the flow data? Any other ideas? We are using version 1.6.17.