phaag / nfdump

Netflow processing tools

invalid source as #454

Closed thezoggy closed 1 year ago

thezoggy commented 1 year ago

IANA has also reserved, for Private Use, a contiguous block of 94,967,295 Autonomous System numbers from the "32-bit Autonomous System Numbers" registry, namely 4200000000 - 4294967294 inclusive.

nfdump -V
nfdump: Version: 1.7.2-de9811c Options: ZSTD Date: 2023-06-18 16:06:33 +0200

was looking at some data and saw this erroneous src as:

Date first seen                 Duration Proto            Src AS    Flows(%)     Packets(%)       Bytes(%)         pps      bps   bpp
2023-07-09 10:49:04.834     00:10:23.187 any                   0     6044(22.2)    3.2 G(17.5)  148.1 G(20.9)    5.1 M    1.9 G    46
2023-07-09 10:53:55.613     00:00:41.400 any               18403     6010(22.1)    2.1 G(11.8)   80.6 G(11.4)   51.9 M   15.6 G    37
2023-07-09 03:27:51.296     07:32:04.224 any          4294967295     3853(14.2)    3.1 G(17.0)   94.6 G(13.4)   114425   27.9 M    30
2023-07-09 10:49:34.926     00:10:09.124 any               12400     1070( 3.9)   26.7 M( 0.1)    5.9 G( 0.8)    43759   77.0 M   219

Sadly I do not have the data anymore because of limited retention. I'm running some queries on newer data to try and replicate it, but wanted to toss it up here in case you had an idea what it might be.

phaag commented 1 year ago

Can you explain, what's wrong with the output and why it's an nfdump issue?

thezoggy commented 1 year ago

The asn reported in the output is not a valid asn? 4294967295

phaag commented 1 year ago

Well, it’s a private and valid AS. Why do you think it’s an nfdump issue? You did not explain the setup and the command line you used, as well as why you think this could be a bug.

phaag commented 1 year ago

It's 0xFFFFFFFF, the max value for a 32-bit ASN.

thezoggy commented 1 year ago

It was just looking at traffic towards a prefix with nfsen, but top N towards dst ASN:

nfdump -M /data/nfsen/profiles-data/live/<routers>:<routers+>  -T  -R 2023/07/09/nfcapd.202307090000:2023/07/09/nfcapd.202307090030 -n 10 -s dstas/flows 'proto udp and dst net 185.230.60.0/22'

And as noted, sadly I do not have the nfcapd data to pull out and dig into for more info.

Mainly just bringing it up in case others see it or you've seen it before, as I've personally never seen it show up, except that I know we drop bogon ASNs on ingress (which of course wouldn't matter for netflow ingress):

    policy-statement bogon-asn-in {
        term drop-bogon-asns {
            from {
                as-path-group bogon-asns;
            }
            then reject;
        }
    }
    as-path-group bogon-asns {
        as-path reserved0 ".* 0 .*";
        as-path as_trans ".* 23456 .*";
        as-path reserved1 ".* [64496-131071] .*";
        as-path reserved2 ".* [4200000000-4294967295] .*";
    }

Just looking network-wide for dst AS gt 4200000000 for an earlier time bucket, I do see quite a few flows...

... -r 2023/07/30/nfcapd.202307300835 -o 'fmt:%ts %ra - %pr %sas -> %das %fl' -c 50000 'dst as gt 4200000000'
Date first seen                Router IP   Proto Src AS    Dst AS Flows
2023-07-30 08:34:47.680      129.250.1.2 - TCP    16509 -> 4294967295     1
2023-07-30 08:34:47.936      129.250.1.2 - TCP    20940 -> 4294967295     1
2023-07-30 08:34:49.216      129.250.1.2 - TCP    16509 -> 4294967295     1
2023-07-30 08:34:49.984      129.250.1.2 - TCP   208136 -> 4294967295     1
2023-07-30 08:34:52.800      129.250.1.2 - TCP    39572 -> 4294967295     1
2023-07-30 08:34:48.448      129.250.1.2 - TCP    20940 -> 4294967295     1
2023-07-30 08:34:54.080      129.250.1.2 - UDP    12353 -> 4294967295     1
2023-07-30 08:34:43.072      129.250.1.2 - TCP    20940 -> 4294967295     1
2023-07-30 08:35:00.224      129.250.1.2 - TCP    20940 -> 4294967295     1
2023-07-30 08:35:01.760      129.250.1.2 - UDP    24309 -> 4294967295     1
2023-07-30 08:35:05.344      129.250.1.2 - TCP    16509 -> 4294967295     1
2023-07-30 08:35:06.368      129.250.1.2 - TCP    16509 -> 4294967295     1
2023-07-30 08:35:08.672      129.250.1.2 - TCP    16509 -> 4294967295     1
...
2023-07-30 08:39:08.032      129.250.1.2 - ICMP6  16509 -> 4294967295     1
2023-07-30 08:39:05.216      129.250.1.2 - UDP     4812 -> 4294967295     1
2023-07-30 08:39:09.568      129.250.1.2 - TCP    16509 -> 4294967295     1
2023-07-30 08:39:10.080      129.250.1.2 - TCP    20940 -> 4294967295     1
2023-07-30 08:39:09.824      129.250.1.2 - TCP    20940 -> 4294967295     1
2023-07-30 08:39:10.336      129.250.1.2 - TCP     1136 -> 4294967295     1
2023-07-30 08:39:14.176      129.250.1.2 - TCP    16509 -> 4294967295     1
2023-07-30 08:39:13.408      129.250.1.2 - TCP      174 -> 4294967295     1
2023-07-30 08:39:16.992      129.250.1.2 - TCP    20940 -> 4294967295     1
2023-07-30 08:39:18.272      129.250.1.2 - TCP    16509 -> 4294967295     1
2023-07-30 08:38:56.000      129.250.1.2 - TCP    20940 -> 4294967295     1
2023-07-30 08:39:16.224      129.250.1.2 - TCP    20940 -> 4294967295     1
2023-07-30 08:39:10.848      129.250.1.2 - TCP    20940 -> 4294967295     1
...

Looking at another time bucket, I'm seeing some odd ones:

-r 2023/07/30/nfcapd.202307302035 -o 'fmt:%ts %ra - %pr %sas -> %das %fl' -c 5000 'dst as gt 4200000000'
Date first seen                Router IP   Proto Src AS    Dst AS Flows
2023-07-30 20:34:52.544    129.250.0.190 - UDP   4294967295 -> 4294967295     1
2023-07-30 20:35:11.232    129.250.0.190 - UDP   4294967295 -> 4294967295     1
2023-07-30 20:37:10.016     129.250.1.11 - UDP   4294967295 -> 4294967295     1
2023-07-30 20:37:11.552     129.250.1.11 - UDP   4294967295 -> 4294967295     1
2023-07-30 20:37:01.312     129.250.0.54 - ICMP  136907 -> 4294967295     1
2023-07-30 20:34:49.984      129.250.1.2 - TCP    20940 -> 4294967295     1
2023-07-30 20:34:49.216      129.250.1.2 - TCP    16509 -> 4294967295     1
2023-07-30 20:34:48.192      129.250.1.2 - TCP    20940 -> 4294967295     1
...

I will run some tcpdump and capture flows to fact-check whether what nfsen is seeing is actually correct.

thezoggy commented 1 year ago

Looking around, it looks like it's only some v6<>v6 traffic that shows up this way.

Taking a packet capture of the netflow coming in, I see the same thing there as well.

Even in the pcap I see stuff from this ASN v6 to other v6 just fine, as well as other src ASN v6<>v6 with it. Tomorrow I will take some pcaps from the vendor itself to see from there.

OK, it looks like it's traffic that goes to a v6 customer that doesn't use BGP, just a v6 NA/ND setup, so there is no actual dst ASN... so I'm guessing the value is just used as a placeholder or something.
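Added example (not nfdump's code and not posted by either participant): a small Python script that classifies the AS numbers in nfdump output of the `fmt:%ts %ra - %pr %sas -> %das %fl` form used above, so that flows carrying a placeholder or bogon ASN like 4294967295 can be separated from flows with a real public ASN. The ranges are taken from the IANA ASN registries as documented in RFC 6996 (private use), RFC 5398 (documentation), RFC 6793 (AS_TRANS) and RFC 7300 (the last ASNs 65535 and 4294967295 are reserved). `is_bogon_asn()` mirrors the Junos `bogon-asns` as-path-group shown earlier. The sample input is copied from the thread's output plus one constructed public-to-public line.

```python
"""Classify AS numbers in nfdump 'fmt:%ts %ra - %pr %sas -> %das %fl' output.

Added example, not part of nfdump. ASN ranges follow the IANA 16-bit and
32-bit ASN registries: RFC 6996 (private use), RFC 5398 (documentation),
RFC 6793 (AS_TRANS), RFC 7300 (last ASNs 65535 and 4294967295 reserved).
"""
import re
import sys
from collections import Counter

AS_TRANS = 23456
LAST_16BIT_ASN = 65535
LAST_32BIT_ASN = 4294967295  # 0xFFFFFFFF, the dst AS seen in the thread


def classify_asn(asn):
    """Return a label for an AS number; 'public' means globally assignable."""
    if asn < 0 or asn > LAST_32BIT_ASN:
        return "invalid"          # does not fit a 32-bit ASN field
    if asn == 0:
        return "reserved-0"       # RFC 7607: AS 0 must never appear in AS_PATH
    if asn == AS_TRANS:
        return "as-trans"         # stand-in for 4-byte ASNs towards 2-byte peers
    if 64496 <= asn <= 64511 or 65536 <= asn <= 65551:
        return "documentation"    # RFC 5398
    if 64512 <= asn <= 65534 or 4200000000 <= asn <= 4294967294:
        return "private"          # RFC 6996
    if asn in (LAST_16BIT_ASN, LAST_32BIT_ASN):
        return "reserved-last"    # RFC 7300; not assignable, often a placeholder
    if 65552 <= asn <= 131071:
        return "reserved"         # IANA reserved block below the first 4-byte assignments
    return "public"


def is_bogon_asn(asn):
    """True for everything the Junos 'bogon-asns' group in the thread rejects."""
    return classify_asn(asn) != "public"


# One record per output line; header lines and '...' separators are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<router>\S+) - (?P<proto>\S+)\s+"
    r"(?P<sas>\d+) -> (?P<das>\d+)\s+(?P<flows>\d+)\s*$"
)


def parse_nfdump_lines(text):
    """Parse custom-format nfdump lines into dicts with integer ASNs and flow counts."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": m["ts"], "router": m["router"], "proto": m["proto"],
            "src_as": int(m["sas"]), "dst_as": int(m["das"]),
            "flows": int(m["flows"]),
        })
    return records


def summarize(records):
    """Sum flows by (src class, dst class) so placeholder ASNs stand out."""
    counts = Counter()
    for r in records:
        counts[(classify_asn(r["src_as"]), classify_asn(r["dst_as"]))] += r["flows"]
    return counts


# Sample input: lines copied from the thread's output above, plus one
# constructed public->public line (AS 3320 chosen arbitrarily) for contrast.
SAMPLE_OUTPUT = """\
Date first seen                Router IP   Proto Src AS    Dst AS Flows
2023-07-30 08:34:47.680      129.250.1.2 - TCP    16509 -> 4294967295     1
2023-07-30 08:34:49.984      129.250.1.2 - TCP   208136 -> 4294967295     1
2023-07-30 08:34:54.080      129.250.1.2 - UDP    12353 -> 4294967295     1
2023-07-30 20:34:52.544    129.250.0.190 - UDP   4294967295 -> 4294967295     1
2023-07-30 20:37:01.312     129.250.0.54 - ICMP  136907 -> 4294967295     1
2023-07-30 20:37:02.000     129.250.0.54 - TCP    16509 -> 3320     1
...
"""

if __name__ == "__main__":
    # Pipe nfdump output in, or run without input to see the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for (src_cls, dst_cls), flows in sorted(summarize(parse_nfdump_lines(text)).items()):
        print(f"{src_cls:>14} -> {dst_cls:<14} {flows} flows")
```

Usage: `nfdump -r nfcapd.202307302035 -o 'fmt:%ts %ra - %pr %sas -> %das %fl' -c 5000 'dst as gt 4200000000' | python3 asn_classify.py`. On the sample above the summary shows four public->reserved-last rows, one reserved-last->reserved-last row and one public->public row; the reserved-last bucket is where the 0xFFFFFFFF placeholder for non-BGP v6 customers lands, which keeps it distinct from the genuinely private 4200000000-4294967294 block.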

phaag commented 1 year ago

ok - I see then, it's a general question and not a bug of nfdump :) I guess you have to check that with your router vendor unless someone else has an answer. Please add general questions to the discussion board and not to the issue section, as this is meant to deal with nfdump issues. I will move this to the discussion board.