phaag / nfdump

Netflow processing tools

Organisation always showing not found #547

Closed thezoggy closed 1 month ago

thezoggy commented 1 month ago
nfdump -V
nfdump: Version: 1.7.4-b6179a6 Options: ZSTD BZIP2 Date: 2024-07-22 19:50:00 +0200

Went to try out the new dstasn/srcasn/asn -s options, and the org always shows "not found".

example with srcasn:

netflow4:/data/nfsen/profiles-data/live/router11/2024/07/19> nfdump -r nfcapd.202407192030 -o gline -s srcasn 'src net 199.232.18.0/24'
Top 10                                  Organisation (AS num) ordered by flows:
Date first seen             Duration     Proto                                  Organisation (AS num)    Flows(%)     Packets(%)       Bytes(%)         pps      bps   bpp
2024-07-19 20:28:59.130     00:05:53.572 any                                       not found ( 54113)    50624(100.0)  319.7 M(100.0)  437.5 G(100.0)   904186    9.9 G  1368
Summary: total flows: 50624, total bytes: 437.5 G, total packets: 319.7 M, avg bps: 9.9 G, avg pps: 904186, avg bpp: 1368

netflow4:/data/nfsen/profiles-data/live/router11/2024/07/22> nfdump -r nfcapd.202407222030 -o gline -s srcasn 'src net 199.232.18.0/24'
Top 10                                  Organisation (AS num) ordered by flows:
Date first seen             Duration     Proto                                  Organisation (AS num)    Flows(%)     Packets(%)       Bytes(%)         pps      bps   bpp
2024-07-22 20:29:00.775     00:05:39.228 any                                       not found ( 54113)    47774(100.0)  296.6 M(100.0)  405.1 G(100.0)   874411    9.6 G  1365
Summary: total flows: 47774, total bytes: 405.1 G, total packets: 296.6 M, avg bps: 9.6 G, avg pps: 874411, avg bpp: 1365

Looking up the IP manually with geolookup, it shows:

netflow4:/data/nfsen/profiles-data/live/router11/2024/07/19> geolookup 199.232.18.73
54113   | 199.232.18.73            | FASTLY                           | EU/AT/Vienna long/lat:  48.2049/16.3662  | sat: 0

The updateGeoDB.sh cron runs daily, and I can confirm it has updated info:

ls -alh mmdb*
-rw-r--r-- 1 netflow netflow 56M Jul 22 11:11 mmdb.nf

phaag commented 1 month ago

Make sure there is no other maxmind DB in the search path of nfdump. If the maxmind DB is updated and valid, it can be verified and tested with the new AS lookup:

% ./geolookup -G mmdb.nf as54113
54113   | FASTLY

thezoggy commented 1 month ago

Confirmed it was the only geolookup, but it was not working.

geolookup -G mmdb.nf as54113
54113   | not found

Came back a day later and tried, and now it's working.

geolookup -G mmdb.nf as54113
54113   | FASTLY

Guessing it just needed another maxmind update post-upgrade.

phaag commented 1 month ago

I guess you created the mmdb with the old geolookup binary. The next run picked up the new binary and it worked.
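A post-update sanity check built around the AS lookup phaag suggests above, so that a DB written by a stale geolookup binary is caught right after updateGeoDB.sh runs instead of a day later. This is an added example, not part of nfdump or this thread; it assumes the geolookup binary and the mmdb.nf path used in the thread, and uses AS 54113 (FASTLY) as the known-good value to probe.

```shell
#!/bin/sh
# Verify that the freshly written mmdb.nf still resolves a known AS number.
# Added example for the thread above; not nfdump's own code.
# Assumed: GEOLOOKUP names the geolookup binary, MMDB the file written by updateGeoDB.sh.
GEOLOOKUP="${GEOLOOKUP:-geolookup}"
MMDB="${MMDB:-mmdb.nf}"
KNOWN_AS="${KNOWN_AS:-54113}"

# Parse one geolookup AS line such as "54113   | FASTLY" and print the organisation.
# Returns 1 when the organisation column is empty or reads "not found".
as_org_from_line() {
    org=$(printf '%s\n' "$1" | awk -F'|' '{ gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2 }')
    [ -n "$org" ] && [ "$org" != "not found" ] || return 1
    printf '%s\n' "$org"
}

# Run the real lookup against the DB; a non-zero exit lets cron mail the failure.
check_as_db() {
    line=$("$GEOLOOKUP" -G "$MMDB" "as$KNOWN_AS" 2>/dev/null | head -n 1)
    if org=$(as_org_from_line "$line"); then
        echo "AS$KNOWN_AS resolves to '$org' in $MMDB"
    else
        echo "AS$KNOWN_AS lookup failed in $MMDB (got: '$line'); DB may have been built by an older geolookup" >&2
        return 1
    fi
}

# Invoke with --run, e.g. as the last step of the updateGeoDB.sh cron job.
case "${1:-}" in
    --run) check_as_db ;;
esac
```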