nfdump
nbar ID length error
Hi,
Thank you for the correction, the master is good now after I added the backslashes to the multiline commands
# Build-time toolchain and the libraries nfdump links against
RUN \
    apk add --no-cache build-base gcc abuild binutils make && \
    apk add --no-cache libtool bzip2-dev libpcap-dev flex bison && \
    apk add --no-cache autoconf automake m4 pkgconfig
# Unpack the release tarball, build, install, then clean up and drop the toolchain
RUN \
    tar zxf v$NFDUMP_VERSION.tar.gz && \
    cd /tmp/nfdump-$NFDUMP_VERSION && \
    ./autogen.sh && \
    ./configure --enable-maxmind --enable-nfpcapd --enable-sflow && \
    make && \
    cd /tmp/nfdump-$NFDUMP_VERSION && make install && \
    cd .. && \
    rm -rf nfdump-$NFDUMP_VERSION && \
    rm /tmp/v$NFDUMP_VERSION.tar.gz && \
    apk del build-base gcc flex bison autoconf automake m4 pkgconfig
Now that it has been built successfully and there is flow collection, when I check the data with nfdump -R /data
I get the following warning/error for all flows, and in the case of -s
it prints this endlessly before the results show:
nbar application ID length 13 > 8 bytes not supported
Unknown extension '20'
Unknown extension '22'
What do these warnings refer to? Is it an issue with the build or the app?
Originally posted by @RichardMore in https://github.com/phaag/nfdump/issues/360#issuecomment-1263824483
These "unknown" extensions are nsel extensions. As I wrote above, if you know you have event-logging devices, then you need to build nfdump with --enable-nsel. The reason for this compile-time option is that nfdump uses substantially more memory. However, I should be clearer with the error message. I will fix that.
As for the nbar error message: nbar is implemented according to the CISCO spec https://www.cisco.com/c/en/us/td/docs/routers/access/ISRG2/AVC/api/guide/AVC_Metric_Definition_Guide/5_AVC_Metric_Def.html @RichardMore: I would need a pcap of the data stream sent to the collector. If you could send it to my email address in the AUTHORS file, I will check what's going wrong.
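A complete build that applies the advice above, as an added example that is not part of the thread and not the nfdump project's own Dockerfile: a two-stage Alpine image that pins the release by version, verifies the tarball checksum before unpacking, passes --enable-nsel to configure so the NSEL/NEL extension records are understood, and ships only the installed binaries plus runtime libraries, running as an unprivileged user. Assumptions not stated in the thread: the tarball is the GitHub tag archive at the URL below, its SHA-256 is supplied by the operator as a build argument, and the runtime libraries nfdump needs on Alpine are libpcap and libbz2.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not from the nfdump project or the thread's authors.
# Assumptions: release tarball from the GitHub tag archive URL below,
# SHA-256 supplied via --build-arg, runtime libs libpcap and libbz2.
ARG NFDUMP_VERSION
ARG NFDUMP_SHA256

FROM alpine:3.18 AS build
ARG NFDUMP_VERSION
ARG NFDUMP_SHA256
# Build-time toolchain only; none of this reaches the final image
RUN apk add --no-cache build-base libtool bzip2-dev libpcap-dev flex bison \
        autoconf automake m4 pkgconfig curl
WORKDIR /tmp
# Fetch the pinned tarball and refuse to build if the checksum does not match
RUN curl -fsSLo "v${NFDUMP_VERSION}.tar.gz" \
        "https://github.com/phaag/nfdump/archive/refs/tags/v${NFDUMP_VERSION}.tar.gz" \
    && echo "${NFDUMP_SHA256}  v${NFDUMP_VERSION}.tar.gz" | sha256sum -c - \
    && tar zxf "v${NFDUMP_VERSION}.tar.gz"
WORKDIR /tmp/nfdump-${NFDUMP_VERSION}
# --enable-nsel is the option the thread says is required for exporters that
# send NSEL/NEL event records (the "Unknown extension" warnings); it costs memory.
RUN ./autogen.sh \
    && ./configure --enable-maxmind --enable-nfpcapd --enable-sflow --enable-nsel \
    && make \
    && make DESTDIR=/out install

FROM alpine:3.18
# Runtime libraries only (assumed set), plus an unprivileged collector user
RUN apk add --no-cache libpcap libbz2 \
    && addgroup -S nfdump && adduser -S -G nfdump nfdump \
    && mkdir -p /data && chown nfdump:nfdump /data
COPY --from=build /out/usr/local/ /usr/local/
USER nfdump
VOLUME ["/data"]
# Collector flags (listen port, flow directory) are left to the deployment
ENTRYPOINT ["nfcapd"]
```

Build with `docker build --build-arg NFDUMP_VERSION=<tag> --build-arg NFDUMP_SHA256=<sha256 of the tarball> .`; obtain the checksum from a trusted download of the release rather than from the build itself. Because the build stage is discarded, there is no need for the `apk del` cleanup from the original Dockerfile, and the final image carries no compiler.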
Current master repo fixes nbar processing.
Build from the master doesn't give errors anymore, the issue can be closed. Thank you!
Closed.