[Nfdump-discuss] Cisco ASA Bytes and Packets
netflow collecting and processing tools
Brought to you by:
phaag
From: M87tech [Jon] <jo...@m8...> - 2015-02-03 11:28:18
Hi All,

I've got an ASA firewall running 9.1(5) sending netflow data to a Linux VM running nfsen. I've compiled the latest nfdump with the --enable-nfsen option and installed it. I also uncommented the $extensions = 'all'; in nfsen.conf when installing it.

Nfsen only shows the flows with fixed packet and byte counts (see bottom of email). I can't really see much use for viewing the flow data without accurate bandwidth readouts, as I would be using it for troubleshooting performance issues. I'm wondering if there are some more flags that I need to set to get this working?

In a Wireshark capture I can't seem to see any field which would indicate the amount of bytes? I see initiator octets and responder octets change, but I don't know what these fields are used for.

Many thanks,
Jon.

** nfdump -M /data/nfsen/profiles-data/live/asa-fw-03 -T -R 2015/02/03/nfcapd.201502031055:2015/02/03/nfcapd.201502031110 -c 20
nfdump filter:
any
Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2015-02-03 10:30:56.068     0.000 TCP       10.4.71.16:8593   ->  157.55.235.168:40016    1.1 M  167.8 M     1
2015-02-03 10:30:56.068     0.000 TCP       10.4.71.16:8594   ->   91.190.218.65:12350    1.1 M  167.8 M     1
2015-02-03 10:30:56.552     0.000 TCP       10.4.71.16:8637   ->   81.144.170.91:443      1.1 M  167.8 M     1
2015-02-03 10:30:56.552     0.000 TCP       10.4.71.16:8638   ->   81.144.170.91:443      1.1 M  167.8 M     1
2015-02-03 10:30:55.898     0.000 UDP       10.4.71.16:58765  ->         8.8.8.8:53       1.1 M  167.8 M     1
2015-02-03 10:30:55.898     0.000 UDP       10.4.71.16:58765  ->         8.8.8.8:53       1.1 M  167.8 M     1
2015-02-03 10:30:55.898     0.000 UDP          8.8.8.8:53     ->      10.4.71.16:58765    1.0 M  167.8 M     1
2015-02-03 10:30:55.898     0.000 UDP          8.8.8.8:53     ->      10.4.71.16:58765    1.0 M  167.8 M     1
2015-02-03 10:30:55.815     0.000 TCP       10.4.71.16:8717   -> 184.169.159.196:443      1.1 M  167.8 M     1
2015-02-03 10:30:55.815     0.000 TCP       10.4.71.16:8717   -> 184.169.159.196:443      1.1 M  167.8 M     1
2015-02-03 10:30:55.815     0.000 TCP       10.4.71.16:8650   ->   81.144.170.91:443      1.1 M  167.8 M     1
2015-02-03 10:30:55.815     0.000 TCP       10.4.71.16:8651   ->   81.144.170.91:443      1.1 M  167.8 M     1
2015-02-03 10:30:56.372     0.000 TCP       10.4.71.16:8698   ->   72.26.232.209:443      1.1 M  167.8 M     1
2015-02-03 10:30:56.372     0.000 UDP       10.4.71.16:63912  ->         8.8.8.8:53       1.1 M  167.8 M     1
2015-02-03 10:30:56.372     0.000 UDP       10.4.71.16:63912  ->         8.8.8.8:53       1.1 M  167.8 M     1
2015-02-03 10:30:56.372     0.000 TCP       10.4.71.16:8727   ->     166.98.6.70:443      1.1 M  167.8 M     1
2015-02-03 10:30:56.372     0.000 TCP       10.4.71.16:8727   ->     166.98.6.70:443      1.1 M  167.8 M     1
2015-02-03 10:30:56.372     0.000 TCP       10.4.71.16:8707   ->  191.233.92.204:443      1.1 M  167.8 M     1
2015-02-03 10:30:56.372     0.000 TCP       10.4.71.16:8599   ->   173.194.66.94:443      1.1 M  167.8 M     1
2015-02-03 10:30:56.635     0.000 TCP       10.4.71.16:8710   ->  173.194.66.138:443      1.1 M  167.8 M     1
Summary: total flows: 20, total bytes: 3.4 G, total packets: 22.2 M, avg bps: 32.7 G, avg pps: 27.0 M, avg bpp: 151
Time window: 2015-02-03 10:30:55 - 2015-02-03 10:30:56
Total flows processed: 30, Blocks skipped: 0, Bytes read: 1932
Sys: 0.000s flows/second: 0.0 Wall: 0.000s flows/second: 201342.3
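To show what the "initiator octets" and "responder octets" fields seen in the Wireshark capture carry, here is an added example (not from the post or from nfdump) that parses a constructed NetFlow v9 export whose template uses the IANA IPFIX element IDs 231 (initiatorOctets) and 232 (responderOctets) instead of the classic IN_BYTES field (ID 1); the packet contents, timestamp and byte counts are made up for the demonstration.

```python
import struct

# IANA IPFIX / NetFlow v9 element IDs. 231/232 are the fields Wireshark labels
# initiatorOctets/responderOctets; a collector expecting IN_BYTES (ID 1) sees none.
FIELD_NAMES = {8: "IPV4_SRC_ADDR", 12: "IPV4_DST_ADDR", 7: "L4_SRC_PORT",
               11: "L4_DST_PORT", 4: "PROTOCOL", 1: "IN_BYTES",
               231: "initiatorOctets", 232: "responderOctets"}

def parse_v9(packet):
    """Return one dict per data record, resolving templates found in the same packet."""
    version, _count, _uptime, _secs, _seq, _src_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError("not a NetFlow v9 export")
    templates, records, off = {}, [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:                                   # template flowset
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4]); p += 4
                templates[tid] = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4])
                                  for i in range(nfields)]
                p += 4 * nfields
        elif fs_id in templates:                         # data flowset
            fields = templates[fs_id]
            rec_len, p = sum(l for _, l in fields), 0
            while p + rec_len <= len(body):              # trailing bytes are padding
                rec = {}
                for ftype, flen in fields:
                    raw = body[p:p + flen]; p += flen
                    name = FIELD_NAMES.get(ftype, "field_%d" % ftype)
                    rec[name] = ".".join(str(b) for b in raw) if ftype in (8, 12) \
                        else int.from_bytes(raw, "big")
                records.append(rec)
        off += fs_len
    return records

def total_bytes(rec):
    """Byte volume of an NSEL-style record: both directions, since IN_BYTES is absent."""
    return rec.get("IN_BYTES", 0) + rec.get("initiatorOctets", 0) + rec.get("responderOctets", 0)

def build_sample_export():
    """Constructed v9 packet (not a real capture): one template + one UDP/53 record."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (231, 8), (232, 8)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    rec = bytes([10, 4, 71, 16]) + bytes([8, 8, 8, 8]) + struct.pack("!HHBQQ", 58765, 53, 17, 78, 214)
    data = rec + b"\x00" * (-len(rec) % 4)               # pad flowset to 4-byte boundary
    header = struct.pack("!HHIIII", 9, 2, 0, 1422959455, 1, 0)
    return header + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(data)) + data
```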