Re: [Nfdump-discuss] Cisco ASA Bytes and Packets
netflow collecting and processing tools
From: M87tech [Jon] <jo...@m8...> - 2015-02-03 11:34:16
Here are the dumps in a more clear format...

** nfdump -M /data/nfsen/profiles-data/live/asa-fw-03 -T -R 2015/02/03/nfcapd.201502031055:2015/02/03/nfcapd.201502031110 -c 20
nfdump filter:
any
Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2015-02-03 10:30:56.068     0.000 TCP     10.4.71.16:8593   ->  157.55.235.168:40016    1.1 M  167.8 M     1
2015-02-03 10:30:56.068     0.000 TCP     10.4.71.16:8594   ->   91.190.218.65:12350    1.1 M  167.8 M     1
2015-02-03 10:30:56.552     0.000 TCP     10.4.71.16:8637   ->   81.144.170.91:443      1.1 M  167.8 M     1
2015-02-03 10:30:56.552     0.000 TCP     10.4.71.16:8638   ->   81.144.170.91:443      1.1 M  167.8 M     1
2015-02-03 10:30:55.898     0.000 UDP     10.4.71.16:58765  ->         8.8.8.8:53       1.1 M  167.8 M     1
2015-02-03 10:30:55.898     0.000 UDP     10.4.71.16:58765  ->         8.8.8.8:53       1.1 M  167.8 M     1
2015-02-03 10:30:55.898     0.000 UDP        8.8.8.8:53     ->      10.4.71.16:58765    1.0 M  167.8 M     1
2015-02-03 10:30:55.898     0.000 UDP        8.8.8.8:53     ->      10.4.71.16:58765    1.0 M  167.8 M     1
2015-02-03 10:30:55.815     0.000 TCP     10.4.71.16:8717   -> 184.169.159.196:443      1.1 M  167.8 M     1
2015-02-03 10:30:55.815     0.000 TCP     10.4.71.16:8717   -> 184.169.159.196:443      1.1 M  167.8 M     1
2015-02-03 10:30:55.815     0.000 TCP     10.4.71.16:8650   ->   81.144.170.91:443      1.1 M  167.8 M     1
2015-02-03 10:30:55.815     0.000 TCP     10.4.71.16:8651   ->   81.144.170.91:443      1.1 M  167.8 M     1
2015-02-03 10:30:56.372     0.000 TCP     10.4.71.16:8698   ->   72.26.232.209:443      1.1 M  167.8 M     1
2015-02-03 10:30:56.372     0.000 UDP     10.4.71.16:63912  ->         8.8.8.8:53       1.1 M  167.8 M     1
2015-02-03 10:30:56.372     0.000 UDP     10.4.71.16:63912  ->         8.8.8.8:53       1.1 M  167.8 M     1
2015-02-03 10:30:56.372     0.000 TCP     10.4.71.16:8727   ->     166.98.6.70:443      1.1 M  167.8 M     1
2015-02-03 10:30:56.372     0.000 TCP     10.4.71.16:8727   ->     166.98.6.70:443      1.1 M  167.8 M     1
2015-02-03 10:30:56.372     0.000 TCP     10.4.71.16:8707   ->  191.233.92.204:443      1.1 M  167.8 M     1
2015-02-03 10:30:56.372     0.000 TCP     10.4.71.16:8599   ->   173.194.66.94:443      1.1 M  167.8 M     1
2015-02-03 10:30:56.635     0.000 TCP     10.4.71.16:8710   ->  173.194.66.138:443      1.1 M  167.8 M     1
Summary: total flows: 20, total bytes: 3.4 G, total packets: 22.2 M, avg bps: 32.7 G, avg pps: 27.0 M, avg bpp: 151
Time window: 2015-02-03 10:30:55 - 2015-02-03 10:30:56
Total flows processed: 30, Blocks skipped: 0, Bytes read: 1932
Sys: 0.000s flows/second: 0.0  Wall: 0.000s flows/second: 201342.3

On 3 February 2015 at 11:28, M87tech [Jon] <jo...@m8...> wrote:
> Hi All
>
> I've got an ASA firewall running 9.1(5) sending NetFlow data to a Linux VM
> running nfsen.
>
> I've compiled the latest nfdump with the --enable-nfsen option and
> installed it.
>
> I also uncommented the $extensions = 'all'; in nfsen.conf when
> installing it.
>
> Nfsen only shows the flows with fixed packet and byte counts. (See bottom
> of email.)
>
> I can't really see much use for viewing the flow data without accurate
> bandwidth readouts, as I would be using it for troubleshooting performance
> issues.
>
> I'm wondering if there are some more flags that I need to set to get this
> working?
>
> In a Wireshark capture I can't seem to see any field which would indicate
> the amount of bytes. I see initiator octets and responder octets change,
> but I don't know what these fields are used for.
>
> Many thanks,
>
> Jon.
>
> ** nfdump -M /data/nfsen/profiles-data/live/asa-fw-03 -T -R 2015/02/03/nfcapd.201502031055:2015/02/03/nfcapd.201502031110 -c 20
> nfdump filter:
> any
> Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
> 2015-02-03 10:30:56.068     0.000 TCP     10.4.71.16:8593   ->  157.55.235.168:40016    1.1 M  167.8 M     1
> 2015-02-03 10:30:56.068     0.000 TCP     10.4.71.16:8594   ->   91.190.218.65:12350    1.1 M  167.8 M     1
> 2015-02-03 10:30:56.552     0.000 TCP     10.4.71.16:8637   ->   81.144.170.91:443      1.1 M  167.8 M     1
> 2015-02-03 10:30:56.552     0.000 TCP     10.4.71.16:8638   ->   81.144.170.91:443      1.1 M  167.8 M     1
> 2015-02-03 10:30:55.898     0.000 UDP     10.4.71.16:58765  ->         8.8.8.8:53       1.1 M  167.8 M     1
> 2015-02-03 10:30:55.898     0.000 UDP     10.4.71.16:58765  ->         8.8.8.8:53       1.1 M  167.8 M     1
> 2015-02-03 10:30:55.898     0.000 UDP        8.8.8.8:53     ->      10.4.71.16:58765    1.0 M  167.8 M     1
> 2015-02-03 10:30:55.898     0.000 UDP        8.8.8.8:53     ->      10.4.71.16:58765    1.0 M  167.8 M     1
> 2015-02-03 10:30:55.815     0.000 TCP     10.4.71.16:8717   -> 184.169.159.196:443      1.1 M  167.8 M     1
> 2015-02-03 10:30:55.815     0.000 TCP     10.4.71.16:8717   -> 184.169.159.196:443      1.1 M  167.8 M     1
> 2015-02-03 10:30:55.815     0.000 TCP     10.4.71.16:8650   ->   81.144.170.91:443      1.1 M  167.8 M     1
> 2015-02-03 10:30:55.815     0.000 TCP     10.4.71.16:8651   ->   81.144.170.91:443      1.1 M  167.8 M     1
> 2015-02-03 10:30:56.372     0.000 TCP     10.4.71.16:8698   ->   72.26.232.209:443      1.1 M  167.8 M     1
> 2015-02-03 10:30:56.372     0.000 UDP     10.4.71.16:63912  ->         8.8.8.8:53       1.1 M  167.8 M     1
> 2015-02-03 10:30:56.372     0.000 UDP     10.4.71.16:63912  ->         8.8.8.8:53       1.1 M  167.8 M     1
> 2015-02-03 10:30:56.372     0.000 TCP     10.4.71.16:8727   ->     166.98.6.70:443      1.1 M  167.8 M     1
> 2015-02-03 10:30:56.372     0.000 TCP     10.4.71.16:8727   ->     166.98.6.70:443      1.1 M  167.8 M     1
> 2015-02-03 10:30:56.372     0.000 TCP     10.4.71.16:8707   ->  191.233.92.204:443      1.1 M  167.8 M     1
> 2015-02-03 10:30:56.372     0.000 TCP     10.4.71.16:8599   ->   173.194.66.94:443      1.1 M  167.8 M     1
> 2015-02-03 10:30:56.635     0.000 TCP     10.4.71.16:8710   ->  173.194.66.138:443      1.1 M  167.8 M     1
> Summary: total flows: 20, total bytes: 3.4 G, total packets: 22.2 M, avg bps: 32.7 G, avg pps: 27.0 M, avg bpp: 151
> Time window: 2015-02-03 10:30:55 - 2015-02-03 10:30:56
> Total flows processed: 30, Blocks skipped: 0, Bytes read: 1932
> Sys: 0.000s flows/second: 0.0  Wall: 0.000s flows/second: 201342.3
>

--
Jon M. Clayton
M87 Tech
Technical Services | Cisco Networking | Voice and Data | Virtualisation | Linux
Cisco Wireless - Deployment, controllers 55xx, 44xx, WCS
Cisco Voice - UCCM, UCCX, Unity Messaging
Cisco Nexus NX-OS (7000, 5000), Switching IOS Cat3750, Cat3560, Cat2960, Cat4506, 4500-X
Cisco End to End QoS for Voice / Video / VC and troubleshooting
Cisco ASA - 5520, 5510, 5505
Juniper SRX / JunOS
HP Procurve
E: Jo...@M8...
M1: 00 44 (0)774 828 3150
T1: 00 44 (0) 560 368 9545
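A sanity check a collector operator might run before trusting such figures for bandwidth troubleshooting, written here as an added example (not code from nfdump, nfsen or the thread): it parses nfdump's default line output and flags the symptom shown above, every flow to different endpoints reporting the same byte count with a 0.000 s duration. The records in SAMPLE are constructed to match the quoted format; the parser and the 1 MB threshold are assumptions of this example.

```python
import re

# Scale suffixes nfdump uses when it prints counters in human-readable form ("1.1 M").
UNIT = {None: 1, "K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}

# One record of nfdump's default line output:
#   <start> <duration> <proto> <src:port> -> <dst:port> <packets> <bytes> <flows>
RECORD = re.compile(
    r"^(?P<start>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(?P<dur>\d+\.\d+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
    r"(?P<pkts>\d+(?:\.\d+)?)(?:\s+(?P<pu>[KMGT]))?\s+"
    r"(?P<bytes>\d+(?:\.\d+)?)(?:\s+(?P<bu>[KMGT]))?\s+(?P<flows>\d+)$"
)

def parse_records(text):
    """Parse flow lines; the header, 'Summary:' and statistics lines do not match and are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            records.append({
                "proto": m["proto"], "src": m["src"], "dst": m["dst"],
                "duration": float(m["dur"]),
                "packets": round(float(m["pkts"]) * UNIT[m["pu"]]),
                "bytes": round(float(m["bytes"]) * UNIT[m["bu"]]),
            })
    return records

def counter_findings(records, min_bytes=10**6):
    """Return the reasons this data set should not be trusted for bandwidth figures (empty if none)."""
    findings = []
    endpoints = {(r["src"], r["dst"]) for r in records}
    if len(endpoints) > 1:  # unrelated flows should not all carry the same counters
        if len({r["bytes"] for r in records}) == 1:
            findings.append("identical byte count on every flow")
        if len({r["packets"] for r in records}) == 1:
            findings.append("identical packet count on every flow")
    # A single-record flow cannot move a megabyte in 0.000 s; that points at decoding, not traffic.
    burst = [r for r in records if r["duration"] == 0.0 and r["bytes"] >= min_bytes]
    if burst:
        findings.append(f"{len(burst)} zero-duration flows carry >= {min_bytes} bytes")
    return findings

# Constructed sample in the same layout as the output quoted in the thread (not the original dump).
SAMPLE = """\
Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2015-02-03 10:30:56.068     0.000 TCP     10.4.71.16:8593   ->  157.55.235.168:40016    1.1 M  167.8 M     1
2015-02-03 10:30:55.898     0.000 UDP     10.4.71.16:58765  ->         8.8.8.8:53       1.1 M  167.8 M     1
2015-02-03 10:30:55.898     0.000 UDP        8.8.8.8:53     ->      10.4.71.16:58765    1.0 M  167.8 M     1
Summary: total flows: 3, total bytes: 503.4 M, total packets: 3.2 M, avg bpp: 157
"""

if __name__ == "__main__":
    for finding in counter_findings(parse_records(SAMPLE)):
        print("WARNING:", finding)
```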