Re: [Nfdump-discuss] nfdump and v9 netflows in ASA
From: Brian C. <b.c...@po...> - 2015-03-16 08:40:40
On 15/02/2015 14:32, Rui Ribeiro wrote:
>
> I have been setting up nfsen+nfdump in Debian 8. Cutting a story
> short, one of my current problems is that somehow nfcapd and nfdump
> have problems reading v9 netflows from my ASA.
>
> In the 1.6.6-1 version that comes with Debian, clearly packets and
> bytes were mangled; in the latest 1.6.13 version of the source code
> Bytes are already ok, but Packets always come as 0. Duration also
> comes as 0, albeit I am not needing that field.
>
> Would you be able to shed some light on this?
>
1. Did you compile nfdump with --enable-nsel?
This is required to parse the ASA's variant of netflow ("Netflow Security Event Logging").
2. What version of ASA firmware are you running?
Periodic byte counters were introduced in 8.4(5) and 9.1(2)
http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/release/notes/asarn84.html
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/release/notes/asarn91.html
Checking here, the standard nfdump output gives the following headers:
Date first seen Event XEvent Proto Src IP Addr:Port Dst IP Addr:Port X-Src IP Addr:Port X-Dst IP Addr:Port In Byte Out Byte
Using '-o raw' I see only (in)packets = 0 for all flows, but the "out
bytes" and "(in)bytes" look reasonable. There's no duration.
I think this is just a limitation of NSEL. Perhaps they expect you to
work out durations by correlating CREATE and DELETE events.
Regards,
Brian.
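One way to derive durations the way Brian suggests, by pairing each DELETE event with the earlier CREATE event for the same connection, as an added example that is not part of this thread or of nfdump itself. It assumes a simplified, constructed record layout (date, time, event, proto, src addr:port, dst addr:port, in bytes, out bytes) loosely modelled on the column headers quoted above, not nfdump's exact output format.

```python
from datetime import datetime

# Constructed sample records, loosely modelled on the column headers quoted
# in the thread (date first seen, event, proto, src/dst addr:port, in/out
# bytes). They are NOT real nfdump output; the layout is an assumption.
SAMPLE = """\
2015-03-16 08:30:00.000 CREATE TCP 10.0.0.5:51234 192.0.2.10:443 0 0
2015-03-16 08:30:01.250 CREATE UDP 10.0.0.7:40000 192.0.2.53:53 0 0
2015-03-16 08:30:01.300 DELETE UDP 10.0.0.7:40000 192.0.2.53:53 80 120
2015-03-16 08:30:05.500 DELETE TCP 10.0.0.5:51234 192.0.2.10:443 1500 9000
2015-03-16 08:30:06.000 DELETE TCP 10.0.0.9:1025 192.0.2.20:22 300 400
"""

TS_FMT = "%Y-%m-%d %H:%M:%S.%f"


def parse_record(line):
    """Split one constructed record into (timestamp, event, key, in, out)."""
    date, time, event, proto, src, dst, in_b, out_b = line.split()
    ts = datetime.strptime(f"{date} {time}", TS_FMT)
    return ts, event, (proto, src, dst), int(in_b), int(out_b)


def correlate(text):
    """Pair CREATE/DELETE events per connection and derive durations.

    Returns (flows, orphans): flows maps the connection key to a dict with
    the duration in seconds and the byte counts carried by the DELETE;
    orphans lists DELETE keys whose CREATE was never seen (e.g. the
    collector started after the connection was already set up).
    """
    open_flows, flows, orphans = {}, {}, []
    for line in text.splitlines():
        ts, event, key, in_b, out_b = parse_record(line)
        if event == "CREATE":
            open_flows[key] = ts
        elif event == "DELETE":
            start = open_flows.pop(key, None)
            if start is None:
                orphans.append(key)
                continue
            flows[key] = {
                "duration": (ts - start).total_seconds(),
                "in_bytes": in_b,
                "out_bytes": out_b,
            }
    return flows, orphans
```

Orphaned DELETE events are returned separately rather than silently dropped, since on a long-lived connection they are the only record you will ever get and still carry the byte counts.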