By invalid, do you mean that: 1) flows are all discarded by the backend and nothing is displayed on the frontend, or 2) flows are recorded and displayed on the frontend, but they all appear as unidirectional (red background color)?
In the first case, it's probably due to incorrect subnet definition. Make sure you correctly configured your network definition in the Nfsight section of nfsen.conf.
In the second case, I would need to see more information about the flow. Could you send me flow traces or Nfsight logs? Thanks.
Anonymous - 2012-05-04
Hi Robin,
The flows are all listed as unidirectional.
Could it be that the version of nfdump that I am using (which is the only one that supports Cisco ASAs) doesn't support bidirectional flows (i.e. it doesn't support the -B option)? Thanks
Nfsight doesn't (yet) support the -B option either, and takes care of generating bidirectional flows automatically.
The rules used by Nfsight to create valid bidirectional flows are:
- For UDP: to find 2 unidirectional flows with reversed source/destination IP/port.
- For TCP: same rule, but in addition there should be at least 2 packets for both request and reply flows, and the ACK flag.
So if Cisco ASA doesn't populate the TCP flag field, or if request/reply flows are not exported during the same batch, then Nfsight may not be able to generate bidirectional flows.
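The pairing rules listed in the reply above, sketched as an added example (this is not Nfsight's own code). The `Flow` record, its field names, the sample addresses and the choice to treat the first flow seen as the request are assumptions made for illustration. It shows why a batch with empty TCP flags, or a request exported without its reply, leaves every TCP flow unidirectional.

```python
from collections import namedtuple

# Hypothetical flow record; field names are assumptions, not Nfsight's schema.
Flow = namedtuple("Flow", "proto src sport dst dport packets flags")

ACK = 0x10  # ACK bit in the cumulative TCP flags byte


def tcp_ok(flow):
    """TCP rule from the post: at least 2 packets and the ACK flag."""
    return flow.packets >= 2 and bool(flow.flags & ACK)


def pair_flows(batch):
    """Pair the flows of ONE export batch; return (biflows, unidirectional)."""
    pending = {}   # 5-tuple -> flows still waiting for their reverse flow
    biflows = []
    for f in batch:
        key = (f.proto, f.src, f.sport, f.dst, f.dport)
        rev = (f.proto, f.dst, f.dport, f.src, f.sport)
        waiting = pending.get(rev, [])
        # UDP: a reversed 5-tuple is enough. TCP: both sides must pass tcp_ok.
        if waiting and (f.proto == "UDP" or (tcp_ok(f) and tcp_ok(waiting[0]))):
            biflows.append((waiting.pop(0), f))   # (request, reply)
        else:
            pending.setdefault(key, []).append(f)
    unidirectional = [f for flows in pending.values() for f in flows]
    return biflows, unidirectional


# Constructed sample batch (documentation address ranges), flags populated.
WITH_FLAGS = [
    Flow("TCP", "192.0.2.10", 51000, "198.51.100.5", 80, 6, 0x1B),
    Flow("TCP", "198.51.100.5", 80, "192.0.2.10", 51000, 5, 0x1B),
    Flow("UDP", "192.0.2.10", 53000, "198.51.100.53", 53, 1, 0),
    Flow("UDP", "198.51.100.53", 53, "192.0.2.10", 53000, 1, 0),
]
# Same traffic as an exporter that leaves the TCP flag field empty would send it.
NO_FLAGS = [f._replace(flags=0) for f in WITH_FLAGS]

if __name__ == "__main__":
    for name, batch in (("with flags", WITH_FLAGS), ("no flags", NO_FLAGS),
                        ("request only", WITH_FLAGS[:1])):
        bi, uni = pair_flows(batch)
        print(f"{name}: {len(bi)} bidirectional, {len(uni)} unidirectional")
```
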
I've got the same issue. On the main page I see only unanswered activities in red.
NfSen version: 1.3.5 with nfsight-beta-20110908
Syslog says:
Aug 23 13:50:16 nfsen[10198]: Plugin Cycle: Time: 201208231345, Profile: test, Group: ., Module: nfsight,
Aug 23 13:50:16 nfsen[10198]: nfsight plugin: 4 out of 4 service(s) imported into MySQL
In the plugin/nfsight dir I see *.service files with data.
The .biflow files are all empty.
No other errors showed up. How should I proceed in finding a solution?
Anonymous - 2012-10-31
Same problem, I'm trying to use a WAN subnet as an internal network. Everything seems to be configured properly but nothing shows up. NetFlow v5
Anonymous - 2012-11-05
I solved my problem. Someone changed the router config and I did not realize it. Make sure all interfaces have "ip flow ingress" (for Cisco IOS) configured properly, otherwise IT WILL FAIL.
Greetings.
I have an ASA5510 with 8.2(3) and have installed nfdump--1.5.8-2-NSEL. At first it seemed to work OK, but when I added a router as a NetFlow server, I noticed the source and destination IP values are interchanged. Is there a way to fix it?
Thanks in advance
Are source and destination IP values interchanged at the level of nfdump or Nfsight?
(meaning that if you look at nfdump data used as input by Nfsight, are the IP values already interchanged, or is Nfsight interchanging them later when processing flows?)
I checked and the values are interchanged at the level of nfdump. It's confusing because with the flows collected from a Cisco 1941 router the source and destination IP are correct.
I plan to create a new page on the wiki to be able to debug this kind of issue (flows not being processed or activity invalid).
Ok, then you should contact the Nfdump-discuss mailing list: https://sourceforge.net/mailarchive/forum.php?forum_name=nfdump-discuss. They should be able to help you diagnose and fix this issue.