Issue in Cisco Netflow logs

Unanswered Question
Feb 17th, 2010

Hi,

I have Cisco ASA in my environment. I enabled netflow option and then started collecting netflow packets using Wireshark. When I analyze the packets collected, I found the below discrepancies.

1. Private Enterprise Number(PEN) field is not expected as per the Cisco documentation http://www.cisco.com/en/US/docs/security/asa/asa82/netflow/netflow.html#wp1028700 is present. Refer attached image PEN.bmp.

2. Netflow V9 format for Cisco IOS is defined in http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/tflow_wp.htm#wp1002063

Netflow V9 format for Cisco ASA is defined in http://www.cisco.com/en/US/docs/security/asa/asa82/netflow/netflow.html#wp1028700

I get fields IPv4_SRC_ADDR, IP_DST_ADDR against the expected NF_F_SRC_ADDR_IPV4, NF_F_DST_ADDR_IPV4 fields

3. The fields IP_SRC_ADDR, L4_SRC_PORT, INPUT-SNMP are repeated within the same flowset. Refer attached image repeated.bmp.

I will be excited to get a comment on this.

Senthil.S

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
senthil085 Wed, 03/03/2010 - 06:46

Hi All,

Finally I found the cause for these issues. Sorry, if I have made you worried about these.

I was using Wireshark version 1.2.2 to analyze a pcap file that has Cisco V9 packets. Wireshark had issue in presenting the V9 packets. It shows some irrelevant or junk information.

When I viewed the same pcap file in Ethereal version 0.99.0, its all fine. So if you are analyzing V9 packets, use Ethereal instead of Wireshark.

- Senthil -

Actions

This Discussion