I have Cisco ASA in my environment. I enabled netflow option and then started collecting netflow packets using Wireshark. When I analyze the packets collected, I found the below discrepancies.
1. Private Enterprise Number(PEN) field is not expected as per the Cisco documentation http://www.cisco.com/en/US/docs/security/asa/asa82/netflow/netflow.html#wp1028700 is present. Refer attached image PEN.bmp.
2. Netflow V9 format for Cisco IOS is defined in http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/tflow_wp.htm#wp1002063
Netflow V9 format for Cisco ASA is defined in http://www.cisco.com/en/US/docs/security/asa/asa82/netflow/netflow.html#wp1028700
I get fields IPv4_SRC_ADDR, IP_DST_ADDR against the expected NF_F_SRC_ADDR_IPV4, NF_F_DST_ADDR_IPV4 fields
3. The fields IP_SRC_ADDR, L4_SRC_PORT, INPUT-SNMP are repeated within the same flowset. Refer attached image repeated.bmp.
I will be excited to get a comment on this.