Issue in Cisco Netflow logs

Unanswered Question
Feb 17th, 2010

Hi,


I have a Cisco ASA in my environment. I enabled the NetFlow option and then started collecting NetFlow packets using Wireshark. When I analyzed the packets collected, I found the discrepancies below.


1. A Private Enterprise Number (PEN) field, which is not expected as per the Cisco documentation http://www.cisco.com/en/US/docs/security/asa/asa82/netflow/netflow.html#wp1028700, is present. Refer to the attached image PEN.bmp.


2. Netflow V9 format for Cisco IOS is defined in http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/tflow_wp.htm#wp1002063

Netflow V9 format for Cisco ASA is defined in http://www.cisco.com/en/US/docs/security/asa/asa82/netflow/netflow.html#wp1028700


I get the fields IPv4_SRC_ADDR and IP_DST_ADDR instead of the expected NF_F_SRC_ADDR_IPV4 and NF_F_DST_ADDR_IPV4 fields.


3. The fields IP_SRC_ADDR, L4_SRC_PORT and INPUT-SNMP are repeated within the same flowset. Refer to the attached image repeated.bmp.


I would be excited to get a comment on this.


Senthil.S

senthil085 Wed, 03/03/2010 - 06:46

Hi All,


Finally I found the cause for these issues. Sorry, if I have made you worried about these.


I was using Wireshark version 1.2.2 to analyze a pcap file that has Cisco V9 packets. Wireshark had an issue presenting the V9 packets: it shows some irrelevant or junk information.


When I viewed the same pcap file in Ethereal version 0.99.0, it was all fine. So if you are analyzing V9 packets, use Ethereal instead of Wireshark.


- Senthil -
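The thread above turns on whether the unexpected PEN and the repeated fields were in the exported bytes or only in the analyzer's rendering. The quickest way to settle that is to decode the template and data flowsets from the pcap yourself rather than trust either Wireshark's or Ethereal's display. The Python below is an added example, not code from the original posts or from Cisco. It is a minimal NetFlow v9 decoder (RFC 3954 layout): a 20-byte header, then flowsets, where a template flowset (id 0) carries 4-byte field specs of type(2) + length(2), and a data flowset (id >= 256) carries fixed-size records padded to a 4-byte boundary. In v9 a field type is a plain 16-bit number; only IPFIX (v10, RFC 7011) treats the high bit as an enterprise flag followed by a 4-byte PEN, so a v9 template never contains a PEN. The export packet it parses is constructed inline for the example; the vendor-specific type 33000 and its 2-byte length stand in for an ASA NF_F_* field and are assumed sample values in the >= 32768 range, not looked up from the ASA documentation. The field names it knows are the standard ones named in the post.

```python
"""Minimal NetFlow v9 decoder. Added example, not from the original thread."""
import struct
from ipaddress import IPv4Address

TEMPLATE_FLOWSET_ID = 0
OPTIONS_TEMPLATE_FLOWSET_ID = 1
FIRST_DATA_FLOWSET_ID = 256

# Standard v9 field types mentioned in the post (RFC 3954, section 8). Other
# types, including the vendor range >= 32768 that the ASA uses for its NF_F_*
# fields, are reported generically as "field_<type>".
FIELD_NAMES = {
    4: "PROTOCOL", 7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR",
    10: "INPUT_SNMP", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR",
}


def decode_value(ftype, raw):
    """Render an IPv4 address for types 8/12, an integer for short fields, else hex."""
    if ftype in (8, 12) and len(raw) == 4:
        return str(IPv4Address(raw))
    if len(raw) <= 8:
        return int.from_bytes(raw, "big")
    return raw.hex()


def parse_v9_packet(data, templates=None):
    """Decode one v9 export packet; returns (header, records).

    `templates` (template_id -> [(type, length), ...]) persists across packets,
    because real exporters send templates and data in separate datagrams.
    """
    templates = {} if templates is None else templates
    if len(data) < 20:
        raise ValueError("packet shorter than the 20-byte v9 header")
    version, count, uptime, unix_secs, seq, source_id = struct.unpack_from("!HHIIII", data, 0)
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    header = {"count": count, "sys_uptime_ms": uptime, "unix_secs": unix_secs,
              "sequence": seq, "source_id": source_id}
    records = []
    off = 20
    while off + 4 <= len(data):
        flowset_id, length = struct.unpack_from("!HH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError(f"bad flowset length {length} at offset {off}")
        body = data[off + 4:off + length]
        if flowset_id == TEMPLATE_FLOWSET_ID:
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                pos += 4
                if pos + 4 * nfields > len(body):
                    raise ValueError(f"template {tid} truncated")
                # Every v9 field spec is exactly type(2)+length(2): no enterprise
                # bit, no PEN. That is an IPFIX (v10) construct only.
                templates[tid] = [struct.unpack_from("!HH", body, pos + 4 * i)
                                  for i in range(nfields)]
                pos += 4 * nfields
        elif flowset_id >= FIRST_DATA_FLOWSET_ID:
            specs = templates.get(flowset_id)
            if specs is None:
                raise ValueError(f"data flowset {flowset_id} arrived before its template")
            rec_len = sum(flen for _, flen in specs)
            if rec_len == 0:
                raise ValueError(f"template {flowset_id} has zero-length records")
            pos = 0
            while pos + rec_len <= len(body):  # leftover bytes (< 4) are padding
                rec = {}
                for ftype, flen in specs:
                    rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_value(
                        ftype, body[pos:pos + flen])
                    pos += flen
                records.append(rec)
        # Options templates (id 1) are not needed for this example and are skipped.
        off += length
    return header, records


def build_sample_packet():
    """Hand-constructed v9 packet: template 256 plus two data records (sample data)."""
    specs = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (10, 2), (33000, 2)]  # 33000: assumed vendor field
    tmpl_body = struct.pack("!HH", 256, len(specs)) + b"".join(struct.pack("!HH", t, l) for t, l in specs)
    tmpl_fs = struct.pack("!HH", TEMPLATE_FLOWSET_ID, 4 + len(tmpl_body)) + tmpl_body

    def record(src, dst, sport, dport, proto, ifidx, vendor):
        return IPv4Address(src).packed + IPv4Address(dst).packed + struct.pack(
            "!HHBHH", sport, dport, proto, ifidx, vendor)

    recs = (record("10.0.0.5", "192.0.2.10", 51234, 443, 6, 2, 1)
            + record("10.0.0.6", "192.0.2.53", 40000, 53, 17, 2, 2))
    body = recs + b"\x00" * (-len(recs) % 4)  # pad the data flowset to 4 bytes
    data_fs = struct.pack("!HH", 256, 4 + len(body)) + body
    header = struct.pack("!HHIIII", 9, 3, 123456, 1266400000, 1, 0)  # count: 1 template + 2 records
    return header + tmpl_fs + data_fs


if __name__ == "__main__":
    hdr, recs = parse_v9_packet(build_sample_packet())
    print(hdr)
    for r in recs:
        print(r)
```

To run it over your own capture, extract each UDP payload from the pcap (scapy or dpkt both work) and feed them in order to parse_v9_packet with one shared templates dict. If a field type appears twice within a single decoded record here, the exporter really sent it twice; if it only appears twice in the analyzer's output, the dissector is at fault.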
