Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Issue in Cisco Netflow logs


I have Cisco ASA in my environment. I enabled netflow option and then started collecting netflow packets using Wireshark. When I analyze the packets collected, I found the below discrepancies.

1. Private Enterprise Number(PEN) field is not expected as per the Cisco documentation is present. Refer attached image PEN.bmp.

2. Netflow V9 format for Cisco IOS is defined in

Netflow V9 format for Cisco ASA is defined in

I get fields IPv4_SRC_ADDR, IP_DST_ADDR against the expected NF_F_SRC_ADDR_IPV4, NF_F_DST_ADDR_IPV4 fields

3. The fields IP_SRC_ADDR, L4_SRC_PORT, INPUT-SNMP are repeated within the same flowset. Refer attached image repeated.bmp.

I will be excited to get a comment on this.


New Member

Re: Issue in Cisco Netflow logs

We have been getting a few calls with questions on the uniqueness of the NetFlows exported by the Cisco ASA. Check out this PDF:  I hope it helps.

New Member

Re: Issue in Cisco Netflow logs

Hi All,

Finally I found the cause for these issues. Sorry, if I have made you worried about these.

I was using Wireshark version 1.2.2 to analyze a pcap file that has Cisco V9 packets. Wireshark had issue in presenting the V9 packets. It shows some irrelevant or junk information.

When I viewed the same pcap file in Ethereal version 0.99.0, its all fine. So if you are analyzing V9 packets, use Ethereal instead of Wireshark.

- Senthil -