Netflow Reporting Devices

racquel.mays · ‎10-20-2010

Hello,

How can I view Netflow messages in Cisco Mars?

mwinnett · ‎10-26-2010

Hello Racquel,

You cannot explicitly view netflow messages within MARS. Once the MARS starts to see a flow of netflow messages it will collect and collate the information for 7 days (including a weekend). This will then produce a baseline for this netflow source. After 7 days MARS will switch from collecting to monitoring. In monitoring state MARS will, using predefined internal metrics, determine if newer netflow records indicate exceptional traffic. If this is the case, then the MARS will generate an incident on the GUI. Over time, the MARS will adjust the baseline values using the received netflow records.

If you select to store IOS or ASA netflow records (admin -> system setup -> netflow configuration), then the records will be written to the internal database and archived (if configured). This will impact disk usage but would mean that if you needed to recover the MARS from archive after failure (re-image or RMA) then you could recover the baseline settings. Also, if you write them to disk, you can then export the raw netflow records to a file (admin -> system maintenance -> retrieve raw messages), but you need will to provide some external means of processing them.

Matthew

racquel.mays · ‎10-26-2010

Thanks for your response Matt. The problem is that I have to prove to my boss that MARS is collecting Netflow data and that I my problem. At my previous job once I installed netflow cards in the 4510's I could then see the messages between switches or devices on the same network. Where as before I could only see traffic between different network segments due them being segmented by firewall. So in essence, in MARS I could only see data that traversed the firewall until I installed the netflow cards at which point I could see all traffic whether it went through the firewall or not. However, now that I'm typing this I remembered that as a result the MARS database filled up exponentially which must have meant that we storing the netflow details? Therefore I could query them as any any other event in MARS.

If this be the case, since I know that at my present job we are not storing the netflow details, how can I prove that MARS is collecting Netflow details without 1st storing them in the database?

mwinnett · ‎10-27-2010

Raquel, looks like I might be wrong about about be able to gather the netflow records via the raw messages. I'll leave it running overnight and check tomorrow, but I cant see any such records from my lab ASA. You can prove that the netflow records are arriving via the cli

pnadmin]$ tcpdump -x -s 1500 -i eth0 ip host 10.48.67.44 and udp port 2055
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
17:25:53.913946 IP bsns-asa5505-21.cisco.com.34537 > bsns-mars50-1.2055: UDP, length 484
0x0000: 4500 0200 8256 0000 fe11 8af8 0a30 432c E....V.......0C,
0x0010: 0a30 5612 86e9 0807 01ec c8e5 0009 0006 .0V.............
...

17:26:02.922852 IP bsns-asa5505-21.cisco.com.34537 > bsns-mars50-1.2055: UDP, length 236
0x0000: 4500 0108 d1b0 0000 fe11 3c96 0a30 432c E.........<..0C,
0x0010: 0a30 5612 86e9 0807 00f4 6362 0009 0003 .0V.......cb....
...

etc

Matthew

racquel.mays · ‎10-27-2010

Matthew,

Thanks for your reply. I came to the same conclusion. The only way to see the messages in real-time if you are not writing to the database. So I did a capture from a test device and I was able to see the Netflow leaving and going to a Netflow collector. Problem is that I did not see the collector relaying the information to MARS. however, doing a real-time capture in MARS I did see the collector sending Netflow from another device. I hate middlemen! I wish we could send it all to MARS directly. That would make things easier, but I'm sure they have a reason for this.