Hello Peter, and thanks for the reply,

        ...I have removed the 1.6 version and managed to compile the nsel 
version by copying the Makefile from the standard 1.5.7 version, and also had to 
manually move the files over to /usr/bin.

After that I am getting more details in the netflow data, as you can see below, 
but still not seeing all the data needed.

Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Flags Tos  Packets    Bytes      pps      bps    Bpp Flows
2010-08-07 13:14:52.729     0.000     0     10.10.50.129:512   ->       10.10.10.1:0     ......   0        0       88        0        0      0     2
2010-08-07 13:14:52.729     0.000     0    192.168.255.2:1998  ->       10.10.10.1:53    ......   0        0       88        0        0      0     2
2010-08-07 13:14:52.729     0.000     0    192.168.255.2:1999  ->       10.10.10.1:389   ......   0        0       44        0        0      0     1
2010-08-07 13:14:52.729     0.000     0      10.10.10.89:2054  ->    207.46.124.29:1863  ......   0        0       44        0        0      0     1
2010-08-07 13:14:52.729     0.000     0     10.10.10.166:4256  ->  192.168.254.250:515   ......   0        0       44        0        0      0     1
2010-08-07 13:14:52.777     0.000     0     10.10.30.144:4104  ->       10.10.10.2:8080  ......   0        0       44        0        0      0     1

After reading questions and answers in the list I am a little confused.  Do I 
have to follow the instructions in INSTALL_NSELTracker and run do_compile, or is 
it enough to just compile the nsel version and use the files from that (as it 
looked like in one of your answers to a similar question)?  If I have to use 
the do_compile script, then I am getting an error about these files being 
missing, and I can't find them anywhere:

nsel_rrd.c
nftrack_stat.c
nselstat.c
nseld.c

Thanks for your help.

Regards,
        Vilberg


-----Original Message-----
From: Peter Haag [mailto:peter.h...@switch.ch] 
Sent: 9. August 2010 05:30
To: Vilberg Eiríksson
Cc: nfsen-discuss@lists.sourceforge.net
Subject: Re: [Nfsen-discuss] asa and nfdump 1.6.1.....only seeing flow data.

Hi all users of CISCO ASA,

On 8/6/10 13:35, Vilberg Eiríksson wrote:
> Hello all,
> 
> ...I am using nfdump version 1.6.1 and using ASA 5510 to export the netflow 
> traffic.  I am only seeing flow data but no traffic or data.

CISCO ASA is not standard netflow! Although it uses netflow v9 to export 
information, it has its very own set of very specific templates. nfdump 1.6.1 
does not yet support ASA flows. There is an nfdump-1.5.7-nsel version on 
sourceforge, with patches from CISCO, to process ASA flows. ASA is subject to 
be integrated into nfdump-1.6.x in upcoming releases.

        - Peter
> 
> While looking this up on Mr. Google I see that there was a patch for version 
> 1.5.7 to have this working with ASA but it also says that it is supposed to 
> be included in version 1.6.
> 
> Is there something else I need to do to have this working with my ASA 
> 5510?  I am pretty sure I have the ASA config correct but maybe there 
> is something I need to tweak there also.
> 
> Any ideas??
> 
> Regards,
> 
> Vilberg Eiríksson
> Network and Security
> Tel: +354 563 3125
> Mobile: +354 664 3125
> 
> Homepage: www.ejs.is
> 
> Grensásvegur 10, 108 Reykjavík, Iceland
> Tel: +354 563 3000 Fax: +354 568 8487
> 
> 
> _______________________________________________
> Nfsen-discuss mailing list
> Nfsen-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss

--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag,  Security Engineer,  Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA  FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box,  CH-8021   Zurich, Switzerland
E-mail: peter.h...@switch.ch Web: http://www.switch.ch/
