Hi Alex,

On 4/23/13 W17 9:45, Wilkinson, Alex wrote:
> Hi all,
> 
> Firstly superb piece of software Peter!

Thanks for the flowers :)

> 
> I have two questions:
> 
> Question one:
> ~~~~~~~~~~~~~
> 
> I am successfully using nfdump-1.6.9/nfsen-1.3.6p1 on FreeBSD 9.1-STABLE to
> monitor ASAs running Version 8.2(5)33. Things seem to work well, except for
> the fact that "Packets(%)", "pps" and "bpp" are all zero and never increment, e.g.
> 
>   Top 10 IP Addr ordered by packets:
>   Date first seen          Duration Proto           IP Addr    Flows(%)     Packets(%)       Bytes(%)         pps      bps   bpp
>   2013-04-23 17:08:53.859   191.039 any       x.x.x.x       11( 0.0)        0( 0.0)    73797( 0.0)        0     3090     0
>   2013-04-23 17:04:23.717    71.253 any       x.x.x.x        7( 0.0)        0( 0.0)    33930( 0.0)        0     3809     0
>   2013-04-23 17:04:58.374   195.439 any       x.x.x.x        9( 0.0)        0( 0.0)   906003( 0.1)        0    37085     0
>   2013-04-23 17:18:13.639   313.166 any       x.x.x.x       15( 0.1)        0( 0.0)   528703( 0.1)        0    13506     0
>   2013-04-23 17:13:18.240    29.137 any       x.x.x.x        2( 0.0)        0( 0.0)      287( 0.0)        0       78     0
>   2013-04-23 17:11:57.899     0.000 any       x.x.x.x        1( 0.0)        0( 0.0)      203( 0.0)        0        0     0
>   2013-04-23 17:12:04.468   233.405 any       x.x.x.x       14( 0.1)        0( 0.0)   531998( 0.1)        0    18234     0
>   2013-04-23 17:12:34.695    62.923 any       x.x.x.x        3( 0.0)        0( 0.0)   131622( 0.0)        0    16734     0
>   2013-04-23 17:05:26.531   246.503 any       x.x.x.x       21( 0.1)        0( 0.0)     4735( 0.0)        0      153     0
>   2013-04-23 17:08:34.931    64.883 any       x.x.x.x        4( 0.0)        0( 0.0)    56680( 0.0)        0     6988     0
> 
> I was under the impression that the NSEL fork is no longer needed since it
> has been merged into nfdump-1.6.9?

That's correct!

> (The reason I ask this is because I have seen in the archives others with 
> same problem and the solution was the NSEL fork).
> 
> So can anyone suggest how I can troubleshoot the aforementioned issue?

First of all, it's important to be aware that Cisco ASAs do not produce flows in the sense of flows you are used to. An ASA sends "events" in the format of flows. Depending on the ASA version you are running, it contains more or less information. Some ASAs do not send packet information in their events, just bytes. Newer ASAs can even split in/out. Therefore packets may be 0. The old 1.5.8-NSEL release could not cope with packets 0; from the logical point of view, good old flows always contain packets :)

1.6.9 can handle events more properly. A 'create' event, for example, notifies the creation of a connection, which does not necessarily need packets to be logged. A 'delete' event may contain packets.

Long story short: It all depends :) Check your raw records with ./nfdump -o raw to see what you really have collected. This shows the full record with everything included. Furthermore, do not forget to enable all those extensions you want to have in your data. If you are in doubt, test with -Tall and test nfcapd on the command line ( *no* -D ): ./nfcapd -Tall -E -l  ...


> 
> Question two:
> ~~~~~~~~~~~~~
> 
> Apparently Cisco wrote and released a plugin called "NSELTracker", however, I 
> cannot see it here: http://sourceforge.net/apps/trac/nfsen-plugins/.
> 
> Is the "NSELTracker" plugin still relevant? If yes, can someone tell me
> where to get it from?

That's not yet ported to 1.6.9, as I had no feedback from people using this. Would it be useful to port? What are the benefits of this plugin?

        - Peter

> 
> Regards
> 
>   -Alex
> 
> 
> _______________________________________________
> Nfsen-discuss mailing list
> Nfsen-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
> 

-- 
Be nice to your netflow data
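As an added example (not from the thread, nfdump or nfsen), a small parser for the "Top N IP Addr ordered by packets" statistic quoted above: it recomputes the derived pps/bps/bpp columns from the counters and labels rows that carry bytes but zero packets, which is what bytes-only ASA NSEL events look like in nfdump output, as distinct from a real collection or parsing problem. The column layout and the masked x.x.x.x addresses follow the mail; the sample rows are constructed.

```python
import re

# Constructed sample in the layout of nfdump's "Top N IP Addr ordered by packets"
# statistic quoted in the thread (addresses masked as x.x.x.x, as in the mail).
SAMPLE = """\
Date first seen          Duration Proto           IP Addr    Flows(%)     Packets(%)       Bytes(%)         pps      bps   bpp
2013-04-23 17:08:53.859   191.039 any       x.x.x.x       11( 0.0)        0( 0.0)    73797( 0.0)        0     3090     0
2013-04-23 17:11:57.899     0.000 any       x.x.x.x        1( 0.0)        0( 0.0)      203( 0.0)        0        0     0
"""

# One statistic row: timestamp, duration, proto, address, three "count( pct)" columns, three rates.
ROW = re.compile(
    r"^(?P<first>\S+ \S+)\s+(?P<dur>[\d.]+)\s+(?P<proto>\S+)\s+(?P<addr>\S+)\s+"
    r"(?P<flows>\d+)\(\s*[\d.]+\)\s+(?P<pkts>\d+)\(\s*[\d.]+\)\s+(?P<bytes>\d+)\(\s*[\d.]+\)\s+"
    r"(?P<pps>\d+)\s+(?P<bps>\d+)\s+(?P<bpp>\d+)$"
)

def parse_topn(text):
    """Return the statistic rows as dicts; the header and non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            d = m.groupdict()
            rows.append({"first_seen": d["first"], "duration": float(d["dur"]),
                         "proto": d["proto"], "addr": d["addr"], "flows": int(d["flows"]),
                         "packets": int(d["pkts"]), "bytes": int(d["bytes"]),
                         "pps": int(d["pps"]), "bps": int(d["bps"]), "bpp": int(d["bpp"])})
    return rows

def derive_rates(row):
    """Recompute pps/bps/bpp from the counters: integer-truncated, 0 when the divisor is 0.
    pps and bpp both depend on packets, so a packets=0 record can only ever print 0 for them."""
    dur, pkts, byts = row["duration"], row["packets"], row["bytes"]
    return {"pps": int(pkts / dur) if dur > 0 else 0,
            "bps": int(byts * 8 / dur) if dur > 0 else 0,
            "bpp": byts // pkts if pkts > 0 else 0}

def classify(row):
    """'inconsistent' if the printed rates disagree with the recomputed ones (a real problem),
    'bytes_only_event' for the NSEL case of bytes without packets, otherwise 'ok'."""
    derived = derive_rates(row)
    if any(derived[k] != row[k] for k in derived):
        return "inconsistent"
    if row["packets"] == 0 and row["bytes"] > 0:
        return "bytes_only_event"
    return "ok"

if __name__ == "__main__":
    for r in parse_topn(SAMPLE):
        print(r["first_seen"], r["addr"], r["bytes"], "bytes ->", classify(r))
```

Rows labelled bytes_only_event are consistent with what Peter describes (bytes-carrying events without packet counters), so the zero pps/bpp columns are a consequence of the source data, not of the collector; a row labelled inconsistent is the one worth checking with ./nfdump -o raw.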
