On Tue, Apr 23, 2013 at 08:04:12PM +1000, Peter Haag wrote:
>> I am successfully using nfdump-1.6.9/nfsen-1.3.6p1 on FreeBSD 9.1-STABLE to
>> monitor ASAs running Version 8.2(5)33. Things seem to work well, except for the fact
>> that "Packets(%)", "pps" and "bpp" are all zero and never increment, e.g.
>>
>> Top 10 IP Addr ordered by packets:
>> Date first seen          Duration Proto     IP Addr    Flows(%)  Packets(%)    Bytes(%)  pps    bps  bpp
>> 2013-04-23 17:08:53.859  191.039 any       x.x.x.x      11( 0.0)    0( 0.0)   73797( 0.0)    0   3090    0
>> 2013-04-23 17:04:23.717   71.253 any       x.x.x.x       7( 0.0)    0( 0.0)   33930( 0.0)    0   3809    0
>> 2013-04-23 17:04:58.374  195.439 any       x.x.x.x       9( 0.0)    0( 0.0)  906003( 0.1)    0  37085    0
>> 2013-04-23 17:18:13.639  313.166 any       x.x.x.x      15( 0.1)    0( 0.0)  528703( 0.1)    0  13506    0
>> 2013-04-23 17:13:18.240   29.137 any       x.x.x.x       2( 0.0)    0( 0.0)     287( 0.0)    0     78    0
>> 2013-04-23 17:11:57.899    0.000 any       x.x.x.x       1( 0.0)    0( 0.0)     203( 0.0)    0      0    0
>> 2013-04-23 17:12:04.468  233.405 any       x.x.x.x      14( 0.1)    0( 0.0)  531998( 0.1)    0  18234    0
>> 2013-04-23 17:12:34.695   62.923 any       x.x.x.x       3( 0.0)    0( 0.0)  131622( 0.0)    0  16734    0
>> 2013-04-23 17:05:26.531  246.503 any       x.x.x.x      21( 0.1)    0( 0.0)    4735( 0.0)    0    153    0
>> 2013-04-23 17:08:34.931   64.883 any       x.x.x.x       4( 0.0)    0( 0.0)   56680( 0.0)    0   6988    0
>>
>> I was under the impression that the NSEL fork is no longer needed since it has been merged into nfdump-1.6.9?
>
>That's correct!
>
>> (The reason I ask this is because I have seen in the archives others with the same problem and the solution was the NSEL fork.)
>>
>> So can anyone suggest how I can troubleshoot the aforementioned issue?
>
>First of all, it's important to be aware that Cisco ASAs do not produce flows in the sense of the flows you are used to. An ASA
>sends "events" in the format of flows. Depending on the ASA version you are running, it contains more or less information.
>Some ASAs do not send packet information in their events - just bytes. Newer ASAs can even split in/out. Therefore packets
>may be 0.
>The old 1.5.8-NSEL release could not cope with packets 0 - from the logic point of view, good old flows always
>contain packets :)
>1.6.9 can handle events more properly. A 'create' event, for example, notifies the creation of a connection, which does not
>necessarily need packets to be logged. A 'delete' event may contain packets.
>Long story short: it all depends :) Check your raw records with ./nfdump -o raw to see what you really have collected. This shows the
>full record with everything included. Furthermore, do not forget to enable all those extensions you want to have in your
>data. If you are in doubt, test with -Tall and test nfcapd on the command line ( *no* -D ): ./nfcapd -Tall -E -l ...
Yeah, you are correct:

#nfdump -o raw -R /path/to/flow/data/nfcapd.201304231750
....
Summary: total flows: 353250, total bytes: 11.0 G, total packets: 0, avg bps: 4.0 M, avg pps: 0, avg bpp: 0
                                                   ^^^^^^^^^^^^^^^^                  ^^^^^^^^^^  ^^^^^^^^^^

>> Question two:
>> ~~~~~~~~~~~~~
>>
>> Apparently Cisco wrote and released a plugin called "NSELTracker", however, I cannot see it here: http://sourceforge.net/apps/trac/nfsen-plugins/.
>>
>> Is the "NSELTracker" plugin still relevant? If yes, can someone tell me where to get it from?
>
>That's not yet ported to 1.6.9, as I had no feedback from people using this. Would it be useful to port? What are the
>benefits from this plugin?

Well, I don't know all that much about the plugin, but looking at the screenshot here:
http://meefirst.blogspot.com.au/2012/02/installing-nfsen-on-freebsd-9.html
it provides all sorts of goodies. I would most definitely appreciate it!

-Alex
_______________________________________________
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
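The point Peter makes above is that an ASA NSEL record with packets 0 but bytes > 0 is not a broken record, it is an event without packet counters, and the byte-derived fields (bps) are still usable while the packet-derived ones (pps, bpp) are necessarily zero. The script below, an added example that is not from this thread and not code from the nfdump project, parses a top-N table in the layout Alex posted, classifies each row, and recomputes pps/bps/bpp from the row's own counters to confirm that the printed rates follow from the data. It assumes the fixed-column "Top N ... ordered by packets" format exactly as posted (plain integer byte counts, no K/M suffixes) and that the printed rates are integer-truncated with 0 for a zero duration, which is what the posted numbers imply rather than a statement about nfdump's source. The sample rows are constructed from the post, with the x.x.x.x addresses kept as they were.

```python
"""Check nfdump top-N output from a Cisco ASA (NSEL) exporter for the
"zero packets" signature discussed in the thread.

Added example; not code from the thread or from the nfdump project.
Assumed: the input is the fixed-column "Top N ... ordered by packets"
table as posted (plain integer byte counts, no K/M suffixes), and the
printed pps/bps/bpp are integer-truncated rates with 0 for a zero
duration, which is what the posted numbers imply.
"""
import re
from dataclasses import dataclass

# Constructed sample: the ten rows posted in the thread, addresses
# anonymised as x.x.x.x just as they were in the post.
SAMPLE = """\
Top 10 IP Addr ordered by packets:
Date first seen          Duration Proto     IP Addr    Flows(%)  Packets(%)    Bytes(%)  pps    bps  bpp
2013-04-23 17:08:53.859  191.039 any       x.x.x.x      11( 0.0)    0( 0.0)   73797( 0.0)    0   3090    0
2013-04-23 17:04:23.717   71.253 any       x.x.x.x       7( 0.0)    0( 0.0)   33930( 0.0)    0   3809    0
2013-04-23 17:04:58.374  195.439 any       x.x.x.x       9( 0.0)    0( 0.0)  906003( 0.1)    0  37085    0
2013-04-23 17:18:13.639  313.166 any       x.x.x.x      15( 0.1)    0( 0.0)  528703( 0.1)    0  13506    0
2013-04-23 17:13:18.240   29.137 any       x.x.x.x       2( 0.0)    0( 0.0)     287( 0.0)    0     78    0
2013-04-23 17:11:57.899    0.000 any       x.x.x.x       1( 0.0)    0( 0.0)     203( 0.0)    0      0    0
2013-04-23 17:12:04.468  233.405 any       x.x.x.x      14( 0.1)    0( 0.0)  531998( 0.1)    0  18234    0
2013-04-23 17:12:34.695   62.923 any       x.x.x.x       3( 0.0)    0( 0.0)  131622( 0.0)    0  16734    0
2013-04-23 17:05:26.531  246.503 any       x.x.x.x      21( 0.1)    0( 0.0)    4735( 0.0)    0    153    0
2013-04-23 17:08:34.931   64.883 any       x.x.x.x       4( 0.0)    0( 0.0)   56680( 0.0)    0   6988    0
"""

# One data row of the table; header/footer lines simply fail to match.
ROW = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<sec>\d+)\.(?P<ms>\d{3})\s+(?P<proto>\S+)\s+(?P<addr>\S+)\s+"
    r"(?P<flows>\d+)\(\s*[\d.]+\)\s+(?P<pkts>\d+)\(\s*[\d.]+\)\s+"
    r"(?P<bytes>\d+)\(\s*[\d.]+\)\s+(?P<pps>\d+)\s+(?P<bps>\d+)\s+(?P<bpp>\d+)\s*$"
)


@dataclass(frozen=True)
class Row:
    first_seen: str
    dur_ms: int      # duration in whole milliseconds, so the rate math stays exact
    proto: str
    addr: str
    flows: int
    packets: int
    bytes: int
    pps: int         # rates as printed by nfdump
    bps: int
    bpp: int


def parse_top_table(text):
    """Return the data rows of a top-N table; header and footer lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        rows.append(Row(
            first_seen=m["ts"],
            dur_ms=int(m["sec"]) * 1000 + int(m["ms"]),
            proto=m["proto"], addr=m["addr"],
            flows=int(m["flows"]), packets=int(m["pkts"]), bytes=int(m["bytes"]),
            pps=int(m["pps"]), bps=int(m["bps"]), bpp=int(m["bpp"]),
        ))
    return rows


def expected_counters(row):
    """Recompute (pps, bps, bpp) from the counters the way the posted
    numbers imply: integer-truncated rates, 0 whenever the divisor is 0."""
    if row.dur_ms == 0:
        pps = bps = 0
    else:
        pps = row.packets * 1000 // row.dur_ms
        bps = row.bytes * 8 * 1000 // row.dur_ms
    bpp = row.bytes // row.packets if row.packets else 0
    return pps, bps, bpp


def classify(row):
    """Tell an NSEL event record without packet counters apart from an
    ordinary flow record and from a record that carries no counters at all."""
    if row.packets == 0 and row.bytes > 0:
        return "nsel-no-packet-counters"   # bytes present, packets absent: ASA event
    if row.packets == 0 and row.bytes == 0:
        return "empty"                      # e.g. a bare connection 'create' event
    return "flow"


def check_table(text):
    """Summarise a top-N table: rows per class, plus any row whose printed
    rates do not follow from its own counters (a real inconsistency)."""
    rows = parse_top_table(text)
    classes = {}
    mismatches = []
    for r in rows:
        kind = classify(r)
        classes[kind] = classes.get(kind, 0) + 1
        if expected_counters(r) != (r.pps, r.bps, r.bpp):
            mismatches.append(r.addr + " " + r.first_seen)
    return {"rows": len(rows), "classes": classes, "mismatches": mismatches}


if __name__ == "__main__":
    print(check_table(SAMPLE))
```

Run against the posted table, every row lands in the "nsel-no-packet-counters" class and the mismatch list is empty: the printed bps values are exactly bytes*8/duration truncated, and the row with a 0.000 duration prints 0 rather than failing on the division. Pipe the output of an nfdump top-N query into check_table() and a non-empty mismatch list is the thing worth chasing; a table full of zero-packet rows from an ASA is not.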