Do you have a non asa netflow exporter to test? Maybe the asa code is whacked? What version of asa - I could test this as well. Also, do you "need" v9 flows?
________________________________ From: ntop-boun...@unipi.it To: Ntop@unipi.it Sent: Sat Jun 13 04:00:58 2009 Subject: [Ntop] Cisco ASA Netflow Template Support Hello ntop list! Cisco has recently opened up Netflow support on the entire range of their ASA firewalls (previously only available on the top-end gear) and since I've got an ASA firewall here I thought I'd give it a whirl. It looks like ntop is receiving the flow, but it is discarding a large number of the datagrams. Particularly, it seems to not understand 2/3s of the templates that are sent. It seems that the system is not collecting any network data from this flow, as no data is viewable on any of the report pages. I have sniffed the traffic and made sure that the traffic really is getting to ntop. Below is the Netflow Statistics page. It seems interesting that the Valid Flows Received is the same number as the Flows with Zero Packet Count number - these definitely increase together over time so it isn't a coincidence that they're the same. Flow Senders 192.168.2.1 [82 pkts] Packets Received 82 Packets with Bad Version 0 Packets Processed 82 Valid Flows Received 134 Average Number of Flows per Packet 3.9 V1 Flows Received 0 V5 Flows Received 0 V7 Flows Received 0 V9 Data Flows Received 134 V9 Option Flows Received 0 Total V9 Templates Received 61 Bad V9 Templates Received 3 V9 Flows with Unknown Templates Received 55 Discarded Flows Flows with Zero Packet Count 134 Flows with Zero Byte Count 0 Flows with Bad Data 0 Flows with Unknown Template 55 Total Number of Flows Processed 0 I've compiled version 3.3.10, running on Ubuntu 9.04. I actually had intended to run this same configuration on an older machine of mine - a Ubuntu 7.10 host running 3.2 - it also shows these same results. I've got a non-production system here to test with if someone can help aim me in a direction. Thanks! pw <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
_______________________________________________ Ntop mailing list Ntop@unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop
