[Nfsen-discuss] nfdump-1.6.9 + ASA (8.2) - Packets(%) - Empty (zero) ... ?

2013-04-23 Thread Wilkinson, Alex
Hi all,

Firstly superb piece of software Peter!

I have two questions:

Question one:
~

I am successfully using nfdump-1.6.9/nfsen-1.3.6p1 on FreeBSD 9.1-STABLE to
monitor ASAs running Version 8.2(5)33. Things seem to work well, except for the
fact that Packets(%), pps and bpp are all zero and never increment, e.g.

  Top 10 IP Addr ordered by packets:
  Date first seen           Duration Proto IP Addr   Flows(%) Packets(%)      Bytes(%)  pps    bps  bpp
  2013-04-23 17:08:53.859   191.039 any   x.x.x.x   11( 0.0)    0( 0.0)   73797( 0.0)    0   3090    0
  2013-04-23 17:04:23.717    71.253 any   x.x.x.x    7( 0.0)    0( 0.0)   33930( 0.0)    0   3809    0
  2013-04-23 17:04:58.374   195.439 any   x.x.x.x    9( 0.0)    0( 0.0)  906003( 0.1)    0  37085    0
  2013-04-23 17:18:13.639   313.166 any   x.x.x.x   15( 0.1)    0( 0.0)  528703( 0.1)    0  13506    0
  2013-04-23 17:13:18.240    29.137 any   x.x.x.x    2( 0.0)    0( 0.0)     287( 0.0)    0     78    0
  2013-04-23 17:11:57.899     0.000 any   x.x.x.x    1( 0.0)    0( 0.0)     203( 0.0)    0      0    0
  2013-04-23 17:12:04.468   233.405 any   x.x.x.x   14( 0.1)    0( 0.0)  531998( 0.1)    0  18234    0
  2013-04-23 17:12:34.695    62.923 any   x.x.x.x    3( 0.0)    0( 0.0)  131622( 0.0)    0  16734    0
  2013-04-23 17:05:26.531   246.503 any   x.x.x.x   21( 0.1)    0( 0.0)    4735( 0.0)    0    153    0
  2013-04-23 17:08:34.931    64.883 any   x.x.x.x    4( 0.0)    0( 0.0)   56680( 0.0)    0   6988    0

I was under the impression that the NSEL fork is no longer needed since it has
been merged into nfdump-1.6.9?
(The reason I ask this is because I have seen in the archives others with the same
problem and the solution was the NSEL fork.)

So can anyone suggest how I can troubleshoot the aforementioned issue?

Question two:
~

Apparently Cisco wrote and released a plugin called NSELTracker, however, I
cannot see it here: http://sourceforge.net/apps/trac/nfsen-plugins/.

Is the NSELTracker plugin still relevant? If yes, can someone tell me where
to get it from?

Regards

  -Alex


___
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss


Re: [Nfsen-discuss] nfdump-1.6.9 + ASA (8.2) - Packets(%) - Empty (zero) ... ?

2013-04-23 Thread Peter Haag
Hi Alex,

On 4/23/13 W17 9:45, Wilkinson, Alex wrote:
> Hi all,
>
> Firstly superb piece of software Peter!

Thanks for the flowers :)

>
> I have two questions:
>
> Question one:
> ~
>
> I am successfully using nfdump-1.6.9/nfsen-1.3.6p1 on FreeBSD 9.1-STABLE to
> monitor ASAs running Version 8.2(5)33. Things seem to work well, except for the
> fact that Packets(%), pps and bpp are all zero and never increment, e.g.
>
>   Top 10 IP Addr ordered by packets:
>   Date first seen           Duration Proto IP Addr   Flows(%) Packets(%)      Bytes(%)  pps    bps  bpp
>   2013-04-23 17:08:53.859   191.039 any   x.x.x.x   11( 0.0)    0( 0.0)   73797( 0.0)    0   3090    0
>   2013-04-23 17:04:23.717    71.253 any   x.x.x.x    7( 0.0)    0( 0.0)   33930( 0.0)    0   3809    0
>   2013-04-23 17:04:58.374   195.439 any   x.x.x.x    9( 0.0)    0( 0.0)  906003( 0.1)    0  37085    0
>   2013-04-23 17:18:13.639   313.166 any   x.x.x.x   15( 0.1)    0( 0.0)  528703( 0.1)    0  13506    0
>   2013-04-23 17:13:18.240    29.137 any   x.x.x.x    2( 0.0)    0( 0.0)     287( 0.0)    0     78    0
>   2013-04-23 17:11:57.899     0.000 any   x.x.x.x    1( 0.0)    0( 0.0)     203( 0.0)    0      0    0
>   2013-04-23 17:12:04.468   233.405 any   x.x.x.x   14( 0.1)    0( 0.0)  531998( 0.1)    0  18234    0
>   2013-04-23 17:12:34.695    62.923 any   x.x.x.x    3( 0.0)    0( 0.0)  131622( 0.0)    0  16734    0
>   2013-04-23 17:05:26.531   246.503 any   x.x.x.x   21( 0.1)    0( 0.0)    4735( 0.0)    0    153    0
>   2013-04-23 17:08:34.931    64.883 any   x.x.x.x    4( 0.0)    0( 0.0)   56680( 0.0)    0   6988    0
>
> I was under the impression that the NSEL fork is no longer needed since it
> has been merged into nfdump-1.6.9?

That's correct!

> (The reason I ask this is because I have seen in the archives others with
> the same problem and the solution was the NSEL fork.)
>
> So can anyone suggest how I can troubleshoot the aforementioned issue?

First of all, it's important to be aware that Cisco ASA are no flows in the
term of flows as you are used to. ASA sends events in the format of flows.
Depending on the ASA version you are running, it contains more or less
information. Some ASA do not send packet information in their events - just
bytes. Newer ASA can even split in/out. Therefore packets may be 0. The old
1.5.8-NSEL release could not cope with packets 0 - from the logic point of
view good old flows always contain packets :)

1.6.9 can handle events more properly. A 'create' event for example notifies
the creation of a connection, which does not necessarily need packets to be
logged. A 'delete' event may contain packets.

Long story short: it all depends :) Check your raw record with ./nfdump -o raw
to see what you really have collected. This shows the full record with
everything included. Furthermore, do not forget to enable all those extensions
you want to have in your data. If you are in doubt, test with -Tall and test
nfcapd on the command line ( *no* -D ):  ./nfcapd -Tall -E -l  ...


>
> Question two:
> ~
>
> Apparently Cisco wrote and released a plugin called NSELTracker, however, I
> cannot see it here: http://sourceforge.net/apps/trac/nfsen-plugins/.
>
> Is the NSELTracker plugin still relevant? If yes, can someone tell me
> where to get it from?

That's not yet ported to 1.6.9, as I had no feedback from people using this.
Would it be useful to port? What are the benefits from this plugin?

- Peter

>
> Regards
>
>   -Alex
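As an added illustration of Peter's point (this is not code from the thread or from the nfdump project), the script below parses rows of the "Top 10 IP Addr" table Alex pasted, recomputes the three rate columns from the counters, and separates records that look like ASA events (bytes present, packet counter zero) from ordinary flows. The rate formulas (pps = packets/duration, bps = bytes*8/duration, bpp = bytes/packets, truncated to an integer and 0 when the divisor is 0) are an assumption about how the table derives its columns; they reproduce every value in the pasted rows. The last sample row is a constructed TCP flow added for contrast, and the function names are mine.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the first four rows are copied from the table in the
# thread, the last one is a made-up ordinary TCP flow with real packet counts.
SAMPLE_TOP10 = """\
2013-04-23 17:08:53.859   191.039 any   x.x.x.x   11( 0.0)    0( 0.0)   73797( 0.0)    0   3090    0
2013-04-23 17:04:23.717    71.253 any   x.x.x.x    7( 0.0)    0( 0.0)   33930( 0.0)    0   3809    0
2013-04-23 17:11:57.899     0.000 any   x.x.x.x    1( 0.0)    0( 0.0)     203( 0.0)    0      0    0
2013-04-23 17:05:26.531   246.503 any   x.x.x.x   21( 0.1)    0( 0.0)    4735( 0.0)    0    153    0
2013-04-23 17:20:00.000    10.000 tcp   10.0.0.1   3( 0.0)  120( 0.5)  180000( 0.2)   12 144000 1500
"""

# One "count( percent)" cell, e.g. "11( 0.0)"; only the count is kept.
PCT = r"(\d+)\(\s*[\d.]+\)"
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+([\d.]+)\s+(\S+)\s+(\S+)\s+"
    + PCT + r"\s+" + PCT + r"\s+" + PCT + r"\s+(\d+)\s+(\d+)\s+(\d+)\s*$"
)


@dataclass
class TopRecord:
    first_seen: str
    duration: float  # seconds
    proto: str
    addr: str
    flows: int
    packets: int
    nbytes: int
    pps: int
    bps: int
    bpp: int


def parse_top_lines(text: str) -> list[TopRecord]:
    """Parse the data rows of a 'Top N IP Addr' table; header lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, dur, proto, addr, *ints = m.groups()
        records.append(TopRecord(ts, float(dur), proto, addr, *map(int, ints)))
    return records


def derived_rates(rec: TopRecord) -> tuple[int, int, int]:
    """Recompute pps, bps and bpp from the counters (assumed formulas:
    integer truncation, 0 whenever the divisor is 0)."""
    if rec.duration > 0:
        pps = int(rec.packets / rec.duration)
        bps = int(rec.nbytes * 8 / rec.duration)
    else:
        pps = bps = 0
    bpp = int(rec.nbytes / rec.packets) if rec.packets else 0
    return pps, bps, bpp


def classify(rec: TopRecord) -> str:
    """'flow': has a packet counter; 'event-only': bytes but no packets, which
    is what an ASA NSEL event without packet information looks like once
    aggregated; 'empty': neither counter is set."""
    if rec.packets > 0:
        return "flow"
    return "event-only" if rec.nbytes > 0 else "empty"


def summarize(text: str) -> dict:
    """Count record kinds and list addresses whose printed rates disagree
    with the recomputed ones."""
    recs = parse_top_lines(text)
    counts = {"flow": 0, "event-only": 0, "empty": 0}
    mismatches = []
    for r in recs:
        counts[classify(r)] += 1
        if derived_rates(r) != (r.pps, r.bps, r.bpp):
            mismatches.append(r.addr)
    return {"records": len(recs), **counts, "rate_mismatches": mismatches}


if __name__ == "__main__":
    summary = summarize(SAMPLE_TOP10)
    print(summary)
    if summary["event-only"] and not summary["flow"]:
        print("no record carries a packet counter; inspect `nfdump -o raw` "
              "to see which fields the exporter actually sent")
```

The check makes the symptom concrete: bps is nonzero because it only needs bytes and duration, while pps and bpp both divide by or count packets and stay at 0 as long as the exporter sends no packet counter. If every record in a real "Top N" output classifies as event-only, the next step is the one Peter gives, looking at the raw records to confirm which fields the ASA is actually exporting rather than assuming a collector bug.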