Re: [Nfsen-discuss] asa and nfdump 1.6.1.....only seeing flow data.

2010-08-16 Thread Vilberg Eiríksson
Hello Peter, and thanks for the reply,

I have removed the 1.6 version and managed to compile the nsel version by
copying the Makefile from the standard 1.5.7 version; I also had to manually
move the files over to /usr/bin.

After that I am getting more details in the netflow data, as you can see below,
but I am still not seeing all the data needed.

Date flow start          Duration Proto        Src IP Addr:Port          Dst IP Addr:Port   Flags Tos  Packets    Bytes      pps      bps    Bpp Flows
2010-08-07 13:14:52.729     0.000 0            10.10.50.129:512    ->          10.10.10.1:0   ......   0        0       88        0        0      0     2
2010-08-07 13:14:52.729     0.000 0           192.168.255.2:1998   ->         10.10.10.1:53   ......   0        0       88        0        0      0     2
2010-08-07 13:14:52.729     0.000 0           192.168.255.2:1999   ->        10.10.10.1:389   ......   0        0       44        0        0      0     1
2010-08-07 13:14:52.729     0.000 0             10.10.10.89:2054   ->    207.46.124.29:1863   ......   0        0       44        0        0      0     1
2010-08-07 13:14:52.729     0.000 0            10.10.10.166:4256   ->   192.168.254.250:515   ......   0        0       44        0        0      0     1
2010-08-07 13:14:52.777     0.000 0            10.10.30.144:4104   ->       10.10.10.2:8080   ......   0        0       44        0        0      0     1

After reading questions and answers in the list I am a little confused. Do I
have to follow the instructions in INSTALL_NSELTracker and run do_compile, or is
it enough to just compile the nsel version and use the files from that (as it
looked like in one of your answers to a similar question)? If I have to use
the do_compile script, then I am getting an error about these files being
missing, and I can't find them anywhere:

nsel_rrd.c
nftrack_stat.c
nselstat.c
nseld.c

Thanks for your help.

Regards,
Vilberg


-Original Message-
From: Peter Haag [mailto:peter.h...@switch.ch] 
Sent: 9. August 2010 05:30
To: Vilberg Eiríksson
Cc: nfsen-discuss@lists.sourceforge.net
Subject: Re: [Nfsen-discuss] asa and nfdump 1.6.1.only seeing flow data.


Hi all users of CISCO ASA,

On 8/6/10 13:35, Vilberg Eiríksson wrote:
> Hello all,
>
> I am using nfdump version 1.6.1 and using an ASA 5510 to
> export the netflow traffic. I am only seeing flow data but no traffic or
> data.

CISCO ASA is not standard netflow! Although it uses netflow v9 to export
information, it has its very own set of very specific templates. nfdump 1.6.1
does not yet support ASA flows. There is a nfdump-1.5.7-nsel version on
sourceforge, with patches from CISCO, to process ASA flows. ASA is subject to
be integrated into nfdump-1.6.x in upcoming releases.

- Peter
 
 ___
 Nfsen-discuss mailing list
 Nfsen-discuss@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/nfsen-discuss


Re: [Nfsen-discuss] asa and nfdump 1.6.1.....only seeing flow data.

2010-08-09 Thread Phil Pierotti
Ok so obviously I (for one) am confused.

I thought the point of v9 was that the flow-sender defined the templates as
part of the flow datastream.

So any flow-receiver needs to accept, recognize, and interpret the
flow-templates from within the flow-datastream itself.

The intention being that any flow-receiver which is v9 compatible is
*always* compatible with whatever is being sent.

Or am I completely misunderstanding something?

Phil P



Re: [Nfsen-discuss] asa and nfdump 1.6.1.....only seeing flow data.

2010-08-09 Thread Vandivier, Bryan
Phil, I think that if you read up on the differences between Netflow v9 and 
NSEL (what Cisco ASA uses) the issues will become apparent.
For now you must either use nfdump-1.5.7-nsel or wait until NSEL support is 
fully fleshed out in a future 1.6.x release.

This link provides some interesting reading and points out the inherent 
differences within NSEL:

http://www.plixer.com/blog/netflow/what-is-nsel-a-deeper-look-part-1/

Further details on the issues with NSEL here:  
http://netflowninjas.typepad.com/blog/2009/05/firewalls-and-netflow-it-could-be-heaven.html

I hope this information helps and I'm sorry there is no immediate solution.  I 
too would love to be able to fully interpret flow data from our ASAs.

Regards,

Bryan VanDivier
Communications Manager
University of North Texas
Data Communications




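Phil's description of v9 templates and Peter's warning about ASA are easier to reconcile in code. The following is an added example, not code from nfdump or from anyone on the list: a minimal template-driven NetFlow v9 parser is fed two constructed packets, one carrying a router-style template and one an ASA-style template. The template mechanism decodes both records, but a collector that only knows the standard field numbers finds no byte counter in the ASA record and reports zero bytes; the NSEL element numbers used here (148, 231, 232, 233) are this example's assumption taken from the IANA/Cisco registries, not something the thread states.

```python
import struct
from ipaddress import IPv4Address
# NetFlow v9 field types a plain v9 collector such as nfdump 1.6.1 knows (IANA numbering)
STD_FIELDS = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
              8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}
# Extra element IDs an ASA NSEL template carries instead (assumed from IANA/Cisco lists)
NSEL_FIELDS = {148: "CONN_ID", 231: "FWD_FLOW_DELTA_BYTES",
               232: "REV_FLOW_DELTA_BYTES", 233: "FW_EVENT"}

def decode(ftype, raw):
    return str(IPv4Address(raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")

def parse_v9(packet, known):
    """Template-driven parse; field types not in `known` are kept under their number."""
    assert struct.unpack("!H", packet[:2])[0] == 9
    templates, records, off = {}, [], 20            # 20-byte v9 packet header
    while off < len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:                               # template flowset: (type, length) pairs
            tid, nfields = struct.unpack("!HH", body[:4])
            templates[tid] = list(struct.iter_unpack("!HH", body[4:4 + 4 * nfields]))
        else:                                        # data flowset: fs_id is the template id
            fields, pos = templates[fs_id], 0
            while pos + sum(l for _, l in fields) <= len(body):
                rec = {}
                for ftype, flen in fields:
                    rec[known.get(ftype, ftype)] = decode(ftype, body[pos:pos + flen])
                    pos += flen
                records.append(rec)
        off += fs_len
    return records

def build(tid, fields, values):
    """Constructed v9 packet: header, one template flowset, one data record (no padding)."""
    tmpl = struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    data = b"".join(v.to_bytes(l, "big") for (_, l), v in zip(fields, values))
    return (struct.pack("!HHIIII", 9, 2, 0, 0, 0, 0) + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
            + struct.pack("!HH", tid, 4 + len(data)) + data)

SRC, DST = int(IPv4Address("10.10.10.89")), int(IPv4Address("207.46.124.29"))
# Router-style template: the byte counter is IN_BYTES (type 1)
ROUTER = build(256, [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)],
               [SRC, DST, 2054, 1863, 6, 4400, 12])
# ASA-style template: no IN_BYTES at all; counters and the firewall event use NSEL types
ASA = build(257, [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (148, 4), (233, 1), (231, 4), (232, 4)],
            [SRC, DST, 2054, 1863, 6, 12345, 2, 4400, 900])

def bytes_seen(packet, known):
    """What a collector limited to `known` reports as the flow's byte count."""
    rec = parse_v9(packet, known)[0]
    return sum(rec.get(k, 0) for k in ("IN_BYTES", "FWD_FLOW_DELTA_BYTES", "REV_FLOW_DELTA_BYTES"))
```

With STD_FIELDS the ASA record still parses (addresses and ports come out), but its byte counters sit under bare numbers 231 and 232 and the reported total is 0; adding NSEL_FIELDS recovers 5300 bytes.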

Re: [Nfsen-discuss] asa and nfdump 1.6.1.....only seeing flow data.

2010-08-08 Thread Peter Haag

Hi all users of CISCO ASA,

On 8/6/10 13:35, Vilberg Eiríksson wrote:
> Hello all,
>
> I am using nfdump version 1.6.1 and using an ASA 5510 to
> export the netflow traffic. I am only seeing flow data but no traffic or
> data.

CISCO ASA is not standard netflow! Although it uses netflow v9 to export
information, it has its very own set of very specific templates. nfdump 1.6.1
does not yet support ASA flows. There is a nfdump-1.5.7-nsel version on
sourceforge, with patches from CISCO, to process ASA flows. ASA is subject to
be integrated into nfdump-1.6.x in upcoming releases.

- Peter

> While looking this up on Mr. Google I see that there was a patch for version
> 1.5.7 to have this working with ASA, but it also says that it is supposed to
> be included in version 1.6.
>
> Is there something else I need to do to have this working with my ASA 5510? I
> am pretty sure I have the ASA config correct, but maybe there is something I
> need to tweak there also.
>
> Any ideas??
>
> Regards,
>
> Vilberg Eiríksson
> Network and Security
> Tel: +354 563 3125
> Mobile: +354 664 3125
>
> Homepage: http://www.ejs.is/
>
> Grensásvegur 10, 108 Reykjavík, Iceland
> Tel: +354 563 3000 Fax: +354 568 8487
 
 
 
 
 

-- 
___ SWITCH - The Swiss Education and Research Network __
Peter Haag,  Security Engineer,  Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA  FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box,  CH-8021   Zurich, Switzerland
E-mail: peter.h...@switch.ch Web: http://www.switch.ch/
