Re: [Nfdump-discuss] Version 9 netflow templates

Wed, 21 Apr 2010 23:34:57 -0700 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



On 4/20/10 16:38, Riza Kamalie wrote:
> Thanks Peter, is support for this on your roadmap? 

Yes - it's on the roadmap. In the meantime you may want to try the version 
nfdump-1.5.7-nsel which includes patches from
CISCO to support ASA.

> 
> Or alternatively will nfdump support "user configurable" fields for variable 
> flow data/templates as version 9 as intended for in the near future?  

I don't know, what you mean by that.

        - Peter
> 
> Regards
> Riza
> 
> -----Original Message-----
> From: Peter Haag [mailto:[email protected]] 
> Sent: Tuesday, April 20, 2010 4:03 PM
> To: Riza Kamalie
> Cc: [email protected]
> Subject: Re: [Nfdump-discuss] Version 9 netflow templates
> 
> 
> This looks like a CISCO ASA.
> Please note: Although nfdump supports netflow v9, it does not yet support ASA 
> templates.
> ASA templates are *VERY* different from standard v9 netflow data.
> 
>       - Peter
> 
> On 4/20/10 15:01, Riza Kamalie wrote:
>> Hi,
> 
>> I am currently using a netflow version 9 to record the firewall flows from a 
>> Cisco ASR1K.
>> Does NFDUMP support version 9 templates cause I'm not seeing the data in the 
>> flows that I require?
> 
>> Snippet of the firewall netflow template ID's below.
> 
> 
>> FW_SRC_INTF_ID
> 
>> 10
> 
>> 2
> 
>> Ingress SNMP IF Index
> 
>> FW_DST_INTF_ID
> 
>> 14
> 
>> 2
> 
>> Egress SNMP IF Index
> 
>> FW_SRC_VRF_ID
> 
>> 234
> 
>> 4
> 
>> Ingress (Initiator) Virtual Routing/Forwarding Identifier (vrf id)
> 
>> FW_DST_VRF_ID
> 
>> 235
> 
>> 4
> 
>> Egress (Responder) Virtual Routing/Forwarding Identifier (vrf id)
> 
>> FW_VRF_NAME
> 
>> 236
> 
>> 32
> 
>> VRF Name
> 
>> FW_XLATE_SRC_ADDR_IPV4
> 
>> 225
> 
>> 4
> 
>> Mapped Source IPv4 Address
> 
>> FW_XLATE_DST_ADDR_IPV4
> 
>> 226
> 
>> 4
> 
>> Mapped Destination IPv4 Address
> 
>> FW_XLATE_SRC_PORT
> 
>> 227
> 
>> 2
> 
>> Mapped Source Port
> 
>> FW_XLATE_DST_PORT
> 
>> 228
> 
>> 2
> 
>> Mapped Destination Port
> 
>> FW_EVENT
> 
>> 233
> 
>> 1
> 
>> High level event code
>> 0 - Ignore (invalid)
>> 1 - Flow Created
>> 2 - Flow Deleted
>> 3 - Flow Denied
>> 4 - Flow Alert (Need to add to standard)
> 
>> FW_EXT_EVENT
> 
>> 35001
> 
>> 2
> 
>> Extended Event code.  These values provided additional information 
>> about the event (TBD on values - value descriptions may be sent as 
>> options records.) Enterprise private
> 
>> FW_EVENT_TIME_MSEC
> 
>> 323
> 
>> 8
> 
>> Time event occurred in milliseconds since 0000 UTC Jan 1st 1970 (use 
>> 324 if micro or 325 if nano)
> 
> 
> 
> 
>> Riza Kamalie
> 
>> Core Data Networks
>> Vodacom SA
>> Email:  
>> [email protected]<mailto:[email protected]>
>> Phone: 021 940 9295
>> Mobile: 082 998 3360
>> Fax:     021 940 9102
> 
>> [cid:[email protected]]
> 
>> This e-mail is classified C2 - Vodacom Restricted. The information is 
>> for use internally in Vodacom, and may also be shared with authorised 
>> third-parties
> 
> 
> 
> 
>> ?This e-mail is sent on the Terms and Conditions that can be accessed by 
>> Clicking on this link http://www.vodacom.co.za/legal/email.jsp "
> 
> 
> 
> 
>> ----------------------------------------------------------------------
>> -------- Download Intel&#174; Parallel Studio Eval Try the new 
>> software tools for yourself. Speed compiling, find bugs proactively, 
>> and fine-tune applications for parallel performance.
>> See why Intel Parallel Studio got high marks during beta.
>> http://p.sf.net/sfu/intel-sw-dev
> 
> 
> 
>> _______________________________________________
>> Nfdump-discuss mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
> 
?This e-mail is sent on the Terms and Conditions that can be accessed by 
Clicking on this link
http://www.vodacom.co.za/legal/email.jsp "

- -- 
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag,  Security Engineer,  Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA  FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box,  CH-8021   Zurich, Switzerland
E-mail: [email protected] Web: http://www.switch.ch/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iQCVAwUBS8/t7v5AbZRALNr/AQJ/BQP8DzchKojIy53gcmosWtoJ3M0nmcidIIBB
V4MCPhOJKJrPrNfjHK5NYIZlMIJHgVnc+WR1uXmfl2wM4YkmM01RR6vU4VGDWmUI
i6/ITc7YSpCb+WPHNQjDq1dj8ipgPzMd5OsQLdDYID4wLRjbRgD/C9wtW/nV3eig
N6O2W3G88Ro=
=k46a
-----END PGP SIGNATURE-----

------------------------------------------------------------------------------
_______________________________________________
Nfdump-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss

Reply via email to