Hi Jim and all other ASA users,
It seems as if the patched 1.5.7 does not work properly with some ASA equipment.
Due to the increasing demand for ASA support, I'll port ASA into the 1.6 tree.
As I have no ASA equipment at all, it would be nice if ASA users could
supply me with tcpdump captured netflow stream such as:
./tcpdump -i <eth> -s 1600 -w asa.raw
This gives me some raw material I can work with and test the implementation.
I perfectly understand that it contains IP addresses which may be considered
private data. I hereby guarantee the confidentiality of all data sent to me.
Many thanks and regards
- Peter
On 12/11/10 10:34 PM, Jim Cusick wrote:
> Hello all.
>
> Wondering if anyone has had success capturing netflow off an ASA. I am
> running a 5510 with version 8.3.2. I see the same results others have
> reported. Specifically, I get flows and can graph the number of flows
> with nfsen. The time and date are way off in the flow data, but are
> correct on both the sending ASA and the receiving host.
>
> I have tried the nfdump 1.5.7 with patches previously mentioned and
> seem to get the same results as with other versions.
>
> The dump data seems to have valid port and protocol information. Here
> is an example taken 2010-10-07
>
> Flow Record:
> Flags = 0x00000000
> size = 44
> mark = 0
> srcaddr = 192.168.201.64
> dstaddr = 192.168.101.22
> first = 1284249453 [2010-09-11 18:57:33]
> last = 1284249453 [2010-09-11 18:57:33]
> msec_first = 504
> msec_last = 504
> dir = 0
> tcp_flags = 0x 0 ......
> prot = 17
> tos = 0
> input = 13
> output = 11
> srcas = 0
> dstas = 0
> srcport = 32808
> dstport = 53
> dPkts = 0
> dOctets = 44
>
> Summary: total flows: 2664, total bytes: 117172, total packets: 0, avg
> bps: 943034, avg pps: 0, avg bpp: 0
> Time window: 2010-09-11 18:57:33 - 2010-09-11 18:57:34
> Total flows processed: 2664, Records skipped: 0, Bytes read: 117228
> Sys: 0.057s flows/second: 45938.2 Wall: 1.540s flows/second: 1729.5
>
> The ASA is dumping flows every 5 minutes so the time window, besides
> being in the past, is too short.
>
> Any feedback greatly appreciated.
>
> -jim
>
> _______________________________________________
> Nfdump-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
--
Be nice to your netflow data. Use NfSen and nfdump :)
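An added sanity check for the kind of capture Peter asks for (example code, not from nfdump or anyone on the list): it parses the NetFlow v9 export header, converts an uptime-relative FIRST_SWITCHED value into absolute time the way a v9 collector does, and reports the skew against the pcap capture clock, so a wrong timestamp can be attributed to the exporter's header, its uptime field, or the collector. The packet bytes and capture time are constructed, and the exporter is assumed to send NetFlow v9.

```python
import struct
from datetime import datetime, timedelta, timezone

# NetFlow v9 packet header (RFC 3954): version, record count, sysUptime (ms),
# unixSecs, sequence number, source ID; all big-endian, 20 bytes in total.
V9_HEADER = struct.Struct("!HHIIII")


def parse_v9_header(payload: bytes) -> dict:
    """Parse the NetFlow v9 export header from a UDP payload."""
    if len(payload) < V9_HEADER.size:
        raise ValueError("payload shorter than a NetFlow v9 header")
    version, count, uptime_ms, unix_secs, seq, source_id = V9_HEADER.unpack_from(payload)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version field = {version})")
    return {"count": count, "uptime_ms": uptime_ms, "unix_secs": unix_secs,
            "sequence": seq, "source_id": source_id}


def v9_absolute_time(hdr: dict, switched_ms: int) -> datetime:
    """Absolute flow time from an uptime-relative FIRST/LAST_SWITCHED value,
    derived as a v9 collector does: export time - exporter uptime + field."""
    export = datetime.fromtimestamp(hdr["unix_secs"], timezone.utc)
    return export + timedelta(milliseconds=switched_ms - hdr["uptime_ms"])


def skew_seconds(flow_time: datetime, capture_time: datetime) -> float:
    """Signed offset of a flow timestamp from the collector-side capture clock."""
    return (flow_time - capture_time).total_seconds()


def plausible(flow_time: datetime, capture_time: datetime, tolerance_s: int = 600) -> bool:
    """A flow exported a few seconds ago should sit within minutes of the capture clock."""
    return abs(skew_seconds(flow_time, capture_time)) <= tolerance_s


# Constructed sample: one export packet captured at 2010-10-07 00:00:01 UTC
# from an exporter that has been up for one hour; the flowset body is a dummy.
CAPTURE_TIME = datetime(2010, 10, 7, 0, 0, 1, tzinfo=timezone.utc)
SAMPLE_PACKET = V9_HEADER.pack(9, 1, 3_600_000, 1286409600, 42, 0) + b"\x00" * 8

if __name__ == "__main__":
    hdr = parse_v9_header(SAMPLE_PACKET)
    for label, ms in (("half a second before export", 3_599_500), ("at exporter boot", 0)):
        t = v9_absolute_time(hdr, ms)
        print(f"{label}: {t.isoformat()} skew={skew_seconds(t, CAPTURE_TIME):+.1f}s "
              f"plausible={plausible(t, CAPTURE_TIME)}")
    # The record quoted in the thread (first = 1284249453) against this capture clock.
    posted = datetime.fromtimestamp(1284249453, timezone.utc)
    print(f"posted record: skew={skew_seconds(posted, CAPTURE_TIME) / 86400:+.1f} days")
```

Run it over a real capture by feeding each UDP payload from the pcap to parse_v9_header and the pcap frame time as the capture clock.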