Hi

I have recently begun to export flows from a Cisco ASA version 8.2(5).

My flow records are coming through as "unsampled" and the number of
packets is way too big. Here is an example:

[root@xxxxxxx ~]# nfdump -M /usr/local/var/nfsen/profiles-data/live/xxxxxxSSL01 -T -r 2012/06/21/nfcapd.201206210000 -n 10 -s record/flows -o raw
Aggregated flows 99
Top 10 flows ordered by flows:

<snip>

Flow Record:
  Flags        =              0x00 Unsampled
  size         =                40
  first        =        1337755062 [2012-05-23 16:37:42]
  last         =        1337755063 [2012-05-23 16:37:43]
  msec_first   =               241
  msec_last    =                16
  src addr     =     x.x.176.41
  dst addr     =    x.x.101.101
  src port     =             54429
  dst port     =               389
  fwd status   =                 0
  tcp flags    =              0x00 ......
  proto        =                17
  (src)tos     =                 0
  (in)packets  =           1310738
  (in)bytes    =           5242882
  input        =                 0
  output       =                 0

Summary: total flows: 126, total bytes: 327.7 M, total packets: 103.1 G,
avg bps: 2.7 G, avg pps: 104.8 G, avg bpp: 0
Time window: 2012-05-23 16:37:42 - 2012-05-23 16:37:43
Total flows processed: 126, Blocks skipped: 0, Bytes read: 5208
Sys: 0.002s flows/second: 57481.8    Wall: 0.000s flows/second: 146853.1


As you can see from the (in)packets and (in)bytes the traffic is really
high (especially for UDP/389, which is LDAP). In reality this device is
virtually unused and MRTG graphs show just a trickle of data through it.

I believe that Cisco ASAs send in v9. There is no option I can find for
setting a sample rate.


Any thoughts on what might be going wrong? All my other devices are
Juniper firewalls and their flows come in as "Sampled", and they graph
correctly. All devices export to the same collector on the same port
(9995).

Nick
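As an added illustration (not part of Nick's post or of nfdump itself), the record above can be sanity-checked mechanically: 5242882 bytes over 1310738 packets is about 4 bytes per packet, which is below the smallest possible IPv4+UDP packet (28 bytes), so the counters cannot be genuine packet and byte totals for a single flow. The script below parses nfdump's `-o raw` output and flags records whose bytes-per-packet ratio is physically impossible for the protocol, or whose packet rate is absurd for one flow. The sample text is the record from the post; the per-protocol minimum sizes and the 10 Mpps threshold are assumptions chosen for this example.

```python
import re

# Sample nfdump "-o raw" record, copied from the post above (addresses masked as in the post).
SAMPLE_RECORD = """\
Flow Record:
  Flags        =              0x00 Unsampled
  size         =                40
  first        =        1337755062 [2012-05-23 16:37:42]
  last         =        1337755063 [2012-05-23 16:37:43]
  msec_first   =               241
  msec_last    =                16
  src addr     =     x.x.176.41
  dst addr     =    x.x.101.101
  src port     =             54429
  dst port     =               389
  fwd status   =                 0
  tcp flags    =              0x00 ......
  proto        =                17
  (src)tos     =                 0
  (in)packets  =           1310738
  (in)bytes    =           5242882
  input        =                 0
  output       =                 0
"""

# Assumed minimum on-the-wire bytes per packet: IPv4 header (20) plus the L4 header
# (TCP 20, UDP 8, ICMP 8). A flow averaging less than this cannot be real traffic.
MIN_BYTES_PER_PACKET = {6: 40, 17: 28, 1: 28}
DEFAULT_MIN_BPP = 20            # bare IPv4 header for protocols not listed above
MAX_PLAUSIBLE_PPS = 10_000_000  # assumed ceiling for a single flow on a small firewall

FIELD_RE = re.compile(r"^\s*(?P<key>[^=]+?)\s*=\s*(?P<value>.+?)\s*$")


def parse_raw_records(text):
    """Split nfdump -o raw output into one dict per 'Flow Record:' block."""
    records = []
    current = None
    for line in text.splitlines():
        if line.startswith("Flow Record:"):
            current = {}
            records.append(current)
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group("key")] = m.group("value")
    return records


def _int_field(rec, key):
    """Take the leading numeric token of a value such as '0x00 Unsampled' or '1337755062 [...]'."""
    token = rec[key].split()[0]
    return int(token, 16) if token.lower().startswith("0x") else int(token, 10)


def check_record(rec):
    """Return a list of sanity findings for one parsed record (empty list means plausible)."""
    findings = []
    proto = _int_field(rec, "proto")
    packets = _int_field(rec, "(in)packets")
    nbytes = _int_field(rec, "(in)bytes")
    duration = max(_int_field(rec, "last") - _int_field(rec, "first"), 1)  # seconds, min 1

    if packets == 0:
        findings.append("zero packets")
        return findings

    bpp = nbytes / packets
    floor = MIN_BYTES_PER_PACKET.get(proto, DEFAULT_MIN_BPP)
    if bpp < floor:
        findings.append(f"bytes/packet {bpp:.1f} below minimum {floor} for proto {proto}")

    pps = packets / duration
    if pps > MAX_PLAUSIBLE_PPS:
        findings.append(f"{pps:.0f} pps is implausible for a single flow")
    return findings


def audit(text):
    """Run check_record over every record in the raw output; returns (index, findings) pairs."""
    return [(i, check_record(r)) for i, r in enumerate(parse_raw_records(text))]


if __name__ == "__main__":
    for idx, findings in audit(SAMPLE_RECORD):
        print(f"record {idx}: {'OK' if not findings else '; '.join(findings)}")
```

Run against the post's record it reports the 4-byte-per-packet anomaly; feeding it `nfdump ... -o raw` output for a whole file shows whether every record from the ASA is affected, which separates a systematic export or decoding problem from a one-off corrupt record.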

Nfdump-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss