Platform: nfdump-1.6.8p1 from source, on Ubuntu 12.04 x86_64. (Also nfsen-1.3.6p1, but I don't need it to demonstrate this problem)

I have configured a Cisco ASA5505 to send Netflow packets. nfcapd receives them, but nfdump shows all flows as having 0 bytes, 0 packets and 0 duration.

---- Sample nfdump output ----

# nfdump -M /var/nfsen/profiles-data/live/lch-asa1 -T -r 2013/01/15/nfcapd.201301150645 -c 10
Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2013-01-15 00:00:33.367     0.000 TCP       10.y.y.69:49555    ->     10.x.x.242:445           0        0     1
2013-01-15 00:00:33.367     0.000 TCP       10.y.y.69:49556    ->     10.x.x.242:139           0        0     1
2013-01-15 00:00:33.367     0.000 ICMP      10.y.y.15:0        ->      10.x.x.98:3.0           0        0     1
2013-01-15 00:00:33.367     0.000 ICMP      10.x.x.30:0        ->  192.168.z.110:31.233        0        0     1
2013-01-15 00:00:33.367     0.000 TCP      10.x.x.241:54817    ->      10.y.y.35:5022          0        0     1
2013-01-15 00:00:33.367     0.000 ICMP      10.x.x.30:0        ->  192.168.z.110:31.233        0        0     1
2013-01-15 00:00:33.367     0.000 ICMP      10.x.x.30:0        ->  192.168.z.110:31.233        0        0     1
2013-01-15 00:00:33.367     0.000 UDP      10.x.x.234:123      ->        J.J.J.2:123           0        0     1
2013-01-15 00:00:33.367     0.000 ICMP      10.y.y.15:0        ->      10.x.x.98:3.0           0        0     1
2013-01-15 00:00:33.367     0.000 TCP       10.y.y.15:21556    ->      10.x.x.98:139           0        0     1
Summary: total flows: 10, total bytes: 0, total packets: 0, avg bps: 0, avg pps: 0, avg bpp: 0
Time window: 2013-01-15 00:00:33 - 2013-01-15 00:00:34
Total flows processed: 1742, Blocks skipped: 0, Bytes read: 97752
Sys: 0.004s flows/second: 435500.0  Wall: 0.001s flows/second: 977553.3

I was running ASA firmware 8.4(3) originally. I have now updated this to 8.4(5) because of this note:
http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html#wp95483

"NSEL : Flow-update events have been introduced to provide periodic byte counters for flow traffic. You can change the time interval at which flow-update events are sent to the NetFlow collector."

Now if I look at the Netflow packets with tshark after the update, I see two new fields: "Initiator Octets" and "Responder Octets" - but still no field which looks like a packet count.

There's no duration field, although perhaps it can be derived from "Start time" and "Observation time". tshark output is at end of this mail.

I see the nfcapd command line is as follows:

netflow  23506  0.0  0.0  24356  1812 ?  S  Jan14  0:07 /usr/bin/nfcapd -w -D -p 9996 -u netflow -g www-data -B 20000 -S 1 -P /var/nfsen/var/run/p9996.pid -z -I lch-asa1 -l /var/nfsen/profiles-data/live/lch-asa1

I tried setting $EXTENSIONS = 'all'; in nfsen.conf, and I expected nfcapd to get -Tall, but it didn't. So I tried killing nfcapd, restarting it with -Tall plus the same command line options. However, the next nfdump file still shows all zeros.

Seeing the flows without the byte counts is not particularly useful. Any suggestions for where to go next?

Thanks,

Brian.

---- ASA 5505 netflow config ----

flow-export destination inside 10.x.x.30 9996
flow-export template timeout-rate 1
flow-export delay flow-create 10
access-list NETFLOW extended permit ip any any
class-map NetFlow-traffic
 match access-list NETFLOW
policy-map global_policy
 class NetFlow-traffic
  flow-export event-type all destination 10.x.x.30

---- sample tshark output ----

# tshark -i eth0 -nnV -s0 udp port 9996
... wait for flow template to be received ...

Frame 81: 1494 bytes on wire (11952 bits), 1494 bytes captured (11952 bits)
    Arrival Time: Jan 15, 2013 16:39:42.341861000 GMT
    Epoch Time: 1358267982.341861000 seconds
    [Time delta from previous captured frame: 0.300491000 seconds]
    [Time delta from previous displayed frame: 0.300491000 seconds]
    [Time since reference or first frame: 37.685442000 seconds]
    Frame Number: 81
    Frame Length: 1494 bytes (11952 bits)
    Capture Length: 1494 bytes (11952 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:udp:cflow]
Ethernet II, Src: 00:22:bd:e6:xx:xx (00:22:bd:e6:xx:xx), Dst: 00:30:18:a4:yy:yy (00:30:18:a4:yy:yy)
    Destination: 00:30:18:a4:yy:yy (00:30:18:a4:yy:yy)
        Address: 00:30:18:a4:yy:yy (00:30:18:a4:yy:yy)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: 00:22:bd:e6:xx:xx (00:22:bd:e6:xx:xx)
        Address: 00:22:bd:e6:xx:xx (00:22:bd:e6:xx:xx)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.x.x.1 (10.x.x.1), Dst: 10.x.x.30 (10.x.x.30)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 1480
    Identification: 0xea70 (60016)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 255
    Protocol: UDP (17)
    Header checksum: 0xXXXX [correct]
        [Good: True]
        [Bad: False]
    Source: 10.x.x.1 (10.x.x.1)
    Destination: 10.x.x.30 (10.x.x.30)
User Datagram Protocol, Src Port: 4760 (4760), Dst Port: 9996 (9996)
    Source port: 4760 (4760)
    Destination port: 9996 (9996)
    Length: 1460
    Checksum: 0xYYYY [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
Cisco NetFlow/IPFIX
    Version: 9
    Count: 15
    SysUptime: 59928101
    Timestamp: Jan 15, 2013 16:39:26.000000000 GMT
        CurrentSecs: 1358267966
    FlowSequence: 50126
    SourceId: 0
    FlowSet 1
        FlowSet Id: (Data) (265)
        FlowSet Length: 324
        Flow 1
            Flow Id: 367972
            SrcAddr: 10.x.x.57 (10.x.x.57)
            SrcPort: 56770
            InputInt: 14
            DstAddr: A.A.A.177 (A.A.A.177)
            DstPort: 80
            OutputInt: 15
            Protocol: 6
            IPv4 ICMP Type: 0
            IPv4 ICMP Code: 0
            Post NAT Source IPv4 Address: Z.Z.Z.155 (Z.Z.Z.155)
            Post NAT Destination IPv4 Address: A.A.A.177 (A.A.A.177)
            Post NAPT Source Transport Port: 56770
            Post NAPT Destination Transport Port: 80
            Firewall Event: Flow deleted (2)
            Extended firewall event code: Unknown (2027)
            Observation Time Milliseconds: Jan 15, 2013 16:39:25.737000000 GMT
            Initiator Octets: 757
            Responder Octets: 586
            Ingress ACL ID: 000000000000000000000000
            Egress ACL ID: 000000000000000000000000
            AAA username:
            StartTime: Jan 15, 2013 16:39:25.677000000 GMT
        Flow 2
            Flow Id: 367970
            SrcAddr: 10.x.x.57 (10.x.x.57)
            SrcPort: 56768
            InputInt: 14
            DstAddr: C.C.C.169 (C.C.C.169)
            DstPort: 80
            OutputInt: 15
            Protocol: 6
            IPv4 ICMP Type: 0
            IPv4 ICMP Code: 0
            Post NAT Source IPv4 Address: Z.Z.Z.155 (Z.Z.Z.155)
            Post NAT Destination IPv4 Address: C.C.C.169 (C.C.C.169)
            Post NAPT Source Transport Port: 56768
            Post NAPT Destination Transport Port: 80
            Firewall Event: Flow deleted (2)
            Extended firewall event code: Unknown (2027)
            Observation Time Milliseconds: Jan 15, 2013 16:39:25.797000000 GMT
            Initiator Octets: 821
            Responder Octets: 1696
            Ingress ACL ID: 000000000000000000000000
            Egress ACL ID: 000000000000000000000000
            AAA username:
            StartTime: Jan 15, 2013 16:39:25.677000000 GMT
        Flow 3
            Flow Id: 367955
            SrcAddr: 10.x.x.57 (10.x.x.57)
            SrcPort: 56758
            InputInt: 14
            DstAddr: F.F.F.20 (F.F.F.20)
            DstPort: 80
            OutputInt: 15
            Protocol: 6
            IPv4 ICMP Type: 0
            IPv4 ICMP Code: 0
            Post NAT Source IPv4 Address: Z.Z.Z.155 (Z.Z.Z.155)
            Post NAT Destination IPv4 Address: D.D.D.20 (D.D.D.20)
            Post NAPT Source Transport Port: 56758
            Post NAPT Destination Transport Port: 80
            Firewall Event: Flow deleted (2)
            Extended firewall event code: Unknown (2027)
            Observation Time Milliseconds: Jan 15, 2013 16:39:25.807000000 GMT
            Initiator Octets: 1131
            Responder Octets: 9831
            Ingress ACL ID: 000000000000000000000000
            Egress ACL ID: 000000000000000000000000
            AAA username:
            StartTime: Jan 15, 2013 16:39:25.127000000 GMT
        Padding (2 bytes)
    FlowSet 2
        FlowSet Id: (Data) (256)
        FlowSet Length: 104
        Flow 1
            Flow Id: 367686
            SrcAddr: 10.x.x.57 (10.x.x.57)
            SrcPort: 56555
            InputInt: 14
            DstAddr: E.E.E.30 (E.E.E.30)
            DstPort: 80
            OutputInt: 15
            Protocol: 6
            IPv4 ICMP Type: 0
            IPv4 ICMP Code: 0
            Post NAT Source IPv4 Address: Z.Z.Z.155 (Z.Z.Z.155)
            Post NAT Destination IPv4 Address: E.E.E.30 (E.E.E.30)
            Post NAPT Source Transport Port: 56555
            Post NAPT Destination Transport Port: 80
            Firewall Event: Flow created (1)
            Extended firewall event code: ignore (0)
            Observation Time Milliseconds: Jan 15, 2013 16:39:25.837000000 GMT
            Ingress ACL ID: 000000000000000000000000
            Egress ACL ID: 000000000000000000000000
            AAA username:
            StartTime: Jan 15, 2013 16:39:15.794000000 GMT
        Padding (2 bytes)
    FlowSet 3
        FlowSet Id: (Data) (265)
        FlowSet Length: 324
        Flow 1
            Flow Id: 367975
            SrcAddr: 10.x.x.57 (10.x.x.57)
            SrcPort: 56773
            InputInt: 14
            DstAddr: C.C.C.169 (C.C.C.169)
            DstPort: 80
            OutputInt: 15
            Protocol: 6
            IPv4 ICMP Type: 0
            IPv4 ICMP Code: 0
            Post NAT Source IPv4 Address: Z.Z.Z.155 (Z.Z.Z.155)
            Post NAT Destination IPv4 Address: C.C.C.169 (C.C.C.169)
            Post NAPT Source Transport Port: 56773
            Post NAPT Destination Transport Port: 80
            Firewall Event: Flow deleted (2)
            Extended firewall event code: Unknown (2027)
            Observation Time Milliseconds: Jan 15, 2013 16:39:25.837000000 GMT
            Initiator Octets: 835
            Responder Octets: 557
            Ingress ACL ID: 000000000000000000000000
            Egress ACL ID: 000000000000000000000000
            AAA username:
            StartTime: Jan 15, 2013 16:39:25.797000000 GMT
        Flow 2
            Flow Id: 367976
            SrcAddr: 10.x.x.57 (10.x.x.57)
            SrcPort: 56774
            InputInt: 14
            DstAddr: C.C.C.244 (C.C.C.244)
            DstPort: 80
            OutputInt: 15
            Protocol: 6
            IPv4 ICMP Type: 0
            IPv4 ICMP Code: 0
            Post NAT Source IPv4 Address: Z.Z.Z.155 (Z.Z.Z.155)
            Post NAT Destination IPv4 Address: C.C.C.244 (C.C.C.244)
            Post NAPT Source Transport Port: 56774
            Post NAPT Destination Transport Port: 80
            Firewall Event: Flow deleted (2)
            Extended firewall event code: Unknown (2027)
            Observation Time Milliseconds: Jan 15, 2013 16:39:25.857000000 GMT
            Initiator Octets: 428
            Responder Octets: 293
            Ingress ACL ID: 000000000000000000000000
            Egress ACL ID: 000000000000000000000000
            AAA username:
            StartTime: Jan 15, 2013 16:39:25.827000000 GMT
        Flow 3
            Flow Id: 367977
            SrcAddr: 10.x.x.57 (10.x.x.57)
            SrcPort: 56775
            InputInt: 14
            DstAddr: C.C.C.169 (C.C.C.169)
            DstPort: 80
            OutputInt: 15
            Protocol: 6
            IPv4 ICMP Type: 0
            IPv4 ICMP Code: 0
            Post NAT Source IPv4 Address: Z.Z.Z.155 (Z.Z.Z.155)
            Post NAT Destination IPv4 Address: C.C.C.169 (C.C.C.169)
            Post NAPT Source Transport Port: 56775
            Post NAPT Destination Transport Port: 80
            Firewall Event: Flow deleted (2)
            Extended firewall event code: Unknown (2027)
            Observation Time Milliseconds: Jan 15, 2013 16:39:25.907000000 GMT
            Initiator Octets: 652
            Responder Octets: 420
            Ingress ACL ID: 000000000000000000000000
            Egress ACL ID: 000000000000000000000000
            AAA username:
            StartTime: Jan 15, 2013 16:39:25.857000000 GMT
        Padding (2 bytes)
    FlowSet 4
        FlowSet Id: (Data) (256)
        FlowSet Length: 104
        Flow 1
            Flow Id: 367694
            SrcAddr: G.G.G.2 (G.G.G.2)
            SrcPort: 43976
            InputInt: 15
            DstAddr: Z.Z.Z.155 (Z.Z.Z.155)
            DstPort: 33385
            OutputInt: 65535
            Protocol: 50
            IPv4 ICMP Type: 0
            IPv4 ICMP Code: 0
            Post NAT Source IPv4 Address: G.G.G.2 (G.G.G.2)
            Post NAT Destination IPv4 Address: Z.Z.Z.155 (Z.Z.Z.155)
            Post NAPT Source Transport Port: 43976
            Post NAPT Destination Transport Port: 33385
            Firewall Event: Flow created (1)
            Extended firewall event code: ignore (0)
            Observation Time Milliseconds: Jan 15, 2013 16:39:25.937000000 GMT
            Ingress ACL ID: 000000000000000000000000
            Egress ACL ID: 000000000000000000000000
            AAA username:
            StartTime: Jan 15, 2013 16:39:15.914000000 GMT
        Padding (2 bytes)
    FlowSet 5
        FlowSet Id: (Data) (265)
        FlowSet Length: 324
        Flow 1
            Flow Id: 367971
            SrcAddr: 10.x.x.57 (10.x.x.57)
            SrcPort: 56769
            InputInt: 14
            DstAddr: H.H.H.25 (H.H.H.25)
            DstPort: 80
            OutputInt: 15
            Protocol: 6
            IPv4 ICMP Type: 0
            IPv4 ICMP Code: 0
            Post NAT Source IPv4 Address: Z.Z.Z.155 (Z.Z.Z.155)
            Post NAT Destination IPv4 Address: H.H.H.25 (H.H.H.25)
            Post NAPT Source Transport Port: 56769
            Post NAPT Destination Transport Port: 80
            Firewall Event: Flow deleted (2)
            Extended firewall event code: Unknown (2027)
            Observation Time Milliseconds: Jan 15, 2013 16:39:25.967000000 GMT
            Initiator Octets: 375
            Responder Octets: 714
            Ingress ACL ID: 000000000000000000000000
            Egress ACL ID: 000000000000000000000000
            AAA username:
            StartTime: Jan 15, 2013 16:39:25.677000000 GMT
        Flow 2
            Flow Id: 367979
            SrcAddr: 10.x.x.57 (10.x.x.57)
            SrcPort: 56776
            InputInt: 14
            DstAddr: C.C.C.169 (C.C.C.169)
            DstPort: 80
            OutputInt: 15
            Protocol: 6
            IPv4 ICMP Type: 0
            IPv4 ICMP Code: 0
            Post NAT Source IPv4 Address: Z.Z.Z.155 (Z.Z.Z.155)
            Post NAT Destination IPv4 Address: C.C.C.169 (C.C.C.169)
            Post NAPT Source Transport Port: 56776
            Post NAPT Destination Transport Port: 80
            Firewall Event: Flow deleted (2)
            Extended firewall event code: Unknown (2027)
            Observation Time Milliseconds: Jan 15, 2013 16:39:25.997000000 GMT
            Initiator Octets: 779
            Responder Octets: 701
            Ingress ACL ID: 000000000000000000000000
            Egress ACL ID: 000000000000000000000000
            AAA username:
            StartTime: Jan 15, 2013 16:39:25.897000000 GMT
        Flow 3
            Flow Id: 367980
            SrcAddr: 10.x.x.57 (10.x.x.57)
            SrcPort: 56777
            InputInt: 14
            DstAddr: I.I.I.138 (I.I.I.138)
            DstPort: 80
            OutputInt: 15
            Protocol: 6
            IPv4 ICMP Type: 0
            IPv4 ICMP Code: 0
            Post NAT Source IPv4 Address: Z.Z.Z.155 (Z.Z.Z.155)
            Post NAT Destination IPv4 Address: I.I.I.138 (I.I.I.138)
            Post NAPT Source Transport Port: 34877
            Post NAPT Destination Transport Port: 80
            Firewall Event: Flow deleted (2)
            Extended firewall event code: Unknown (2027)
            Observation Time Milliseconds: Jan 15, 2013 16:39:26.037000000 GMT
            Initiator Octets: 695
            Responder Octets: 328
            Ingress ACL ID: 000000000000000000000000
            Egress ACL ID: 000000000000000000000000
            AAA username:
            StartTime: Jan 15, 2013 16:39:25.997000000 GMT
        Padding (2 bytes)
    FlowSet 6
        FlowSet Id: (Data) (263)
        FlowSet Length: 252
        Flow 1
            Flow Id: 366127
            SrcAddr: 10.x.x.113 (10.x.x.113)
            SrcPort: 57883
            InputInt: 14
            DstAddr: B.B.B.129 (B.B.B.129)
            DstPort: 443
            OutputInt: 15
            Protocol: 6
            IPv4 ICMP Type: 0
            IPv4 ICMP Code: 0
            Post NAT Source IPv4 Address: Z.Z.Z.155 (Z.Z.Z.155)
            Post NAT Destination IPv4 Address: B.B.B.129 (B.B.B.129)
            Post NAPT Source Transport Port: 57883
            Post NAPT Destination Transport Port: 443
            Firewall Event: Flow deleted (2)
            Extended firewall event code: Unknown (2030)
            Observation Time Milliseconds: Jan 15, 2013 16:39:26.037000000 GMT
            Initiator Octets: 36479
            Responder Octets: 709040
            StartTime: Jan 15, 2013 16:37:29.476000000 GMT
        Flow 2
            Flow Id: 366151
            SrcAddr: 10.x.x.113 (10.x.x.113)
            SrcPort: 57898
            InputInt: 14
            DstAddr: B.B.B.129 (B.B.B.129)
            DstPort: 443
            OutputInt: 15
            Protocol: 6
            IPv4 ICMP Type: 0
            IPv4 ICMP Code: 0
            Post NAT Source IPv4 Address: Z.Z.Z.155 (Z.Z.Z.155)
            Post NAT Destination IPv4 Address: B.B.B.129 (B.B.B.129)
            Post NAPT Source Transport Port: 57898
            Post NAPT Destination Transport Port: 443
            Firewall Event: Flow deleted (2)
            Extended firewall event code: Unknown (2030)
            Observation Time Milliseconds: Jan 15, 2013 16:39:26.037000000 GMT
            Initiator Octets: 13541
            Responder Octets: 3355
            StartTime: Jan 15, 2013 16:37:31.066000000 GMT
        Flow 3
            Flow Id: 366135
            SrcAddr: 10.x.x.113 (10.x.x.113)
            SrcPort: 57891
            InputInt: 14
            DstAddr: B.B.B.129 (B.B.B.129)
            DstPort: 443
            OutputInt: 15
            Protocol: 6
            IPv4 ICMP Type: 0
            IPv4 ICMP Code: 0
            Post NAT Source IPv4 Address: Z.Z.Z.155 (Z.Z.Z.155)
            Post NAT Destination IPv4 Address: B.B.B.129 (B.B.B.129)
            Post NAPT Source Transport Port: 57891
            Post NAPT Destination Transport Port: 443
            Firewall Event: Flow deleted (2)
            Extended firewall event code: Unknown (2030)
            Observation Time Milliseconds: Jan 15, 2013 16:39:26.037000000 GMT
            Initiator Octets: 29039
            Responder Octets: 168650
            StartTime: Jan 15, 2013 16:37:29.556000000 GMT
        Flow 4
            Flow Id: 366124
            SrcAddr: 10.x.x.113 (10.x.x.113)
            SrcPort: 57882
            InputInt: 14
            DstAddr: B.B.B.129 (B.B.B.129)
            DstPort: 443
            OutputInt: 15
            Protocol: 6
            IPv4 ICMP Type: 0
            IPv4 ICMP Code: 0
            Post NAT Source IPv4 Address: Z.Z.Z.155 (Z.Z.Z.155)
            Post NAT Destination IPv4 Address: B.B.B.129 (B.B.B.129)
            Post NAPT Source Transport Port: 57882
            Post NAPT Destination Transport Port: 443
            Firewall Event: Flow deleted (2)
            Extended firewall event code: Unknown (2030)
            Observation Time Milliseconds: Jan 15, 2013 16:39:26.037000000 GMT
            Initiator Octets: 16298
            Responder Octets: 98699
            StartTime: Jan 15, 2013 16:37:29.106000000 GMT

_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
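The NSEL records in the capture above carry "Initiator Octets", "Responder Octets" and two timestamps rather than the in/out byte, packet and duration counters a classic NetFlow v9 collector expects, which is why a collector that only knows the classic fields reports zeros. As an added example (not part of Brian's post, and not nfdump's or Cisco's code), this Python script builds a constructed NetFlow v9 export using the IANA IPFIX element numbers for those fields (the ASA's real template layout and the documentation-space addresses are assumptions), parses it, and derives total bytes and duration the way an NSEL-aware collector has to:

```python
import struct
# NetFlow v9 field type ids (the IANA IPFIX numbers); the template itself is constructed for this example.
F_SRC, F_SPORT, F_DST, F_DPORT, F_PROTO = 8, 7, 12, 11, 4
F_FW_EVENT, F_OBS_MS, F_INIT_OCT, F_RESP_OCT, F_START_MS = 233, 323, 231, 232, 152
TEMPLATE = [(F_SRC, 4), (F_SPORT, 2), (F_DST, 4), (F_DPORT, 2), (F_PROTO, 1),
            (F_FW_EVENT, 1), (F_OBS_MS, 8), (F_INIT_OCT, 8), (F_RESP_OCT, 8), (F_START_MS, 8)]

def record(src, sport, dst, dport, proto, event, obs_ms, init_oct, resp_oct, start_ms):
    ip4 = lambda a: bytes(map(int, a.split(".")))   # one 46-byte record laid out as TEMPLATE describes
    return (ip4(src) + struct.pack("!H", sport) + ip4(dst)
            + struct.pack("!HBBQQQQ", dport, proto, event, obs_ms, init_oct, resp_oct, start_ms))

def build_packet(template_id, records):   # constructed v9 export: header, template FlowSet, data FlowSet
    tmpl = struct.pack("!HH", template_id, len(TEMPLATE)) + b"".join(struct.pack("!HH", *f) for f in TEMPLATE)
    data = b"".join(records)
    data += b"\x00" * (-len(data) % 4)    # 4-byte alignment: the "Padding (2 bytes)" seen in the capture
    header = struct.pack("!HHIIII", 9, 1 + len(records), 59928101, 1358267966, 50126, 0)
    return header + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl + struct.pack("!HH", template_id, 4 + len(data)) + data

def decode_record(raw, fields):
    v, p = {}, 0
    for ftype, flen in fields:
        chunk, p = raw[p:p + flen], p + flen
        v[ftype] = ".".join(map(str, chunk)) if ftype in (F_SRC, F_DST) else int.from_bytes(chunk, "big")
    # NSEL has no packet counter and no plain in/out byte counters, so total bytes and duration
    # are derived from initiator/responder octets and the start/observation timestamps.
    return {"src": f"{v[F_SRC]}:{v[F_SPORT]}", "dst": f"{v[F_DST]}:{v[F_DPORT]}", "proto": v[F_PROTO],
            "event": v[F_FW_EVENT], "bytes": v.get(F_INIT_OCT, 0) + v.get(F_RESP_OCT, 0),
            "duration_ms": v[F_OBS_MS] - v[F_START_MS]}

def parse_v9(pkt):   # walk the FlowSets, learn templates, decode records whose template is known
    assert struct.unpack("!H", pkt[:2])[0] == 9, "not a NetFlow v9 packet"
    templates, flows, off = {}, [], 20
    while off + 4 <= len(pkt):
        set_id, set_len = struct.unpack("!HH", pkt[off:off + 4])
        body, off = pkt[off + 4:off + set_len], off + set_len
        if set_id == 0:                   # template FlowSet (this example assumes one template per set)
            tid, n = struct.unpack("!HH", body[:4])
            templates[tid] = [struct.unpack("!HH", body[4 + 4 * i:8 + 4 * i]) for i in range(n)]
        elif set_id in templates:         # data FlowSet; records for a template not yet seen are dropped
            fields, rec_len = templates[set_id], sum(l for _, l in templates[set_id])
            for p in range(0, len(body) - rec_len + 1, rec_len):
                flows.append(decode_record(body[p:p + rec_len], fields))
    return flows

# Constructed sample: two "Flow deleted" records with the octet counts and timestamps of FlowSet 1
# above, the anonymised addresses replaced by RFC 5737 documentation space.
SAMPLE = build_packet(265, [
    record("10.0.0.57", 56770, "198.51.100.177", 80, 6, 2, 1358267965737, 757, 586, 1358267965677),
    record("10.0.0.57", 56768, "198.51.100.169", 80, 6, 2, 1358267965797, 821, 1696, 1358267965677)])
```

Running parse_v9(SAMPLE) yields 1343 bytes / 60 ms and 2517 bytes / 120 ms for the two flows; dropping the template FlowSet from the same packet yields no flows at all, which is the state nfcapd is in until a template arrives.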