Here are the dumps in a clearer format...

** nfdump -M /data/nfsen/profiles-data/live/asa-fw-03  -T  -R 2015/02/03/nfcapd.201502031055:2015/02/03/nfcapd.201502031110 -c 20
nfdump filter:
any
Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2015-02-03 10:30:56.068     0.000 TCP         10.4.71.16:8593  ->   157.55.235.168:40016    1.1 M  167.8 M     1
2015-02-03 10:30:56.068     0.000 TCP         10.4.71.16:8594  ->    91.190.218.65:12350    1.1 M  167.8 M     1
2015-02-03 10:30:56.552     0.000 TCP         10.4.71.16:8637  ->    81.144.170.91:443      1.1 M  167.8 M     1
2015-02-03 10:30:56.552     0.000 TCP         10.4.71.16:8638  ->    81.144.170.91:443      1.1 M  167.8 M     1
2015-02-03 10:30:55.898     0.000 UDP         10.4.71.16:58765 ->          8.8.8.8:53       1.1 M  167.8 M     1
2015-02-03 10:30:55.898     0.000 UDP         10.4.71.16:58765 ->          8.8.8.8:53       1.1 M  167.8 M     1
2015-02-03 10:30:55.898     0.000 UDP            8.8.8.8:53    ->       10.4.71.16:58765    1.0 M  167.8 M     1
2015-02-03 10:30:55.898     0.000 UDP            8.8.8.8:53    ->       10.4.71.16:58765    1.0 M  167.8 M     1
2015-02-03 10:30:55.815     0.000 TCP         10.4.71.16:8717  ->  184.169.159.196:443      1.1 M  167.8 M     1
2015-02-03 10:30:55.815     0.000 TCP         10.4.71.16:8717  ->  184.169.159.196:443      1.1 M  167.8 M     1
2015-02-03 10:30:55.815     0.000 TCP         10.4.71.16:8650  ->    81.144.170.91:443      1.1 M  167.8 M     1
2015-02-03 10:30:55.815     0.000 TCP         10.4.71.16:8651  ->    81.144.170.91:443      1.1 M  167.8 M     1
2015-02-03 10:30:56.372     0.000 TCP         10.4.71.16:8698  ->    72.26.232.209:443      1.1 M  167.8 M     1
2015-02-03 10:30:56.372     0.000 UDP         10.4.71.16:63912 ->          8.8.8.8:53       1.1 M  167.8 M     1
2015-02-03 10:30:56.372     0.000 UDP         10.4.71.16:63912 ->          8.8.8.8:53       1.1 M  167.8 M     1
2015-02-03 10:30:56.372     0.000 TCP         10.4.71.16:8727  ->      166.98.6.70:443      1.1 M  167.8 M     1
2015-02-03 10:30:56.372     0.000 TCP         10.4.71.16:8727  ->      166.98.6.70:443      1.1 M  167.8 M     1
2015-02-03 10:30:56.372     0.000 TCP         10.4.71.16:8707  ->   191.233.92.204:443      1.1 M  167.8 M     1
2015-02-03 10:30:56.372     0.000 TCP         10.4.71.16:8599  ->    173.194.66.94:443      1.1 M  167.8 M     1
2015-02-03 10:30:56.635     0.000 TCP         10.4.71.16:8710  ->   173.194.66.138:443      1.1 M  167.8 M     1
Summary: total flows: 20, total bytes: 3.4 G, total packets: 22.2 M, avg bps: 32.7 G, avg pps: 27.0 M, avg bpp: 151
Time window: 2015-02-03 10:30:55 - 2015-02-03 10:30:56
Total flows processed: 30, Blocks skipped: 0, Bytes read: 1932
Sys: 0.000s flows/second: 0.0        Wall: 0.000s flows/second: 201342.3



On 3 February 2015 at 11:28, M87tech [Jon] <j...@m87.co> wrote:

> Hi All
>
> I've got an ASA firewall running 9.1(5) sending NetFlow data to a Linux VM
> running nfsen.
>
> I've compiled the latest nfdump with the --enable-nfsen option and
> installed it.
>
> I also uncommented the $extensions = 'all'; in nfsen.conf when
> installing it.
>
> Nfsen only shows the flows with fixed packets and Byte counts. (See bottom
> of email)
>
> I can't really see much use for viewing the flow data without accurate
> bandwidth readouts as I would be using it for troubleshooting performance
> issues.
>
> I'm wondering if there are some more flags that I need to set to get this
> working?
>
> In a Wireshark capture I can't seem to see any field which would indicate
> the amount of bytes?  I see initiator octets and responder octets change
> but I don't know what these fields are used for.
>
> Many thanks,
>
> Jon.
>
> ** nfdump -M /data/nfsen/profiles-data/live/asa-fw-03  -T  -R 2015/02/03/nfcapd.201502031055:2015/02/03/nfcapd.201502031110 -c 20
> nfdump filter:
> any
> Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
> 2015-02-03 10:30:56.068     0.000 TCP         10.4.71.16:8593  ->   157.55.235.168:40016    1.1 M  167.8 M     1
> 2015-02-03 10:30:56.068     0.000 TCP         10.4.71.16:8594  ->    91.190.218.65:12350    1.1 M  167.8 M     1
> 2015-02-03 10:30:56.552     0.000 TCP         10.4.71.16:8637  ->    81.144.170.91:443      1.1 M  167.8 M     1
> 2015-02-03 10:30:56.552     0.000 TCP         10.4.71.16:8638  ->    81.144.170.91:443      1.1 M  167.8 M     1
> 2015-02-03 10:30:55.898     0.000 UDP         10.4.71.16:58765 ->          8.8.8.8:53       1.1 M  167.8 M     1
> 2015-02-03 10:30:55.898     0.000 UDP         10.4.71.16:58765 ->          8.8.8.8:53       1.1 M  167.8 M     1
> 2015-02-03 10:30:55.898     0.000 UDP            8.8.8.8:53    ->       10.4.71.16:58765    1.0 M  167.8 M     1
> 2015-02-03 10:30:55.898     0.000 UDP            8.8.8.8:53    ->       10.4.71.16:58765    1.0 M  167.8 M     1
> 2015-02-03 10:30:55.815     0.000 TCP         10.4.71.16:8717  ->  184.169.159.196:443      1.1 M  167.8 M     1
> 2015-02-03 10:30:55.815     0.000 TCP         10.4.71.16:8717  ->  184.169.159.196:443      1.1 M  167.8 M     1
> 2015-02-03 10:30:55.815     0.000 TCP         10.4.71.16:8650  ->    81.144.170.91:443      1.1 M  167.8 M     1
> 2015-02-03 10:30:55.815     0.000 TCP         10.4.71.16:8651  ->    81.144.170.91:443      1.1 M  167.8 M     1
> 2015-02-03 10:30:56.372     0.000 TCP         10.4.71.16:8698  ->    72.26.232.209:443      1.1 M  167.8 M     1
> 2015-02-03 10:30:56.372     0.000 UDP         10.4.71.16:63912 ->          8.8.8.8:53       1.1 M  167.8 M     1
> 2015-02-03 10:30:56.372     0.000 UDP         10.4.71.16:63912 ->          8.8.8.8:53       1.1 M  167.8 M     1
> 2015-02-03 10:30:56.372     0.000 TCP         10.4.71.16:8727  ->      166.98.6.70:443      1.1 M  167.8 M     1
> 2015-02-03 10:30:56.372     0.000 TCP         10.4.71.16:8727  ->      166.98.6.70:443      1.1 M  167.8 M     1
> 2015-02-03 10:30:56.372     0.000 TCP         10.4.71.16:8707  ->   191.233.92.204:443      1.1 M  167.8 M     1
> 2015-02-03 10:30:56.372     0.000 TCP         10.4.71.16:8599  ->    173.194.66.94:443      1.1 M  167.8 M     1
> 2015-02-03 10:30:56.635     0.000 TCP         10.4.71.16:8710  ->   173.194.66.138:443      1.1 M  167.8 M     1
> Summary: total flows: 20, total bytes: 3.4 G, total packets: 22.2 M, avg bps: 32.7 G, avg pps: 27.0 M, avg bpp: 151
> Time window: 2015-02-03 10:30:55 - 2015-02-03 10:30:56
> Total flows processed: 30, Blocks skipped: 0, Bytes read: 1932
> Sys: 0.000s flows/second: 0.0        Wall: 0.000s flows/second: 201342.3
>
>
>


-- 
*Jon M. Clayton*
*M87 Tech*
Technical Services | Cisco Networking | Voice and Data | Virtualisation |
Linux
Cisco Wireless - Deployment, controllers 55xx, 44xx, WCS
Cisco Voice - UCCM, UCCX, Unity Messaging
Cisco Nexus NX-OS (7000, 5000), Switching IOS Cat3750, Cat3560, Cat2960,
Cat4506, 4500-X
Cisco End to End QoS for Voice / Video / VC and troubleshooting
Cisco ASA - 5520, 5510, 5505
Juniper SRX / JunOS
HP Procurve

*E*: j...@m87.co
*M1*: 00 44* (0)774 828 3150*
*T1*: 00 44 *(0) 560 368 9545*
_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
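
A sanity check for the symptom reported in this thread (every flow carrying the same byte count with zero duration), written as an added example; it is not part of the original messages and is not nfdump or NfSen code. The function names, the 90% threshold, the five-row minimum and the decimal K/M/G scaling are assumptions of this sketch.

```python
import re
from collections import Counter

# Five rows copied from the dump in this thread (nfdump default "line" output).
THREAD_ROWS = """\
2015-02-03 10:30:56.068     0.000 TCP         10.4.71.16:8593  ->   157.55.235.168:40016    1.1 M  167.8 M     1
2015-02-03 10:30:56.552     0.000 TCP         10.4.71.16:8637  ->    81.144.170.91:443      1.1 M  167.8 M     1
2015-02-03 10:30:55.898     0.000 UDP         10.4.71.16:58765 ->          8.8.8.8:53       1.1 M  167.8 M     1
2015-02-03 10:30:55.898     0.000 UDP            8.8.8.8:53    ->       10.4.71.16:58765    1.0 M  167.8 M     1
2015-02-03 10:30:56.372     0.000 TCP         10.4.71.16:8698  ->    72.26.232.209:443      1.1 M  167.8 M     1
"""
# Constructed rows with plausible, varying counters, for comparison only.
CONSTRUCTED_ROWS = """\
2015-02-03 10:31:02.120     4.312 TCP         10.4.71.16:8801  ->    81.144.170.91:443         18     4213     1
2015-02-03 10:31:02.455     0.031 UDP         10.4.71.16:50112 ->          8.8.8.8:53           1       71     1
2015-02-03 10:31:03.010    12.870 TCP         10.4.71.16:8802  ->    72.26.232.209:443      1.2 K    1.4 M     1
2015-02-03 10:31:03.500     0.950 TCP         10.4.71.16:8803  ->      166.98.6.70:443         12     2890     1
2015-02-03 10:31:04.002     2.204 TCP         10.4.71.16:8804  ->    173.194.66.94:443         25     9120     1
"""

ROW = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+\s+(?P<dur>[\d.]+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
    r"(?P<pkts>[\d.]+(?: [KMGT])?)\s+(?P<bytes>[\d.]+(?: [KMGT])?)\s+\d+$")
SCALE = {"K": 1e3, "M": 1e6, "G": 1e9, "T": 1e12}  # assumed decimal scaling

def unscale(text):
    """Convert a scaled nfdump number such as '167.8 M' to a float."""
    value, _, unit = text.partition(" ")
    return float(value) * SCALE.get(unit, 1)

def parse_rows(text):
    """Return one dict per flow row; header and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({"dur": float(m["dur"]), "src": m["src"], "dst": m["dst"],
                         "pkts": unscale(m["pkts"]), "bytes": unscale(m["bytes"])})
    return rows

def counters_look_fixed(rows, min_rows=5, share=0.9):
    """True when nearly every row has the same byte count and zero duration."""
    if len(rows) < min_rows:
        return False
    same_bytes = Counter(r["bytes"] for r in rows).most_common(1)[0][1] / len(rows)
    zero_dur = sum(r["dur"] == 0 for r in rows) / len(rows)
    return same_bytes >= share and zero_dur >= share

if __name__ == "__main__":
    for name, text in (("thread", THREAD_ROWS), ("constructed", CONSTRUCTED_ROWS)):
        print(name, counters_look_fixed(parse_rows(text)))
```

The parser expects one flow per line, so wrapped mail text has to be rejoined before it is fed in.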