On 15/02/2015 14:32, Rui Ribeiro wrote:
> I have been setting up nfsen+nfdump in Debian 8. Cutting a story
> short, one of my current problems is that somehow nfcapd and nfdump
> have problems reading v9 netflows from my ASA.
> In the 1.6.6-1 version that comes with Debian, clearly packets and
> bytes were mangled; in the latest 1.6.13 version of the source code
> bytes are already OK, but packets always come as 0. Duration also
> comes as 0, albeit I am not needing that field.
> Would you be able to shed some light on this?
1. Did you compile nfdump with --enable-nsel?
This is required to parse the ASA's variant of netflow ("Netflow
Security Event Logging").
2. What version of ASA firmware are you running?
Periodic byte counters were introduced in 8.4(5) and 9.1(2)
http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/release/notes/asarn84.html
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/release/notes/asarn91.html
Checking here, the standard nfdump output gives the following headers:

Date first seen Event XEvent Proto Src IP Addr:Port Dst IP Addr:Port X-Src IP Addr:Port X-Dst IP Addr:Port In Byte Out Byte
Using '-o raw' I see only (in)packets = 0 for all flows, but the "out
bytes" and "(in)bytes" look reasonable. There's no duration.
I think this is just a limitation of NSEL. Perhaps they expect you to
work out durations by correlating CREATE and DELETE events.
Regards,
Brian.
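The correlation Brian suggests above, as an added example that is not part of the original thread or of nfdump itself: pair each CREATE event with the DELETE event for the same (proto, src, dst) tuple and take the time difference as the flow duration. The record layout, the field order and the sample lines are constructed for this example (they are not nfdump's real output); the only assumption carried over from the thread is that byte totals are read from the DELETE record and that the packet counter is not trusted, since under NSEL it arrives as 0. Flows whose CREATE or DELETE was not seen in the capture window are reported as incomplete rather than given a bogus duration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample records (NOT nfdump's real output; the field order is an
# assumption made for this example). Whitespace-separated fields:
#   timestamp event proto src_ip:port dst_ip:port in_bytes out_bytes
SAMPLE_RECORDS = """\
2015-02-15T14:00:00 CREATE TCP 10.0.0.5:51000 192.0.2.10:443 0 0
2015-02-15T14:00:00 CREATE UDP 10.0.0.7:53001 192.0.2.53:53 0 0
2015-02-15T14:00:01 DELETE UDP 10.0.0.7:53001 192.0.2.53:53 80 160
2015-02-15T14:02:30 DELETE TCP 10.0.0.5:51000 192.0.2.10:443 4200 98000
2015-02-15T14:03:00 DELETE TCP 10.0.0.9:40000 192.0.2.20:22 300 600
2015-02-15T14:05:00 CREATE TCP 10.0.0.11:40500 192.0.2.30:80 0 0
"""

FlowKey = Tuple[str, str, str]  # (proto, "src:port", "dst:port")


@dataclass
class FlowRecord:
    ts: datetime
    event: str
    key: FlowKey
    in_bytes: int
    out_bytes: int


@dataclass
class FlowSummary:
    key: FlowKey
    start: Optional[datetime]
    end: Optional[datetime]
    duration_s: Optional[float]   # None when the flow is incomplete
    in_bytes: int
    out_bytes: int
    note: str                     # "complete", "no CREATE seen", "no DELETE seen"


def parse_records(text: str) -> List[FlowRecord]:
    """Parse the constructed record layout into FlowRecord objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, proto, src, dst, in_b, out_b = line.split()
        records.append(FlowRecord(datetime.fromisoformat(ts), event.upper(),
                                  (proto, src, dst), int(in_b), int(out_b)))
    return records


def correlate(records: List[FlowRecord]) -> List[FlowSummary]:
    """Pair CREATE with DELETE per flow key; duration = DELETE time - CREATE time.

    Byte counters are taken from the DELETE record (assumption: it carries the
    totals). No packet counter is used because NSEL reports it as 0.
    """
    open_flows: Dict[FlowKey, FlowRecord] = {}
    summaries: List[FlowSummary] = []
    for r in sorted(records, key=lambda rec: rec.ts):   # stable sort keeps file order on ties
        if r.event == "CREATE":
            open_flows[r.key] = r
        elif r.event == "DELETE":
            c = open_flows.pop(r.key, None)
            if c is None:
                # DELETE without a matching CREATE: flow began before the capture window
                summaries.append(FlowSummary(r.key, None, r.ts, None,
                                             r.in_bytes, r.out_bytes, "no CREATE seen"))
            else:
                summaries.append(FlowSummary(r.key, c.ts, r.ts,
                                             (r.ts - c.ts).total_seconds(),
                                             r.in_bytes, r.out_bytes, "complete"))
    # Anything still open never received a DELETE in this capture window
    for c in open_flows.values():
        summaries.append(FlowSummary(c.key, c.ts, None, None,
                                     c.in_bytes, c.out_bytes, "no DELETE seen"))
    return summaries


if __name__ == "__main__":
    for s in correlate(parse_records(SAMPLE_RECORDS)):
        dur = f"{s.duration_s:.1f}s" if s.duration_s is not None else "n/a"
        print(f"{s.key[0]:4} {s.key[1]:>20} -> {s.key[2]:<20} "
              f"dur={dur:>7} in={s.in_bytes} out={s.out_bytes} [{s.note}]")
```

On the sample input this yields a 1.0 s UDP flow and a 150.0 s TCP flow, one DELETE with no CREATE (flow older than the capture) and one CREATE still open. When running this over real exports, key the correlation on whatever tuple your nfdump build prints for NSEL records; if NAT is in play the X-Src/X-Dst columns from the header line above are the ones that stay stable across CREATE and DELETE.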
_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss