C9300 Encrypted Traffic Analysis (et-analytics) - Missing Netflow Data Fields?

mjtooley — Tue, 20 Aug 2019 17:31:01 GMT

I have a C9300 running IOS XE v 16.06.03 (CAT9K-IOSXE) and the network-advantage and dna-advantage licenses installed. I am trying to verify that the encrypted traffic analysis, et-analytics, feature is configured and working properly.

I followed the configuration guide for enabling the et-analytics, https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-6/configuration_guide/nmgmt/b_166_nmgmt_9300_cg/b_166_nmgmt_9300_cg_chapter_01000.html

1). Configure an exporter IP and port for the et-analytics

2). Configured the inactive timer value for 10 seconds

3). Enabled threat visibility; e.g. interface gi1/0/1, et-analytics enable

I can see the Netflow with the initial data packet (IDP) and sequence of packet lengths and times (SPLT) fields being sent to the configured destination IP/port. When I examine the Netflow data I never see any of the other et-analytics netflow data fields such as byte distribution, and TLS records.

The Cisco white paper, https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/enterprise-network-security/nb-09-encrytd-traf-anlytcs-wp-cte-en.pdf, says the et-analytics feature will generate Netflow with the additional fields.

Is there something that I am not doing or missing. I was under the impression that the Netflow would include user-defined fields for byte distribution the TLS data. The Cisco Joy, https://github.com/cisco/joy, code is instrumented to process both Netflow v9 and IPFIX data with the additional netflow data fields.

Some additional info from the switch is below.

Cisco9300# show platform software et-analytics interfaces

ET-Analytics interfaces

GigabitEthernet1/0/1

GigabitEthernet1/0/2

GigabitEthernet1/0/3

GigabitEthernet1/0/4

GigabitEthernet1/0/5

GigabitEthernet1/0/6

GigabitEthernet1/0/7

GigabitEthernet1/0/8

GigabitEthernet1/0/9

GigabitEthernet1/0/10

GigabitEthernet1/0/11

GigabitEthernet1/0/12

GigabitEthernet1/0/13

GigabitEthernet1/0/14

GigabitEthernet1/0/15

GigabitEthernet1/0/16

GigabitEthernet1/0/17

GigabitEthernet1/0/18

GigabitEthernet1/0/19

GigabitEthernet1/0/20

GigabitEthernet1/0/21

GigabitEthernet1/0/22

GigabitEthernet1/0/23

GigabitEthernet1/0/24

ET-Analytics VLANs

Cisco9300#

_______________________

Cisco9300#show flow monitor eta-mon cache

Cache type: Normal (Platform cache)

Cache size: 10000

Current entries: 45

Flows added: 316878

Flows aged: 316833

- Active timeout ( 1800 secs) 82

- Inactive timeout ( 15 secs) 316751

IPV4 DESTINATION ADDRESS: 192.168.5.131

IPV4 SOURCE ADDRESS: 52.84.126.104

IP PROTOCOL: 6

TRNS SOURCE PORT: 443

TRNS DESTINATION PORT: 50972

counter bytes long: 26159

counter packets long: 33

timestamp abs first: 15:11:18.517

timestamp abs last: 15:13:22.517

interface input: Null

interface output: Null

_______________

Cisco9300#$rm software fed switch active fnf et-analytics-flow-dump

ET Analytics Flow dump

=================

Total packets received (3254647)

Excess packets received (120035)

(Index:0) 8.8.8.8, 192.168.5.110, protocol=17, source port=53, dest port=48820, flow done=u

SPLT: len = 3, value = (61184,0)(61184,0)(128,0)

IDP: len = 267, value = 45:20:1:b:96:66:0:0:75:11:

(Index:1) 192.168.5.110, 192.168.5.1, protocol=17, source port=35386, dest port=53, flow done=u

SPLT: len = 2, value = (10240,0)(128,0)

IDP: len = 68, value = 45:0:0:44:68:7d:40:0:40:11:

(Index:2) 72.21.91.29, 192.168.5.131, protocol=6, source port=80, dest port=56426, flow done=u

SPLT: len = 2, value = (5123,1280)(128,0)

IDP: len = 840, value = 45:20:3:48:19:a5:0:0:35:6:

(Index:3) 72.21.91.29, 192.168.5.131, protocol=6, source port=80, dest port=56422, flow done=u

SPLT: len = 2, value = (5123,768)(128,0)

IDP: len = 840, value = 45:20:3:48:e1:85:0:0:35:6:

Re: C9300 Encrypted Traffic Analysis (et-analytics) - Missing Netflow Data Fields?

brford — Mon, 29 Oct 2018 16:36:03 GMT

What's showing up at your Flow Collector?

Re: C9300 Encrypted Traffic Analysis (et-analytics) - Missing Netflow Data Fields?

mjtooley — Mon, 29 Oct 2018 16:43:41 GMT

My Netflow Collector shows that is receiving Netflow messages with the following data types: IP_DST_ADDR, IP_SRC_ADDR, PROTOCOL, L4_SRC_PORT, L4_DST_PORT, BYTES, PACKETS, flow start-mill, flowed-milli, user-defined(44940), and user-defined(44941).

44940 is the Initial Data Packet (IDP) and 44941 is the Sequence Packet Length Time(SPLT). I never see any that have 44944 nor any of the ones associated with TLS (44945 - 44951)

Re: C9300 Encrypted Traffic Analysis (et-analytics) - Missing Netflow Data Fields?

brford — Mon, 29 Oct 2018 16:46:40 GMT

I should have asked what your Stealthwatch Flow Collector was reporting.

Re: C9300 Encrypted Traffic Analysis (et-analytics) - Missing Netflow Data Fields?

mjtooley — Mon, 29 Oct 2018 16:51:58 GMT

I don't have StealthWatch. I am using the NFv9 collector that is part of the Cisco Joy code on Github (https://github.com/cisco/joy). I added some "printfs" to the code to tell what data types it was receiving and processing. I compared my Wireshark capture with what the Joy code is seeing and the two are consistent.

Re: C9300 Encrypted Traffic Analysis (et-analytics) - Missing Netflow Data Fields?

brford — Mon, 29 Oct 2018 17:29:45 GMT

Sorry. I would suggest that since this is a Cisco Stealthwatch Support forum you might try running the Stealthwatch Flow Collector. It works and we have some diagnostic capabilities there. You should request support for that open source Joy project via the email alias defined on Github.

topic Re: C9300 Encrypted Traffic Analysis (et-analytics) - Missing Netflow Data Fields? in Security Analytics

C9300 Encrypted Traffic Analysis (et-analytics) - Missing Netflow Data Fields?

Re: C9300 Encrypted Traffic Analysis (et-analytics) - Missing Netflow Data Fields?

Re: C9300 Encrypted Traffic Analysis (et-analytics) - Missing Netflow Data Fields?

Re: C9300 Encrypted Traffic Analysis (et-analytics) - Missing Netflow Data Fields?

Re: C9300 Encrypted Traffic Analysis (et-analytics) - Missing Netflow Data Fields?

Re: C9300 Encrypted Traffic Analysis (et-analytics) - Missing Netflow Data Fields?