06-30-2024 10:14 PM - edited 06-30-2024 10:17 PM
We run a 3rd party netflow collector, NtopNG with nProbe.
Our switches were running a netflow template we have had for years. I decided to wipe it and allow Catalyst Centre to input its own netflow config so I can also get some app info in Catalyst Centre.
I notice the fields that have been provisioned in the netflow record are all different, and I am not seeing anything in ntop.
I did some digging and found I can enable the IPFIX fields in the nprobe template, but I need to know which ones it's receiving, by matching from the list here: https://www.ntop.org/guides/nprobe/cli_options.html#netflow-v9-ipfix-format-t or maybe even the extender file here: https://github.com/ntop/nProbe/blob/master/custom_fields/Cisco/avc_custom_fields.txt
The flow record config is:
match ipv4 version
match ipv4 protocol
match application name
match connection client ipv4 address
match connection server ipv4 address
match connection server transport port
match flow observation point
collect timestamp absolute first
collect timestamp absolute last
collect flow direction
collect connection initiator
collect connection client counter packets long
collect connection client counter bytes network long
collect connection server counter packets long
collect connection server counter bytes network long
collect connection new-connections
collect datalink mac source address input
Does anyone know specifically which match/collect fields line up with which IPFIX labels in the list provided in the link?
For reference, the old flow record config was:
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match ipv4 protocol
match interface input
match ipv4 tos
match flow direction
collect interface output
collect counter bytes long
collect counter packets long
collect transport tcp flags
collect timestamp absolute first
collect timestamp absolute last
Which was used when we had Scrutinizer and it worked with Ntop when we moved to that, using the following default template fields:
%IN_SRC_MAC
%OUT_DST_MAC
%SRC_VLAN
%IPV4_SRC_ADDR
%IPV4_DST_ADDR
%L4_SRC_PORT
%L4_DST_PORT
%IPV6_SRC_ADDR
%IPV6_DST_ADDR
%IP_PROTOCOL_VERSION
%PROTOCOL
%L7_PROTO
%IN_BYTES
%IN_PKTS
%OUT_BYTES
%OUT_PKTS
%FIRST_SWITCHED
%LAST_SWITCHED
%FLOW_TO_APPLICATION_ID
%FLOW_TO_USER_ID
%INITIATOR_GW_IP_ADDR
%EXPORTER_IPV4_ADDRESS
Edit: Would be nice if Cisco made a document that explained which netflow commands line up with which element IDs provided here: https://www.iana.org/assignments/ipfix/ipfix.xml#ipfix-set-ids
If they did, then I can't find it.
07-01-2024 05:57 PM
I found the field IDs by doing the following command:
sh flow exporter dnacexporter templates details
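An added example, not part of the original posts and not Cisco or ntop code: the same element IDs can be read on the collector side by decoding a captured IPFIX Template Set (RFC 7011), including the enterprise bit that marks vendor-specific fields. It assumes the exporter sends IPFIX; the name table is a small subset of the IANA registry, and the sample bytes and enterprise element 1000 are constructed placeholders.

```python
import struct

# Subset of IANA IPFIX element names; extend from the IANA registry as needed.
IANA_NAMES = {4: "protocolIdentifier", 60: "ipVersion", 95: "applicationId",
              152: "flowStartMilliseconds", 153: "flowEndMilliseconds"}

def parse_template_set(buf):
    """Parse one IPFIX Template Set (Set ID 2) into {template_id: fields}.

    Each field is (enterprise_number, element_id, length); enterprise 0 = IANA.
    """
    if len(buf) < 4:
        raise ValueError("buffer shorter than a set header")
    set_id, set_len = struct.unpack_from("!HH", buf, 0)
    if set_id != 2:
        raise ValueError("not an IPFIX Template Set")
    if set_len < 4 or set_len > len(buf):
        raise ValueError("set length does not fit the buffer")
    off, templates = 4, {}
    while off + 4 <= set_len:
        template_id, count = struct.unpack_from("!HH", buf, off)
        if template_id < 256:          # IDs below 256 are reserved: padding
            break
        off += 4
        fields = []
        for _ in range(count):
            if off + 4 > set_len:
                raise ValueError("truncated field specifier")
            raw_id, length = struct.unpack_from("!HH", buf, off)
            off += 4
            pen = 0
            if raw_id & 0x8000:        # enterprise bit: a 4-byte PEN follows
                if off + 4 > set_len:
                    raise ValueError("truncated enterprise number")
                (pen,) = struct.unpack_from("!I", buf, off)
                off += 4
            fields.append((pen, raw_id & 0x7FFF, length))
        templates[template_id] = fields
    return templates

def describe(fields):
    """Label each field so it can be matched against a collector's field list."""
    return [IANA_NAMES.get(eid, f"IANA element {eid}") if pen == 0
            else f"enterprise {pen} element {eid}" for pen, eid, _ in fields]

# Constructed sample: template 260 with four IANA fields and one made-up
# enterprise field (PEN 9 is Cisco; element 1000 is a placeholder, not a real ID).
_BODY = struct.pack("!HH", 260, 5) + struct.pack(
    "!HHHHHHHHIHH", 60, 1, 4, 1, 95, 4, 0x8000 | 1000, 4, 9, 152, 8)
SAMPLE = struct.pack("!HH", 2, 4 + len(_BODY)) + _BODY
```

Fields reported with a non-zero enterprise number will not appear in the IANA list and have to be matched against a vendor-specific field file instead.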