02-17-2010 12:44 PM - edited 03-11-2019 10:11 AM
Hi,
I have a Cisco ASA in my environment. I enabled the NetFlow option and then started collecting NetFlow packets using Wireshark. When I analyzed the packets collected, I found the discrepancies below.
1. The Private Enterprise Number (PEN) field, which is not expected as per the Cisco documentation http://www.cisco.com/en/US/docs/security/asa/asa82/netflow/netflow.html#wp1028700, is present. Refer to the attached image PEN.bmp.
2. Netflow V9 format for Cisco IOS is defined in http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/tflow_wp.htm#wp1002063
Netflow V9 format for Cisco ASA is defined in http://www.cisco.com/en/US/docs/security/asa/asa82/netflow/netflow.html#wp1028700
I get the fields IPv4_SRC_ADDR and IP_DST_ADDR instead of the expected NF_F_SRC_ADDR_IPV4 and NF_F_DST_ADDR_IPV4 fields.
3. The fields IP_SRC_ADDR, L4_SRC_PORT and INPUT-SNMP are repeated within the same flowset. Refer to the attached image repeated.bmp.
I will be excited to get a comment on this.
Senthil.S
02-26-2010 05:07 AM
We have been getting a few calls with questions on the uniqueness of the NetFlows exported by the Cisco ASA. Check out this PDF:
http://www.plixer.com/files/netflow-on-the-asa-11-18-09.pdf I hope it helps.
03-03-2010 06:46 AM
Hi All,
Finally I found the cause for these issues. Sorry, if I have made you worried about these.
I was using Wireshark version 1.2.2 to analyze a pcap file that has Cisco V9 packets. Wireshark had an issue presenting the V9 packets. It shows some irrelevant or junk information.
When I viewed the same pcap file in Ethereal version 0.99.0, it's all fine. So if you are analyzing V9 packets, use Ethereal instead of Wireshark.
- Senthil -
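The lesson of this thread is that a dissector can misrepresent what the exporter actually sent, so it helps to decode the raw NetFlow v9 bytes yourself. The following parser is an added example, not code from the original thread, from Cisco or from Plixer. It walks the v9 header, template flowset and data flowsets exactly as RFC 3954 lays them out, and it also checks a template for repeated field types, which is the third discrepancy reported above. The sample packet is constructed inline and is not a real ASA capture; the field-type IDs prefixed NF_F_ are assumed from the ASA NetFlow documentation and should be checked against the document for your ASA release. Note that a v9 template entry carries only a 2-byte field type and a 2-byte length: there is no enterprise-number field in v9 at all (that is an IPFIX feature), so a PEN shown by a dissector for a v9 template is a decoding artifact.

```python
import struct
from collections import namedtuple

# NetFlow v9 field type IDs from RFC 3954, plus a few ASA NSEL IDs.
# The NF_F_* values are assumptions taken from the ASA NetFlow docs; verify.
FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
    8: "IPV4_SRC_ADDR", 10: "INPUT_SNMP", 11: "L4_DST_PORT",
    12: "IPV4_DST_ADDR", 14: "OUTPUT_SNMP",
    148: "NF_F_CONN_ID", 233: "NF_F_FW_EVENT",
    33000: "NF_F_INGRESS_ACL_ID", 33001: "NF_F_EGRESS_ACL_ID",
    33002: "NF_F_FW_EXT_EVENT",
}

Header = namedtuple("Header", "version count sys_uptime unix_secs sequence source_id")


def field_name(ftype):
    return FIELD_NAMES.get(ftype, "FIELD_%d" % ftype)


def parse_v9(packet):
    """Parse one NetFlow v9 export packet (header + flowsets).
    Returns (header, templates, records): templates maps template_id to a
    list of (field_type, field_length); records is a list of
    (template_id, {field_name: raw_bytes}).  Raw bytes are kept on purpose
    so the caller sees exactly what the exporter sent."""
    if len(packet) < 20:
        raise ValueError("short packet")
    hdr = Header(*struct.unpack("!HHIIII", packet[:20]))
    if hdr.version != 9:
        raise ValueError("not NetFlow v9: version %d" % hdr.version)
    templates, records, off = {}, [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad flowset length %d at offset %d" % (fs_len, off))
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:                       # template flowset
            _parse_template_flowset(body, templates)
        elif fs_id >= 256:                   # data flowset, id == template id
            records.extend(_parse_data_flowset(fs_id, body, templates))
        # fs_id == 1 (options template) is skipped in this example
        off += fs_len
    return hdr, templates, records


def _parse_template_flowset(body, templates):
    pos = 0
    while pos + 4 <= len(body):
        tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        fields = []
        for _ in range(nfields):             # each entry: type(2) length(2), no PEN in v9
            fields.append(struct.unpack("!HH", body[pos:pos + 4]))
            pos += 4
        templates[tid] = fields


def _parse_data_flowset(tid, body, templates):
    fields = templates.get(tid)
    if not fields:
        return []                            # template not seen yet; a collector would buffer
    rec_len = sum(flen for _, flen in fields)
    out, pos = [], 0
    while rec_len and pos + rec_len <= len(body):   # leftover < rec_len is padding
        rec = {}
        for ftype, flen in fields:           # a repeated type overwrites here; see check below
            rec[field_name(ftype)] = body[pos:pos + flen]
            pos += flen
        out.append((tid, rec))
    return out


def duplicate_field_types(template_fields):
    """Field types that occur more than once in one template (discrepancy 3 above)."""
    seen, dups = set(), []
    for ftype, _ in template_fields:
        if ftype in seen and ftype not in dups:
            dups.append(ftype)
        seen.add(ftype)
    return dups


def build_sample_packet():
    """Constructed sample: template 256 with ASA-style fields and one data
    record.  Not captured from a real ASA."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (10, 2), (14, 2),
              (148, 4), (233, 1), (33000, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(
        struct.pack("!HH", t, l) for t, l in fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    rec = (bytes([10, 0, 0, 5]) + bytes([192, 0, 2, 10]) + struct.pack("!HH", 51234, 443)
           + bytes([6]) + struct.pack("!HH", 2, 3) + struct.pack("!I", 0x1234)
           + bytes([1]) + struct.pack("!I", 0xABCDEF01))     # 26 bytes
    pad = (-(4 + len(rec))) % 4                              # pad flowset to 4 bytes
    data_fs = struct.pack("!HH", 256, 4 + len(rec) + pad) + rec + b"\0" * pad
    header = struct.pack("!HHIIII", 9, 2, 123456, 1266400000, 1, 0)
    return header + tmpl_fs + data_fs


if __name__ == "__main__":
    hdr, templates, records = parse_v9(build_sample_packet())
    print(hdr)
    for tid, flds in templates.items():
        print("template", tid, [(field_name(t), l) for t, l in flds],
              "duplicates:", duplicate_field_types(flds))
    for tid, rec in records:
        print("record from template", tid, {k: v.hex() for k, v in rec.items()})
```

Run it against your own capture by reading the UDP payload out of the pcap and passing the bytes to parse_v9; whatever it prints is what the ASA emitted, regardless of how a given Wireshark release chooses to label it.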