10-20-2010 08:07 AM
10-26-2010 04:51 AM
Hello Racquel,
You cannot explicitly view netflow messages within MARS. Once the MARS starts to see a flow of netflow messages it will collect and collate the information for 7 days (including a weekend). This will then produce a baseline for this netflow source. After 7 days MARS will switch from collecting to monitoring. In monitoring state MARS will, using predefined internal metrics, determine if newer netflow records indicate exceptional traffic. If this is the case, then the MARS will generate an incident on the GUI. Over time, the MARS will adjust the baseline values using the received netflow records.
If you select to store IOS or ASA netflow records (admin -> system setup -> netflow configuration), then the records will be written to the internal database and archived (if configured). This will impact disk usage but would mean that if you needed to recover the MARS from archive after failure (re-image or RMA) then you could recover the baseline settings. Also, if you write them to disk, you can then export the raw netflow records to a file (admin -> system maintenance -> retrieve raw messages), but you will need to provide some external means of processing them.
Matthew
10-26-2010 07:31 AM
Thanks for your response Matt. The problem is that I have to prove to my boss that MARS is collecting Netflow data, and that is my problem. At my previous job, once I installed netflow cards in the 4510's I could then see the messages between switches or devices on the same network. Whereas before I could only see traffic between different network segments due to them being segmented by a firewall. So in essence, in MARS I could only see data that traversed the firewall until I installed the netflow cards, at which point I could see all traffic whether it went through the firewall or not. However, now that I'm typing this I remembered that as a result the MARS database filled up exponentially, which must have meant that we were storing the netflow details? Therefore I could query them as any other event in MARS.
If this is the case, since I know that at my present job we are not storing the netflow details, how can I prove that MARS is collecting Netflow details without first storing them in the database?
10-27-2010 12:58 AM
Raquel, looks like I might be wrong about being able to gather the netflow records via the raw messages. I'll leave it running overnight and check tomorrow, but I can't see any such records from my lab ASA. You can prove that the netflow records are arriving via the CLI:
pnadmin]$ tcpdump -x -s 1500 -i eth0 ip host 10.48.67.44 and udp port 2055
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
17:25:53.913946 IP bsns-asa5505-21.cisco.com.34537 > bsns-mars50-1.2055: UDP, length 484
0x0000: 4500 0200 8256 0000 fe11 8af8 0a30 432c E....V.......0C,
0x0010: 0a30 5612 86e9 0807 01ec c8e5 0009 0006 .0V.............
...
17:26:02.922852 IP bsns-asa5505-21.cisco.com.34537 > bsns-mars50-1.2055: UDP, length 236
0x0000: 4500 0108 d1b0 0000 fe11 3c96 0a30 432c E.........<..0C,
0x0010: 0a30 5612 86e9 0807 00f4 6362 0009 0003 .0V.......cb....
...
etc
Matthew
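The tcpdump check above shows UDP datagrams reaching the appliance on port 2055, but the hex dump also carries the proof that they are NetFlow exports: the first two bytes after the UDP header (0009) are the NetFlow version and the next two the record count. The script below is an added example, not part of the original thread or of any Cisco tooling. It re-assembles the hex lines exactly as tcpdump -x prints them, decodes the IPv4 and UDP headers, cross-checks the lengths against each other and against the tcpdump summary line, and reads the NetFlow version and count. The capture text is constructed from the two truncated packets shown in the post (only 32 bytes of each are on the page, which is enough for the IP and UDP headers plus the first four bytes of NetFlow); the collector port 2055 is taken from the tcpdump filter used above.

```python
"""Confirm that what arrives on UDP/2055 is NetFlow, from a tcpdump -x hex dump.

Added example (not from the original thread or from Cisco): re-assembles the
hex lines tcpdump prints, decodes the IPv4 and UDP headers and reads the
NetFlow export header (version, record count) that follows them.
"""
import ipaddress
import re
import struct

# Constructed from the two truncated packets shown in the thread. Only the
# first 32 bytes of each packet (two hex lines) are on the page: the 20-byte
# IP header, the 8-byte UDP header and the first 4 bytes of NetFlow.
CAPTURE = """\
17:25:53.913946 IP bsns-asa5505-21.cisco.com.34537 > bsns-mars50-1.2055: UDP, length 484
0x0000: 4500 0200 8256 0000 fe11 8af8 0a30 432c E....V.......0C,
0x0010: 0a30 5612 86e9 0807 01ec c8e5 0009 0006 .0V.............
17:26:02.922852 IP bsns-asa5505-21.cisco.com.34537 > bsns-mars50-1.2055: UDP, length 236
0x0000: 4500 0108 d1b0 0000 fe11 3c96 0a30 432c E.........<..0C,
0x0010: 0a30 5612 86e9 0807 00f4 6362 0009 0003 .0V.......cb....
"""

NETFLOW_PORT = 2055   # collector port used in the tcpdump filter above
IPPROTO_UDP = 17

# One tcpdump hex line: an offset, then up to eight groups of hex digits.
# Capping at eight groups keeps a trailing ASCII column out of the match.
HEX_LINE = re.compile(r"^\s*0x[0-9a-fA-F]{4}:\s+((?:[0-9a-fA-F]{2,4}\s?){1,8})")
SUMMARY_LINE = re.compile(r"UDP, length (\d+)")


def parse_hexdump(text):
    """Group tcpdump -x output into (summary_line, raw_bytes) per packet."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEX_LINE.match(line)
        if m:
            if not packets:
                raise ValueError("hex line before any packet summary line")
            packets[-1][1] += bytes.fromhex(m.group(1).replace(" ", ""))
        else:
            packets.append([line, bytearray()])  # a new packet starts here
    return [(summary, bytes(raw)) for summary, raw in packets]


def decode_export(raw):
    """Decode the IPv4 and UDP headers and the leading NetFlow header fields."""
    if len(raw) < 20:
        raise ValueError("truncated before end of IP header")
    (ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if proto != IPPROTO_UDP:
        raise ValueError(f"not UDP (IP protocol {proto})")
    if len(raw) < ihl + 12:
        raise ValueError("truncated before NetFlow header")
    sport, dport, udp_len, _ucsum = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    if ihl + udp_len != total_len:
        raise ValueError("IP total length and UDP length disagree")
    # NetFlow v5 and v9 export packets both start with a 2-byte version and a
    # 2-byte count of the records that follow; 4 bytes is all the dump kept.
    nf_version, nf_count = struct.unpack("!HH", raw[ihl + 8:ihl + 12])
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "sport": sport,
        "dport": dport,
        "payload_len": udp_len - 8,
        "netflow_version": nf_version,
        "netflow_count": nf_count,
    }


def check_capture(text, port=NETFLOW_PORT):
    """Decode every packet and flag those that are NetFlow aimed at the collector."""
    results = []
    for summary, raw in parse_hexdump(text):
        info = decode_export(raw)
        m = SUMMARY_LINE.search(summary)
        if m and int(m.group(1)) != info["payload_len"]:
            raise ValueError("tcpdump summary length disagrees with UDP header")
        info["is_netflow_to_collector"] = (
            info["dport"] == port and info["netflow_version"] in (5, 9))
        results.append(info)
    return results


if __name__ == "__main__":
    for r in check_capture(CAPTURE):
        print(f'{r["src"]}:{r["sport"]} -> {r["dst"]}:{r["dport"]} '
              f'NetFlow v{r["netflow_version"]}, {r["netflow_count"]} records, '
              f'{r["payload_len"]} payload bytes, ok={r["is_netflow_to_collector"]}')
```

Run it against a fuller dump (tcpdump -x -s 1500 keeps whole packets) and the same decoder will work on every packet; with more than 32 bytes per packet you could go on to read the rest of the v9 header (sysUptime, unix_secs, sequence number, source ID) and check that sequence numbers increase from one export to the next. A datagram on port 2055 whose first two payload bytes are not 0005 or 0009 is not a NetFlow export, whatever the exporter claims.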
10-27-2010 07:30 AM
Matthew,