I have a C9300 running IOS XE v 16.06.03 (CAT9K-IOSXE) and the network-advantage and dna-advantage licenses installed. I am trying to verify that the encrypted traffic analysis, et-analytics, feature is configured and working properly.
I followed the configuration guide for enabling the et-analytics, https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-6/configuration_guide/nmgmt/b_166_nmgmt_9300_cg/b_166_nmgmt_9300_cg_chapter_01000.html
1). Configured an exporter IP and port for et-analytics
2). Configured the inactive timer value to 10 seconds
3). Enabled threat visibility, e.g. interface gi1/0/1, et-analytics enable
I can see the Netflow with the initial data packet (IDP) and sequence of packet lengths and times (SPLT) fields being sent to the configured destination IP/port. When I examine the Netflow data I never see any of the other et-analytics netflow data fields such as byte distribution, and TLS records.
The Cisco white paper, https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/enterprise-network-security/nb-09-encrytd-traf-anlytcs-wp-cte-en.pdf, says the et-analytics feature will generate Netflow with the additional fields.
Is there something that I am not doing or missing? I was under the impression that the Netflow would include user-defined fields for byte distribution and the TLS data. The Cisco Joy, https://github.com/cisco/joy, code is instrumented to process both Netflow v9 and IPFIX data with the additional netflow data fields.
Some additional info from the switch is below.
Cisco9300# show platform software et-analytics interfaces
Cisco9300#show flow monitor eta-mon cache
Cache type: Normal (Platform cache)
Cache size: 10000
Current entries: 45
Flows added: 316878
Flows aged: 316833
- Active timeout ( 1800 secs) 82
- Inactive timeout ( 15 secs) 316751
IPV4 DESTINATION ADDRESS: 192.168.5.131
IPV4 SOURCE ADDRESS: 22.214.171.124
IP PROTOCOL: 6
TRNS SOURCE PORT: 443
TRNS DESTINATION PORT: 50972
counter bytes long: 26159
counter packets long: 33
timestamp abs first: 15:11:18.517
timestamp abs last: 15:13:22.517
interface input: Null
interface output: Null
Cisco9300#$rm software fed switch active fnf et-analytics-flow-dump
ET Analytics Flow dump
Total packets received (3254647)
Excess packets received (120035)
(Index:0) 126.96.36.199, 192.168.5.110, protocol=17, source port=53, dest port=48820, flow done=u
SPLT: len = 3, value = (61184,0)(61184,0)(128,0)
IDP: len = 267, value = 45:20:1:b:96:66:0:0:75:11:
(Index:1) 192.168.5.110, 192.168.5.1, protocol=17, source port=35386, dest port=53, flow done=u
SPLT: len = 2, value = (10240,0)(128,0)
IDP: len = 68, value = 45:0:0:44:68:7d:40:0:40:11:
(Index:2) 188.8.131.52, 192.168.5.131, protocol=6, source port=80, dest port=56426, flow done=u
SPLT: len = 2, value = (5123,1280)(128,0)
IDP: len = 840, value = 45:20:3:48:19:a5:0:0:35:6:
(Index:3) 184.108.40.206, 192.168.5.131, protocol=6, source port=80, dest port=56422, flow done=u
SPLT: len = 2, value = (5123,768)(128,0)
IDP: len = 840, value = 45:20:3:48:e1:85:0:0:35:6:
What's showing up at your Flow Collector?
My Netflow Collector shows that it is receiving Netflow messages with the following data types: IP_DST_ADDR, IP_SRC_ADDR, PROTOCOL, L4_SRC_PORT, L4_DST_PORT, BYTES, PACKETS, flow start-milli, flow end-milli, user-defined(44940), and user-defined(44941).
44940 is the Initial Data Packet (IDP) and 44941 is the Sequence of Packet Lengths and Times (SPLT). I never see any that have 44944, nor any of the ones associated with TLS (44945 - 44951).
I don't have StealthWatch. I am using the NFv9 collector that is part of the Cisco Joy code on Github (https://github.com/cisco/joy). I added some "printfs" to the code to tell what data types it was receiving and processing. I compared my Wireshark capture with what the Joy code is seeing and the two are consistent.
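As an added example (not code from this thread and not part of Cisco Joy): a small Python parser for NetFlow v9 template FlowSets that lists, per template, which of the ETA element IDs named in this thread the exporter is advertising and which are absent. Running it over a capture of the exporter's template packets gives the same answer as the printfs added to Joy, without touching the collector. The element IDs and their meanings (44940 IDP, 44941 SPLT, 44944 byte distribution, 44945-44951 TLS) are the ones stated above; the sample packet, its field lengths, and the use of elements 152/153 for the millisecond timestamps are constructed/assumed for the demonstration.

```python
from __future__ import annotations
import struct

# ETA NetFlow v9 element IDs as reported in this thread (shown by the collector
# as "user-defined"). Names for 44945-44951 are not individually known here,
# so they are labelled generically as TLS fields.
ETA_ELEMENTS = {
    44940: "IDP",                 # Initial Data Packet
    44941: "SPLT",                # Sequence of Packet Lengths and Times
    44944: "byte distribution",
}
ETA_ELEMENTS.update({eid: f"TLS field {eid}" for eid in range(44945, 44952)})

# NetFlow v9 packet header: version, count, sysUptime, unixSecs, sequence, sourceId
NFV9_HEADER = struct.Struct("!HHIIII")


def parse_v9_templates(packet: bytes) -> dict[int, list[tuple[int, int]]]:
    """Return {template_id: [(field_type, field_length), ...]} for every template
    FlowSet (FlowSet ID 0) in one NetFlow v9 packet. Data FlowSets (ID >= 256)
    and options templates (ID 1) are skipped, not decoded."""
    version, _count, *_ = NFV9_HEADER.unpack_from(packet, 0)
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version={version})")
    templates: dict[int, list[tuple[int, int]]] = {}
    offset = NFV9_HEADER.size
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack_from("!HH", packet, offset)
        if length < 4:
            raise ValueError("malformed FlowSet length")
        end = offset + length
        if flowset_id == 0:
            pos = offset + 4
            # A template FlowSet may carry several template records back to back.
            while pos + 4 <= end:
                template_id, field_count = struct.unpack_from("!HH", packet, pos)
                pos += 4
                fields = []
                for _ in range(field_count):
                    if pos + 4 > end:
                        raise ValueError("template record truncated")
                    fields.append(struct.unpack_from("!HH", packet, pos))
                    pos += 4
                templates[template_id] = fields
        offset = end
    return templates


def eta_coverage(templates: dict[int, list[tuple[int, int]]]) -> dict[int, dict[str, list[str]]]:
    """For each template, list the ETA element names present and the ones missing."""
    report = {}
    for tid, fields in templates.items():
        present = {ftype for ftype, _ in fields if ftype in ETA_ELEMENTS}
        report[tid] = {
            "present": sorted(ETA_ELEMENTS[e] for e in present),
            "missing": sorted(ETA_ELEMENTS[e] for e in ETA_ELEMENTS if e not in present),
        }
    return report


def build_v9_template_packet(template_id: int, fields: list[tuple[int, int]]) -> bytes:
    """Construct a minimal NetFlow v9 packet holding one template FlowSet (test input)."""
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", ftype, flen) for ftype, flen in fields)
    flowset = struct.pack("!HH", 0, 4 + len(body))   # FlowSet ID 0, total length
    header = NFV9_HEADER.pack(9, 1, 0, 0, 0, 0)
    return header + flowset + body


# Constructed sample: a template matching what the collector in this thread sees
# (IPv4 5-tuple, bytes, packets, start/end timestamps, IDP and SPLT only).
# Field lengths and the 152/153 timestamp elements are assumptions.
SAMPLE_FIELDS = [(8, 4), (12, 4), (4, 1), (7, 2), (11, 2), (1, 4), (2, 4),
                 (152, 8), (153, 8), (44940, 1300), (44941, 40)]
SAMPLE_PACKET = build_v9_template_packet(256, SAMPLE_FIELDS)


def check_sample() -> dict[int, dict[str, list[str]]]:
    """Parse the constructed packet and report ETA field coverage per template."""
    return eta_coverage(parse_v9_templates(SAMPLE_PACKET))


if __name__ == "__main__":
    for tid, cov in check_sample().items():
        print(f"template {tid}: present={cov['present']} missing={cov['missing']}")
```

To use it on a real exporter, feed each UDP payload from the exporter to `parse_v9_templates` and merge the results; a template that never lists 44944 or 44945-44951 tells you the switch is not exporting those records at all, as opposed to the collector dropping them.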