C9300 Encrypted Traffic Analysis (et-analytics) - Missing Netflow Data Fields?

mjtooley
Level 1

I have a C9300 running IOS XE v 16.06.03 (CAT9K-IOSXE) and the network-advantage and dna-advantage licenses installed.  I am trying to verify that the encrypted traffic analysis, et-analytics, feature is configured and working properly.

 

I followed the configuration guide for enabling the et-analytics, https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-6/configuration_guide/nmgmt/b_166_nmgmt_9300_cg/b_166_nmgmt_9300_cg_chapter_01000.html

1). Configured an exporter IP and port for et-analytics

2). Configured the inactive timer value for 10 seconds

3). Enabled threat visibility; e.g. interface gi1/0/1, et-analytics enable

 

I can see the Netflow with the initial data packet (IDP) and sequence of packet lengths and times (SPLT) fields being sent to the configured destination IP/port.  When I examine the Netflow data I never see any of the other et-analytics netflow data fields such as byte distribution, and TLS records.  

 

The Cisco white paper, https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/enterprise-network-security/nb-09-encrytd-traf-anlytcs-wp-cte-en.pdf, says the et-analytics feature will generate Netflow with the additional fields.

 

Is there something that I am not doing or missing?  I was under the impression that the Netflow would include user-defined fields for byte distribution and the TLS data.  The Cisco Joy, https://github.com/cisco/joy, code is instrumented to process both Netflow v9 and IPFIX data with the additional netflow data fields.

Some additional info from the switch is below.

 

Cisco9300# show platform software et-analytics interfaces 
ET-Analytics interfaces
 GigabitEthernet1/0/1
 GigabitEthernet1/0/2
 GigabitEthernet1/0/3
 GigabitEthernet1/0/4
 GigabitEthernet1/0/5
 GigabitEthernet1/0/6
 GigabitEthernet1/0/7
 GigabitEthernet1/0/8
 GigabitEthernet1/0/9
 GigabitEthernet1/0/10
 GigabitEthernet1/0/11
 GigabitEthernet1/0/12
 GigabitEthernet1/0/13
 GigabitEthernet1/0/14
 GigabitEthernet1/0/15
 GigabitEthernet1/0/16
 GigabitEthernet1/0/17
 GigabitEthernet1/0/18
 GigabitEthernet1/0/19
 GigabitEthernet1/0/20
 GigabitEthernet1/0/21
 GigabitEthernet1/0/22
 GigabitEthernet1/0/23
 GigabitEthernet1/0/24

ET-Analytics VLANs

Cisco9300#

_______________________

Cisco9300#show flow monitor eta-mon cache 
  Cache type:                               Normal (Platform cache)
  Cache size:                                10000
  Current entries:                              45

  Flows added:                              316878
  Flows aged:                               316833
    - Active timeout      (  1800 secs)         82
    - Inactive timeout    (    15 secs)     316751

IPV4 DESTINATION ADDRESS:  192.168.5.131
IPV4 SOURCE ADDRESS:       52.84.126.104
IP PROTOCOL:               6
TRNS SOURCE PORT:          443
TRNS DESTINATION PORT:     50972
counter bytes long:        26159
counter packets long:      33
timestamp abs first:       15:11:18.517
timestamp abs last:        15:13:22.517
interface input:           Null
interface output:          Null

_______________

Cisco9300#$rm software fed switch active fnf et-analytics-flow-dump 

ET Analytics Flow dump

=================
Total packets received (3254647)
Excess packets received (120035)

(Index:0) 8.8.8.8, 192.168.5.110, protocol=17, source port=53, dest port=48820, flow done=u 
SPLT: len = 3, value = (61184,0)(61184,0)(128,0)
IDP: len = 267, value = 45:20:1:b:96:66:0:0:75:11:

(Index:1) 192.168.5.110, 192.168.5.1, protocol=17, source port=35386, dest port=53, flow done=u 
SPLT: len = 2, value = (10240,0)(128,0)
IDP: len = 68, value = 45:0:0:44:68:7d:40:0:40:11:

(Index:2) 72.21.91.29, 192.168.5.131, protocol=6, source port=80, dest port=56426, flow done=u 
SPLT: len = 2, value = (5123,1280)(128,0)
IDP: len = 840, value = 45:20:3:48:19:a5:0:0:35:6:

(Index:3) 72.21.91.29, 192.168.5.131, protocol=6, source port=80, dest port=56422, flow done=u 
SPLT: len = 2, value = (5123,768)(128,0)
IDP: len = 840, value = 45:20:3:48:e1:85:0:0:35:6:

 

5 Replies

brford
Cisco Employee

What's showing up at your Flow Collector?

Brian Ford | brford@cisco.com | brford@yahoo.com | 51 75 61 6c 69 74 79 20 6d 65 61 6e 73 20 64 6f 69 6e 67 20 69 74 20 72 69 67 68 74 20 77 68 65 6e 20 6e 6f 20 6f 6e 65 20 69 73 20 6c 6f 6f 6b 69 6e 67 2e | Email me when you figure this out.

My Netflow Collector shows that is receiving Netflow messages with the following data types: IP_DST_ADDR, IP_SRC_ADDR, PROTOCOL, L4_SRC_PORT, L4_DST_PORT, BYTES, PACKETS, flow start-mill, flowed-milli, user-defined(44940), and user-defined(44941).

 

44940 is the Initial Data Packet (IDP) and 44941 is the Sequence of Packet Lengths and Times (SPLT).  I never see any that have 44944, nor any of the ones associated with TLS (44945 - 44951).
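A quick way to settle "what is the switch actually advertising?" independently of any collector is to read the NetFlow v9 template flowsets off the wire and list which of the ETA field IDs named above appear in them. The script below is an added example, not code from the original thread, from Cisco, or from the Joy project. It parses the v9 packet header and template flowsets (flowset ID 0), skips data and options flowsets by their length, and reports which of 44940, 44941, 44944 and 44945-44951 any template carries. The sample packet is constructed inline to mirror the poster's collector output (standard 5-tuple and counter fields plus only 44940 and 44941); the field lengths and the names given to the IDs other than 44940/44941 are assumptions, since the thread only says those IDs are expected but absent.

```python
"""NetFlow v9 template inspector: which ETA field IDs does an exporter advertise?

Added example. Feed it the raw UDP payload of an export packet, e.g. from
a pcap, and it tells you which ETA field IDs are present in any template.
"""
import struct

# 44940 and 44941 are confirmed in the thread as IDP and SPLT. The rest are
# the IDs the thread says it expects (byte distribution / TLS) but never sees;
# their exact meaning is an assumption and is labelled generically here.
ETA_FIELDS = {
    44940: "IDP (initial data packet)",
    44941: "SPLT (sequence of packet lengths and times)",
    44944: "ETA field 44944 (expected, not seen in the thread)",
}
ETA_FIELDS.update({fid: f"ETA TLS-related field {fid}" for fid in range(44945, 44952)})

NFV9_HEADER = struct.Struct("!HHIIII")  # version, count, sysuptime, unix_secs, seq, source_id
FLOWSET_HDR = struct.Struct("!HH")      # flowset id, flowset length (bytes, incl. header)


def parse_templates(packet):
    """Return {template_id: [(field_type, field_length), ...]} for every
    template flowset (flowset id 0) in one NetFlow v9 export packet.
    Data flowsets (id >= 256) and options templates (id 1) are skipped."""
    version = NFV9_HEADER.unpack_from(packet, 0)[0]
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version={version})")
    templates = {}
    off = NFV9_HEADER.size
    while off + FLOWSET_HDR.size <= len(packet):
        fs_id, fs_len = FLOWSET_HDR.unpack_from(packet, off)
        if fs_len < FLOWSET_HDR.size:
            raise ValueError("malformed flowset length")
        end = min(off + fs_len, len(packet))
        if fs_id == 0:
            pos = off + FLOWSET_HDR.size
            while pos + 4 <= end:
                tid, nfields = struct.unpack_from("!HH", packet, pos)
                pos += 4
                if tid == 0 and nfields == 0:
                    break  # trailing padding
                fields = []
                for _ in range(nfields):
                    if pos + 4 > end:
                        raise ValueError(f"truncated template {tid}")
                    fields.append(struct.unpack_from("!HH", packet, pos))
                    pos += 4
                templates[tid] = fields
        off = end
    return templates


def eta_report(templates):
    """Map each known ETA field ID to True if any template carries it."""
    seen = {ftype for fields in templates.values() for ftype, _ in fields}
    return {fid: fid in seen for fid in ETA_FIELDS}


def missing_eta_fields(templates):
    """Sorted list of ETA field IDs that no template advertises."""
    return sorted(fid for fid, present in eta_report(templates).items() if not present)


def build_packet(template_id, fields):
    """Constructed sample exporter packet: one v9 header + one template flowset."""
    body = struct.pack("!HH", template_id, len(fields))
    for ftype, flen in fields:
        body += struct.pack("!HH", ftype, flen)
    flowset = FLOWSET_HDR.pack(0, FLOWSET_HDR.size + len(body)) + body
    header = NFV9_HEADER.pack(9, 1, 123456, 1540000000, 1, 0)
    return header + flowset


# Constructed to mirror the poster's collector: IPv4 dst/src (12/8), protocol (4),
# L4 ports (7/11), bytes/packets (1/2), flow start/end ms (152/153), then only
# 44940 (IDP) and 44941 (SPLT). Field lengths are assumptions.
SAMPLE_FIELDS = [(12, 4), (8, 4), (4, 1), (7, 2), (11, 2), (1, 8), (2, 8),
                 (152, 8), (153, 8), (44940, 1300), (44941, 40)]
SAMPLE_PACKET = build_packet(256, SAMPLE_FIELDS)

if __name__ == "__main__":
    tmpl = parse_templates(SAMPLE_PACKET)
    for fid, present in eta_report(tmpl).items():
        print(f"{fid}  {ETA_FIELDS[fid]:<50} {'present' if present else 'MISSING'}")
```

Run it against the real export traffic by extracting the UDP payload of a packet sent to the configured exporter port (for example with a pcap library) and passing those bytes to parse_templates; if the template itself never lists the extra IDs, no collector will ever show them, which separates an exporter-side gap from a collector-side parsing problem.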

I should have asked what your Stealthwatch Flow Collector was reporting.

I don't have StealthWatch.  I am using the NFv9 collector that is part of the Cisco Joy code on Github (https://github.com/cisco/joy).  I added some "printfs" to the code to tell what data types it was receiving and processing.    I compared my Wireshark capture with what the Joy code is seeing and the two are consistent.   

Sorry. I would suggest that since this is a Cisco Stealthwatch Support forum you might try running the Stealthwatch Flow Collector. It works and we have some diagnostic capabilities there. You should request support for that open source Joy project via the email alias defined on Github.