Solved: stealthwatch flow collector - malformed packets - ASA index

CSCO12550173 · ‎04-01-2020

hi experts, hope you are doing well

we have stealthwatch working fine, but in sometimes we stop receiveing flows in the flow collector

after capturing traffic, i see cflow packets, but it shows like malformed, what could be the reason to this?

and a healthy traffic captured it shows all the flows and i can see the ip address and ports

but with the malformed pcap, it doesnt show any ip-port information, i post the wireshak info, can you give me some guidance please, it receives data from ASA contexts,

kyoshiik · ‎04-01-2020

Please open TAC case with the whole pcap file and reproduce the procedure.

TAC team can help to analyze this issue. It looks FC can't understand Expert Info section. If this is as designed, FC or ASA side should change this flow format. TAC team can analyze and search this is an expected issue or defect.

View solution in original post

kyoshiik · ‎04-01-2020

Please open TAC case with the whole pcap file and reproduce the procedure.

TAC team can help to analyze this issue. It looks FC can't understand Expert Info section. If this is as designed, FC or ASA side should change this flow format. TAC team can analyze and search this is an expected issue or defect.

kyoshiik · ‎04-01-2020

Additionally, I search "no template found" and get the pcap side issue. It means Wireshark doesn't understand that field.

This issue includes many factors to analyze. So please open TAC case.

CSCO12550173 · ‎04-02-2020

thanks mate, i'll get a ticket with tac, because this happens sometimes, in other captures when it receives flows, the pcap receives all the flows in the cflows packets

CSCO12550173 · ‎04-02-2020

and the wireshark can decode the template and it shows all the flows and it's the same point in the network that we are getting the captures, that is in the flow collector