Stealthwatch SNA RRT SRT response times

andrewcisco1
Level 1

Has anyone been able to get the response time values in Stealthwatch / SNA to populate?  We're running various Cisco switches and routers exporting netflow (most relevant here are Cisco 3850 (16.9.5) and 9300 (16.9.7)) and have followed the netflow config guide for SNA.  We see plenty of data, but nothing in the RTT / SRT columns.

SNA version 7.4.2 on both the flow collector and the SNA appliance (both VMs).  There will also be some netflow data from 3rd party firewalls which likely don't have all the correct fields.


Below is the netflow config, full config attached.
flow record xxxxx-in
match interface input
match ipv4 destination address
match ipv4 protocol
match ipv4 source address
match transport destination-port
match transport source-port
match ipv4 tos
collect counter bytes long
collect counter packets long
collect timestamp absolute last
collect timestamp absolute first

I checked the correct netflow fields are being sent in a capture (attached).
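One way to do the capture check described above programmatically, as an added example that is not part of the original post: parse the NetFlow v9 template FlowSet an exporter sends and compare its field type IDs against the set the flow record in the post should produce (standard RFC 3954 / IANA IDs: 1 IN_BYTES, 2 IN_PKTS, 4 PROTOCOL, 5 SRC_TOS, 7 L4_SRC_PORT, 8 IPV4_SRC_ADDR, 10 INPUT_SNMP, 11 L4_DST_PORT, 12 IPV4_DST_ADDR, 152/153 flowStart/EndMilliseconds). The connection-delay element IDs that feed RTT/SRT are platform-specific and are not given on this page, so the `delay_fields` argument is an assumption the caller supplies from their exporter's documentation; the sample packet is constructed in the script, not taken from the attached capture.

```python
import struct

# Standard NetFlow v9 field type IDs for the elements the posted flow record
# (match/collect lines) should produce.  152/153 are the absolute first/last
# timestamps in milliseconds.
FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 5: "SRC_TOS",
    7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR", 10: "INPUT_SNMP",
    11: "L4_DST_PORT", 12: "IPV4_DST_ADDR",
    152: "flowStartMilliseconds", 153: "flowEndMilliseconds",
}
EXPECTED_FROM_RECORD = set(FIELD_NAMES)


def build_template_packet(template_id, fields):
    """Construct (test data) a NetFlow v9 packet carrying one template FlowSet.

    fields is a list of (field_type, field_length) pairs as the exporter
    would advertise them.
    """
    # v9 header: version, count, sysUptime, unixSecs, sequence, sourceId
    header = struct.pack("!HHIIII", 9, 1, 0, 0, 0, 0)
    body = struct.pack("!HH", template_id, len(fields))
    for ftype, flen in fields:
        body += struct.pack("!HH", ftype, flen)
    # FlowSet ID 0 = template FlowSet; length covers the 4-byte FlowSet header
    return header + struct.pack("!HH", 0, 4 + len(body)) + body


def parse_templates(packet):
    """Return {template_id: [field_type, ...]} for every template FlowSet."""
    version, _count = struct.unpack("!HH", packet[:4])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    templates = {}
    offset = 20  # skip the fixed v9 header
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack("!HH", packet[offset:offset + 4])
        if length < 4 or offset + length > len(packet):
            raise ValueError("malformed FlowSet length")
        end = offset + length
        if flowset_id == 0:
            pos = offset + 4
            while pos + 4 <= end:
                tid, nfields = struct.unpack("!HH", packet[pos:pos + 4])
                pos += 4
                if pos + 4 * nfields > end:
                    raise ValueError("template field list overruns FlowSet")
                types = []
                for _ in range(nfields):
                    ftype, _flen = struct.unpack("!HH", packet[pos:pos + 4])
                    types.append(ftype)
                    pos += 4
                templates[tid] = types
        offset = end  # also skips any trailing padding
    return templates


def check_template(types, expected=EXPECTED_FROM_RECORD, delay_fields=()):
    """Report which expected IDs are absent and whether any RTT/SRT-capable
    (connection delay) element is advertised.  delay_fields is supplied by the
    caller from the exporter's documentation (assumption; not on this page)."""
    present = set(types)
    return {
        "missing_expected": sorted(expected - present),
        "has_delay_fields": bool(present & set(delay_fields)),
    }


if __name__ == "__main__":
    # Constructed template mirroring the posted 3850 flow record.
    pkt = build_template_packet(256, [
        (8, 4), (12, 4), (4, 1), (7, 2), (11, 2), (5, 1), (10, 4),
        (1, 8), (2, 8), (152, 8), (153, 8),
    ])
    for tid, types in parse_templates(pkt).items():
        print(tid, [FIELD_NAMES.get(t, t) for t in types])
        print(check_template(types, delay_fields={65000}))  # placeholder ID
```

The result for a template like the posted record is an empty `missing_expected` list and `has_delay_fields` false: the exporter is sending exactly the fields configured, and none of them carries round-trip or server response timing, which is why the RTT / SRT columns stay empty.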

Accepted Solution

jamegill
Cisco Employee

Hi @andrewcisco1 -- the 3850 switch you are using cannot generate the necessary information to populate the RTT and SRT fields.

The first suggestion to populate those fields would be to use a Flow Sensor to inspect that network traffic and generate that data.

Generally, Cisco routers can generate these datapoints.  The CSR 1000v configuration example here demonstrates the use of the `collect connection delay ...` fields in the flow record.  This is also available in ASR and ISR models, depending on other configuration options.

Because the Flow Sensor and CSR 1000v can be deployed as virtual machines, it would be easy to set up a demonstration of this functionality.   Using an ERSPAN from your 3850 to a virtual Flow Sensor could accomplish this with minimal change to the running configuration.   Talk to your Cisco Security SE to get started.

HTH,

--jg


3 Replies

andrewcisco1
Level 1

Thanks!  That's perfect, I'll try creating a VM of a 1000v to test, but I'm sure that'll do the trick.

I was wondering if the "collect timestamp absolute last" would really be able to provide enough to calculate RTT values.

You are correct. `collect timestamp absolute last` just shows “when did I last see a packet for this flow?” Good luck with that!
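To make the point in the last two replies concrete, here is an added example (not code from the thread, the Flow Sensor, or any Cisco product) that works through a constructed packet trace for one TCP connection. From the same trace it derives what a flow exporter's `collect timestamp absolute first/last` can give (only the flow's duration) and what a device that inspects the packets themselves can derive: RTT from the three-way handshake and SRT from the gap between the client's request and the server's first response byte. The RTT and SRT definitions used here are common ones chosen for illustration, not a statement of how SNA itself computes its columns.

```python
from dataclasses import dataclass


@dataclass
class Pkt:
    ts_ms: int        # observation time, milliseconds
    src: str          # "client" or "server"
    flags: frozenset  # subset of {"SYN", "ACK"}
    payload: int      # application bytes carried


def flow_duration_ms(pkts):
    """What absolute first/last timestamps give: the span of the flow, nothing
    about how long either side took to answer."""
    return pkts[-1].ts_ms - pkts[0].ts_ms


def handshake_rtt_ms(pkts):
    """RTT across both legs of the handshake: client SYN -> server SYN/ACK ->
    client ACK.  Requires seeing the individual packets, not a flow summary."""
    syn = next(p for p in pkts
               if p.src == "client" and p.flags == frozenset({"SYN"}))
    synack = next(p for p in pkts
                  if p.src == "server" and p.flags == frozenset({"SYN", "ACK"})
                  and p.ts_ms >= syn.ts_ms)
    ack = next(p for p in pkts
               if p.src == "client" and p.flags == frozenset({"ACK"})
               and p.payload == 0 and p.ts_ms >= synack.ts_ms)
    return ack.ts_ms - syn.ts_ms


def server_response_ms(pkts):
    """SRT: time from the last client request packet to the server's first
    packet carrying application data."""
    first_resp = next(p for p in pkts if p.src == "server" and p.payload > 0)
    last_req = max(p for p in pkts
                   if p.src == "client" and p.payload > 0
                   and p.ts_ms <= first_resp.ts_ms)
    return first_resp.ts_ms - last_req.ts_ms


# Constructed trace (not captured data): handshake, one request, one response,
# then trailing data until the flow ends.
SAMPLE_FLOW = [
    Pkt(0,   "client", frozenset({"SYN"}),        0),
    Pkt(40,  "server", frozenset({"SYN", "ACK"}), 0),
    Pkt(41,  "client", frozenset({"ACK"}),        0),
    Pkt(45,  "client", frozenset({"ACK"}),        300),   # request
    Pkt(145, "server", frozenset({"ACK"}),        1200),  # first response byte
    Pkt(900, "server", frozenset({"ACK"}),        500),   # last data seen
]


def summarize(pkts):
    """Side by side: flow-summary view vs. packet-inspection view."""
    return {
        "duration_ms": flow_duration_ms(pkts),      # exporter can report this
        "rtt_ms": handshake_rtt_ms(pkts),           # needs per-packet visibility
        "srt_ms": server_response_ms(pkts),         # needs per-packet visibility
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_FLOW))
```

For the constructed trace the duration is 900 ms, the handshake RTT 41 ms and the SRT 100 ms. A flow record that only carries first/last timestamps exports the 900 ms figure and nothing else; the 41 ms and 100 ms values only exist if something has seen the handshake and the request/response boundary, which is the role the Flow Sensor (or a router that supports `collect connection delay`) fills.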