Comments on: Wireshark needs templates to decipher Cisco NetFlow v9 http://www.plixer.com/blog/general/wireshark-needs-templates-to-decipher-netflow-v9/ The NetFlow & sFlow Reporting Resource Sat, 13 Mar 2010 23:00:25 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Nate http://www.plixer.com/blog/general/wireshark-needs-templates-to-decipher-netflow-v9/comment-page-1/#comment-12403 Nate Wed, 13 Jan 2010 18:59:08 +0000 http://www.plixer.com/blog/?p=4104#comment-12403 Good question. I haven't seen a PCAP from a Nexus yet, but I do know that it should be exporting the standard NetFlow v9 template. So I would guess that it would still be considered CFLOW. I know that some devices can also export a template as infrequently as once every 30 mins, so it might take a few minutes before Wireshark gets the template to decode those packets. Good question. I haven’t seen a PCAP from a Nexus yet, but I do know that it should be exporting the standard NetFlow v9 template. So I would guess that it would still be considered CFLOW.

I know that some devices can also export a template as infrequently as once every 30 mins, so it might take a few minutes before Wireshark gets the template to decode those packets.

]]> By: Dennis http://www.plixer.com/blog/general/wireshark-needs-templates-to-decipher-netflow-v9/comment-page-1/#comment-12399 Dennis Wed, 13 Jan 2010 18:36:12 +0000 http://www.plixer.com/blog/?p=4104#comment-12399 Nate, thanks for the good information. I'm seeing this "no template found" on a v9 capture from a Nexus 7000 router even after a 5 min capture as you've suggested. Any ideas? Is there a another decode than cflow in Wireshark I should be using? -Dennis Nate, thanks for the good information. I’m seeing this “no template found” on a v9 capture from a Nexus 7000 router even after a 5 min capture as you’ve suggested. Any ideas? Is there a another decode than cflow in Wireshark I should be using?

-Dennis

]]> By: NetFlow v9 vs. NetFlow v5 - NetFlow & sFlow Network Monitoring - Systrax Blog http://www.plixer.com/blog/general/wireshark-needs-templates-to-decipher-netflow-v9/comment-page-1/#comment-4167 NetFlow v9 vs. NetFlow v5 - NetFlow & sFlow Network Monitoring - Systrax Blog Thu, 18 Jun 2009 13:07:26 +0000 http://www.plixer.com/blog/?p=4104#comment-4167 [...] NetFlow v5 is by far the most popular version of NetFlow. I would say over 90% of our customer base uses NetFlow v5. The NetFlow v5 packet format is fixed and is always the same and ultimately easy to decipher for most NetFlow collection and network traffic reporting packages. All flows are calculated when they come into an interface (i.e. inBound). OutBound traffic is reported using inBound flows from the other interfaces. Because of this, it is generally advised that NetFlow v5 be enabled on all interfaces of the device, else outBound utilization on some interfaces may be understated. NetFlow v9 is gaining market share, albeit slowly, and isn’t as deterministic as NetFlow v5. NetFlow v9 templates are the big differentiators here. Read what happens when WireShark doesn’t receive a template before receiving the NetFlow v9 packets. [...] [...] NetFlow v5 is by far the most popular version of NetFlow. I would say over 90% of our customer base uses NetFlow v5. The NetFlow v5 packet format is fixed and is always the same and ultimately easy to decipher for most NetFlow collection and network traffic reporting packages. All flows are calculated when they come into an interface (i.e. inBound). OutBound traffic is reported using inBound flows from the other interfaces. Because of this, it is generally advised that NetFlow v5 be enabled on all interfaces of the device, else outBound utilization on some interfaces may be understated. NetFlow v9 is gaining market share, albeit slowly, and isn’t as deterministic as NetFlow v5. NetFlow v9 templates are the big differentiators here. Read what happens when WireShark doesn’t receive a template before receiving the NetFlow v9 packets. [...]

]]>