I received a WireShark capture from someone else the other day. He said that the default timeout was set for 30 minutes and believes that this is why the earlier capture he gave me had no templates.

He applied the following command on the Cisco ASA5505 running image asa821-k8:

“flow template timeout-rate 1″

His ASA5505 sent out about 20 different Cisco NetFlow v9 flow types and we still only captured about 15 of the ~20 templates.

WireShark needs the templates to go back and decipher the flows captured prior. Else, you will see what is below in the WireShark capture. Notice that template 263 isn’t in the list above and this was in the same packet capture:

Another project for me: What does this mean:

I’m going to have to roll up my sleeves on this one. Time to dig in. Once I have the data collected, we can take a look at what we might be able to report on for network traffic analysis.

If you want to try this with your ASA hardware, here is a page to help you find the necessary enable ASA NetFlow commands .

Michael Patterson
Scrutinizer Product Manager
Follow Me on Twitter Tags: asa5505, Cisco, flow template timeout-rate 1, NetFlow, NetFlow v9, Network Traffic Analysis, Wireshark

This entry was posted on Monday, July 13th, 2009 at 8:18 pm and is filed under NetFlow Analyzer. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.