The woes of capturing Cisco NetFlow v9 packets from a Cisco ASA
Posted in NetFlow on June 14th, 2009 by mike@plixer.com
Since I posted my last blog, “Wanted: Cisco ASA NetFlow packet capture”, I have received a few files. Thank you.
It was quite a process: those who were kind enough to send me a Wireshark capture with lots of v9 packets quickly learned that the file was useless without the Cisco NetFlow v9 templates. Templates are sent out at an interval of anywhere from 1 to 30 minutes. Guess what the default rate is.
One customer sent us a 5-minute capture from his Cisco ASA 5505. It sent out about 20 different flow types, and we still captured only about 15 of the ~20 templates. As you may know, Wireshark needs the templates to go back and decipher the flows captured prior. Without the templates, the NetFlow v9 packet capture is pretty much useless.
The default timeout on the Cisco ASA is set for 30 minutes, which is why the screen shot of the capture shown is missing templates.
The customer then applied the following command on the ASA 5505:
hostname(config)# flow-export template timeout-rate 1
The above will force the Cisco ASA to export templates every minute.
NOTE: The template export frequency can be specified by packet rate as well:
The above is the topic of another blog.
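To check whether a capture contains every template its flows need before sending it on, the Python below (an added example, not part of the original post or any Plixer tool) walks NetFlow v9 export packets and lists the template IDs that data flowsets reference but that are never defined anywhere in the capture. It assumes the UDP payloads have already been extracted from the capture in order, and it keys templates by source ID only; the function names and the sample packets are constructed for illustration.

```python
import struct
HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unix_secs, sequence, source_id
FLOWSET = struct.Struct("!HH")     # flowset_id, length (length includes these 4 bytes)

def scan_packet(payload, defined, used):
    """Collect (source_id, template_id) pairs defined and referenced by one v9 payload."""
    version, _, _, _, _, source_id = HEADER.unpack_from(payload, 0)
    if version != 9:
        raise ValueError("not a NetFlow v9 export packet")
    offset = HEADER.size
    while offset + FLOWSET.size <= len(payload):
        flowset_id, length = FLOWSET.unpack_from(payload, offset)
        if length < FLOWSET.size or offset + length > len(payload):
            break  # truncated or malformed flowset: stop instead of misparsing
        body = payload[offset + FLOWSET.size:offset + length]
        pos = 0
        if flowset_id == 0:  # template flowset: id, field count, then 4 bytes per field
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                if tid < 256:
                    break  # zero padding at the end of the flowset
                defined.add((source_id, tid))
                pos += 4 + 4 * nfields
        elif flowset_id == 1:  # options template: id, scope length, option length (bytes)
            while pos + 6 <= len(body):
                tid, scope_len, opt_len = struct.unpack_from("!HHH", body, pos)
                if tid < 256:
                    break  # zero padding at the end of the flowset
                defined.add((source_id, tid))
                pos += 6 + scope_len + opt_len
        elif flowset_id > 255:  # data flowset: its id is the template it needs
            used.add((source_id, flowset_id))
        offset += length

def missing_templates(payloads):
    """Template ids used by data flowsets but never defined anywhere in the capture."""
    defined, used = set(), set()
    for payload in payloads:
        scan_packet(payload, defined, used)
    return sorted(used - defined)

# Constructed sample: data for templates 256 and 257, but only 256 is ever defined.
def _pkt(source_id, flowset_id, body):
    return HEADER.pack(9, 1, 0, 0, 0, source_id) + FLOWSET.pack(flowset_id, 4 + len(body)) + body
SAMPLE = [
    _pkt(1, 256, bytes(8)),                                   # data arrives first
    _pkt(1, 257, bytes(8)),                                   # data, template never sent
    _pkt(1, 0, struct.pack("!HHHHHH", 256, 2, 8, 4, 12, 4)),  # template 256 arrives late
]
```

`missing_templates(SAMPLE)` returns `[(1, 257)]`: template 256 arrives after its data but is still in the capture, while 257 never shows up, so those flows cannot be decoded.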
Oh, and happy birthday mom. I love you.
Michael Patterson
Scrutinizer Product Manager


[...] of our defaults. If you are having trouble displaying your unique NetFlow v9 data, please send a WireShark packet trace to me and make sure the capture includes a [...]
[...] If your NetFlow v9 data cannot be displayed, please send me a WireShark packet trace, after confirming that the capture includes the templates. [...]