« NetFlow version 9: egress vs. ingress
Lovin’ my NETFLOW license plate »

Wireshark needs templates to decipher Cisco NetFlow v9

Posted in General, NetFlow, Network Traffic Analysis on June 5th, 2009 by nathanh
wireshark-needs-templates-to-decipher-cisco-netflow-v9

I got what I was hoping to be a great packet capture from a Cisco ASA device exporting Cisco NetFlow v9. Oh, but you know how it goes in IT sometimes…it’s seldom a simple process.

The capture had 252 Cisco NetFlow v9 packets. When I opened it up though, I noticed that every frame displayed something like this:
template

Where are my flow records?!

With NetFlow v9 the packet analyzer (i.e. WireShark) needs the templates, which are only sent out “every so often”.

So remember, when capturing NetFlow v9 packets with WireShark, a good rule of thumb is to do a five-minute capture. I realize file sizes can be an issue, but if we don’t have the template, we can’t decipher the packets and I’ll have to send an email back asking “ Any chance we can get another capture (e.g. 5 minutes)?”

-Nate

Share and Enjoy:
  • Digg
  • StumbleUpon
  • Reddit
  • del.icio.us
  • Facebook
  • Yahoo! Buzz
  • Google Bookmarks
  • Technorati
  • Twitter
  • email
  • Print
Tags: , , ,

This entry was posted on Friday, June 5th, 2009 at 3:55 pm and is filed under General, NetFlow, Network Traffic Analysis. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

3 Responses to “Wireshark needs templates to decipher Cisco NetFlow v9”

  1. NetFlow v9 vs. NetFlow v5 - NetFlow & sFlow Network Monitoring - Systrax Blog Says:
    June 18th, 2009 at 8:07 am

    [...] NetFlow v5 is by far the most popular version of NetFlow. I would say over 90% of our customer base uses NetFlow v5. The NetFlow v5 packet format is fixed and is always the same and ultimately easy to decipher for most NetFlow collection and network traffic reporting packages. All flows are calculated when they come into an interface (i.e. inBound). OutBound traffic is reported using inBound flows from the other interfaces. Because of this, it is generally advised that NetFlow v5 be enabled on all interfaces of the device, else outBound utilization on some interfaces may be understated. NetFlow v9 is gaining market share, albeit slowly, and isn’t as deterministic as NetFlow v5. NetFlow v9 templates are the big differentiators here. Read what happens when WireShark doesn’t receive a template before receiving the NetFlow v9 packets. [...]

  2. Dennis Says:
    January 13th, 2010 at 1:36 pm

    Nate, thanks for the good information. I’m seeing this “no template found” on a v9 capture from a Nexus 7000 router even after a 5 min capture as you’ve suggested. Any ideas? Is there a another decode than cflow in Wireshark I should be using?

    -Dennis

  3. Nate Says:
    January 13th, 2010 at 1:59 pm

    Good question. I haven’t seen a PCAP from a Nexus yet, but I do know that it should be exporting the standard NetFlow v9 template. So I would guess that it would still be considered CFLOW.

    I know that some devices can also export a template as infrequently as once every 30 mins, so it might take a few minutes before Wireshark gets the template to decode those packets.

Leave a Reply