Scrutinizer v7.6 has been released. One of my favorite features is the ability to rename NetFlow v9 templates, IPFIX templates and Flexible NetFlow Templates. We had to provide this feature since Cisco NetFlow does not export the template name. Do you know why this is such a cool feature? Read more »
Michael PattersonSince I posted my last blog “Wanted: Cisco ASA NetFlow packet capture” I have received a few files. Thank you.
It was quite a process as those who were kind enough to send me a WireShark capture with lots of v9 packets quickly learned that the file was useless without the Cisco NetFlow v9 templates. Templates are sent out as often as 1-30 minutes. Guess what the default rate is. 
One customer sent us a 5-minute capture from his Cisco ASA 5505. It sent out about 20 different flows types and we still only captured about 15 of the ~20 templates. As you may know, WireShark needs the templates to go back and decipher the flows captured prior. Without the templates, the NetFlow v9 packet capture is pretty much useless.
Michael Patterson
I got what I was hoping to be a great packet capture from a Cisco ASA device exporting Cisco NetFlow v9. Oh, but you know how it goes in IT sometimes…it’s seldom a simple process.
The capture had 252 Cisco NetFlow v9 packets. When I opened it up though, I noticed that every frame displayed something like this:
Where are my flow records?!
With NetFlow v9 the packet analyzer (i.e. WireShark) needs the templates, which are only sent out “every so often”.
So remember, when capturing NetFlow v9 packets with WireShark, a good rule of thumb is to do a five-minute capture. I realize file sizes can be an issue, but if we don’t have the template, we can’t decipher the packets and I’ll have to send an email back asking “ Any chance we can get another capture (e.g. 5 minutes)?”
-Nate
