Now that everyone has dipped their feet into the NetFlow Collector waters and gotten comfortable, it’s time to shake things up and introduce some more NetFlow config goodness.

Due the rise of multimedia multicast application usage and bandwidth consumption it’s becoming more and more important to monitor these links and traffic types.

But did you know that if you are running with NetFlow v5, not all of your multicast traffic is being counted?

With v5, the router does not count the amount of times that the one multicast packet may have been replicated. Nor does it log the unique outbound IP after replication, since v5 does not support egress monitoring.

As a result, you will be missing a lot of your multicast traffic.

Read more »

I got what I was hoping to be a great packet capture from a Cisco ASA device exporting Cisco NetFlow v9. Oh, but you know how it goes in IT sometimes…it’s seldom a simple process.

The capture had 252 Cisco NetFlow v9 packets. When I opened it up though, I noticed that every frame displayed something like this:

Where are my flow records?!

With NetFlow v9 the packet analyzer (i.e. WireShark) needs the templates, which are only sent out “every so often”.

So remember, when capturing NetFlow v9 packets with WireShark, a good rule of thumb is to do a five-minute capture. I realize file sizes can be an issue, but if we don’t have the template, we can’t decipher the packets and I’ll have to send an email back asking “ Any chance we can get another capture (e.g. 5 minutes)?”

-Nate