We had a customer approach us the other day with an nprobe issue. Apparently, he could see the NetFlow v9 data in Flow View of Scrutinizer, but he couldn’t report on the data. How come?

He sent us a Wireshark packet capture and brought up Flow View. Flow View is a way to see the raw flows (inclusive of all columns) being exported by a device.

Anyway, in Flow View everything looked normal, but then one of our developers spotted the word ‘post’ in front of a couple of import column names. We (and Scrutinizer) expect to see ‘octetDeltaCount’ and instead, the customer had configured nProbe to kick out ‘postOctetDeltaCount’.

Read more »

Jon Mills
Marketing & Public Relations Manager
Follow Me On Twitter

This is part 5 of a 4-part series on the ToS field (i.e. Differentiated Services Field) of IP frames. :) Yes, yes, it is the running joke in the office on how this 4-part blog actually has 5 parts. Heck, it’s a blog… who cares.
Make sure you have already read Part 1, Part 2, Part 3 and Part 4 of this blog.

Once again, I’ll pull in the WireShark capture from my first blog: Read more »

Michael Patterson
Scrutinizer Product Manager
Follow Me on Twitter

I received a WireShark capture from someone else the other day. He said that the default timeout was set for 30 minutes and believes that this is why the earlier capture he gave me had no templates.

He applied the following command on the Cisco ASA5505 running image asa821-k8:

“flow template timeout-rate 1″

His ASA5505 sent out about 20 different Cisco NetFlow v9 flow types and we still only captured about 15 of the ~20 templates.

Read more »

Michael Patterson
Scrutinizer Product Manager
Follow Me on Twitter

I use Wireshark all the time. In general, I just scratch the surface by using  it to test whether or not NetFlow is coming into Scrutinizer.

Golden Rule: Using an external third-party application, like Wireshark,  to test connectivity helps establish credibility in any situation.

Most people whom I speak with have a general understanding of what a packet capture is. The problem is, they don’t know how to gather or use the data once they have obtained it. So I thought I would do a little homework and find some resources that provide some basic Wireshark training for the busy IT professional.

Read more »

I was looking at a WireShark packet capture of some IPFIX traffic coming from a Nortel switch and quickly saw a few things that puzzled me.  At first, I started splitting hairs because I was thinking that if Nortel is going to market IPFIX support, it should adhere to the standard (RFC 5101).

Then again, it might have better luck working with the various NetFlow traffic analyzer solutions on the market if it makes the exported data look like Cisco NetFlow v9.

Read more »

____________________________________
Jim Dougherty aka "Jimmy D"
Lead PreSales Support Engineer and
Netflow Evangelist for Plixer International!

Follow me on Twitter
http://twitter.com/jimmydnet
____________________________________

I got back from SharkFest 2009 last night.  The people and training were awesome.  I learned about TCP windows, Nagel, Stevens graphs, and more … wow.  I definitely learned more about how WireShark can Go Deeper.

Check this out, I got to have lunch and discuss some stuff with Gerald Combs, the founder of WireShark.  I can prove it; here I am having my picture taken with him!

Read more »

Michael Patterson
Scrutinizer Product Manager
Follow Me on Twitter

Q: What is the difference between Cisco NetFlow v9 and Cisco NetFlow v5?
A: Four versions.

Heh heh, I slay me! Alright, sort of stupid I know. I’ll get serious about this.

NetFlow v5 is by far the most popular version of Cisco NetFlow. I would say over 90% of our customer base uses NetFlow v5.

Read more »

Michael Patterson
Scrutinizer Product Manager
Follow Me on Twitter

Since I posted my last blog “Wanted: Cisco ASA NetFlow packet capture” I have received a few files. Thank you.

It was quite a process as those who were kind enough to send me a WireShark capture with lots of v9 packets quickly learned that the file was useless without the Cisco NetFlow v9 templates.  Templates are sent out as often as 1-30 minutes.  Guess what the default rate is. 

One customer sent us a 5-minute capture from his Cisco ASA 5505. It sent out about 20 different flows types and we still only captured about 15 of the ~20 templates. As you may know, WireShark needs the templates to go back and decipher the flows captured prior. Without the templates, the NetFlow v9 packet capture is pretty much useless.

Read more »

Michael Patterson
Scrutinizer Product Manager
Follow Me on Twitter

Can anyone help me? We need a good wireshark packet capture of the NetFlow v9 coming from a Cisco ASA device. I have a small capture I used in one of my prior blog posts on this topic, but the packet capture is too short. If possible, we need a 5-10 minute capture so that our developers can pour over the packet structure (e.g. templates).

This would be a great help as we are trying to add some limited support for it in Scrutinizer v7.  Of course I’ll blog on all the good stuff I learn.

I hope to hear from you:  m i k e @ p l i x e r [dot] c o m.

Michael Patterson
Scrutinizer Product Manager
Follow Me on Twitter

I got what I was hoping to be a great packet capture from a Cisco ASA device exporting Cisco NetFlow v9. Oh, but you know how it goes in IT sometimes…it’s seldom a simple process.

The capture had 252 Cisco NetFlow v9 packets. When I opened it up though, I noticed that every frame displayed something like this:

Where are my flow records?!

With NetFlow v9 the packet analyzer (i.e. WireShark) needs the templates, which are only sent out “every so often”.

So remember, when capturing NetFlow v9 packets with WireShark, a good rule of thumb is to do a five-minute capture. I realize file sizes can be an issue, but if we don’t have the template, we can’t decipher the packets and I’ll have to send an email back asking “ Any chance we can get another capture (e.g. 5 minutes)?”

-Nate