I received a Wireshark capture from someone else the other day. He said that the default timeout was set for 30 minutes and believes that this is why the earlier capture he gave me had no templates.

He applied the following command on the Cisco ASA5505 running image asa821-k8:

“flow template timeout-rate 1”

His ASA5505 sent out about 20 different Cisco NetFlow v9 flow types and we still only captured about 15 of the ~20 templates.

[Wireshark screenshot: asa5505WireShark]
Wireshark needs the templates in order to go back and decode the flow records captured before them. Otherwise, you will see what is shown below in the Wireshark capture. Notice that template 263 isn't in the list above, and this was in the same packet capture:

[Wireshark screenshot: asa5505WireShark2]
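To show why a data FlowSet whose template has not yet been seen is undecodable, here is a small NetFlow v9 parser as an added example; it is not code from the original post or from Plixer. The packets are constructed sample data (template IDs 256 and 263, field type numbers from RFC 3954), and the second pass over the same packet stands in for the re-dissection Wireshark needs the template for.

```python
import struct
# Field types from the NetFlow v9 spec (RFC 3954); used only to label decoded values
FIELDS = {4: "PROTOCOL", 7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}

def parse_v9(packet, templates):
    """Parse one v9 export packet; `templates` (id -> [(type, length), ...]) is updated in place.
    Returns (decoded records, template IDs used by data FlowSets but not seen yet)."""
    if struct.unpack("!H", packet[:2])[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    records, missing, off = [], [], 20                 # 20-byte export header precedes the FlowSets
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4:                                 # malformed length: stop instead of looping
            break
        body, off = packet[off + 4:off + fs_len], off + fs_len
        if fs_id == 0:                                 # template FlowSet; may carry several templates
            p = 0
            while p + 4 <= len(body):
                tid, n = struct.unpack("!HH", body[p:p + 4])
                templates[tid] = [struct.unpack("!HH", body[p + 4 + 4 * i:p + 8 + 4 * i]) for i in range(n)]
                p += 4 + 4 * n
        elif fs_id >= 256:                             # data FlowSet; decodable only with its template
            tmpl = templates.get(fs_id)
            if tmpl is None:
                missing.append(fs_id)                  # what Wireshark shows as an undecodable FlowSet
                continue
            rec_len, p = sum(flen for _, flen in tmpl), 0
            while p + rec_len <= len(body):            # any leftover bytes are padding
                rec, q = {}, p
                for ftype, flen in tmpl:
                    rec[FIELDS.get(ftype, ftype)] = body[q:q + flen]
                    q += flen
                records.append((fs_id, rec))
                p += rec_len
    return records, missing

def v9_packet(flowsets, seq):
    """Build a constructed export packet (sample data, not a real ASA export)."""
    body = b"".join(struct.pack("!HH", fid, len(d) + 4) + d for fid, d in flowsets)
    return struct.pack("!HHIIII", 9, len(flowsets), 1000, 1338249600, seq, 0) + body

# Constructed sample: data FlowSet 263 shows up before its template, as in the capture above
TEMPLATE_256 = struct.pack("!HHHHHHHH", 256, 3, 8, 4, 12, 4, 4, 1)   # src IP, dst IP, protocol
TEMPLATE_263 = struct.pack("!HHHHHH", 263, 2, 7, 2, 11, 2)            # src port, dst port
PKT1 = v9_packet([(263, b"\x00\x50\x04\xd2" * 3), (0, TEMPLATE_256), (256, bytes([10, 0, 0, 1, 192, 168, 1, 9, 6]))], 1)

def demo():
    templates = {}
    first = parse_v9(PKT1, templates)                  # 256 decodes, 263 is reported missing
    parse_v9(v9_packet([(0, TEMPLATE_263)], 2), templates)   # template 263 finally arrives
    second = parse_v9(PKT1, templates)                 # second pass over the same packet decodes 263
    return first, second
```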

Another project for me: What does this mean:

[Wireshark screenshot: asa5505WireShark3]

I’m going to have to roll up my sleeves on this one. Time to dig in. Once I have the data collected, we can take a look at what we might be able to report on for network traffic analysis.

If you want to try this with your ASA hardware, here is a page to help you find the commands needed to enable ASA NetFlow.

May 29th, 2012 Cisco ASA UPDATE: New Cisco NSEL Reports in Scrutinizer v9. Check them out.


Michael

Michael is one of the Co-founders and the former product manager for Scrutinizer. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix which later became Plixer.
