A while ago I had a customer ask me about getting MAC addresses using Flexible NetFlow.  Yes, it is possible but, two issues come into play when getting it to work properly.
• The router must support Flexible NetFlow export
• The collector must accept and display it

Configure The Router
The router must be configured to export MAC addresses.  Here is how we did it:

Step 1: Create a flow record and define fields that you want to export. Give it a name. Called MAC-ATTACK here. I  have also included various other fields. You can ALSO export output MACs. This can show you if the router changed the MAC.

  • flow record MAC_ATTACK
  • description MAC address flow monitor
  • match application name
  • collect ipv4 id
  • collect ipv4 source address
  • collect ipv4 source prefix
  • collect ipv4 source mask
  • collect ipv4 destination address
  • collect ipv4 destination mask
  • collect transport source-port
  • collect transport destination-port
  • collect transport tcp source-port
  • collect transport tcp destination-port
  • collect transport udp source-port
  • collect transport udp destination-port
  • collect interface input
  • collect interface output
  • collect counter bytes
  • collect counter packets
  • collect timestamp sys-uptime first
  • collect timestamp sys-uptime last
  • collect datalink mac source address input
  • collect datalink mac destination address input

Step 2: Create an exporter

  • flow exporter my-happy-funtime-exporter
  • description flexible NF v9
  • destination
  • source FastEthernet0/1
  • transport udp 2055
  • template data timeout 60

Step 3: Create a flow monitor

This tells the router what flow record and exporter to use:

  • flow monitor My-flow-monitor
  • description app traffic analysis
  • record app-traffic-analysis
  • exporter export-to-scrut7

Step 4:  Add Monitor to the desired interfaces

  • interface FastEthernet0/0
    ip flow monitor My-flow-monitor input
  • interface FastEthernet0/1
    ip flow monitor My-flow-monitor  input

Step 5: Enjoy the MAC goodness

The NetFlow Collector Must Accept It
The NetFlow collector must accept these new NetFlow packets containing MAC addresses. What’s more, the NetFlow reporting interface must allow you to view and search for the source and destination MAC addresses.  Here is our initial interface to this data:

Notice to the far right in the image above ‘vlandId’ cool stuff!  You can sort and search on any column, below I’m searching for a MAC address:

I can also see the respective IP address for the MAC and trend the traffic for the IP.  All of this with the free version of Scrutinizer!

“The ability to correlate end-users’ identities, as well as IP and MAC addresses, with anomalous network traffic patterns is important for enterprise IT security professionals,” said Phil Hochmuth, senior analyst with Yankee Group.

Scrutinizer v7 supports Flexible NetFlow and is able to receive and store Cisco NSEL (i.e. NetFlow Security Event Logs) and PSAMP, etc.  Because of this, our collector is able to receive and display anything kicked out that is in a NetFlow v9 format.  However, sometimes we don’t know how to display the data if the information isn’t in the template or if the records aren’t included as one of our defaults.  If you are having trouble displaying your unique NetFlow v9 data, please send a WireShark packet trace to me and make sure the capture includes a template!

Scrutinizer Has It Covered


Michael is one of the Co-founders and the former product manager for Scrutinizer. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix which later became Plixer.


Big Data

Sankey Flow Graph

One of the greatest benefits of NetFlow collection for traffic analysis, is we’re provided with the ability to visualize the…

Leave a Reply

Your email address will not be published.