Since I posted my last blog “Wanted: Cisco ASA NetFlow packet capture” I have received a few files. Thank you.

It was quite a process, as those who were kind enough to send me a Wireshark capture with lots of v9 packets quickly learned that the file was useless without the Cisco NetFlow v9 templates. Depending on the configuration, templates are sent out anywhere from every 1 to every 30 minutes. Guess what the default rate is. 🙂

One customer sent us a 5-minute capture from his Cisco ASA 5505. It sent out about 20 different flow types, and we still only captured about 15 of the ~20 templates. As you may know, Wireshark needs the templates to go back and decipher the flows captured earlier. Without the templates, the NetFlow v9 packet capture is pretty much useless.

[Screenshot: Wireshark capture from the Cisco ASA 5505]

The default template timeout on the Cisco ASA is 30 minutes, which is why the capture shown in the screenshot is missing templates.
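One way to check a capture for this problem before sending it to anyone, as an added example (not code from the original post, Cisco or Wireshark): walk the NetFlow v9 export packets, record every template seen, and list the Data FlowSets that no captured template describes. It takes the UDP payloads of the export packets in capture order; the function names and sample bytes are constructed for illustration, and options templates (FlowSet ID 1) are not parsed.

```python
import struct

HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unix_secs, sequence, source_id
FLOWSET = struct.Struct("!HH")     # FlowSet ID, length (includes these 4 bytes)

def parse_templates(body, templates):
    """Record template ID -> data record length for each template in a Template FlowSet."""
    pos = 0
    while pos + 4 <= len(body):
        tmpl_id, nfields = struct.unpack_from("!HH", body, pos)
        end = pos + 4 + 4 * nfields
        if tmpl_id < 256 or end > len(body):
            break                              # zero padding or truncated record
        specs = struct.iter_unpack("!HH", body[pos + 4:end])   # (field type, field length)
        templates[tmpl_id] = sum(length for _ftype, length in specs)
        pos = end

def audit_templates(payloads):
    """payloads: UDP payloads in capture order. Returns (templates, missing), where
    missing maps template ID -> count of Data FlowSets no captured template describes."""
    templates, data_sets = {}, {}
    for payload in payloads:
        if len(payload) < HEADER.size or HEADER.unpack_from(payload)[0] != 9:
            continue                           # not a NetFlow v9 export packet
        off = HEADER.size
        while off + FLOWSET.size <= len(payload):
            fs_id, fs_len = FLOWSET.unpack_from(payload, off)
            if fs_len < FLOWSET.size or off + fs_len > len(payload):
                break                          # malformed or truncated FlowSet
            if fs_id == 0:                     # Template FlowSet
                parse_templates(payload[off + 4:off + fs_len], templates)
            elif fs_id >= 256:                 # Data FlowSet: its ID is the template ID
                data_sets[fs_id] = data_sets.get(fs_id, 0) + 1
            off += fs_len                      # FlowSet ID 1 (options template) is skipped
    missing = {t: n for t, n in data_sets.items() if t not in templates}
    return templates, missing

# Constructed sample (not from a real ASA): template 256 is captured, template 257 is not.
def v9(*flowsets):
    return HEADER.pack(9, len(flowsets), 0, 0, 0, 0) + b"".join(flowsets)

TEMPLATE_256 = struct.pack("!HHHHHHHH", 0, 16, 256, 2, 8, 4, 12, 4)  # IPv4 src/dst address
DATA_256 = struct.pack("!HH4s4s", 256, 12, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
DATA_257 = struct.pack("!HH8s", 257, 12, bytes(8))
SAMPLE = [v9(DATA_256), v9(DATA_257), v9(TEMPLATE_256), v9(DATA_257)]

if __name__ == "__main__":
    print(audit_templates(SAMPLE))
```

Template 256 arrives after its first Data FlowSet but still counts as captured, matching the way Wireshark goes back over earlier packets once it has the template.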

The customer then applied the following command on the ASA 5505:
hostname(config)# flow-export template timeout-rate 1

The above will force the Cisco ASA to export templates every minute.
NOTE: The template export frequency can be specified by packet rate as well:

Step 5: export template refresh-rate packets
Example: Router(config-flow-cache)# export template refresh-rate 10
(Optional) Specifies the refresh rate in number of export packets. "packets" is an integer from 1 to 600. The default is 20 packets.

Step 6: export template timeout-rate minutes
Example: Router(config-flow-cache)# export template timeout-rate 60
(Optional) Specifies the timeout rate in minutes. "minutes" is an integer from 1 to 3600. The default is 30 minutes.

The above is the topic of another blog.

Oh, and happy birthday mom.  I love you.

Michael

Michael is one of the Co-founders and the former product manager for Scrutinizer. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix which later became Plixer.
