I got what I was hoping to be a great packet capture from a Cisco ASA device exporting Cisco NetFlow v9. Oh, but you know how it goes in IT sometimes…it’s seldom a simple process.
The capture had 252 Cisco NetFlow v9 packets. When I opened it up though, I noticed that every frame displayed something like this:
Where are my flow records?!
With NetFlow v9 the packet analyzer (i.e. Wireshark) needs the templates before it can decode anything: a data FlowSet carries only a template ID and raw field bytes, and the exporter sends the template definitions out “every so often” rather than in every packet. If the template was not sent during the capture window, the data records stay undecodable.
So remember, when capturing NetFlow v9 packets with Wireshark, a good rule of thumb is to do a five-minute capture. I realize file sizes can be an issue, but if we don’t have the template, we can’t decipher the packets and I’ll have to send an email back asking “Any chance we can get another capture (e.g. 5 minutes)?”
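To make the template dependency concrete, here is an added Python example (it is not code from this post, from Cisco or from Wireshark). It builds a constructed NetFlow v9 template packet and a constructed data packet, then feeds them to a minimal decoder in both orders: template first, and data first. The field type numbers are the ones defined in RFC 3954; the addresses, ports and counters are made-up sample values, and the decoder handles only regular templates (FlowSet ID 0) and data FlowSets, not options templates.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v9 field type numbers from RFC 3954 (only the subset this example uses).
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}

# Template used by the constructed exporter: (field type, field length) pairs, 21 bytes per record.
FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
TEMPLATE_ID = 256  # data FlowSet IDs must be >= 256; 0 and 1 are reserved for templates

# Constructed sample flows: src, dst, sport, dport, proto, bytes, pkts (not real traffic).
SAMPLE_FLOWS = [
    (int(IPv4Address("10.1.1.5")), int(IPv4Address("192.0.2.10")), 51234, 443, 6, 4820, 12),
    (int(IPv4Address("10.1.1.7")), int(IPv4Address("198.51.100.3")), 40001, 22, 6, 960, 8),
]


def _header(count, seq):
    # version, count, sysUpTime, unix secs, sequence number, source ID (constructed values)
    return struct.pack("!HHIIII", 9, count, 1000, 1700000000, seq, 0)


def build_template_packet(template_id, fields, seq):
    """One export packet carrying a single template record in a template FlowSet (ID 0)."""
    body = struct.pack("!HH", template_id, len(fields))
    for ftype, flen in fields:
        body += struct.pack("!HH", ftype, flen)
    return _header(1, seq) + struct.pack("!HH", 0, 4 + len(body)) + body


def build_data_packet(template_id, records, fields, seq):
    """One export packet carrying a data FlowSet whose ID references the template."""
    body = b"".join(value.to_bytes(flen, "big")
                    for rec in records for (_, flen), value in zip(fields, rec))
    body += b"\x00" * ((-len(body)) % 4)  # pad the FlowSet to a 4-byte boundary
    return _header(len(records), seq) + struct.pack("!HH", template_id, 4 + len(body)) + body


class V9Decoder:
    """Minimal v9 decoder: templates are cached per (source ID, template ID), like a collector."""

    def __init__(self):
        self.templates = {}

    def decode(self, packet):
        """Return (decoded records, template IDs of data FlowSets that could not be decoded)."""
        version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
        if version != 9:
            raise ValueError("not a NetFlow v9 packet")
        records, undecodable, offset = [], [], 20
        while offset + 4 <= len(packet):
            fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
            if fs_len < 4:
                raise ValueError("bad FlowSet length")
            payload = packet[offset + 4:offset + fs_len]
            if fs_id == 0:
                self._parse_templates(source_id, payload)
            elif fs_id >= 256:
                tmpl = self.templates.get((source_id, fs_id))
                if tmpl is None:
                    undecodable.append(fs_id)  # this is what Wireshark shows as an unknown template
                else:
                    records.extend(self._parse_data(tmpl, payload))
            offset += fs_len
        return records, undecodable

    def _parse_templates(self, source_id, payload):
        pos = 0
        while pos + 4 <= len(payload):  # trailing padding (< 4 bytes) ends the loop
            tid, nfields = struct.unpack("!HH", payload[pos:pos + 4])
            pos += 4
            fields = [struct.unpack("!HH", payload[pos + 4 * i:pos + 4 * i + 4]) for i in range(nfields)]
            pos += 4 * nfields
            self.templates[(source_id, tid)] = fields

    def _parse_data(self, fields, payload):
        rec_len = sum(flen for _, flen in fields)
        out, pos = [], 0
        while pos + rec_len <= len(payload):  # padding is < 4 bytes, so it never forms a record
            rec = {}
            for ftype, flen in fields:
                raw = payload[pos:pos + flen]
                pos += flen
                name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                rec[name] = str(IPv4Address(raw)) if ftype in (8, 12) and flen == 4 else int.from_bytes(raw, "big")
            out.append(rec)
        return out


def demo(template_first=True):
    """Feed the template and data packets in the given order; return (records, missing template IDs)."""
    dec = V9Decoder()
    tmpl_pkt = build_template_packet(TEMPLATE_ID, FIELDS, seq=1)
    data_pkt = build_data_packet(TEMPLATE_ID, SAMPLE_FLOWS, FIELDS, seq=2)
    decoded, missing = [], []
    for pkt in ([tmpl_pkt, data_pkt] if template_first else [data_pkt, tmpl_pkt]):
        recs, undec = dec.decode(pkt)
        decoded.extend(recs)
        missing.extend(undec)
    return decoded, missing


if __name__ == "__main__":
    print("template first:", demo(True))
    print("data first:    ", demo(False))
```

With the template first, both flows decode into named fields; with the data packet first, the decoder has nothing to match template ID 256 against and reports it as undecodable, and the records are lost for good because this decoder, like Wireshark reading a capture file, only knows what it has already seen. A collector restarted mid-stream is in the same position until the exporter's next template refresh, so a short capture that misses the refresh interval is unusable even though every packet in it is well-formed.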