I got what I was hoping to be a great packet capture from a Cisco ASA device exporting Cisco NetFlow v9. Oh, but you know how it goes in IT sometimes…it’s seldom a simple process.

The capture had 252 Cisco NetFlow v9 packets. When I opened it up though, I noticed that every frame displayed something like this:

Where are my flow records?!

With NetFlow v9, the packet analyzer (i.e. Wireshark) needs the templates to decode the flow records, and the exporter only sends them out “every so often”.

So remember, when capturing NetFlow v9 packets with Wireshark, a good rule of thumb is to do a five-minute capture. I realize file sizes can be an issue, but if we don’t have the template, we can’t decipher the packets and I’ll have to send an email back asking “Any chance we can get another capture (e.g. 5 minutes)?”
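A capture can be checked for this before it is sent off. The following is an added example, not code from the original post: it walks NetFlow v9 UDP payloads, learns template IDs from template and options-template FlowSets, and reports data FlowSets that arrive before their template. The function names and sample payloads are constructed for illustration, and templates are keyed by Source ID only, whereas a real collector also keys on the exporter's IP address.

```python
import struct

HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unix_secs, sequence, source_id

def learn_templates(fs_id, body, source_id, known):
    """Record template IDs announced by a template (0) or options template (1) FlowSet."""
    pos, head = 0, (4 if fs_id == 0 else 6)
    while pos + head <= len(body):
        if fs_id == 0:
            tid, nfields = struct.unpack_from("!HH", body, pos)
            size = 4 + 4 * nfields          # each field is a (type, length) pair
        else:
            tid, scope_len, opt_len = struct.unpack_from("!HHH", body, pos)
            size = 6 + scope_len + opt_len  # both lengths are given in bytes
        if tid < 256:
            break                           # padding at the end of the FlowSet
        known.add((source_id, tid))
        pos += size

def scan_packet(payload, known):
    """Return the data FlowSet IDs in one v9 payload that have no template in `known` yet."""
    version, _, _, _, _, source_id = HEADER.unpack_from(payload)
    if version != 9:
        raise ValueError("not a NetFlow v9 export packet")
    missing, off = [], HEADER.size
    while off + 4 <= len(payload):
        fs_id, fs_len = struct.unpack_from("!HH", payload, off)
        if fs_len < 4 or off + fs_len > len(payload):
            break                           # malformed or truncated FlowSet
        if fs_id in (0, 1):
            learn_templates(fs_id, payload[off + 4:off + fs_len], source_id, known)
        elif fs_id >= 256 and (source_id, fs_id) not in known:
            missing.append(fs_id)           # data FlowSet ID equals its template ID
        off += fs_len
    return missing

# Constructed sample payloads (not taken from the capture discussed in the post).
def flowset(fs_id, body):
    return struct.pack("!HH", fs_id, 4 + len(body)) + body
def packet(source_id, *flowsets):           # one record per FlowSet in these samples
    return HEADER.pack(9, len(flowsets), 0, 0, 0, source_id) + b"".join(flowsets)
TEMPLATE = flowset(0, struct.pack("!6H", 256, 2, 8, 4, 12, 4))  # IPV4_SRC_ADDR, IPV4_DST_ADDR
DATA = flowset(256, bytes([10, 0, 0, 1, 10, 0, 0, 2]))

def demo():
    known = set()
    before = scan_packet(packet(1, DATA), known)   # data arrives first: undecodable
    scan_packet(packet(1, TEMPLATE), known)        # template finally shows up
    return before, scan_packet(packet(1, DATA), known)
```

If every packet in a capture comes back with a non-empty list, the capture ended before the exporter resent its templates.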


Ryan Slosser

My name is Ryan. I work in development here at Plixer. I mostly deal with hardware deployment. I enjoy kayaking and fishing during the summer and skiing in the winter. People can count on me and I always give 100% unless I'm donating blood.


5 comments on “Wireshark needs templates to decipher Cisco NetFlow v9”

  1. Nate, thanks for the good information. I’m seeing this “no template found” on a v9 capture from a Nexus 7000 router even after a 5 min capture as you’ve suggested. Any ideas? Is there another decode than cflow in Wireshark I should be using?


  2. Good question. I haven’t seen a PCAP from a Nexus yet, but I do know that it should be exporting the standard NetFlow v9 template. So I would guess that it would still be considered CFLOW.

    I know that some devices can also export a template as infrequently as once every 30 mins, so it might take a few minutes before Wireshark gets the template to decode those packets.

  3. Nate,

    a very simple question really, but I downloaded the latest Wireshark version and for some reason it does not interpret the NetFlow packets. The NetFlow packets are sent on port 9996…

    I tried to click on the packet and do “decode as…” but I don’t seem to find netflow in the list.

    Any idea?

