On Tue, Jan 15, 2013 at 05:02:53PM +0000, Brian Candler wrote:
> Platform: nfdump-1.6.8p1 from source, on Ubuntu 12.04 x86_64.
> (Also nfsen-1.3.6p1, but I don't need it to demonstrate this problem)

I'm afraid I was being dense and didn't see the notice on the download page:

"For CISCO ASA devices, which export Netflow Security Event Logging (NSEL)
records, please use nfdump-1.5.8-2-NSEL."

This is now installed and running. (I notice this version of nfcapd doesn't
support the -T option, so I had to comment out $EXTENSIONS = 'all';)

However, after collecting 5 mins of netflow data:

# nfdump -M /var/nfsen/profiles-data/live/lch-asa1  -T  -r 2013/01/15/nfcapd.201301151725 -c 10
Date flow start         Proto      Src IP Addr:Port    X-Src IP Addr:Port          Dst IP Addr:Port   Event  XEvent    Bytes
2013-01-15 17:25:13.784 TCP        10.x.x.104:51945     10.x.x.104:51945 ->       10.y.y.235:9100  IGNORE  Ignore        0
2013-01-15 17:25:13.904 TCP         10.x.x.98:2001  Z.Z.Z.155:2001  ->    A.A.A.A:443   IGNORE  Ignore        0
2013-01-15 17:25:13.924 ICMP         10.y.y.15:768                NA       ->       10.x.x.98:106.244 IGNORE Deleted        0
2013-01-15 17:25:13.984 TCP        10.x.x.242:51014 Z.Z.Z.155:51014 ->    B.B.B.B:55008 IGNORE Deleted        0
2013-01-15 17:25:14.264 ICMP        10.x.x.30:8169               NA       ->    192.168.X.110:116.244 IGNORE Deleted        0
2013-01-15 17:25:14.404 TCP         10.x.x.56:49823 Z.Z.Z.155:49823 ->   C.C.C.C:443   IGNORE  Ignore        0
2013-01-15 17:25:14.404 TCP         10.x.x.55:58596 Z.Z.Z.155:58596 ->   D.D.D.D:80    IGNORE  Ignore        0
2013-01-15 17:25:14.404 UDP        10.x.x.113:56263     10.x.x.113:56263 ->        10.y.y.86:161   IGNORE  Ignore        0
2013-01-15 17:25:14.664 TCP        10.x.x.104:51947 Z.Z.Z.155:51947 ->   E.E.E.E:443   IGNORE  Ignore        0
2013-01-15 17:25:14.664 TCP        10.x.x.104:51948 Z.Z.Z.155:51948 ->   F.F.F.F:443   IGNORE  Ignore        0
Summary: total flows: 10, total bytes: 0, total packets: 10, avg bps: 0, avg pps: 11, avg bpp: 0
Time window: 2013-01-15 17:25:13 - 2013-01-15 17:29:42
Total flows processed: 5081, Records skipped: 0, Bytes read: 618732
Sys: 0.004s flows/second: 1270250.0  Wall: 0.005s flows/second: 884729.2

So unfortunately, still no byte counts :-(

Any clues?

Thanks,

Brian.
