Hi All

I've got an ASA firewall running 9.1(5) sending NetFlow data to a Linux VM
running nfsen.

I've compiled the latest nfdump with the --enable-nfsen option and
installed it.

I also uncommented the $extensions = 'all'; line in nfsen.conf when
installing it.

Nfsen only shows the flows with fixed packet and byte counts. (See bottom
of email.)

I can't really see much use for viewing the flow data without accurate
bandwidth readouts as I would be using it for troubleshooting performance
issues.

I'm wondering if there are some more flags that I need to set to get this
working?

In a Wireshark capture I can't seem to see any field which would indicate
the amount of bytes. I see initiator octets and responder octets change
but I don't know what these fields are used for.

Many thanks,

Jon.

** nfdump -M /data/nfsen/profiles-data/live/asa-fw-03  -T  -R 2015/02/03/nfcapd.201502031055:2015/02/03/nfcapd.201502031110 -c 20
nfdump filter:
any
Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2015-02-03 10:30:56.068     0.000 TCP         10.4.71.16:8593  ->   157.55.235.168:40016    1.1 M  167.8 M     1
2015-02-03 10:30:56.068     0.000 TCP         10.4.71.16:8594  ->    91.190.218.65:12350    1.1 M  167.8 M     1
2015-02-03 10:30:56.552     0.000 TCP         10.4.71.16:8637  ->    81.144.170.91:443      1.1 M  167.8 M     1
2015-02-03 10:30:56.552     0.000 TCP         10.4.71.16:8638  ->    81.144.170.91:443      1.1 M  167.8 M     1
2015-02-03 10:30:55.898     0.000 UDP         10.4.71.16:58765 ->          8.8.8.8:53       1.1 M  167.8 M     1
2015-02-03 10:30:55.898     0.000 UDP         10.4.71.16:58765 ->          8.8.8.8:53       1.1 M  167.8 M     1
2015-02-03 10:30:55.898     0.000 UDP            8.8.8.8:53    ->       10.4.71.16:58765    1.0 M  167.8 M     1
2015-02-03 10:30:55.898     0.000 UDP            8.8.8.8:53    ->       10.4.71.16:58765    1.0 M  167.8 M     1
2015-02-03 10:30:55.815     0.000 TCP         10.4.71.16:8717  ->  184.169.159.196:443      1.1 M  167.8 M     1
2015-02-03 10:30:55.815     0.000 TCP         10.4.71.16:8717  ->  184.169.159.196:443      1.1 M  167.8 M     1
2015-02-03 10:30:55.815     0.000 TCP         10.4.71.16:8650  ->    81.144.170.91:443      1.1 M  167.8 M     1
2015-02-03 10:30:55.815     0.000 TCP         10.4.71.16:8651  ->    81.144.170.91:443      1.1 M  167.8 M     1
2015-02-03 10:30:56.372     0.000 TCP         10.4.71.16:8698  ->    72.26.232.209:443      1.1 M  167.8 M     1
2015-02-03 10:30:56.372     0.000 UDP         10.4.71.16:63912 ->          8.8.8.8:53       1.1 M  167.8 M     1
2015-02-03 10:30:56.372     0.000 UDP         10.4.71.16:63912 ->          8.8.8.8:53       1.1 M  167.8 M     1
2015-02-03 10:30:56.372     0.000 TCP         10.4.71.16:8727  ->      166.98.6.70:443      1.1 M  167.8 M     1
2015-02-03 10:30:56.372     0.000 TCP         10.4.71.16:8727  ->      166.98.6.70:443      1.1 M  167.8 M     1
2015-02-03 10:30:56.372     0.000 TCP         10.4.71.16:8707  ->   191.233.92.204:443      1.1 M  167.8 M     1
2015-02-03 10:30:56.372     0.000 TCP         10.4.71.16:8599  ->    173.194.66.94:443      1.1 M  167.8 M     1
2015-02-03 10:30:56.635     0.000 TCP         10.4.71.16:8710  ->   173.194.66.138:443      1.1 M  167.8 M     1
Summary: total flows: 20, total bytes: 3.4 G, total packets: 22.2 M, avg bps: 32.7 G, avg pps: 27.0 M, avg bpp: 151
Time window: 2015-02-03 10:30:55 - 2015-02-03 10:30:56
Total flows processed: 30, Blocks skipped: 0, Bytes read: 1932
Sys: 0.000s flows/second: 0.0        Wall: 0.000s flows/second: 201342.3
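
A sanity check for the symptom described in this post, as an added example that is not part of the original message: it parses nfdump's default line output and flags byte counters that are identical across every flow or implausible for a zero-duration flow. The sample records are constructed from values shown above; the function names, thresholds and decimal unit scaling are assumptions.

```python
import re
from collections import Counter

# Constructed sample in nfdump's default line format, modelled on the output in the post.
SAMPLE = """\
2015-02-03 10:30:56.068     0.000 TCP      10.4.71.16:8593  ->  157.55.235.168:40016    1.1 M  167.8 M     1
2015-02-03 10:30:56.552     0.000 TCP      10.4.71.16:8637  ->   81.144.170.91:443      1.1 M  167.8 M     1
2015-02-03 10:30:55.898     0.000 UDP         8.8.8.8:53    ->      10.4.71.16:58765    1.0 M  167.8 M     1
2015-02-03 10:30:55.898     0.000 UDP      10.4.71.16:58765 ->         8.8.8.8:53       1.1 M  167.8 M     1
"""

NUM = r"[\d.]+(?: [KMGT])?"  # plain counter or scaled value such as "167.8 M"
LINE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+\s+(?P<dur>[\d.]+)\s+(?P<proto>\S+)\s+"
    rf"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<pkts>{NUM})\s+(?P<bytes>{NUM})\s+\d+\s*$"
)
SCALE = {"K": 1e3, "M": 1e6, "G": 1e9, "T": 1e12}  # assumption: decimal unit scaling


def to_number(text):
    value, _, unit = text.partition(" ")
    return float(value) * SCALE.get(unit, 1)


def parse_flows(output):
    """Return one dict per flow record; header and summary lines are skipped."""
    flows = []
    for line in output.splitlines():
        m = LINE.match(line.strip())
        if m:
            flows.append({"dur": float(m["dur"]), "src": m["src"], "dst": m["dst"],
                          "pkts": to_number(m["pkts"]), "bytes": to_number(m["bytes"])})
    return flows


def counter_findings(flows, min_flows=3, max_zero_dur_bytes=1e6):
    """Flag signs that the byte counters do not reflect real per-flow traffic."""
    findings = []
    if len(flows) >= min_flows:
        value, count = Counter(f["bytes"] for f in flows).most_common(1)[0]
        if count == len(flows):
            findings.append(f"all {count} flows report the same byte count ({value:.0f})")
    impossible = [f for f in flows if f["dur"] == 0 and f["bytes"] > max_zero_dur_bytes]
    if impossible:
        findings.append(f"{len(impossible)} zero-duration flows exceed {max_zero_dur_bytes:.0f} bytes")
    return findings


if __name__ == "__main__":
    for finding in counter_findings(parse_flows(SAMPLE)):
        print("WARN:", finding)
```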



_______________________________________________
Nfdump-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss