Re: [Nfsen-discuss] ASA Netflow - No packet stats

Tue, 12 Apr 2016 13:25:39 -0700 

On 6/4/2016 7:37 μμ, Mark D. Nagel wrote:

> The ASA reports NSEL, not NetFlow.  The data does not include packet 
> counters.  It also
> does not (or did not) include directionality.

I have had some progress. I re-built nfdump (latest version) with the 
nsel flag (which I realized I should have done):

    # ./configure --enable-nsel --enable-nfprofile --enable-nftrack
    --with-rrdpath=/usr/include
    # make
    # make install

Then I found that things improved, but, interestingly, I started getting 
proper results only after I reversed in/out filters in the respective 
profiles!(Note: all monitored interfaces are virtual, dot1q interfaces, 
over physical LAGs).

BUT, although the bps traffic graphs now look correct (they are close to 
what ASDM graphs report), doing analysis provides strange results: Byte 
counts and rates look correct in graphs, but in analysis they seem 
pretty undervalued.

As an example, I used in nfsen GUI (on the graph of a particular ASA 
virtual interface) a "Time Window" focusing on a period of exactly 4 
hours where activity is (correctly) reported in the graph at around 450 
Mbps (almost continuous), and I requested ("Stat TopN") the Top 10 IP 
Addresses, ordered by bytes. Then, the two top addresses (which 
exchanged a massive quantity of data and should account for the 95% of 
the 810 GB expected to have been transferred), appear to have exchanged 
only 1.1 GB. So, it seems that data exchanged by the two hosts is 
under-calculated by a factor of about 800.

Am I missing something?

Are the above observations and behavior expected? Please clarify!

Thanks,
Nick


------------------------------------------------------------------------------
Find and fix application performance issues faster with Applications Manager
Applications Manager provides deep performance insights into multiple tiers of
your business applications. It resolves application problems quickly and
reduces your MTTR. Get your free trial!
https://ad.doubleclick.net/ddm/clk/302982198;130105516;z
_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss

Reply via email to