DX Unified Infrastructure Management

  • 1.  NetFlow, fields needed for device/interface to show up

    Posted Mar 14, 2013 04:11 PM

    -Here is the list of required fields we would look for in a PCAP if we are not seeing flows from the router.

    1 - IN_BYTES InOctets
    4 - PROTOCOL Protocol
    7 - L4_SRC_PORT Source port
    8 - IPV4_SRC_ADDR Source Address
    10 - INPUT_SNMP In interface
    11 - L4_DST_PORT Dest port
    12 - IPV4_DST_ADDR Dest address
    14 - OUTPUT_SNMP Out interface


    ** IMPORTANT **

    Verify that the amount of traffic on a given interface is greater than 50KB per 15 minutes. 15 minute data resolution points will not be created for any values less than 50KB.

    ********************

    -To use Wireshark to examine NetFlow packets, follow these steps:
    1) If Wireshark is not already installed on the Harvester (or standalone) server that the device you are interested in is sending NetFlow to, download and install it.
    2) Launch Wireshark.
    3) Open the ‘Capture’ menu at the top and select ‘Interfaces.’
    4) Click ‘Options’ next to the correct interface (usually the one with the increasing packet counts).
    5) In the “Capture Filter:” field type: udp port 9995 and host x.x.x.x
    (where x.x.x.x is the IP address of the router; if you do not care about a specific router, just set the filter to udp port 9995).
    6) Click ‘Start.’
    7) Wait until you see a sufficient number of packets or have gathered packets for a sufficient timeframe, depending on what issue you’re troubleshooting.
    8) Stop the capture by clicking the ‘Stop’ button.
    9) Click on any NetFlow packet.
    10) Select ‘Analyze’ -> ‘Decode As…’
    11) In the drop-down, select “TCP Destination (9995) port(s) as”
    12) Select “CFLOW” in the scrolling pane and click ‘OK’
    13) Select a packet in the top pane and view the information in the middle and bottom pane.
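    As an added illustration that is not part of the original post, the following Python reads the template flowsets of a NetFlow v9 packet and reports which of the required fields listed above each template does not export, which is the same check one would do by eye in the Wireshark CFLOW decode. The packet is constructed inline (template id 256 and the 4-byte field lengths are sample values); capturing on UDP 9995 is left to Wireshark as described.

```python
import struct

# NetFlow v9 field type IDs the post lists as required for a device/interface to appear.
REQUIRED_FIELDS = {
    1: "IN_BYTES", 4: "PROTOCOL", 7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR",
    10: "INPUT_SNMP", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR", 14: "OUTPUT_SNMP",
}

def parse_v9_templates(payload: bytes) -> dict:
    """Return {template_id: [field_type, ...]} from the template flowsets (id 0) of one v9 packet."""
    version, _count = struct.unpack_from("!HH", payload, 0)
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    templates = {}
    offset = 20  # 20-byte v9 header: version, count, sysUptime, unixSecs, seqNum, sourceId
    while offset + 4 <= len(payload):
        flowset_id, flowset_len = struct.unpack_from("!HH", payload, offset)
        if flowset_len < 4:
            break  # malformed length: stop instead of looping forever
        end = min(offset + flowset_len, len(payload))
        if flowset_id == 0:  # template flowset; data flowsets (id >= 256) are skipped
            pos = offset + 4
            while pos + 4 <= end:
                template_id, field_count = struct.unpack_from("!HH", payload, pos)
                pos += 4
                if pos + 4 * field_count > end:
                    break  # template record truncated
                fields = [struct.unpack_from("!HH", payload, pos + 4 * i)[0] for i in range(field_count)]
                pos += 4 * field_count
                templates[template_id] = fields
        offset = end
    return templates

def missing_required_fields(templates: dict) -> dict:
    """For each template, the names of required fields it does not export (empty list = all present)."""
    return {tid: sorted(name for ftype, name in REQUIRED_FIELDS.items() if ftype not in fields)
            for tid, fields in templates.items()}

def build_template_packet(template_id: int, field_types: list) -> bytes:
    """Constructed sample: a v9 packet carrying one template flowset; field lengths are nominal 4 bytes."""
    body = struct.pack("!HH", template_id, len(field_types))
    body += b"".join(struct.pack("!HH", ftype, 4) for ftype in field_types)
    flowset = struct.pack("!HH", 0, 4 + len(body)) + body
    header = struct.pack("!HHIIII", 9, 1, 0, 0, 0, 0)
    return header + flowset

# Constructed sample: a router template that omits OUTPUT_SNMP (type 14).
SAMPLE = build_template_packet(256, [1, 4, 7, 8, 10, 11, 12])

if __name__ == "__main__":
    print(missing_required_fields(parse_v9_templates(SAMPLE)))  # {256: ['OUTPUT_SNMP']}
```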



  • 2.  RE: NetFlow, fields needed for device/interface to show up

    Posted Mar 14, 2013 04:19 PM
    I wouldn't resort to this unless the NFAParser/NAST tool fails to show the flows. If these tools don't show the flows, this is the best next step.