DX Infrastructure Manager


Tech Tips: How to determine if a NetFlow enabled device is sending the correct fields

  • 1.  Tech Tips: How to determine if a NetFlow enabled device is sending the correct fields

    Posted 08-19-2013 11:41 AM

    ** Note if you are having issues viewing images in this document it is also available on Support.ca.com**

     

    Oftentimes we see support issues with NetFlow v9 data not showing up in ReporterAnalyzer/NFA.
    NetFlow v9 uses templates to send specific, and in some cases configurable, fields.

    While oftentimes we can use the NFAParser/NASTv11 to determine whether we are receiving NetFlow data from a router, Wireshark will give us a deeper look into the format of the data to see whether it is correct and whether we are getting the required fields.


    How to determine if a NetFlow enabled device is sending the correct fields and data using WireShark


    Summary
    ReporterAnalyzer(RA) and Network Flow Analysis(NFA) require that certain fields are sent from a NetFlow enabled device in order for the software to display data properly.

    If one or more of these fields are not sent along with the NetFlow data, RA/NFA may either show incorrect data or no data at all from that device.

    Most NetFlow v5 devices send the same fields regardless; however, in NetFlow v9 and newer, the device needs to send a template that tells the receiver of the data how to interpret it. This may still be necessary for troubleshooting some NetFlow v5 devices as well.

    Below are the required fields for NetFlow data to be displayed in RA/NFA:
    1 - IN_BYTES or 85 - IN_PERMANENT_BYTES (NFA only)
    4 - PROTOCOL
    7 - L4_SRC_PORT
    8 - IPV4_SRC_ADDR
    10 - INPUT_SNMP
    11 - L4_DST_PORT
    12 - IPV4_DST_ADDR
    14 - OUTPUT_SNMP


    Solution
    You can verify that these fields are being sent by running WireShark on the Harvester which the device is sending data to.

    **Note that the steps for the Capture Filter may vary slightly depending on the version of Wireshark; this example is based on version 1.8.6**

    1) Open WireShark on the Harvester server and go to the “Capture” top menu and then “Options”



    2) Double click the Interface which is receiving the NetFlow



    3) In the “Capture Filter” field enter “host x.x.x.x and udp port 9995” where x.x.x.x is the IP address of the device you wish to monitor, and click OK



    4) Click “Capture->Start” to begin capturing data.



    5) Once you have captured enough data click Stop and then “Analyze->Decode As”



    6) Change the drop down menu to “Destination (->9995)” and select “CFLOW” on the right and click OK



    7) To find the datagram that has the NetFlow template, you can enter “cflow.template_id” in the Filter field; it will filter down to only datagrams that contain a NetFlow template.

    Here you can check to see if the required NetFlow fields are being sent in the template.

    If you expand the section below which says “Template (ID = ….)”, you can see a list of the fields being sent and match them up with the required fields from above.



    8) To view the actual values for these fields being sent, clear the cflow.template_id filter and click on any other datagram.

    Expand where it says “Cisco NetFlow/IPFIX” and expand one of the FlowSets until you can see a list of the fields and values like the one below. Make note that the "FlowSet Id: (Data)" value matches the template ID (in this case it is 256) to ensure you are looking at the correct flow:


    This discussion has also been posted in the Knowledge Base on Support.ca.com TEC597610

    This discussion has also been converted to a Tech Tip document here Tech Tips: How to determine if a NetFlow enabled device is sending the correct fields

     

    *Note, for sFlow you can use Decode as "SFLOW" instead of "CFLOW"

     

    **Note: in 9.2.1 we will begin supporting ASA devices, which adds two new supported fields.**

     

    In place of 1 - IN_BYTES or 85 - IN_PERMANENT_BYTES, ASA devices use both 231 - FW_INITIATOR_OCTETS and 232 - FW_RESPONDER_OCTETS which we now support.

     

    All other fields must still be present.
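    The check that steps 7 and 8 above do by eye in Wireshark can also be done programmatically. The Python below is an added example (not from the original post, and not CA/RA/NFA code): it walks one raw NetFlow v9 UDP payload, reads the template FlowSet, reports which of the required field types are missing from each template (accepting IN_BYTES, IN_PERMANENT_BYTES, or the ASA pair FW_INITIATOR_OCTETS/FW_RESPONDER_OCTETS as the byte counter), and decodes a data FlowSet whose FlowSet ID matches a known template ID. The datagram in build_sample() is constructed inline, not captured from a device.

```python
import struct
# Field type numbers from the post: RA/NFA need a byte counter plus these seven v9 template "Type" values.
REQUIRED = {4: "PROTOCOL", 7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR", 10: "INPUT_SNMP",
            11: "L4_DST_PORT", 12: "IPV4_DST_ADDR", 14: "OUTPUT_SNMP"}
BYTE_COUNTERS = ({1}, {85}, {231, 232})  # IN_BYTES, IN_PERMANENT_BYTES, or both ASA FW_*_OCTETS fields

def missing_fields(template):
    """Required field types absent from a template given as [(type, length), ...]."""
    present = {ftype for ftype, _ in template}
    missing = sorted(REQUIRED.keys() - present)
    if not any(alt <= present for alt in BYTE_COUNTERS):
        missing.insert(0, 1)  # report the byte counter as field 1 when no accepted variant is present
    return missing

def parse_v9(datagram):
    """Return (templates {id: [(type, len)]}, records [(template id, {type: value})]) for one v9 datagram."""
    templates, records, offset = {}, [], 20  # flowsets start after the 20-byte packet header
    while offset + 4 <= len(datagram):
        fs_id, fs_len = struct.unpack_from("!HH", datagram, offset)
        if fs_len < 4:
            break  # malformed length: stop instead of looping forever
        body = datagram[offset + 4:offset + fs_len]
        if fs_id == 0:  # template flowset: template ID, field count, then (type, length) pairs
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                templates[tid] = [struct.unpack_from("!HH", body, pos + 4 + 4 * i) for i in range(nfields)]
                pos += 4 + 4 * nfields
        elif fs_id in templates:  # data flowset: its FlowSet ID is the ID of the template it was encoded with
            fields = templates[fs_id]
            rec_len, pos = sum(flen for _, flen in fields), 0
            while rec_len and pos + rec_len <= len(body):  # trailing padding is shorter than one record
                rec = {}
                for ftype, flen in fields:
                    raw, pos = body[pos:pos + flen], pos + flen
                    rec[ftype] = ".".join(map(str, raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")
                records.append((fs_id, rec))
        offset += fs_len
    return templates, records

def build_sample():
    """Constructed datagram (not a capture): template 256 is complete, template 257 lacks both SNMP ifIndex fields."""
    good = [(1, 4), (4, 1), (7, 2), (8, 4), (10, 2), (11, 2), (12, 4), (14, 2)]
    bad = [(1, 4), (4, 1), (7, 2), (8, 4), (11, 2), (12, 4)]
    tmpl = b"".join(struct.pack("!HH", tid, len(f)) + b"".join(struct.pack("!HH", *p) for p in f)
                    for tid, f in ((256, good), (257, bad)))
    record = struct.pack("!IBH4sHH4sH", 1500, 6, 443, bytes([10, 0, 0, 5]), 3, 52000, bytes([192, 168, 1, 20]), 7)
    header = struct.pack("!HHIIII", 9, 3, 123456, 1376926860, 1, 0)  # version, count, uptime, secs, seq, source ID
    return (header + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
            + struct.pack("!HH", 256, 4 + len(record) + 3) + record + b"\x00" * 3)  # data flowset padded to 4 bytes
```

    To run it against a real device, feed parse_v9() the raw UDP payload of one exporter datagram (for example, the bytes of the cflow PDU saved from Wireshark) and call missing_fields() on each template it returns.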



  • 2.  RE: How to determine if a NetFlow enabled device is sending the correct fie

    Posted 08-21-2013 10:13 AM
    This has also been posted in the Knowledge Base on Support.ca.com TEC597610


  • 3.  RE: How to determine if a NetFlow enabled device is sending the correct fie

    Posted 04-16-2014 04:48 PM

    Note, for sFlow you can use Decode as "SFLOW" instead of "CFLOW"



  • 4.  Re: Tech Tips: How to determine if a NetFlow enabled device is sending the correct fields

    Posted 10-21-2014 08:32 AM

    Christopher_Walsh, would you please put the link to the community editable document at the top of this post? That way we only have 2 copies of this document instead of one.



  • 5.  Re: Tech Tips: How to determine if a NetFlow enabled device is sending the correct fields

    Posted 06-28-2016 04:56 PM

    Images don't seem to be loading.

     

    When trying to open that link manually I get:

    The content you requested is located on the CA Intranet website.

    Because it’s currently only available within our CA network, please log onto the VPN first and then try to access the link again



  • 6.  Re: Tech Tips: How to determine if a NetFlow enabled device is sending the correct fields

    Posted 06-28-2016 05:16 PM

    Frank try this link for now, it should display the images: http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec597610.aspx

     

    I will try reuploading the images to see if it fixes it here, but the link above has the same information.



  • 7.  Re: Tech Tips: How to determine if a NetFlow enabled device is sending the correct fields

    Posted 06-28-2016 05:34 PM

    Spot on! Many thanks - that one works for me. Makes a lot more sense now!


    Thanks!