How can I determine if a NetFlow-enabled device is sending the correct fields and data using Wireshark?

Document ID : KB000011095
Last Modified Date : 14/02/2018
Question:

ReporterAnalyzer (RA) and Network Flow Analysis (NFA) require that certain fields are sent from a NetFlow-enabled device in order for the software to display data properly.

If one or more of these fields are not sent along with the NetFlow data, RA/NFA may either show incorrect data or no data at all from that device.

Most NetFlow v5 devices send the same fixed set of fields regardless; in NetFlow v9 and newer, however, the device must send a template that tells the receiver how to interpret the data records. This verification may still be necessary for troubleshooting some NetFlow v5 devices as well.

Below are the required fields for NetFlow data to be displayed in RA/NFA: 

  • One of the following:
    • 1 - IN_BYTES
    • 85 - IN_PERMANENT_BYTES
    • 231 - FW_INITIATOR_OCTETS  (ASA Devices)
    • 232 - FW_RESPONDER_OCTETS  (ASA Devices)
  • 4 - PROTOCOL
  • 7 - L4_SRC_PORT
  • 8 - IPV4_SRC_ADDR
  • 10 - INPUT_SNMP
  • 11 - L4_DST_PORT
  • 12 - IPV4_DST_ADDR
  • 14 - OUTPUT_SNMP
Answer:

You can verify that these fields are being sent by running Wireshark on the Harvester to which the device is sending data.

**Note that the steps for the Capture Filter may vary slightly depending on the version of Wireshark; this example is based on version 1.8.6.**

1. Open Wireshark on the Harvester server, go to the "Capture" top menu and then "Options".

options.png

2. Click the interface which is receiving the NetFlow, and then enter the Capture Filter string like below:

   host x.x.x.x and udp port 9995

captureFilterStart.png

3. Click "Capture->Start" to begin capturing data.

4. Allow the capture to run for at least 5 minutes to ensure a NetFlow template is received; the template is necessary to decode the NetFlow data records. Click Stop to stop the capture.

5. Click "Analyze->Decode As..."

decodeAs.png

6. Click the + sign, change the drop-down menu to "Destination (->9995)", select "CFLOW" on the right and click OK.

Note: if this is sFlow data, decode as SFLOW instead of CFLOW.

cflow.png

7. Verify that there is a template and that the flows have been decoded by expanding the line that reads "Cisco NetFlow/IPFIX" and checking whether Flows are listed below it. If no template has been received, you will not be able to see the flows below this line and you will see a message stating "No Template Found". If this is the case, you will need to take a longer pcap in order to capture the template.

expandFlows.png

8. To find the datagram that carries the NetFlow template, enter "cflow.template_id" in the Filter field; this filters the capture down to only the datagrams that contain a NetFlow template.

Here you can check whether the required NetFlow fields are being sent in the template.

If you expand the section below that says "Template (ID = ....)", you can see the list of fields being sent and match them up with the required fields listed above.

Figure 7

9. To view the actual values being sent for these fields, clear the cflow.template_id filter and click on any other datagram.

Expand the line that says "Cisco NetFlow/IPFIX", then expand one of the FlowSets until you can see a list of fields and values like below. Make sure that the "FlowSet Id: (Data)" value matches the template ID (in this case 256) so that you are looking at the correct flow:

Figure 8
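As an added example that is not part of this KB article, the following Python script does offline what step 8 does in Wireshark: it parses the template FlowSet (FlowSet ID 0) of a NetFlow v9 export packet and reports which of the required fields listed above are missing. The sample packet is constructed inline, and the per-field lengths in it are assumed values.

```python
import struct

# Required field IDs from the list above: one byte counter plus the seven others.
BYTE_COUNTER_IDS = {1, 85, 231, 232}  # IN_BYTES, IN_PERMANENT_BYTES, FW_*_OCTETS
REQUIRED_IDS = {4: "PROTOCOL", 7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR", 10: "INPUT_SNMP",
                11: "L4_DST_PORT", 12: "IPV4_DST_ADDR", 14: "OUTPUT_SNMP"}

def parse_v9_templates(payload: bytes) -> dict:
    """Return {template_id: [field_type, ...]} from every template FlowSet (ID 0)
    in one NetFlow v9 export packet (the UDP payload). Data FlowSets are skipped."""
    version = struct.unpack_from("!H", payload, 0)[0]
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    templates, offset = {}, 20  # the v9 packet header is 20 bytes
    while offset + 4 <= len(payload):
        flowset_id, length = struct.unpack_from("!HH", payload, offset)
        if length < 4:
            raise ValueError("malformed FlowSet length")
        end = offset + length
        if flowset_id == 0:  # template FlowSet; may carry several templates
            pos = offset + 4
            while pos + 4 <= end:
                template_id, field_count = struct.unpack_from("!HH", payload, pos)
                pos += 4
                if field_count == 0:  # zero padding at the end, not a template
                    break
                fields = [struct.unpack_from("!HH", payload, pos + 4 * i)[0]
                          for i in range(field_count)]  # keep field type, drop length
                templates[template_id] = fields
                pos += 4 * field_count
        offset = end
    return templates

def missing_required(fields) -> list:
    """Names of required fields absent from one template's field-type list."""
    present = set(fields)
    missing = [name for fid, name in REQUIRED_IDS.items() if fid not in present]
    if not present & BYTE_COUNTER_IDS:
        missing.append("IN_BYTES (or IN_PERMANENT_BYTES / FW_*_OCTETS)")
    return missing

def build_template_packet(template_id: int, fields) -> bytes:
    """Constructed sample input: a v9 header plus one template FlowSet."""
    header = struct.pack("!HHIIII", 9, 1, 0, 0, 0, 0)  # version, count, uptime, secs, seq, source
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", ftype, flen) for ftype, flen in fields)
    return header + struct.pack("!HH", 0, 4 + len(body)) + body
```

Feed `parse_v9_templates` the UDP payload of a datagram matched by the cflow.template_id filter (exported from Wireshark as raw bytes) and pass each template's field list to `missing_required`.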

Additional Information:

The fields in the template correspond to the fields in the actual flows, but the names may be slightly different.

For example, for most Cisco devices:

1 - IN_BYTES in the template is the same as Octets in the flow.

4 - PROTOCOL in the template is the same as Protocol in the flows.

7 - L4_SRC_PORT in the template is the same as SrcPort in the flows.

8 - IPV4_SRC_ADDR in the template is the same as SrcAddr in the flows.

10 - INPUT_SNMP in the templates is the same as InputInt in the flows and will have the raw ifindex of the IN interface.

11 - L4_DST_PORT in the templates is the same as DstPort in the flows.

12 - IPV4_DST_ADDR in the templates is the same as DstAddr in the flows.

14 - OUTPUT_SNMP in the templates is the same as OutputInt in the flows and will have the raw ifindex of the OUT interface.