On 03/02/2015 11:28, nfdump-discuss-requ...@lists.sourceforge.net wrote:
> In a wireshark capture I can't seem to see any field which would
> indicate the amount of bytes? I see initiator octets and responder
> octets change but I don't know what these fields are used for.
> Periodic byte counters were added as a feature in 8.4(5) and 9.1(2):
> http://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html
I think the initiator/responder octets are indeed those counters. Example I see here with ASA 8.4(7):

  FlowSet 1
    FlowSet Id: (Data) (263)
    FlowSet Length: 440
    Flow 1
      Flow Id: 1877861196
      SrcAddr: x.x.x.140 (x.x.x.140)
      SrcPort: 33755
      InputInt: 2
      DstAddr: y.y.y.10 (y.y.y.10)
      DstPort: 80
      OutputInt: 11
      Protocol: 6
      IPv4 ICMP Type: 0
      IPv4 ICMP Code: 0
      Post NAT Source IPv4 Address: x.x.x.140 (x.x.x.140)
      Post NAT Destination IPv4 Address: 192.168.10.104 (192.168.10.104)
      Post NAPT Source Transport Port: 33755
      Post NAPT Destination Transport Port: 80
      Firewall Event: Unknown (5)
      Extended firewall event code: ignore (0)
      Observation Time Milliseconds: Feb 3, 2015 11:43:05.127000000 GMT
      Initiator Octets: 838
      Responder Octets: 9284
      StartTime: Feb 3, 2015 11:42:03.935000000 GMT

I got the above using

  tshark -ieth0 -nnV -s0 -d udp.port==9001,cflow udp port 9001

Note: this won't show anything of interest until after the flow template message has been read. By setting

  flow-export template timeout-rate 1

you won't have to wait more than one minute before the "no template found" messages disappear.

I also have:

  flow-export delay flow-create 10

in an attempt to aggregate flow data a bit. I do get plausible flows (i.e. the "In Byte" and "Out Byte" columns in nfsen are not all the same).

So it seems to me you ought to capture some tshark data, correlate this with the nfdump output at the same time, and see if the problem is the data from the ASA or the way it's recorded by nfcapd and displayed by nfdump.

Note: I believe I built nfdump with:

  ./configure --enable-nfprofile --enable-nftrack --enable-nsel

  $ nfdump -V
  nfdump: Version: NSEL-NEL1.6.12 $Date: 2014-04-02 20:08:48 +0200 (Wed, 02 Apr 2014) $

HTH,
Brian.
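The template dependency Brian describes (a data FlowSet is undecodable until the matching template has been seen, which is what tshark's "no template found" means) and the initiator/responder byte counters, as an added Python example that is not from the list post or the nfdump project. It builds a constructed NetFlow v9 template with ID 263 and one constructed data record, then decodes it with a minimal parser that keeps a template cache across packets, the way nfcapd and tshark must. The field type numbers are the IANA IPFIX element IDs (231 initiatorOctets, 232 responderOctets, 233 firewallEvent); the field list, the TEST-NET addresses and the packet header values are assumptions, while the byte counts 838/9284, the ports and the template ID are taken from the capture above.

```python
"""Minimal NetFlow v9 decoder for ASA NSEL byte counters (added example)."""
import socket
import struct
from typing import Dict, List, Tuple

# Subset of IANA IPFIX information element IDs (also used by NetFlow v9 / NSEL).
# Unknown element IDs are still decoded and reported as "field<N>".
FIELD_NAMES = {
    4: "protocol",
    7: "srcPort",
    8: "srcAddr",
    11: "dstPort",
    12: "dstAddr",
    231: "initiatorOctets",
    232: "responderOctets",
    233: "firewallEvent",
}
IP_FIELDS = {8, 12}

# Constructed template: ID 263 as in the capture, field list is an assumption.
TEMPLATE_263: List[Tuple[int, int]] = [
    (8, 4), (7, 2), (12, 4), (11, 2), (4, 1), (231, 8), (232, 8), (233, 1),
]
# Constructed flow: TEST-NET addresses; counters/ports/event copied from the capture.
SAMPLE_FLOW = {8: "192.0.2.140", 7: 33755, 12: "198.51.100.10", 11: 80,
               4: 6, 231: 838, 232: 9284, 233: 5}


class TemplateMissing(Exception):
    """Raised for a data FlowSet whose template has not been received yet."""


def _decode(ftype: int, raw: bytes):
    if ftype in IP_FIELDS and len(raw) == 4:
        return socket.inet_ntoa(raw)
    return int.from_bytes(raw, "big")


def parse_netflow9(packet: bytes,
                   templates: Dict[int, List[Tuple[int, int]]]) -> List[dict]:
    """Decode one v9 packet. `templates` must persist across packets, because
    the exporter sends templates only periodically (template timeout-rate)."""
    version = struct.unpack("!HHIIII", packet[:20])[0]
    if version != 9:
        raise ValueError("not NetFlow v9")
    records, offset = [], 20
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
        if fs_len < 4:
            raise ValueError("bad FlowSet length")   # avoids a zero-advance loop
        body = packet[offset + 4:offset + fs_len]
        if fs_id == 0:                                 # template FlowSet
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                templates[tid] = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                                  for i in range(nfields)]
                pos += 4 * nfields
        elif fs_id >= 256:                             # data FlowSet
            fields = templates.get(fs_id)
            if fields is None:
                raise TemplateMissing(f"no template {fs_id} seen yet")
            rec_len = sum(flen for _, flen in fields)
            pos = 0
            while pos + rec_len <= len(body):          # leftover bytes < rec_len are padding
                rec = {}
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, f"field{ftype}")] = _decode(ftype, body[pos:pos + flen])
                    pos += flen
                records.append(rec)
        # FlowSet ID 1 (options template) and other IDs < 256 are skipped here.
        offset += fs_len
    return records


def build_template_flowset(tid: int, fields: List[Tuple[int, int]]) -> bytes:
    body = struct.pack("!HH", tid, len(fields))
    body += b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body


def build_data_flowset(tid: int, fields: List[Tuple[int, int]], flows: List[dict]) -> bytes:
    body = b""
    for flow in flows:
        for ftype, flen in fields:
            v = flow[ftype]
            body += socket.inet_aton(v) if ftype in IP_FIELDS else v.to_bytes(flen, "big")
    body += b"\x00" * (-len(body) % 4)                 # pad to a 32-bit boundary
    return struct.pack("!HH", tid, 4 + len(body)) + body


def build_packet(flowsets: List[bytes], seq: int = 1) -> bytes:
    # version, count, sysUptime, unixSecs, sequence, sourceId (constructed values)
    return struct.pack("!HHIIII", 9, len(flowsets), 0, 1422963785, seq, 0) + b"".join(flowsets)


def demo():
    """Data packet before its template fails; after the template it decodes."""
    templates: Dict[int, List[Tuple[int, int]]] = {}
    data_pkt = build_packet([build_data_flowset(263, TEMPLATE_263, [SAMPLE_FLOW])], seq=1)
    tmpl_pkt = build_packet([build_template_flowset(263, TEMPLATE_263)], seq=2)
    try:
        parse_netflow9(data_pkt, templates)
        undecodable = False
    except TemplateMissing:
        undecodable = True                             # tshark's "no template found"
    parse_netflow9(tmpl_pkt, templates)
    flows = parse_netflow9(data_pkt, templates)        # same packet now decodes
    return undecodable, flows


if __name__ == "__main__":
    missing, decoded = demo()
    print("data decodable before template:", not missing)
    for f in decoded:
        print(f)
```

When correlating with nfdump, compare the decoded initiatorOctets/responderOctets for a given 5-tuple and time window against the In Byte/Out Byte columns for the same flow; a mismatch there separates an exporter problem from a collector problem, which is the distinction the post recommends establishing.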