From dm at belkam.com Wed Aug 10 17:32:19 2011
From: dm at belkam.com (Dmitry Melekhov)
Date: Wed, 10 Aug 2011 11:32:19 +0400
Subject: [netflow-tools] flowd and cisco asa
Message-ID: <4E423403.2050504@belkam.com>

Hello!

I installed flowd and receive netflow from cisco asa.
All is OK except lack of octets and packets info in flowd log.
As I heard, ASA sends such info.
Is there any solution?

Thank you!

From dm at belkam.com Wed Aug 10 18:51:10 2011
From: dm at belkam.com (Dmitry Melekhov)
Date: Wed, 10 Aug 2011 12:51:10 +0400
Subject: [netflow-tools] flowd and cisco asa
In-Reply-To: <4E423403.2050504@belkam.com>
References: <4E423403.2050504@belkam.com>
Message-ID: <4E42467E.70607@belkam.com>

On 10.08.2011 11:32, Dmitry Melekhov wrote:
> Hello!
>
> I installed flowd and receive netflow from cisco asa.
> All is OK except lack of octets and packets info in flowd log.
> As I heard, ASA sends such info.
>
Yes, I looked into netflow packets with wireshark and they have octets info...
> Is there any solution?
> Thank you!

From cbexpress1 at gmail.com Fri Aug 12 00:56:11 2011
From: cbexpress1 at gmail.com (CB EXPRESS)
Date: Thu, 11 Aug 2011 10:56:11 -0400
Subject: [netflow-tools] Pfflowd startup options

----- Original Message -----
From: CB EXPRESS
To: netflow-tools at mindrot.org
Sent: Wednesday, August 10, 2011 6:53 AM
Subject: Pfflowd startup options

I'm running Pfflowd on PFsense 2.0 RC3. I'm using PRTG to collect the flow data.

I tried softflowd and it does not report correctly; it seems to count only a fraction of the actual usage using netflow V 9. Pfflowd does seem to work correctly with PRTG so far, except for the flow timeouts. I get several flow timeout errors concerning flows that have an expired time stamp.

Below is the config from the pfflowd.sh file on my system. I have searched high and low for the man page that explains what options can be included at startup and found nothing.

I can assume -n is the IP and port, that's a gimme, and -s is where the data is sent from. -S any must be the direction of the flows to count and send, and V 9 is the netflow version. What can I add to this file to set the flow timeout to 5 minutes?

/sbin/ifconfig pfsync0 up
/usr/local/sbin/pfflowd -n 192.168.0.4:9996 -s 192.168.25.1 -S any -v 9

Thanks
Allan

From johnf at zioncluster.ca Tue Aug 23 22:54:12 2011
From: johnf at zioncluster.ca (John Marrett)
Date: Tue, 23 Aug 2011 08:54:12 -0400
Subject: [netflow-tools] flowd ASA Support

I have been trying to feed data from an ASA to flowd using netflow. Cisco appears to have taken a rather non-standard approach with their implementation of netflows on the ASA.

In my flowd.conf I have configured store ALL, so all the information received from the ASA should be recorded. I properly receive the port source and destination information; however, the octet and packet counts remain at 0. When I output the records using flowd-reader -vd I form the impression that the additional fields are not being recorded by flowd. Here is an example of output:

FLOW recv_time 2011-08-22T15:00:54.124271 proto 6 tcpflags 00 tos 00 agent [172.25.233.25] src [172.16.238.149]:1784 dst [206.167.78.40]:80 in_if 4 out_if 3 sys_uptime_ms 2w17h40m31s.044 time_sec 2011-08-22T15:00:54 time_nanosec 0 netflow ver 9

According to this document [1] on the ASA netflow implementation, I should expect field type 85 to contain the number of bytes sent in the flow; this field will only [exist/have a non zero value] on the flow record sent when the connection is torn down.

I'd like to be able to record the additional fields that the ASA sends; while I'm most interested in traffic volume, it would also be interesting to record translated addresses and some of the other information being sent.

I would really appreciate any assistance anyone can offer in helping me to record and make use of the additional information in the ASA flows.

Thanks in advance,

[1] http://www.cisco.com/en/US/docs/security/asa/asa82/netflow/netflow.html#wp1028790

-JohnF

From cbexpress1 at gmail.com Wed Aug 24 22:38:21 2011
From: cbexpress1 at gmail.com (CB EXPRESS)
Date: Wed, 24 Aug 2011 08:38:21 -0400
Subject: [netflow-tools] ignore interface

If a system has more than 2 interfaces, is there an option for softflowd or pfflowd to have it ignore traffic from these interfaces?

Thanks
Allan

From johnf at zioncluster.ca Tue Aug 30 22:53:24 2011
From: johnf at zioncluster.ca (John Marrett)
Date: Tue, 30 Aug 2011 08:53:24 -0400
Subject: [netflow-tools] flowd ASA Support

I have implemented some extremely basic ASA support in the attached patch. It implements the following ASA functionality:

If a packet with field type 85 is received, it will set the octet counter to match the value from that field; this will override any value expressed in the standard octet counter NF9_IN_BYTES, field type 1. If the number of octets is greater than 0 it will also set the packet counter to 1.

It would be possible to add other functionality, such as:

- recording of translated IPs and ports
- recording of the start time of the flow as well as / instead of the termination time
- recording of flow denial (flows are created for traffic that is denied)

This patch implements the initial support that I need; if I develop anything else I will share it with the list.

-JohnF

-------------- next part --------------
A non-text attachment was scrubbed...
Name: asa_patch.diff
Type: text/x-patch
Size: 972 bytes

From johnf at zioncluster.ca Wed Aug 31 23:22:31 2011
From: johnf at zioncluster.ca (John Marrett)
Date: Wed, 31 Aug 2011 09:22:31 -0400
Subject: [netflow-tools] flowd ASA Support

I have updated my patch so that it reports all ASA reported flows as having at least one packet. This allows reporting on blocked traffic with the flow-tools utility flow-report.

-JohnF

-------------- next part --------------
A non-text attachment was scrubbed...
Name: asa_patch_2.diff
Type: text/x-patch
Size: 939 bytes
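For readers following the two patch messages above, here is an added C illustration of the rule John describes (field type 85 overriding NF9_IN_BYTES, and ASA flows reported with at least one packet, per the second revision). It is not John's patch, which the archive does not reproduce, and not flowd code: the template descriptor struct, the function names and the sample record are constructed for this example, and records carrying field 85 are assumed to be the ASA records.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Hypothetical template descriptor (not flowd's own type): one entry per field. */
struct nf9_field { uint16_t type; uint16_t len; };
#define NF9_IN_BYTES   1   /* standard octet counter, field type 1 */
#define NF9_IN_PKTS    2   /* standard packet counter, field type 2 */
#define ASA_FLOW_BYTES 85  /* ASA byte count, field type 85, as described in the thread */
struct flow_counters { uint64_t octets; uint64_t packets; int from_asa; };
/* Read a big-endian unsigned integer of 1..8 bytes. */
static uint64_t be_uint(const uint8_t *p, size_t len)
{
    uint64_t v = 0;
    for (size_t i = 0; i < len; i++) v = (v << 8) | p[i];
    return v;
}
/* Walk one data record described by tmpl and fill the counters. Field 85
 * overrides NF9_IN_BYTES whatever the field order, and a record carrying it
 * is reported with at least one packet (second revision of the patch), so a
 * denied flow (0 bytes) still shows up in reports. Returns -1 on a short record. */
int asa_counters(const struct nf9_field *tmpl, size_t nfields,
                 const uint8_t *rec, size_t reclen, struct flow_counters *out)
{
    size_t off = 0;
    memset(out, 0, sizeof(*out));
    for (size_t i = 0; i < nfields; i++) {
        size_t len = tmpl[i].len;
        if (len == 0 || len > 8 || off + len > reclen) return -1;
        uint64_t v = be_uint(rec + off, len);
        switch (tmpl[i].type) {
        case NF9_IN_BYTES:   if (!out->from_asa) out->octets = v; break;
        case NF9_IN_PKTS:    out->packets = v; break;
        case ASA_FLOW_BYTES: out->from_asa = 1; out->octets = v; break;
        default: break;      /* addresses, ports, etc. are not needed here */
        }
        off += len;
    }
    if (out->from_asa && out->packets == 0) out->packets = 1;
    return 0;
}
/* Constructed sample: IN_BYTES = 0 then field 85 = asa_bytes (1500: torn-down flow, 0: denied). */
int demo_asa_record(uint32_t asa_bytes, struct flow_counters *out)
{
    static const struct nf9_field tmpl[] = { {NF9_IN_BYTES, 4}, {ASA_FLOW_BYTES, 4} };
    uint8_t rec[8] = { 0, 0, 0, 0, (uint8_t)(asa_bytes >> 24),
        (uint8_t)(asa_bytes >> 16), (uint8_t)(asa_bytes >> 8), (uint8_t)asa_bytes };
    return asa_counters(tmpl, 2, rec, sizeof rec, out);
}
```

A denied flow comes out as 0 octets, 1 packet, which is what lets flow-report count blocked traffic instead of skipping the record.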