[netflow-tools] flowd ASA Support
John Marrett
johnf at zioncluster.ca
Tue Aug 23 22:54:12 EST 2011
I have been trying to feed data from an ASA to flowd using netflow.
Cisco appears to have taken a rather non-standard approach with their
implementation of netflows on the ASA.
In my flowd.conf I have configured store ALL, so all the information
received from the ASA should be recorded. I properly receive the port
source and destination information, however the octet and packet
counts remain at 0. When I output the records using flowd-reader -vd I
form the impression that the additional fields are not being recorded
by flowd.
Here is an example of output:
FLOW recv_time 2011-08-22T15:00:54.124271 proto 6 tcpflags 00 tos 00
agent [172.25.233.25] src [172.16.238.149]:1784 dst [206.167.78.40]:80
in_if 4 out_if 3 sys_uptime_ms 2w17h40m31s.044 time_sec
2011-08-22T15:00:54 time_nanosec 0 netflow ver 9
According to this document [1] on the ASA netflow implementation I
should expect field type 85 to contain the number of bytes sent in the
flow, this field will only [exist/have a non zero value] on the flow
record sent when the connection is torn down.
I'd like to be able to record the additional fields that the ASA
sends, while I'm most interested in traffic volume it would also be
interesting to record translated addresses and some of the other
information being sent.
I would really appreciate any assistance anyone can offer in helping
me to record and make use of the additional information in the ASA
flows.
Thanks in advance,
[1] http://www.cisco.com/en/US/docs/security/asa/asa82/netflow/netflow.html#wp1028790
-JohnF
More information about the netflow-tools
mailing list