[netflow-tools] issues with flowd and CISCO ASA

John Marrett johnf at zioncluster.ca
Wed Mar 21 11:35:49 EST 2012


Jonathan,

I think I have an idea of what may have gone wrong. The second patch, as
you referred to it, replaces the first patch. If you apply both patches then
you will probably have a problem applying the second one. You should start
from a clean copy of the source and apply only the second revision of the
patch. I have only tested the patch against version 0.9.1.

If you are still unable to apply the patch please let me know and I'll take
another look at it.

On the subject of my patch, there are two deficiencies, one of which is
fairly critical:
 - It doesn't import packet start/stop time
 - It also doesn't record the NATed address (which also should be available
in the packets from the ASA, as of yet unconfirmed)

It would be pretty interesting to implement these features, especially the
first one. If you do so please update the list :)

-JohnF

On Tue, Mar 20, 2012 at 4:24 PM, Jonathan Fontaine
<jfontaine420 at gmail.com> wrote:

> Hi,
>
>
>
> I have posted an issue on the google code page but it seems this mailing
> list is still used.
>
> So here is the issue I posted :
>
>
> ______________________________________________________________________________________________________________
>
> Hi,
>
>
>
> Collecting netflow v9 data from a CISCO ASA 5505 with flowd
>
>
>
> When I take a look at the collected data, all values are set to 0 for the
> "octets" and "packets" fields.
>
>
>
> I know a patch has been issued to resolve this issue so I successfully
> applied the first patch (asa_patch.diff).
>
>
>
> I had trouble applying the second patch (asa_patch_2.diff). I get the
> following output when trying to patch the netflow.h file :
>
> Hunk #1 FAILED at 162.
>
> 1 out of 1 hunk FAILED -- saving rejects to file
>
>
>
> This is the content of netflow.h.rej :
>
>
>
> --- netflow.h   Sun Oct 31 16:36:52 2010 +0000
>
> +++ netflow.h   Wed Aug 31 09:09:01 2011 -0400
>
> @@ -162,7 +162,10 @@
>
> #define NF9_ENGINE_ID                  39
>
> /* ... */
>
> #define NF9_IPV6_NEXT_HOP              62
>
> -
>
> +/* ... */
>
> +//Cisco ASA Netflow
>
> +#define NF9_ASA_NF_F_FLOW_BYTES                85
>
> +/* ... */
>
> +#define NF9_ASA_NF_F_FW_EVENT          40005
>
>
>
> #endif /* _NETFLOW_H */
>
> -
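Review bot: the added "//Cisco ASA Netflow" line above NF9_ASA_NF_F_FLOW_BYTES uses a C++-style comment, while the visible header uses the /* ... */ form (see "#endif /* _NETFLOW_H */"); writing it as /* Cisco ASA NetFlow */ keeps the header consistent and acceptable to strict C89 compilers. The hunk also removes the blank line after NF9_IPV6_NEXT_HOP and the one after #endif; these whitespace-only deletions tie the hunk to exact blank-line context at the end of the file, so I would drop them and keep the change to the new #define lines only.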
>
>
>
>
>
> I am using flowd 0.9.1 on CentOS 6.2
>
>
>
> Thanks for the great collector by the way