From jfontaine420 at gmail.com Wed Mar 21 07:24:16 2012
From: jfontaine420 at gmail.com (Jonathan Fontaine)
Date: Tue, 20 Mar 2012 16:24:16 -0400
Subject: [netflow-tools] issues with flowd and CISCO ASA
Message-ID: 

Hi,

I have posted an issue on the google code page but it seems this mailing list is still used. So here is the issue I posted:

______________________________________________________________________________________________________________

Hi,

Collecting netflow v9 data from a CISCO ASA 5505 with flowd.

When I take a look at the collected data, all values are set to 0 for the "octets" and "packets" fields.

I know a patch has been issued to resolve this issue, so I successfully applied the first patch (asa_patch.diff).

I had trouble applying the second patch (asa_patch_2.diff). I get the following output when trying to patch the netflow.h file:

Hunk #1 FAILED at 162.
1 out of 1 hunk FAILED -- saving rejects to file

This is the content of netflow.h.rej:

--- netflow.h Sun Oct 31 16:36:52 2010 +0000
+++ netflow.h Wed Aug 31 09:09:01 2011 -0400
@@ -162,7 +162,10 @@
#define NF9_ENGINE_ID 39
/* ... */
#define NF9_IPV6_NEXT_HOP 62
-
+/* ... */
+//Cisco ASA Netflow
+#define NF9_ASA_NF_F_FLOW_BYTES 85
+/* ... */
+#define NF9_ASA_NF_F_FW_EVENT 40005

#endif /* _NETFLOW_H */
-

I am using flowd 0.9.1 on CentOS 6.2.

Thanks for the great collector by the way.
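Review bot: the reject is consistent with applying this hunk on top of asa_patch.diff rather than with a defect in the hunk: its context lines (`#define NF9_IPV6_NEXT_HOP 62`, a blank line, `#endif /* _NETFLOW_H */`) describe the tail of an unmodified 0.9.1 netflow.h, and once the first patch has already changed that region `patch` cannot match them at line 162, hence "Hunk #1 FAILED at 162"; starting from a clean tree and running `patch --dry-run` first confirms it before anything is written. Two things worth tidying in the hunk itself: `//Cisco ASA Netflow` is a C99/C++-style comment in a header whose other comments use `/* ... */`, so write it as `/* Cisco ASA NetFlow */` for consistency and for older C compilers; and the two `-` lines delete blank lines around `#endif`, unrelated whitespace churn that only enlarges the context the hunk depends on, so drop them.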
From johnf at zioncluster.ca Wed Mar 21 11:35:49 2012
From: johnf at zioncluster.ca (John Marrett)
Date: Tue, 20 Mar 2012 20:35:49 -0400
Subject: [netflow-tools] issues with flowd and CISCO ASA
In-Reply-To: 
References: 
Message-ID: 

Jonathan,

I think I have an idea of what may have gone wrong. The second patch, as you referred to it, replaces the first patch. If you apply both patches then you will probably have a problem applying the second one. You should start from a clean copy of the source and apply only the second revision of the patch.

I have only tested the patch against version 0.9.1. If you are still unable to apply the patch please let me know and I'll take another look at it.

On the subject of my patch, there are two deficiencies, one of which is fairly critical:

- It doesn't import packet start/stop time
- It also doesn't record the NATed address (which also should be available in the packets from the ASA, as of yet unconfirmed)

It would be pretty interesting to implement these features, especially the first one. If you do so please update the list :)

-JohnF

On Tue, Mar 20, 2012 at 4:24 PM, Jonathan Fontaine wrote:
> Hi,
>
> I have posted an issue on the google code page but it seems this mailing
> list is still used.
>
> So here is the issue I posted:
>
> ______________________________________________________________________________________________________________
>
> Hi,
>
> Collecting netflow v9 data from a CISCO ASA 5505 with flowd.
>
> When I take a look at the collected data, all values are set to 0 for the
> "octets" and "packets" fields.
>
> I know a patch has been issued to resolve this issue, so I successfully
> applied the first patch (asa_patch.diff).
>
> I had trouble applying the second patch (asa_patch_2.diff). I get the
> following output when trying to patch the netflow.h file:
>
> Hunk #1 FAILED at 162.
> 1 out of 1 hunk FAILED -- saving rejects to file
>
> This is the content of netflow.h.rej:
>
> --- netflow.h Sun Oct 31 16:36:52 2010 +0000
> +++ netflow.h Wed Aug 31 09:09:01 2011 -0400
> @@ -162,7 +162,10 @@
> #define NF9_ENGINE_ID 39
> /* ... */
> #define NF9_IPV6_NEXT_HOP 62
> -
> +/* ... */
> +//Cisco ASA Netflow
> +#define NF9_ASA_NF_F_FLOW_BYTES 85
> +/* ... */
> +#define NF9_ASA_NF_F_FW_EVENT 40005
>
> #endif /* _NETFLOW_H */
> -
>
> I am using flowd 0.9.1 on CentOS 6.2.
>
> Thanks for the great collector by the way.
>
> _______________________________________________
> netflow-tools mailing list
> netflow-tools at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/netflow-tools
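The symptom in the thread, byte and packet counters that arrive as 0, follows from how NetFlow v9 works: every data record is decoded against a template the exporter sent earlier, and a collector that only maps the standard field ids 1 (IN_BYTES) and 2 (IN_PKTS) silently skips a counter the ASA sends under id 85, the value the quoted hunk names NF9_ASA_NF_F_FLOW_BYTES. The following Python is an added illustration written for this page, not flowd's code and not John's patch: it builds a constructed v9 export packet (template flowset plus one data flowset; addresses, counters and timestamps are made up), then decodes it once without and once with the ASA mapping. The function and parameter names (build_template_flowset, parse_v9, asa_aware, asa_demo) are hypothetical, the template layout and field lengths are this example's own choices rather than a capture from an ASA, and the NF_F_FW_EVENT value is passed through as an opaque integer because the thread does not define its meaning.

```python
import struct

# NetFlow v9 field type ids. 1/2/8/12 are standard v9 ids; 85 and 40005 are
# the Cisco ASA ids named in the asa_patch_2.diff hunk quoted in this thread.
NF9_IN_BYTES = 1
NF9_IN_PACKETS = 2
NF9_IPV4_SRC_ADDR = 8
NF9_IPV4_DST_ADDR = 12
NF9_ASA_NF_F_FLOW_BYTES = 85
NF9_ASA_NF_F_FW_EVENT = 40005

NF9_TEMPLATE_FLOWSET_ID = 0  # flowset id 0 carries templates; data flowsets use ids >= 256


def build_template_flowset(template_id, fields):
    """Encode one template: template id, field count, then (type, length) pairs."""
    body = struct.pack("!HH", template_id, len(fields))
    for ftype, flen in fields:
        body += struct.pack("!HH", ftype, flen)
    return struct.pack("!HH", NF9_TEMPLATE_FLOWSET_ID, 4 + len(body)) + body


def build_data_flowset(template_id, records):
    """Encode data records under a template id, padded to a 4-byte boundary."""
    body = b"".join(records)
    pad = (-len(body)) % 4
    return struct.pack("!HH", template_id, 4 + len(body) + pad) + body + b"\x00" * pad


def build_packet(flowsets, record_count, source_id=0):
    """Prepend the 20-byte v9 header (constructed uptime, export time and sequence)."""
    header = struct.pack("!HHIIII", 9, record_count, 123456, 1332275056, 1, source_id)
    return header + b"".join(flowsets)


def decode_record(raw, fields, asa_aware):
    """Apply a template to one fixed-length record. Field ids the decoder does not
    map are skipped, so a counter sent under such an id is lost and stays 0."""
    flow = {"src": None, "dst": None, "octets": 0, "packets": 0, "fw_event": None}
    pos = 0
    for ftype, flen in fields:
        chunk = raw[pos:pos + flen]
        pos += flen
        value = int.from_bytes(chunk, "big")
        if ftype == NF9_IPV4_SRC_ADDR:
            flow["src"] = ".".join(str(b) for b in chunk)
        elif ftype == NF9_IPV4_DST_ADDR:
            flow["dst"] = ".".join(str(b) for b in chunk)
        elif ftype == NF9_IN_BYTES:
            flow["octets"] = value
        elif ftype == NF9_IN_PACKETS:
            flow["packets"] = value
        elif asa_aware and ftype == NF9_ASA_NF_F_FLOW_BYTES:
            flow["octets"] = value      # the extra mapping the ASA patch provides
        elif asa_aware and ftype == NF9_ASA_NF_F_FW_EVENT:
            flow["fw_event"] = value    # kept as an opaque integer in this example
    return flow


def parse_v9(packet, templates, asa_aware):
    """Walk the flowsets of one export packet. `templates` is a dict keyed by
    (source id, template id) that a collector keeps across packets."""
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    flows = []
    off = 20
    while off + 4 <= len(packet):
        fsid, flen = struct.unpack("!HH", packet[off:off + 4])
        if flen < 4:
            raise ValueError("malformed flowset length")
        body = packet[off + 4:off + flen]
        if fsid == NF9_TEMPLATE_FLOWSET_ID:
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4]) for i in range(nfields)]
                pos += 4 * nfields
                templates[(source_id, tid)] = fields
        elif fsid >= 256:
            fields = templates.get((source_id, fsid))
            if fields is not None:      # data seen before its template is dropped
                rec_len = sum(length for _, length in fields)
                pos = 0
                while rec_len and pos + rec_len <= len(body):
                    flows.append(decode_record(body[pos:pos + rec_len], fields, asa_aware))
                    pos += rec_len
        off += flen
    return flows


def asa_demo():
    """Constructed packet modelled on the thread's symptom: the template carries
    its byte counter as field 85 and has no field 1 or 2 at all."""
    asa_fields = [(NF9_IPV4_SRC_ADDR, 4), (NF9_IPV4_DST_ADDR, 4),
                  (NF9_ASA_NF_F_FLOW_BYTES, 4), (NF9_ASA_NF_F_FW_EVENT, 1)]
    record = bytes([192, 0, 2, 10]) + bytes([198, 51, 100, 7]) + struct.pack("!I", 1500) + bytes([2])
    packet = build_packet([build_template_flowset(256, asa_fields),
                           build_data_flowset(256, [record])], record_count=2)
    unpatched = parse_v9(packet, {}, asa_aware=False)[0]
    patched = parse_v9(packet, {}, asa_aware=True)[0]
    return unpatched, patched


if __name__ == "__main__":
    before, after = asa_demo()
    print("unpatched:", before)   # octets 0, fw_event None
    print("patched:  ", after)    # octets 1500, fw_event 2
```

Because the constructed template carries no packet counter at all, `packets` stays 0 in both decodes; that is a property of this example's template, and it mirrors why a mapping fix in the collector can only recover what the exporter actually sends. The same template-driven lookup is where the two gaps John lists would be filled: start/stop times and the translated addresses are simply further field ids that the decoder has to know about.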