[netflow-tools] Cisco ASA OS 9 flowd errors

John Marrett johnf at zioncluster.ca
Sun Nov 9 04:27:45 EST 2014


I've updated the patch [1] (it was completely broken). There's no change in
functionality, but it should build now.

If you have any issues please let me know on list.

[1] http://zioncluster.ca/netflow/asa-9-patch-1.diff

Thanks,

-JohnF

On Fri, Feb 21, 2014 at 9:38 PM, John Marrett <johnf at zioncluster.ca> wrote:

> I'm somewhat pleased to announce the first version of my patch for ASA 9
> support [1]. Unfortunately it is far from complete. In fact, it's only
> marginally usable.
>
> The initial problems were caused by the ASA 9 templates massively exceeding
> the value of DEFAULT_MAX_TEMPLATES. I have increased it to 1024 and it can
> now process the full template load.
>
> I think there is some confusion between DEFAULT_MAX_TEMPLATES templates,
> which appears to be intended to be a counter of the number of templates;
> however, it seems to actually be the maximum number of fields. There is also a
> value for DEFAULT_MAX_TEMPLATE_LEN which appears to be intended to be a
> counter of the number of template fields, possibly per template. The first
> template from the ASA in version 9 contains a large number of fields; it
> can't be processed and it starts aborting immediately, reporting the "forced
> deletion of template 0x0100 from peer" error.
>
> Unfortunately this is where the first ASA 9 patch begins and also ends. It
> will report all flows as 0 packets, 0 bytes. My next update should implement
> processing of update fields as Craig has proposed. It will work based on
> only processing update events [1] and by handling the two new ASA packet
> counters.
>
> Hopefully more to come this weekend.
>
> [1] http://zioncluster.ca/netflow/asa-9-patch-1.diff
> [2] http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/system/netflow/netflow.html#wp1028202
>
> -JohnF
>
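
The quoted message distinguishes a cap on the number of templates from a cap on the number of fields in one template. The sketch below is an added example, not flowd's code and not part of the patch: it parses a NetFlow v9 template FlowSet body (record layout per RFC 3954) and enforces the two limits separately, so an oversized template is reported as such instead of looking like a full table. All names and limit values are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical limits for this example; not flowd's names or values. */
#define MAX_TEMPLATES       4  /* distinct templates kept per peer */
#define MAX_FIELDS_PER_TMPL 8  /* field specifiers allowed in one template */

enum { TMPL_OK = 0, TMPL_TRUNCATED = -1, TMPL_TOO_MANY_FIELDS = -2, TMPL_TABLE_FULL = -3 };

struct tmpl_table { uint16_t ids[MAX_TEMPLATES], nfields[MAX_TEMPLATES]; size_t count; };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Constructed sample input: one template record, id + n zeroed field specs. */
size_t build_template(uint8_t *out, uint16_t id, uint16_t n)
{
    memset(out, 0, 4 + (size_t)n * 4);
    out[0] = (uint8_t)(id >> 8); out[1] = (uint8_t)id;
    out[2] = (uint8_t)(n >> 8);  out[3] = (uint8_t)n;
    return 4 + (size_t)n * 4;
}

/* Body of a NetFlow v9 template FlowSet (RFC 3954): repeated records of
 * template_id(2), field_count(2), then field_count * { type(2), length(2) }. */
int parse_template_flowset(struct tmpl_table *t, const uint8_t *buf, size_t len)
{
    size_t off = 0, i;
    while (len - off >= 4) {
        uint16_t id = be16(buf + off), n = be16(buf + off + 2);
        off += 4;
        if (n > MAX_FIELDS_PER_TMPL)      /* per-template field limit */
            return TMPL_TOO_MANY_FIELDS;
        if ((size_t)n * 4 > len - off)    /* field specs run past the buffer */
            return TMPL_TRUNCATED;
        off += (size_t)n * 4;
        for (i = 0; i < t->count && t->ids[i] != id; i++)
            ;
        if (i == t->count) {              /* new id: needs a free table slot */
            if (t->count == MAX_TEMPLATES)
                return TMPL_TABLE_FULL;
            t->count++;
        }
        t->ids[i] = id;                   /* known id: refresh in place */
        t->nfields[i] = n;
    }
    return TMPL_OK;
}
```

A template that is resent under an id already in the table refreshes its slot and does not count against the table limit.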