Using Wireshark to view netflow data

Normally I don’t use Wireshark unless my only option for viewing traffic is a Windows machine.

tcpdump has done everything I’ve ever needed until now. tcpdump does not have a built-in NetFlow decoder. Even with all of tcpdump's verbose logging turned on (-vvv), the best you get is the UDP datagram to the collector port (2055 here) with no decoding of the payload:

netflow# tcpdump -n -s 0 -vvv port 2055

12:17:37.254419 IP (tos 0x0, ttl 254, id 25465, offset 0, flags [none], proto UDP (17), length 1060)
10.202.70.151.56627 > 10.48.2.156.2055: [udp sum ok] UDP, length 1032

Capture this traffic to a file using the -w option and open the file in Wireshark. When you click on the first flow you will generally see the output below: “no template found”.

image_035

This means that Wireshark has not yet “seen” a template with which it can decode the NetFlow packet. In NetFlow v9 (and IPFIX) a data flowset carries only a template ID, not the layout of its fields, so its bytes are opaque until the exporter's template for that ID has been captured. Keep clicking through each packet until eventually you trip over a template:

image_036

After this, any packet you open (captured before or after the template) is decoded correctly, because Wireshark caches the template once it has dissected it. Note that tshark's default single pass does not do this for packets that precede the template; use its two-pass mode (-2) to get the same result on the command line. Here is the Wireshark dump of the first packet, which previously showed the “no template found” error.

image_037
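To make concrete why Wireshark needs the template, here is an added example (not from the post, and not Wireshark's own code): a small NetFlow v9 dissector in Python that caches templates keyed the way Wireshark does (exporter, source ID, template ID) and shows the difference between a single pass over the capture and a second pass once every template is known. The exporter address, source ID 0, template ID 256 and the single flow record are constructed sample data, not a real router export.

```python
"""NetFlow v9 template cache demo: data flowsets are opaque until their template is seen."""
import struct
import ipaddress

# NetFlow v9 field types this example understands (RFC 3954, section 8). Unknown
# types are reported by number so their bytes are still consumed correctly.
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}
IPV4_FIELDS = {8, 12}
HEADER = "!HHIIII"                    # version, count, sysUptime, unixSecs, sequence, sourceId
HEADER_LEN = struct.calcsize(HEADER)  # 20 bytes


def parse_packet(exporter, payload, cache):
    """Dissect one NetFlow v9 export packet. `cache` maps
    (exporter, source_id, template_id) -> [(field_type, field_len), ...]; template IDs
    are only unique per exporter and source ID, so that is the key (Wireshark does the same).
    Returns a list of (kind, value) tuples in flowset order."""
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack(HEADER, payload[:HEADER_LEN])
    if version != 9:
        raise ValueError(f"not NetFlow v9: version {version}")
    out = []
    off = HEADER_LEN
    while off + 4 <= len(payload):
        fs_id, fs_len = struct.unpack("!HH", payload[off:off + 4])
        if fs_len < 4 or off + fs_len > len(payload):
            raise ValueError("bad flowset length")
        body = payload[off + 4:off + fs_len]
        if fs_id == 0:
            # Template flowset: one or more (template_id, field_count, fields...) entries.
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if pos + 4 * nfields > len(body):
                    raise ValueError("truncated template")
                fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4]) for i in range(nfields)]
                pos += 4 * nfields
                cache[(exporter, source_id, tid)] = fields
                out.append(("template", tid))
        elif fs_id == 1:
            out.append(("options-template", None))  # not decoded in this example
        else:
            # Data flowset: fs_id is a template ID. Without that template the bytes are opaque.
            fields = cache.get((exporter, source_id, fs_id))
            if fields is None:
                out.append(("no template found", fs_id))
            else:
                rec_len = sum(flen for _, flen in fields)
                pos = 0
                # Trailing padding is under 4 bytes, so the loop stops before it for any
                # realistic record length.
                while pos + rec_len <= len(body):
                    rec = {}
                    for ftype, flen in fields:
                        raw = body[pos:pos + flen]
                        pos += flen
                        name = FIELD_NAMES.get(ftype, f"type{ftype}")
                        rec[name] = (str(ipaddress.IPv4Address(raw)) if ftype in IPV4_FIELDS
                                     else int.from_bytes(raw, "big"))
                    out.append(("record", rec))
        off += fs_len
    return out


def dissect_capture(packets, two_pass=False):
    """packets: [(exporter_ip, udp_payload), ...] in capture order. The single pass mirrors
    a live read (or tshark's default); two_pass first walks the whole file to collect every
    template, so a data packet captured before its template still decodes."""
    cache = {}
    if two_pass:
        for exporter, payload in packets:
            parse_packet(exporter, payload, cache)
    return [parse_packet(exporter, payload, cache) for exporter, payload in packets]


# --- constructed sample export (hypothetical values, not captured from a router) ---
def build_packet(source_id, seq, flowsets, count):
    return struct.pack(HEADER, 9, count, 123456, 1700000000, seq, source_id) + b"".join(flowsets)


def template_flowset(template_id, fields):
    body = struct.pack("!HH", template_id, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body


def data_flowset(template_id, fields, records):
    body = b""
    for rec in records:
        for (ftype, flen), value in zip(fields, rec):
            body += ipaddress.IPv4Address(value).packed if ftype in IPV4_FIELDS else int(value).to_bytes(flen, "big")
    body += b"\x00" * ((-len(body)) % 4)  # pad the flowset to a 32-bit boundary
    return struct.pack("!HH", template_id, 4 + len(body)) + body


EXPORTER = "10.202.70.151"
TEMPLATE_ID = 256
FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4)]
FLOW = ("10.202.70.151", "10.48.2.156", 56627, 2055, 17, 1032)
# The template arrives only in the second packet, as in a capture started mid-stream.
CAPTURE = [
    (EXPORTER, build_packet(0, 1, [data_flowset(TEMPLATE_ID, FIELDS, [FLOW])], 1)),
    (EXPORTER, build_packet(0, 2, [template_flowset(TEMPLATE_ID, FIELDS)], 1)),
    (EXPORTER, build_packet(0, 3, [data_flowset(TEMPLATE_ID, FIELDS, [FLOW])], 1)),
]


def demo():
    """Returns (single_pass_results, two_pass_results) for the constructed capture."""
    return dissect_capture(CAPTURE), dissect_capture(CAPTURE, two_pass=True)


if __name__ == "__main__":
    for label, result in zip(("single pass", "two pass"), demo()):
        print(label)
        for i, pkt in enumerate(result, 1):
            print(f"  packet {i}: {pkt}")
```

In the single pass the first packet comes back as "no template found" (template 256), exactly the symptom in the screenshot, while the third decodes; in the two-pass run the first packet decodes too, which is the behaviour you see in the Wireshark GUI once the template has been dissected.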

Cisco IOS devices by default send a template after every 20 NetFlow export packets. You can change this with the commands below; in this case a template is sent after every 5 packets (the first line controls options templates, the second the data templates):

ip flow-export template options refresh-rate 5
ip flow-export template refresh-rate 5

Increasing the template frequency means you can find one close to the packets you are interested in. You could even drop it to 1, which sends a template with every export packet, at the cost of a little extra export traffic.
