How can I use Wireshark (or Pilot/Cascade) analysis to determine my enterprise netflows per sec? asked 25 May '12, 13:04 Philster
One Answer:
Can you please try this:
Then use an external tool (a script or Excel) to calculate the number of flows per second. Regards

answered 26 May '12, 04:39 Kurt Knochner ♦

I will try this, THX! However, not being able to visualize it without data, what kind of calculation do you make in the spreadsheet? (26 May '12, 12:22) Philster

That depends on what you need. If you just need a total value, then summarize all flows and divide it by the duration (seconds) of the capture. If you need the flows for every second/minute, you'll have to summarize all flows during one second/minute. I'm not an Excel expert and I would rather use a Perl script, so I cannot help you with that calculation in Excel. You could try to create a line chart from the data (y-axis: flows, x-axis: time). Another option would be the IO Graphs of Wireshark: select Advanced for the Y Axis, then Graph 1: Calc: AVG(*) cflow.flows, Style: Line. If AVG(*) does not deliver what you need, try other calc methods (COUNT). (26 May '12, 14:49) Kurt Knochner ♦

The latter method using the Wireshark IO graphs - that doesn't require any intermediate processing in a spreadsheet, does it? Can't you use that directly on the capture? This sounds easier. (27 May '12, 06:25) Philster

Wireshark IO Graphs do not require Excel and it works directly on the capture data. Just follow my explanation. (27 May '12, 11:58) Kurt Knochner ♦

My version 1.4.6 Wireshark doesn't have any advanced options. What am I missing? (29 May '12, 12:01) Philster

Please check what you see in the drop down menu for Y Axis - Unit:. The default value is Packets/Tick. If there is no Advanced option in the drop down menu, you need a newer version of Wireshark (1.6.8 or 1.7.x). (29 May '12, 20:45) Kurt Knochner ♦
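A script of the kind the answer leaves to the "external tool" step, added here as an example and not part of the thread. It assumes the capture was exported with `tshark -r nf.pcap -Y cflow -T fields -E separator=, -e frame.time_epoch -e cflow.flows` (a command chosen for this example; the thread's own steps are not shown), and it computes both the total-over-duration figure and the per-second buckets the answer describes.

```python
"""Flows per second from NetFlow export packets, as exported by tshark.
Assumed command (not from the thread): tshark -r nf.pcap -Y cflow -T fields
  -E separator=, -e frame.time_epoch -e cflow.flows  -> one line per packet.
"""
from collections import defaultdict

# Constructed sample of that tshark output: five export packets, ~2.3 seconds.
SAMPLE_CSV = """\
1337900000.101,30
1337900000.850,25
1337900001.200,30
1337900001.900,12
1337900002.400,30
"""

def parse_export(text):
    """Return (timestamp, flows) tuples, skipping blank or field-less lines."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 2 or not parts[1]:
            continue  # packet without a cflow.flows field, or an empty line
        records.append((float(parts[0]), int(parts[1])))
    return records

def average_flows_per_second(records):
    """Total flows divided by capture duration (the 'total value' method)."""
    if len(records) < 2:
        raise ValueError("need at least two packets to measure a duration")
    total = sum(flows for _, flows in records)
    duration = records[-1][0] - records[0][0]
    return total / duration

def flows_per_second_buckets(records):
    """Sum flows into one-second buckets keyed by whole epoch second."""
    buckets = defaultdict(int)
    for ts, flows in records:
        buckets[int(ts)] += flows
    return dict(sorted(buckets.items()))

if __name__ == "__main__":
    recs = parse_export(SAMPLE_CSV)
    print(f"average: {average_flows_per_second(recs):.1f} flows/s")
    for second, count in flows_per_second_buckets(recs).items():
        print(second, count)
```

The per-second dictionary is what you would chart (x: second, y: flows), matching the IO Graph suggestion in the answer.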
What does that mean?

a) netflow records per second received, which would mean some sort of investigation of the volume of netflow records coming in

b) statistical drilldown of flows reported, which would mean "can Wireshark do what a Netflow Collector does?"
So in this case I'm not asking if Wireshark does what a netflow collector does. I'm asking if there's a filter or analysis you can perform on a capture of your netflow collector's input interface that can determine the actual count of netflows being received, in terms of flows per second?
So I'm thinking, if you filter on the netflow traffic port on the flow collector interface - you can get a connection count between there and all of the remote devices sending flow. However, I don't think that a count of netflow connections is the same thing as the number of netflows being sent.