In my environment we have a Cisco Nexus 7k which is configured to send flow records (NetFlow v9) to a flow collector/analyzer. Due to how Cisco IOS is written, there is not a command (at least to my knowledge) which lets me pull flow records based upon an interval (seconds etc.). This is important to me as I want to do licensing for the flow exporter/collector. I have the option of downloading tools like SolarWinds/ManageEngine/ntop etc. to calculate this number, but I feel it's too much hassle setting up that software to grab a simple value.

I'm wondering if the packet sniffer tools already on the market, e.g. tcpdump or Wireshark, can get me this number. I tried with tcpdump but it seems there is no support to decode such information. In my little research on Wireshark I see there is a built-in filter, cflows, but there are hundreds of attributes and sub-attributes and I don't know which will get me the information I want. Also, do I need some special configuration on the Wireshark end before I point the flow records from the Cisco towards the destination? Do I need to have a port opened and a service (flow analyzing) to receive the flow data? I'd appreciate it if someone has a recommendation for flow analyzer software as well. Thanks.

asked 05 Nov '13, 08:07 lazerz
One Answer:
Well, the following command does show flows/sec, however I'm not sure if that is what you need.

It's hard to talk about numbers as long as it's unclear how the vendor of that software defines what "flows/second" means. There are several vendors that license based on flows/sec or flows/minute, however their definition is totally different (one uses NetFlows, the other "IP flows", etc.). So, I suggest you contact that vendor and ask.

See above. Unless we know how "flows/sec" is defined, it is impossible to tell what you need to look at.
You just need to mirror the switch port of the Netflow collector (where all Netflow traffic of your network devices are sent to).
Then use a PC with Wireshark to capture on the mirrored/monitored port.

Regards

answered 06 Nov '13, 04:34 Kurt Knochner ♦
@Kurt, thanks for the phrase-to-phrase response to my queries. I will take up the matter regarding the definition of terminologies (e.g. fps) with the vendor. I just have a comment on the last part of your reply: why do I need to mirror traffic? Can I not use NetFlow v9 and tell the Cisco switch to send flow records to port 2055, and then, on a flow analyzer/collector running locally on my machine, use Wireshark? Does it make sense?
I assumed you already have a Netflow collector in place. To be able to capture traffic to that collector, you would need a mirror port.
Of course, you can send the NetFlow traffic directly to the Wireshark PC, if that is possible in your environment (re-configuration of routers/switches).
@Kurt. Yes, re-configuration is possible in our environment, not saying we in any way approve of the network admins' unhappy faces. Anyhow, I was reading your reply on a question posted on the site (http://ask.wireshark.org/questions/11349/calculating-enterprise-netflow-volume) and thought it would be helpful in my case as well. But the filter cflows.flow gives me no result. It returns empty. Any suggestions?
It does not show anything on my system either. I’ll have to check that.
Any updates?
I did not have a chance to test it yet. Maybe during the next couple of days…
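The thread never settles which definition of "flows/sec" the licence uses, but the raw number most collectors report is the count of data records per second in the v9 export stream. As an added example (not from the original thread, and not Wireshark's or Cisco's code), the Python script below parses NetFlow v9 export datagrams as laid out in RFC 3954 (20-byte header, then Template FlowSets with id 0 and Data FlowSets with id 256 or higher), learns record lengths from the templates, and counts data records per export-timestamp second. The exporter source id, template id, field list and addresses are constructed sample values; a data packet that arrives before its template is included to show the case a collector cannot delimit.

```python
"""Count NetFlow v9 flow records per second from raw export datagrams.

Added example, not from the original thread. It implements just enough of the
NetFlow v9 export format (RFC 3954) to delimit Data FlowSet records: a 20-byte
header, then FlowSets; FlowSet id 0 carries templates, ids >= 256 carry data
records laid out per a previously received template.
"""
import struct
from collections import Counter

HEADER = struct.Struct("!HHIIII")   # version, count, sysUptime, unixSecs, seqNum, sourceId
FLOWSET = struct.Struct("!HH")      # flowsetId, length (including this 4-byte header)


class NetFlowV9Parser:
    def __init__(self):
        # Templates are keyed per (sourceId, templateId); a real collector also
        # keys on the exporter's IP address, omitted here (single exporter assumed).
        self.templates = {}          # (source_id, template_id) -> record length in bytes
        self.unknown_template = 0    # Data FlowSets seen before their template arrived

    def parse(self, datagram):
        """Return (unix_secs, header_count, data_records) for one export packet."""
        version, count, _uptime, unix_secs, _seq, source_id = HEADER.unpack_from(datagram, 0)
        if version != 9:
            raise ValueError(f"not NetFlow v9 (version {version})")
        offset, data_records = HEADER.size, 0
        while offset + FLOWSET.size <= len(datagram):
            flowset_id, length = FLOWSET.unpack_from(datagram, offset)
            if length < FLOWSET.size or offset + length > len(datagram):
                raise ValueError("malformed FlowSet length")
            body = datagram[offset + FLOWSET.size:offset + length]
            if flowset_id == 0:
                self._learn_templates(source_id, body)
            elif flowset_id >= 256:
                reclen = self.templates.get((source_id, flowset_id))
                if reclen:
                    data_records += len(body) // reclen   # trailing padding is ignored
                else:
                    self.unknown_template += 1            # cannot delimit records yet
            # flowset_id 1 (options templates) is not needed to count data records
            offset += length
        return unix_secs, count, data_records

    def _learn_templates(self, source_id, body):
        offset = 0
        while offset + 4 <= len(body):
            template_id, field_count = struct.unpack_from("!HH", body, offset)
            if template_id < 256:      # zero padding at the end of the FlowSet
                break
            offset += 4
            reclen = 0
            for _ in range(field_count):
                _field_type, field_len = struct.unpack_from("!HH", body, offset)
                reclen += field_len
                offset += 4
            self.templates[(source_id, template_id)] = reclen


def flows_per_second(datagrams):
    """Map export timestamp (unixSecs) -> data records exported in that second."""
    parser = NetFlowV9Parser()
    per_second = Counter()
    for datagram in datagrams:
        unix_secs, _count, records = parser.parse(datagram)
        per_second[unix_secs] += records
    return dict(per_second)


def peak_flows_per_second(datagrams):
    """Highest one-second record count, the figure a per-fps licence usually asks for."""
    return max(flows_per_second(datagrams).values(), default=0)


# --- constructed sample datagrams: one exporter (sourceId 1), one template ---
TEMPLATE_ID = 256
# (field type, length): IPV4_SRC_ADDR, IPV4_DST_ADDR, IN_BYTES, IN_PKTS -> 16-byte records
FIELDS = [(8, 4), (12, 4), (1, 4), (2, 4)]


def template_packet(unix_secs, seq, source_id=1):
    body = struct.pack("!HH", TEMPLATE_ID, len(FIELDS))
    body += b"".join(struct.pack("!HH", t, l) for t, l in FIELDS)
    return (HEADER.pack(9, 1, 0, unix_secs, seq, source_id)
            + FLOWSET.pack(0, FLOWSET.size + len(body)) + body)


def data_packet(unix_secs, seq, n_records, source_id=1):
    records = b"".join(
        struct.pack("!4s4sII", bytes([10, 0, 0, i]), bytes([192, 168, 1, 1]), 1500 * i, i)
        for i in range(1, n_records + 1))
    return (HEADER.pack(9, n_records, 0, unix_secs, seq, source_id)
            + FLOWSET.pack(TEMPLATE_ID, FLOWSET.size + len(records)) + records)


SAMPLE = [
    data_packet(1000, 1, 4),     # arrives before its template: records not counted
    template_packet(1000, 2),
    data_packet(1000, 3, 5),
    data_packet(1001, 4, 8),
    data_packet(1001, 5, 3),
]

if __name__ == "__main__":
    print(flows_per_second(SAMPLE))              # {1000: 5, 1001: 11}
    print("peak:", peak_flows_per_second(SAMPLE))  # peak: 11
```

The header's count field is a cheaper proxy (it needs no template state), but it also counts template and options records, so it overstates the data-record figure slightly; the parser above returns both so the two can be compared. On a real capture the per-second header count can be pulled from Wireshark with `tshark -r export.pcap -Y cflow -T fields -e frame.time_epoch -e cflow.count` and summed per second; Wireshark names the dissector `cflow`, and the exporter only needs to be pointed at the capturing host's UDP port, with no listening service required for the frames to be captured.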