This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Tshark returns empty flow sets for NetFlow v9 packets with SourceId equal zero


I am using Tshark to gather information on Flow Sets and found that if the field cflow.source_id == 0 then Tshark returns an empty field for all the fields selected.

I would like to know the reason for this and if there is any workaround or fix available.

I was running a command like this:

tshark -r TWR.pcap -T fields -e frame.number -e cflow.octets -e cflow.packets -e cflow.inputint -e cflow.outputint -e cflow.srcaddr -e cflow.dstaddr -e cflow.protocol -e cflow.tos -e cflow.srcport -e cflow.dstport -e cflow.sampler_id -e cflow.flow_class -e cflow.nexthop -e cflow.dstmask -e cflow.srcmask -e cflow.tcpflags -e cflow.direction -E header=y -E separator=, -E quote=d -E occurrence=a -E aggregator=/s > TWRWFrameNo.txt

A sample of the output file is below.

"8284",,,,,,,,,,,,,,,,,
"8285",,,,,,,,,,,,,,,,,
"8286",,,,,,,,,,,,,,,,,
"8287","1775 2582 168 522 3122 29575 724 500 475 1504 1250 136 73 276 136 319 276 276 276 52 336 56320 276 276 504 358 6350 276 52 276","12 4 2 5 19 211 4 5 2 6 9 2 1 3 2 2 3 3 3 1 2 704 3 3 4 4 44 3 1 3","9 5 3 8 9 2 3 5 8 8 8 8 5 3 8 5 3 3 3 8 8 3 3 3 3 3 8 3 3 3","2 8 8 3 2 8 8 8 5 3 5 5 9 9 3 8 8 9 8 2 3 8 8 8 9 9 2 8 9 8","10.166.4.105 10.5.34.50 10.5.32.103 10.167.0.16 10.166.4.105 10.0.29.30 10.2.133.90 10.0.29.253 10.164.117.204 10.174.22.120 10.172.5.170 10.164.132.126 10.5.32.101 10.2.133.90 10.164.132.125 10.4.18.198 10.2.133.90 10.2.133.90 10.2.133.90 10.152.85.7 10.192.136.1 10.3.100.254 10.2.133.90 10.2.133.90 10.2.133.90 10.2.130.6 10.166.17.62 10.2.133.90 10.2.133.81 10.2.133.90","172.16.2.221 10.172.29.99 10.173.208.60 10.0.29.253 172.16.2.221 10.168.19.12 10.172.29.155 10.167.0.16 10.5.34.50 10.20.3.11 10.2.133.90 10.1.164.100 10.164.116.112 10.142.68.161 10.2.133.82 10.164.64.7 10.171.206.103 10.174.4.112 10.139.17.141 10.0.29.251 10.4.18.198 10.188.5.37 10.171.4.87 10.134.12.152 10.160.25.111 10.160.20.101 10.2.133.90 10.168.26.82 10.164.116.54 10.138.4.172","6 6 17 6 6 17 6 6 6 6 6 6 17 6 6 17 6 6 6 6 17 17 6 6 6 6 6 6 6 6","0x00 0x00 0x00 0x68 0x00 0x00 0x00 0x60 0x28 0x68 0x28 0x28 0x00 0x00 0x28 0x00 0x00 0x00 0x00 0x28 0x28 0x00 0x00 0x00 0x00 0x00 0x28 0x00 0x00 0x00","61589 5061 137 24787 61592 1713 22295 1720 60840 65381 59631 57293 53 45252 49536 42211 45252 45252 45252 50233 161 22186 45252 45252 45252 45349 52168 45252 55950 45252","8080 50529 137 1720 8080 161 53344 24787 5061 22 45252 445 53422 54055 47771 161 56820 57234 50037 2000 34902 32534 53443 60375 65054 57614 29489 60956 52834 49401","0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0","0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0","10.20.1.30 10.4.248.130 10.4.248.130 10.20.1.2 10.20.1.30 10.4.248.130 10.4.248.130 10.4.248.130 10.20.1.54 10.20.1.2 10.20.1.54 10.20.1.54 10.4.248.138 10.4.248.138 10.20.1.2 10.4.248.130 10.4.248.130 10.4.248.138 10.4.248.130 10.20.1.30 10.20.1.2 10.4.248.130 10.4.248.130 10.4.248.130 10.4.248.138 10.4.248.138 10.20.1.30 10.4.248.130 10.4.248.138 10.4.248.130","24 24 24 24 24 24 24 32 24 28 24 24 24 24 24 32 24 24 24 24 24 24 24 24 24 24 24 24 24 24","24 24 24 32 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 32 16 24 24 24 24 24 24 24 24","0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00","0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"

--

asked 12 Jan '15, 07:52


IanRees

edited 12 Jan '15, 08:06


grahamb ♦

Ian, would it be possible to make available a capture showing this?

(12 Jan '15, 08:13) MartinM

One Answer:


If Wireshark is showing the data but tshark is not, you would need to use two-pass processing in tshark (option "-2"), as the flow template record might come after the packet with the flow data, so tshark does not yet know how to interpret the flow data for the specific source ID.

answered 13 Jan '15, 04:19


SYN-bit ♦♦

edited 13 Jan '15, 04:21
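To make the template-ordering problem in the answer concrete, here is a small NetFlow v9 decoder written for this page (it is added example code, not Wireshark's cflow dissector and not anything posted in the thread). It builds three constructed v9 packets from an exporter with source ID 0: two data records arrive before the template that describes them, and a third record arrives after it. A single pass, which is what tshark does by default, cannot decode the first packet because the template is not known yet, so it yields nothing for that frame, which is exactly the row of empty fields in the question. The two-pass decoder learns every template first and then decodes, which is what tshark -2 does. Templates are keyed by (source ID, template ID) here; a production dissector keys on the exporter address as well. The record field names mimic the cflow.* field names the question selects and are an assumption of this example, as are the sample flows.

```python
import struct
import ipaddress

# NetFlow v9 field types (RFC 3954) used by the constructed template, named
# after the tshark cflow.* fields the question selects (naming is ours).
FIELD_NAMES = {1: "octets", 2: "packets", 4: "protocol", 7: "srcport",
               8: "srcaddr", 11: "dstport", 12: "dstaddr"}
TEMPLATE_ID = 256
TEMPLATE_FIELDS = [(1, 4), (2, 4), (4, 1), (8, 4), (12, 4), (7, 2), (11, 2)]


def v9_header(count, source_id, seq):
    # version, count, sysUptime, unixSecs, sequence number, source ID
    return struct.pack("!HHIIII", 9, count, 1000, 1421000000, seq, source_id)


def template_flowset(template_id, fields):
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body      # FlowSet ID 0 = template


def data_flowset(template_id, records):
    body = b"".join(records)
    pad = (-len(body)) % 4                                  # FlowSets are 4-byte aligned
    return struct.pack("!HH", template_id, 4 + len(body) + pad) + body + b"\0" * pad


def record(octets, packets, proto, src, dst, sport, dport):
    # Layout must match TEMPLATE_FIELDS order and lengths (21 bytes per record).
    return struct.pack("!IIB4s4sHH", octets, packets, proto,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed, sport, dport)


# Constructed sample: exporter with source ID 0 sends two data records
# *before* its template, then one more data record after it.
SAMPLE_PACKETS = [
    v9_header(2, 0, 1) + data_flowset(TEMPLATE_ID, [
        record(1775, 12, 6, "10.166.4.105", "172.16.2.221", 61589, 8080),
        record(2582, 4, 6, "10.5.34.50", "10.172.29.99", 5061, 50529)]),
    v9_header(1, 0, 2) + template_flowset(TEMPLATE_ID, TEMPLATE_FIELDS),
    v9_header(1, 0, 3) + data_flowset(TEMPLATE_ID, [
        record(168, 2, 17, "10.5.32.103", "10.173.208.60", 137, 137)]),
]


def parse_packet(pkt, templates, learn=True, decode=True):
    """Walk the FlowSets of one v9 packet. Templates are keyed by
    (source ID, template ID). A data FlowSet whose template is not yet
    known is skipped, which is the "empty fields" symptom."""
    source_id = struct.unpack("!HHIIII", pkt[:20])[5]
    out, off = [], 20
    while off + 4 <= len(pkt):
        fs_id, fs_len = struct.unpack("!HH", pkt[off:off + 4])
        if fs_len < 4:
            break
        body = pkt[off + 4:off + fs_len]
        if fs_id == 0 and learn:
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                          for i in range(nfields)]
                pos += 4 * nfields
                templates[(source_id, tid)] = fields
        elif fs_id >= 256 and decode:
            tmpl = templates.get((source_id, fs_id))
            if tmpl is not None:
                reclen = sum(l for _, l in tmpl)
                pos = 0
                while pos + reclen <= len(body):       # stops before trailing padding
                    rec = {}
                    for ftype, flen in tmpl:
                        raw = body[pos:pos + flen]
                        pos += flen
                        name = FIELD_NAMES.get(ftype, "type%d" % ftype)
                        rec[name] = (str(ipaddress.IPv4Address(raw)) if ftype in (8, 12)
                                     else int.from_bytes(raw, "big"))
                    out.append(rec)
        off += fs_len
    return out


def decode_one_pass(packets):
    """Default tshark behaviour: each packet is decoded as it is read."""
    templates = {}
    return [parse_packet(p, templates) for p in packets]


def decode_two_pass(packets):
    """tshark -2 behaviour: learn every template first, then decode."""
    templates = {}
    for p in packets:
        parse_packet(p, templates, decode=False)
    return [parse_packet(p, templates, learn=False) for p in packets]


if __name__ == "__main__":
    for name, result in (("one pass", decode_one_pass(SAMPLE_PACKETS)),
                         ("two pass", decode_two_pass(SAMPLE_PACKETS))):
        print(name, [len(r) for r in result])   # one pass [0, 0, 1], two pass [2, 0, 1]
```

The practical check on a real capture is to rerun the question's command with the second pass enabled, i.e. `tshark -2 -r TWR.pcap -T fields ...` with the same -e and -E options, and compare the rows that were previously empty. To confirm the ordering hypothesis first, filter the capture on `cflow.template_id` and note whether the template for that source ID arrives in a frame later than the first empty row (frame 8284 in the sample output); if there is no template at all in the capture for that source ID, no number of passes will help and a longer capture that includes a template refresh from the exporter is needed.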