Wednesday, 13 June 2012

Using Wireshark to view netflow data

Normally I don't use Wireshark unless my only option for viewing traffic is a Windows machine.

tcpdump has done everything I've ever needed until now, but it has no decoder for template-based NetFlow v9 (its -T cnfp option only understands the fixed-format v1, v5 and v6 exports). Even with the most verbose logging turned on (-vvv), the best you get is:

netflow# tcpdump -n -s 0 -vvv port 2055
12:17:37.254419 IP (tos 0x0, ttl 254, id 25465, offset 0, flags [none], proto UDP (17), length 1060)
    10.202.70.151.56627 > 10.48.2.156.2055: [udp sum ok] UDP, length 1032


Capture this traffic to a file with the -w option and open that file in Wireshark. When you click on the first flow packet you will generally see the error below: "no template found".

This means that Wireshark has not yet seen the template it needs to decode that data FlowSet: in NetFlow v9 the exporter describes the record layout in a separate template FlowSet, and the data records carry only a template ID. Keep clicking through the packets until you trip over a template:

After this, any packet you open (before or after the template) is decoded correctly, because Wireshark caches the template once it has dissected the packet carrying it. The cache is keyed by exporter address, source ID and template ID, so data from another exporter, or from another source ID on the same device, still needs its own template. Here is the Wireshark dump of the first packet, the one that had the "no template found" error:

Cisco devices by default send a template after every 20 NetFlow export packets (and also refresh it every 30 minutes, the timeout-rate). You can change this with the commands below; in this case the data template and the options template are sent after every 5 packets.

ip flow-export template options refresh-rate 5
ip flow-export template refresh-rate 5

Increasing the template frequency means you can find one close to the packets you are interested in, and a short capture is far more likely to contain one at all. You could even drop it to 1, which sends a template with every export packet, at the cost of extra export bandwidth. The refresh-rate only matters for ad-hoc captures like this one; a collector that runs continuously sees the template within a few seconds either way.
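As an added example that is not part of the original post, the following Python decoder reproduces the template dependency described above: it parses constructed NetFlow v9 export packets, raises the equivalent of Wireshark's "no template found" for a data FlowSet whose template has not been seen, caches templates keyed by exporter address, source ID and template ID, and replays a capture in two passes so that packets captured before the template decode afterwards. It also simulates the refresh-rate setting by folding a template into every N-th export packet. The exporter address 10.202.70.151 is taken from the tcpdump output above; the field layout, flow values, sequence numbers and timestamps are assumptions for illustration, not data from the post.

```python
"""Minimal NetFlow v9 decoder (added example, not code from the original post). A data FlowSet
decodes only after its template (same exporter, source ID and template ID) has been seen."""
import socket
import struct

# Subset of NetFlow v9 field types (RFC 3954 section 8); TEMPLATE is a list of (type, length).
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}
IPV4_FIELDS = {8, 12}
TEMPLATE = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
EXPORTER = "10.202.70.151"  # exporter address reused from the post's tcpdump output

class NoTemplate(Exception):
    """Data arrived before its template: Wireshark's "no template found"."""

class NetflowV9Decoder:
    def __init__(self):
        self.templates = {}  # (exporter, source_id, template_id) -> [(type, length), ...]

    def decode(self, exporter, payload):
        """Decode one export packet (the UDP payload) into a list of flow-record dicts."""
        version, _cnt, _up, _secs, _seq, source_id = struct.unpack("!HHIIII", payload[:20])
        if version != 9:
            raise ValueError("not a NetFlow v9 packet")
        records, off = [], 20
        while off + 4 <= len(payload):
            fs_id, fs_len = struct.unpack("!HH", payload[off:off + 4])
            if fs_len < 4:
                raise ValueError("malformed FlowSet length")
            body, off = payload[off + 4:off + fs_len], off + fs_len
            if fs_id == 0:       # template FlowSet: cache it for later data FlowSets
                self._learn(exporter, source_id, body)
            elif fs_id >= 256:   # data FlowSet, ID == template ID (IDs 1..255 skipped here)
                records.extend(self._data(exporter, source_id, fs_id, body))
        return records

    def _learn(self, exporter, source_id, body):
        off = 0
        while off + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[off:off + 4])
            if nfields == 0:     # zero padding at the end of the FlowSet
                break
            spec = body[off + 4:off + 4 + 4 * nfields]
            self.templates[(exporter, source_id, tid)] = [
                struct.unpack("!HH", spec[i:i + 4]) for i in range(0, len(spec), 4)]
            off += 4 + 4 * nfields

    def _data(self, exporter, source_id, tid, body):
        fields = self.templates.get((exporter, source_id, tid))
        if fields is None:
            raise NoTemplate(f"no template {tid} from {exporter} source_id {source_id}")
        rec_len, out, off = sum(n for _, n in fields), [], 0
        while off + rec_len <= len(body):  # a tail shorter than one record is padding
            rec = {}
            for ftype, n in fields:
                raw, off = body[off:off + n], off + n
                rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = (
                    socket.inet_ntoa(raw) if ftype in IPV4_FIELDS else int.from_bytes(raw, "big"))
            out.append(rec)
        return out

# Constructed exporter side: emits the same wire format the decoder parses.
def template_flowset(tid, fields):
    body = struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body

def data_flowset(tid, fields, rows):
    body = b"".join(socket.inet_aton(v) if t in IPV4_FIELDS else v.to_bytes(n, "big")
                    for row in rows for (t, n), v in zip(fields, row))
    body += b"\0" * (-len(body) % 4)  # FlowSets are padded to a 4-byte boundary
    return struct.pack("!HH", tid, 4 + len(body)) + body

def export_packet(seq, source_id, *flowsets):
    return struct.pack("!HHIIII", 9, len(flowsets), 100000, 1339590000, seq, source_id) + b"".join(flowsets)

def exporter_stream(refresh_rate, start_seq, n, source_id=1):
    """n packets from sequence start_seq on; the template rides in every refresh_rate-th
    packet, mimicking 'ip flow-export template refresh-rate'. Flow values are made up."""
    pkts = []
    for seq in range(start_seq, start_seq + n):
        flowsets = [data_flowset(256, TEMPLATE, [("192.0.2.10", "198.51.100.5", 40000 + seq, 443, 6, 1500, 10)])]
        if seq % refresh_rate == 0:
            flowsets.insert(0, template_flowset(256, TEMPLATE))
        pkts.append(export_packet(seq, source_id, *flowsets))
    return pkts

def replay_capture(packets, exporter=EXPORTER):
    """Two passes, as Wireshark effectively does: pass 1 learns templates and notes which packets
    failed; pass 2 re-dissects, so packets captured before the template decode too (else None)."""
    dec, failed, decoded = NetflowV9Decoder(), [], []
    for i, pkt in enumerate(packets):
        try:
            dec.decode(exporter, pkt)
        except NoTemplate:
            failed.append(i)
    for pkt in packets:
        try:
            decoded.append(dec.decode(exporter, pkt))
        except NoTemplate:
            decoded.append(None)
    return failed, decoded
```

replay_capture(exporter_stream(20, 3, 25)) simulates a capture that starts three packets into a 20-packet refresh cycle: the first 17 packets fail on the first pass and all 25 decode on the second, whereas with a refresh-rate of 5 only the first two fail. Feeding it a template exported under source ID 2 followed by data exported under source ID 1 leaves the data packet undecodable on both passes, which is the per-source-ID caveat from above. tshark behaves like the first pass unless you run it with -2 (two-pass analysis).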

3 comments:

  1. Hi
    I have tried using it but nothing is captured. Whereas if I run a capture on the interface with a capture filter, it shows the traffic. Please see below:

    ~ $ tcpdump -T cnfp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on docker0, link-type EN10MB (Ethernet), capture size 262144 bytes
    ^C
    0 packets captured
    0 packets received by filter
    0 packets dropped by kernel

    ***
    ~ $ tcpdump -nn -vvv -i enp2s0f0 port 9995
    tcpdump: listening on enp2s0f0, link-type EN10MB (Ethernet), capture size 262144 bytes
    16:11:00.583606 IP (tos 0x0, ttl 64, id 47729, offset 0, flags [none], proto UDP (17), length 102)
    172.17.15.72.1897 > 172.17.14.49.9995: [udp sum ok] UDP, length 74
    16:11:01.583879 IP (tos 0x0, ttl 64, id 47730, offset 0, flags [none], proto UDP (17), length 156)
    172.17.15.72.1897 > 172.17.14.49.9995: [udp sum ok] UDP, length 128
    16:11:04.583738 IP (tos 0x0, ttl 64, id 47741, offset 0, flags [none], proto UDP (17), length 156)
    172.17.15.72.1897 > 172.17.14.49.9995: [udp sum ok] UDP, length 128
    16:11:05.583947 IP (tos 0x0, ttl 64, id 47742, offset 0, flags [none], proto UDP (17), length 156)
    172.17.15.72.1897 > 172.17.14.49.9995: [udp sum ok] UDP, length 128
