Wireshark-users: [Wireshark-users] Netflow version 9
From: "Chris Rutherford" <chrismrutherford@xxxxxxxxxxxxxx>
Date: Tue, 29 May 2007 11:53:06 +0100
Hi All,
I'm experiencing some issues with successfully extracting all NetFlow 9 data from the export packets. I'm using the following CLI options to decode the data and I get the following results, but I don't see all the NetFlow data. I've tried searching but there don't seem to be any clear answers. Do you know if it is possible to display all NetFlow 9 data instead of just "Type X"? Ideally I'd be receiving MAC info.
tshark -ni eth0 -R udp.port==10001 -d udp.port==10001,cflow -V
Cisco NetFlow/IPFIX
Version: 9
Count: 19
SysUptime: 10008984
Timestamp: May 25, 2007 21:11:02.000000000
CurrentSecs: 1180123862
FlowSequence: 2568
SourceId: 0
FlowSet 1
Data FlowSet (Template Id): 256
FlowSet Length: 1336
Flow 1
EndTime: 9993.748000000 seconds
StartTime: 9993.748000000 seconds
Octets: 28
Packets: 1
InputInt: 3
OutputInt: 2
SrcAddr: 192.168.0.3 ( 192.168.0.3)
DstAddr: 192.168.48.3 (192.168.48.3)
Protocol: 17
IP ToS: 0x00
SrcPort: 3000
DstPort: 0
Type 48
Type 51
NextHop: 192.168.24.2 (192.168.24.2)
DstMask: 24
SrcMask: 24
TCP Flags: 0x10
Type 61 /*<----Why??
Type 25
Type 26
Type 32
Type 52
Type 53
Type 54
Type 56
Type 57 <----Why?? */
DstAS: 0
SrcAS: 0
blade2:chris# tshark -v
TShark 0.99.4
Copyright 1998-2006 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled with GLib 2.12.4, with libpcap 0.9.5, with libz 1.2.3, with libpcre
6.7, without UCD-SNMP or Net-SNMP, with ADNS, without Lua, with GnuTLS 1.4.4,
with Gcrypt 1.2.3, without Kerberos.
Running on Linux 2.6.18 , with libpcap version 0.9.5.
Built using gcc 4.1.2 20061028 (prerelease) (Debian 4.1.1-19).
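The "Type N" lines come from the template-driven decoding that NetFlow v9 uses: the exporter first sends a Template FlowSet naming each field by a numeric type ID, and the data records are then decoded with that template, so a field whose type ID the dissector has no name for is shown only by number. The following Python parser is an added example, not part of the original post or of Wireshark; the field-type names are from RFC 3954 (56 and 57 are IN_SRC_MAC and OUT_DST_MAC, the MAC fields), and the export packet bytes are constructed.

```python
import struct
from ipaddress import IPv4Address

# RFC 3954 sec. 8 field type IDs matching the tshark output; 56/57 are the MACs.
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR",
               25: "MIN_PKT_LNGTH", 26: "MAX_PKT_LNGTH", 32: "ICMP_TYPE",
               48: "FLOW_SAMPLER_ID", 51: "FLOW_CLASS", 52: "MIN_TTL", 53: "MAX_TTL",
               54: "IPV4_IDENT", 56: "IN_SRC_MAC", 57: "OUT_DST_MAC", 61: "DIRECTION"}

def decode_field(ftype, raw):
    """IPv4 for types 8/12, MAC for 56/57, big-endian integer otherwise."""
    if ftype in (8, 12):
        return str(IPv4Address(raw))
    if ftype in (56, 57):
        return ":".join(f"{b:02x}" for b in raw)
    return int.from_bytes(raw, "big")

def parse_v9(packet, templates):
    """Decode one v9 packet; templates (FlowSet 0) persist in the caller's dict."""
    assert struct.unpack_from("!H", packet)[0] == 9, "not a NetFlow v9 packet"
    records, off = [], 20                       # 20-byte v9 packet header
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4:
            raise ValueError("bad FlowSet length")
        body, p = packet[off + 4:off + fs_len], 0
        if fs_id == 0:                          # Template FlowSet
            while p + 4 <= len(body):
                tid, n = struct.unpack_from("!HH", body, p)
                templates[tid] = list(struct.iter_unpack("!HH", body[p + 4:p + 4 + 4 * n]))
                p += 4 + 4 * n
        elif fs_id in templates:                # Data FlowSet, template already seen
            rec_len = sum(l for _, l in templates[fs_id])
            while rec_len and p + rec_len <= len(body):  # leftover bytes = padding
                rec = {}
                for ftype, flen in templates[fs_id]:
                    rec[FIELD_NAMES.get(ftype, f"Type {ftype}")] = decode_field(ftype, body[p:p + flen])
                    p += flen
                records.append(rec)
        off += fs_len
    return records

# Constructed packet: header, template 256 (8 fields), one 29-byte record + 3 pad bytes.
TEMPLATE = [(8, 4), (12, 4), (4, 1), (7, 2), (11, 2), (56, 6), (57, 6), (1, 4)]
PACKET = (struct.pack("!HHIIII", 9, 2, 10008984, 1180123862, 2568, 0)
          + struct.pack("!HHHH", 0, 40, 256, 8) + b"".join(struct.pack("!HH", *f) for f in TEMPLATE)
          + struct.pack("!HH", 256, 36) + bytes([192, 168, 0, 3, 192, 168, 48, 3, 17])
          + struct.pack("!HH", 3000, 0) + bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
          + struct.pack("!I", 28) + b"\x00" * 3)
```

A Data FlowSet that arrives before its template is skipped, which is why a collector started mid-stream shows no records until the exporter resends the template.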