Wireshark-users: Re: [Wireshark-users] decoding netflow

From: Motonori Shindo <mshindo@xxxxxxxxxxx>
Date: Fri, 15 May 2009 11:00:43 +0900 (JST)
Marlon,

Yes, it's quite possible, but there are a couple of things you'd better
keep in mind:

 1) To decode NetFlow V9 packets successfully, Template FlowSet must
    be included in the captured packets, so you'd have to capture
    traffic long enough. I can't tell you how long because the timing
    of Template FlowSet exporting is exporter implementation and/or
    configuration dependent.

 2) There is no standard port number defined for NetFlow. Currently,
    Wireshark assumes 2055/udp and 9996/udp are for NetFlow. If you
    are using a port number other than these two, you have to use
    "decode as" functionality in Wireshark.

Regards,

---
Motonori Shindo
Chief Technology Officer
Fivefront Corporation
http://www.fivefront.com

From: Marlon Duksa <mduksa@xxxxxxxxx>
Subject: [Wireshark-users] decoding netflow
Date: Thu, 14 May 2009 16:20:38 -0700

> Hi - we are running Netflow 9 on Cisco and would like to run a decode on the
> packets. Is this possible with Wireshark? Thanks,
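
Point 1 of the reply above, as an added example that is not part of the original thread: a small NetFlow v9 walker that caches Template FlowSets and shows that a Data FlowSet captured before its template cannot be decoded. The function name, the sample payloads and the addresses in them are constructed for illustration; the header and FlowSet layout follow RFC 3954.

```python
import struct

def decode_v9(payloads):
    """Walk NetFlow v9 UDP payloads in capture order; return (records, skipped)."""
    templates = {}  # (source_id, template_id) -> [(field_type, field_length), ...]
    records, skipped = [], 0
    for data in payloads:
        if len(data) < 20:
            continue
        version, _cnt, _uptime, _secs, _seq, source_id = struct.unpack_from("!HHIIII", data)
        if version != 9:
            continue
        off = 20
        while off + 4 <= len(data):
            fs_id, fs_len = struct.unpack_from("!HH", data, off)
            if fs_len < 4 or off + fs_len > len(data):
                break  # bad length: stop instead of looping or over-reading
            body, off = data[off + 4:off + fs_len], off + fs_len
            if fs_id == 0:  # Template FlowSet: learn record layouts
                p = 0
                while p + 4 <= len(body):
                    tid, nfields = struct.unpack_from("!HH", body, p)
                    p += 4
                    if tid < 256 or p + 4 * nfields > len(body):
                        break  # padding or truncated template
                    templates[(source_id, tid)] = [
                        struct.unpack_from("!HH", body, p + 4 * i) for i in range(nfields)]
                    p += 4 * nfields
            elif fs_id >= 256:  # Data FlowSet: needs a template seen earlier
                fields = templates.get((source_id, fs_id))
                if fields is None:
                    skipped += 1  # exported before the template was captured
                    continue
                rec_len = sum(flen for _, flen in fields)
                p = 0
                while rec_len and p + rec_len <= len(body):
                    rec = {}
                    for ftype, flen in fields:
                        rec[ftype] = body[p:p + flen]
                        p += flen
                    records.append(rec)
    return records, skipped

# Constructed sample payloads (source_id 1, template 256: IPV4_SRC_ADDR=8, IPV4_DST_ADDR=12, IN_BYTES=1)
def _hdr(seq):
    return struct.pack("!HHIIII", 9, 1, 0, 0, seq, 1)
TEMPLATE_PKT = _hdr(1) + struct.pack("!HHHH", 0, 20, 256, 3) + struct.pack("!6H", 8, 4, 12, 4, 1, 4)
DATA_PKT = _hdr(2) + struct.pack("!HH", 256, 16) + bytes([192, 0, 2, 1, 198, 51, 100, 7]) + struct.pack("!I", 1500)

if __name__ == "__main__":
    print(decode_v9([DATA_PKT]))                # data only: nothing decodable
    print(decode_v9([TEMPLATE_PKT, DATA_PKT]))  # template first: one record
```

A non-zero skipped count on a real capture means the capture started after, or ended before, the exporter's template refresh for that source.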