Tshark linux

The steps below capture the NetFlow traffic arriving at the RedHat Harvester with tshark and then check in Wireshark that the exporter is sending a usable template and the required fields.

1. Log into a PuTTY (SSH) session on the RedHat Harvester as root, or run "sudo su" to become root; packet capture on the NIC needs root.

2. Install Wireshark, which provides tshark, with yum and follow the prompts. This requires access to the internet or to a local yum repository.

3. Find the name of the NIC that the NetFlow data is being sent to by running "ifconfig" (or "ip addr" on systems without net-tools); in this example it is ens33. That name is what you pass to the tshark -i switch in the commands below.

4. To capture all NetFlow traffic coming into the harvester, run the command below, using the name of your NIC in the -i flag. To limit the capture to a specific router, add a host expression with the router's IP address to the capture filter. The -F pcap option writes classic pcap rather than the pcapng format that newer tshark versions use by default.

tshark -f "port 9995" -i ens33 -F pcap -w /tmp/netflow.pcap

5. Let the capture run for at least 5 minutes, then press Ctrl-C to stop it. NetFlow v9 and IPFIX exporters only resend their templates periodically, and Wireshark cannot decode the data flowsets without the template, so a capture that is too short may contain flows but no template.

6. Move the file with WinSCP or FileZilla to a Windows computer that has Wireshark installed and open it there.

7. Open Analyze > Decode As..., click the + sign, change the drop-down to "Destination (->9995)", select "CFLOW" on the right and click OK. Note: if this is SFLOW data, decode it as SFLOW instead of CFLOW.

8. Verify that a template was captured and that the flows have been decoded by expanding the line that reads "Cisco NetFlow/IPFIX" and checking that Flows are listed below it. If no template was captured, the flows are not decoded and Wireshark shows the message "No Template Found". In that case you need a longer pcap in order to capture the template.

9. To find the datagram that carries the NetFlow template, enter "cflow.template_id" in the Filter field; only datagrams that contain a template will remain. Here you can check whether the required NetFlow fields are being sent in the template: expand the section that says "Template (ID = ...)" to see the list of fields being sent and match them against the required fields from above.

10. To view the actual values sent for these fields, clear the cflow.template_id filter and click on any other datagram. Expand "Cisco NetFlow/IPFIX" and then one of the Flowsets until you can see the list of fields and their values. Make sure the "FlowSet Id: (Data)" value matches the template ID (256 in this case), so that you are looking at a flow that uses the template you just checked:

For steps on how to do this on Windows see the link below:
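The same capture-and-verify procedure can be completed on the harvester itself with tshark, without copying the pcap to a Windows machine. The script below is an added example and is not code from the original page: it builds the capture command for steps 4 and 5 (with the host-filter variant and a 300-second limit in place of Ctrl-C), replaces the Decode As dialog and the cflow.template_id filter of steps 7 to 9 with tshark's -d and -Y options, and checks each captured template against a required-field list. The NIC name ens33, port 9995, the pcap path, the router address 192.0.2.1 (an RFC 5737 documentation address) and the REQUIRED_FIELDS list are assumptions; the list stands in for the "required NetFlow fields" the page refers to and should be replaced with the real one. The field names cflow.template_id and cflow.template_field_type are those of Wireshark's cflow dissector, and the sample template listing is constructed, not real capture data.

```shell
#!/bin/sh
# Added example (not from the original page): capture NetFlow with tshark and
# verify the template and its fields on the Linux harvester. Assumptions that
# are not on the page: NIC ens33, collector port UDP 9995, router 192.0.2.1
# (RFC 5737 documentation address) and the REQUIRED_FIELDS list, which is an
# illustrative stand-in for the page's "required NetFlow fields".

NIC=ens33
PORT=9995
PCAP=/tmp/netflow.pcap
# NetFlow v9 field type ids: 1 IN_BYTES, 2 IN_PKTS, 4 PROTOCOL, 7 L4_SRC_PORT,
# 8 IPV4_SRC_ADDR, 11 L4_DST_PORT, 12 IPV4_DST_ADDR (assumed required set).
REQUIRED_FIELDS="1 2 4 7 8 11 12"
TAB=$(printf '\t')

# Steps 4 and 5: capture command. "udp port" keeps stray TCP traffic on the
# same port out, "host <ip>" limits the capture to one exporter, -a
# duration:300 stops after the five minutes the page asks for instead of
# waiting for Ctrl-C, and -F pcap forces classic pcap output.
# Call with no argument (or "all") for every exporter, or with a router IP.
capture_cmd() {
  if [ "${1:-all}" = all ]; then
    filter="udp port $PORT"
  else
    filter="udp port $PORT and host $1"
  fi
  printf 'tshark -i %s -f "%s" -a duration:300 -F pcap -w %s' "$NIC" "$filter" "$PCAP"
}

# Steps 7 and 9 offline: -d decodes UDP/9995 as CFLOW like the Decode As
# dialog, -Y applies the page's cflow.template_id filter, and -T fields prints
# one line per template packet: "template_id<TAB>comma-separated field ids".
template_cmd() {
  printf 'tshark -r %s -d udp.port==%s,cflow -Y cflow.template_id -T fields -e cflow.template_id -e cflow.template_field_type' "$PCAP" "$PORT"
}

# Step 9's check: return 0 if every id in REQUIRED_FIELDS appears in the
# comma-separated list $1, otherwise report the missing ids and return 1.
has_required_fields() {
  list=",$1,"
  missing=""
  for f in $REQUIRED_FIELDS; do
    case "$list" in
      *",$f,"*) ;;
      *) missing="$missing $f" ;;
    esac
  done
  if [ -n "$missing" ]; then
    echo "missing field types:$missing" >&2
    return 1
  fi
  return 0
}

# Reads template_cmd output on stdin. Prints the first template id that
# declares all required fields and returns 0; returns 2 when no template packet
# was captured at all (Wireshark's "No Template Found" case: capture longer)
# and 1 when templates were seen but none carries the required fields.
find_usable_template() {
  seen=0
  while IFS="$TAB" read -r tid types; do
    [ -z "$tid" ] && continue
    seen=1
    if has_required_fields "$types" 2>/dev/null; then
      echo "$tid"
      return 0
    fi
  done
  [ "$seen" -eq 0 ] && return 2
  return 1
}

# Constructed sample of template_cmd output, not real capture data: template
# 256 omits the port fields, template 257 carries every assumed required field.
SAMPLE_TEMPLATES="256${TAB}1,2,4,8,12
257${TAB}1,2,4,7,8,11,12,21,22"

# Use the real capture when tshark and the pcap are present, else the sample.
main() {
  if command -v tshark >/dev/null 2>&1 && [ -r "$PCAP" ]; then
    eval "$(template_cmd)" | find_usable_template
  else
    printf '%s\n' "$SAMPLE_TEMPLATES" | find_usable_template
  fi
}

main
```

Run "sh -c "$(capture_cmd 192.0.2.1)"" on the harvester to take the capture, then run the script to check it. tshark's -T fields output joins repeated occurrences of a field with commas, so the parser assumes one template per template packet; a packet that carries several templates would show their ids and field lists merged on a single line, and the ids would then need to be split before checking. A return code of 2 means the capture never saw a template and should be repeated over a longer window, exactly as step 8 advises.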