Cisco NetFlow – Using NetFlow with NfSen/NfDump


We have Cisco ASR1000 Router and it has following configuration:

    flow record netflow-record
     match transport tcp destination-port
     match transport tcp source-port
     match transport udp destination-port
     match transport udp source-port
     match ipv4 destination address
     match ipv4 source address
     collect counter bytes
     collect counter packets
    !
    !
    flow exporter netflow-exporter
     description Netflow-Exporter
     destination xx.xx.xx.xx
     source TenGigabitEthernet0/0/0
     transport udp 9995
    !
    !
    flow monitor netflow-monitor
     exporter netflow-exporter
     cache timeout active 60
     record netflow-record
    !
    interface TenGigabitEthernet0/3/0
     description foo
     ip address 66.xx.xx.66 255.255.255.252
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow monitor netflow-monitor input
    !

Nfsen:

It's running and I can see data in the directory:

[root@netflow 30]# ls -l /data/nfsen/profiles-data/live/r1/2016/06/30
total 168
-rw-r--r--. 1 netflow apache   276 Jun 30 15:40 nfcapd.201606301535
-rw-r--r--. 1 netflow apache   276 Jun 30 15:45 nfcapd.201606301540
-rw-r--r--. 1 netflow apache   276 Jun 30 15:50 nfcapd.201606301545
-rw-r--r--. 1 netflow apache   276 Jun 30 15:55 nfcapd.201606301550
-rw-r--r--. 1 netflow apache   276 Jun 30 16:00 nfcapd.201606301555
-rw-r--r--. 1 netflow apache   276 Jun 30 16:05 nfcapd.201606301600

But when I open the data I am seeing a wrong date like 1969-12-31 and the port is 0. Is it something related to the Cisco NetFlow settings?

[root@netflow 30]# nfdump -M /data/nfsen/profiles-data/live/r1  -T  -r nfcapd.201606301715 -a -c 10
Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
1969-12-31 19:00:00.000     0.000     0    176.61.183.77:0     ->     xx.xx.xx.98:0           56     2688     1
1969-12-31 19:00:00.000     0.000     0    187.23.16.207:0     ->    xx.xx.xx.171:0           81     2349     1
1969-12-31 19:00:00.000     0.000     0    187.23.16.207:0     ->     xx.xx.xx.39:0            2       58     1
1969-12-31 19:00:00.000     0.000     0    187.23.16.207:0     ->    xx.xx.xx.239:0           81     2349     1
1969-12-31 19:00:00.000     0.000     0    169.228.66.91:0     ->     xx.xx.xx.62:0            1       40     1

EDIT:

Also, my Cisco cache flow is empty, how is that possible?

r1#show ip cache flow
IP packet size distribution (0 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 0 bytes
  0 active, 0 inactive, 0 added
  0 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts

r1#

Best Answer

Solution

Add the following to the flow record; it won't work with IPFIX but it does work with NetFlow v9:

    collect timestamp sys-uptime first
    collect timestamp sys-uptime last

On the exporter, enable NetFlow v9.
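The answer's diagnosis is that the exported template simply did not contain the timestamp elements a collector needs, so nfdump had nothing to fill "Date first seen" from and printed epoch zero. A quick way to confirm that from the wire, before trusting the data for incident timelines, is to parse the exporter's NetFlow v9 template FlowSet and list which elements are missing. The following is an added example, not code from the question, the answer, or the nfdump project. It uses the NetFlow v9 field type IDs from RFC 3954 (FIRST_SWITCHED = 22, LAST_SWITCHED = 21, L4_SRC_PORT = 7, L4_DST_PORT = 11, IPV4_SRC_ADDR = 8, IPV4_DST_ADDR = 12, IN_BYTES = 1, IN_PKTS = 2); the two template packets it checks are constructed in the script to stand in for the record before and after the answer's fix. Treating the generic port elements as required is an assumption of this checker, since the thread does not settle what caused the port-0 column.

```python
"""Parse NetFlow v9 template FlowSets and report missing elements.

Added example (not from the original question/answer). Element IDs are
the NetFlow v9 field types from RFC 3954, section 8.
"""
import struct

# NetFlow v9 field type IDs (RFC 3954).
IN_BYTES, IN_PKTS, PROTOCOL = 1, 2, 4
L4_SRC_PORT, IPV4_SRC_ADDR = 7, 8
L4_DST_PORT, IPV4_DST_ADDR = 11, 12
LAST_SWITCHED, FIRST_SWITCHED = 21, 22

FIELD_NAMES = {
    IN_BYTES: "IN_BYTES", IN_PKTS: "IN_PKTS", PROTOCOL: "PROTOCOL",
    L4_SRC_PORT: "L4_SRC_PORT", IPV4_SRC_ADDR: "IPV4_SRC_ADDR",
    L4_DST_PORT: "L4_DST_PORT", IPV4_DST_ADDR: "IPV4_DST_ADDR",
    LAST_SWITCHED: "LAST_SWITCHED", FIRST_SWITCHED: "FIRST_SWITCHED",
}

# Elements the collector needs to time-stamp a record and fill the port
# columns. Without FIRST/LAST_SWITCHED the start time cannot be derived,
# which is how 1969-12-31 (epoch zero) ends up in nfdump output.
# Requiring the generic port elements is an assumption of this checker.
REQUIRED = (FIRST_SWITCHED, LAST_SWITCHED, L4_SRC_PORT, L4_DST_PORT)


def build_v9_template_packet(template_id, fields):
    """Build a NetFlow v9 packet holding one template FlowSet (constructed test input).

    fields: list of (field_type, field_length) pairs.
    """
    body = struct.pack("!HH", template_id, len(fields))
    for ftype, flen in fields:
        body += struct.pack("!HH", ftype, flen)
    # FlowSet ID 0 = template FlowSet; length covers the 4-byte FlowSet header.
    flowset = struct.pack("!HH", 0, 4 + len(body)) + body
    # Header: version, count, sysUptime, unixSecs, sequence, sourceId.
    header = struct.pack("!HHIIII", 9, 1, 0, 0, 0, 0)
    return header + flowset


def parse_v9_templates(packet):
    """Return {template_id: [(field_type, field_length), ...]} for every template FlowSet."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte NetFlow v9 header")
    version = struct.unpack("!H", packet[:2])[0]
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    templates = {}
    offset = 20
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack("!HH", packet[offset:offset + 4])
        if length < 4 or offset + length > len(packet):
            raise ValueError("malformed FlowSet length")
        end = offset + length
        if flowset_id == 0:  # template FlowSet; data FlowSets are skipped
            pos = offset + 4
            while pos + 4 <= end:
                template_id, field_count = struct.unpack("!HH", packet[pos:pos + 4])
                pos += 4
                if field_count == 0:  # trailing padding, not a template
                    break
                if pos + 4 * field_count > end:
                    raise ValueError("truncated template record")
                fields = [struct.unpack("!HH", packet[pos + 4 * i:pos + 4 * i + 4])
                          for i in range(field_count)]
                pos += 4 * field_count
                templates[template_id] = fields
        offset = end
    return templates


def missing_fields(fields):
    """Field type IDs from REQUIRED that the template does not carry."""
    present = {ftype for ftype, _ in fields}
    return sorted(f for f in REQUIRED if f not in present)


def check_packet(packet):
    """Map each template ID in the packet to the names of its missing elements."""
    return {tid: [FIELD_NAMES[f] for f in missing_fields(fields)]
            for tid, fields in parse_v9_templates(packet).items()}


# Constructed templates: roughly what the question's record exports (no
# timestamps) and the same record after the answer's two collect lines.
BEFORE_FIELDS = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (L4_SRC_PORT, 2),
                 (L4_DST_PORT, 2), (IN_BYTES, 4), (IN_PKTS, 4)]
AFTER_FIELDS = BEFORE_FIELDS + [(FIRST_SWITCHED, 4), (LAST_SWITCHED, 4)]

if __name__ == "__main__":
    for label, fields in (("before fix", BEFORE_FIELDS), ("after fix", AFTER_FIELDS)):
        report = check_packet(build_v9_template_packet(256, fields))
        for tid, missing in report.items():
            print(f"{label}: template {tid} missing {missing or 'nothing'}")
```

Run against a real exporter by feeding it the UDP payload captured on the collector's port (9995 in the question's configuration); any template that reports FIRST_SWITCHED or LAST_SWITCHED as missing will produce the epoch-zero dates seen above, regardless of what the collector does with them.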