
What version are my NetFlows?

I have an appliance that is exporting NetFlow to my NetFlow collector. My collector is collecting with nfcapd. The only information I can find is that nfcapd will capture different NetFlow versions "transparently".

My network appliance doesn't tell me in what version it is exporting flows. I need to explore a different NetFlow collector so I'm trying to get an idea of my requirements.

I could contact the vendor of the network appliance but I have several appliances exporting NetFlow so I would prefer to check on the collector end what version these flows are. Is there a way to do this with nfsen/nfcapd/nfdump tools? I'm not having any luck.

harperville

1 Answer


There are really only two versions that it's likely to be: NetFlow v5 or NetFlow v9 (IPFIX is essentially v9). The version number is included in the datagram, so the easiest way to find out which version it's exporting is to sniff the traffic in something like Wireshark, which will list the traffic as CFLOW. The first two bytes in each datagram will be the version number.

John Murphy
  • That was helpful. I am not sure where to see CFLOW but I did go to the "Data" and saw "00 09" in the first two bytes. Where would I see the CFLOW info? – harperville Oct 11 '13 at 14:22
  • 1
    Since you're seeing NetFlow 9, you're going to need a long enough trace that a Template datagram comes through -- that will tell Wireshark how to interpret the other datagrams. ("CFLOW" is just how Wireshark labels NetFlow. Not sure why.) – John Murphy Oct 11 '13 at 14:29
  • CFLOW as Cisco Flow? It originally came from Cisco. – L.R. Nov 05 '18 at 08:13
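As an added example that is not part of the original thread, the script below does on the collector side what the answer and comments describe: it reads the two-byte big-endian version field at the front of each datagram and, for v9 or IPFIX (version 10), walks the FlowSets to report whether a template was included, since data records cannot be decoded until one arrives. The datagrams in it are constructed by hand for the demonstration; `listen()` binds to UDP port 2055, which is an assumed collector port, and is only called when you ask for it.

```python
"""Report the NetFlow/IPFIX export version of raw UDP datagrams.

Added example, not code from the original thread. Sample datagrams are
constructed inline; layouts follow the public NetFlow v5/v9 and IPFIX headers.
"""
import socket
import struct

VERSION_NAMES = {1: "NetFlow v1", 5: "NetFlow v5", 7: "NetFlow v7",
                 9: "NetFlow v9", 10: "IPFIX"}
V9_HEADER_LEN = 20     # version, count, sysUptime, unix_secs, sequence, source_id
IPFIX_HEADER_LEN = 16  # version, length, export_time, sequence, observation_domain
# FlowSet/Set ID that carries ordinary templates: 0 in v9, 2 in IPFIX.
TEMPLATE_SET_ID = {9: 0, 10: 2}


def netflow_version(datagram: bytes) -> int:
    """Every NetFlow/IPFIX datagram starts with the version as a big-endian uint16."""
    if len(datagram) < 2:
        raise ValueError("datagram too short to carry a version field")
    return struct.unpack("!H", datagram[:2])[0]


def describe_version(datagram: bytes) -> str:
    v = netflow_version(datagram)
    return VERSION_NAMES.get(v, f"unknown version {v}")


def template_ids(datagram: bytes) -> list[int]:
    """Template IDs defined in a v9/IPFIX datagram; [] for v5 or data-only datagrams."""
    v = netflow_version(datagram)
    if v not in TEMPLATE_SET_ID:
        return []  # v5 and earlier use fixed record formats, no templates
    offset = V9_HEADER_LEN if v == 9 else IPFIX_HEADER_LEN
    found = []
    while offset + 4 <= len(datagram):
        set_id, set_len = struct.unpack("!HH", datagram[offset:offset + 4])
        if set_len < 4 or offset + set_len > len(datagram):
            raise ValueError(f"malformed FlowSet length {set_len} at offset {offset}")
        if set_id == TEMPLATE_SET_ID[v]:
            pos, end = offset + 4, offset + set_len
            # Template record: template_id(2) field_count(2) then field_count x (type(2) len(2))
            while pos + 4 <= end:
                tid, field_count = struct.unpack("!HH", datagram[pos:pos + 4])
                if tid == 0:
                    break  # zero padding at the end of the FlowSet
                found.append(tid)
                pos += 4
                for _ in range(field_count):
                    ie_type = struct.unpack("!H", datagram[pos:pos + 2])[0]
                    pos += 4
                    if v == 10 and ie_type & 0x8000:
                        pos += 4  # IPFIX enterprise-specific IE carries a 4-byte PEN
        offset += set_len
    return found


# Constructed sample datagrams (not captured traffic).
def _v5_datagram() -> bytes:
    header = struct.pack("!HHIIIIBBH", 5, 1, 123456, 1381500000, 0, 1, 0, 0, 0)
    return header + bytes(48)  # one zeroed 48-byte v5 flow record


def _v9_template_datagram() -> bytes:
    header = struct.pack("!HHIIII", 9, 2, 123456, 1381500000, 1, 0)
    # Template 256: IPV4_SRC_ADDR (type 8, 4 bytes) and IPV4_DST_ADDR (type 12, 4 bytes)
    template = struct.pack("!HHHHHH", 256, 2, 8, 4, 12, 4)
    template_set = struct.pack("!HH", 0, 4 + len(template)) + template
    record = bytes([10, 0, 0, 1, 10, 0, 0, 2])  # 10.0.0.1 -> 10.0.0.2
    data_set = struct.pack("!HH", 256, 4 + len(record)) + record
    return header + template_set + data_set


def _v9_data_only_datagram() -> bytes:
    header = struct.pack("!HHIIII", 9, 1, 123457, 1381500001, 2, 0)
    record = bytes([10, 0, 0, 1, 10, 0, 0, 2])
    return header + struct.pack("!HH", 256, 4 + len(record)) + record


def _ipfix_template_datagram() -> bytes:
    template = struct.pack("!HHHHHH", 300, 2, 8, 4, 12, 4)
    template_set = struct.pack("!HH", 2, 4 + len(template)) + template
    header = struct.pack("!HHIII", 10, IPFIX_HEADER_LEN + len(template_set), 1381500000, 1, 0)
    return header + template_set


def listen(port: int = 2055, max_datagrams: int = 5) -> None:
    """Bind the (assumed) collector port and classify the first few datagrams.
    Only one process can own the port, so stop nfcapd or feed this a mirrored copy."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("", port))
        for _ in range(max_datagrams):
            data, (src, _) = s.recvfrom(65535)
            print(f"{src}: {describe_version(data)}, templates={template_ids(data)}")


if __name__ == "__main__":
    for name, dg in [("v5", _v5_datagram()), ("v9+template", _v9_template_datagram()),
                     ("v9 data only", _v9_data_only_datagram()),
                     ("ipfix", _ipfix_template_datagram())]:
        print(f"{name:13s} bytes 0-1 = {dg[:2].hex()}  ->  {describe_version(dg)}, "
              f"templates={template_ids(dg)}")
```

The first two bytes alone answer the original question (`00 05` is v5, `00 09` is v9, `00 0a` is IPFIX); the template walk is there because, as the comment notes, a v9 or IPFIX capture is only useful to a decoder once a template has been seen, so a short capture with an empty template list means keep capturing. Wireshark exposes the same version field as `cflow.version`, which is a quicker check when the port is already owned by nfcapd.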