No flow data to search, but data being accepted from Meraki
Posted: Mon Jun 20, 2016 7:35 am
by eloyd
I'm posting things in the General Support to see if I can reach a broader audience with this issue.
I have a stock NNA 2.2.1 install, nothing special. I have a Cisco Meraki device that is supposedly sending netflow data to NNA, both devices on the same network. NNA sees the data and sticks it into rrd, but there is no flow data for me to search. It's weird. Screenshots attached.
dashboard.jpg
query.jpg
Re: No flow data to search, but data being accepted from Mer
Posted: Mon Jun 20, 2016 1:39 pm
by tgriep
Can you post 2 or 3 nfcapd files from your NA system?
They should be in this folder.
Code:
/usr/local/nagiosna/var/Bitnetix/flows/
Can you run this from a root shell on the NA server and email it back?
Code:
ls -l /usr/local/nagiosna/var/Bitnetix/flows/
Re: No flow data to search, but data being accepted from Mer
Posted: Mon Jun 20, 2016 2:02 pm
by eloyd
Yah, I'm guessing we're going to do what I've already done, but I'll play along.
Code:
ls -l /usr/local/nagiosna/var/Bitnetix/flows/ | wc
210 1883 13596
# ls -lrta | tail -5
-rw-r--r--+ 1 nna nnacmd 20420 Jun 20 14:55 nfcapd.201606201450
-rw-r--r--+ 1 nna nnacmd 276 Jun 20 15:00 nfcapd.current.1445
-rw-r--r--+ 1 nna nnacmd 21694 Jun 20 15:00 nfcapd.201606201455
-rw-r--r--+ 1 nna nnacmd 107 Jun 20 15:00 .nfstat
drwxrwsr-x+ 2 nna nnacmd 12288 Jun 20 15:01 .
They're definitely being created. The oldest one is from last night at 21:45 when I was blowing away and recreating the source. Most recent one is "now." No real point in emailing a list of 210+ files, is there?

Re: No flow data to search, but data being accepted from Mer
Posted: Mon Jun 20, 2016 2:38 pm
by bwallace
A shot in the dark of sorts, but I was digging into this and found the following statement in the Meraki documentation a bit suspicious:
<other product>... ignores NetFlow packets that do not contain either an SNMP ingress or egress interface index. Support for exporting an SNMP ingress or egress interface index via NetFlow is available in beta.
https://documentation.meraki.com/MX-Z/M ... rWinds_NTA
Might this apply to NA? I'm assuming NA is expecting an index for the ingress and egress interfaces if this is there by default in Netflow v9. Just throwing this out there.....
Re: No flow data to search, but data being accepted from Mer
Posted: Tue Jun 21, 2016 10:37 am
by eloyd
*sigh* I just independently confirmed this through a different line of research. In the end, Meraki's netflow implementation is sub-par and, while it conforms to standards, does not fully comply. As such, the data is useless for NNA. A great dissection of this is available at
https://www.plixer.com/blog/netflow-rep ... w-support/
Time to bitch at Meraki.
Re: No flow data to search, but data being accepted from Mer
Posted: Tue Jun 21, 2016 10:58 am
by bwallace
So my suspicions are confirmed - Aha! Thanks for the helpful link and good luck talking to Meraki. I'll lock this thread now.
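The check discussed in this thread, as an added example that is not code from any poster, Nagios or Meraki: it parses the template FlowSet of a NetFlow v9 export packet and reports whether each template carries the SNMP ingress and egress interface index fields. It assumes the RFC 3954 v9 layout (field types 10 and 14); the function names and the sample packets are constructed for illustration.

```python
import struct

# Field type numbers from the NetFlow v9 specification (RFC 3954).
INPUT_SNMP, OUTPUT_SNMP = 10, 14

def parse_v9_templates(packet: bytes) -> dict:
    """Return {template_id: [field_type, ...]} for one v9 export packet."""
    version, _count = struct.unpack_from("!HH", packet, 0)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    templates, offset = {}, 20              # the v9 packet header is 20 bytes
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack_from("!HH", packet, offset)
        if length < 4 or offset + length > len(packet):
            raise ValueError("truncated or malformed flowset")
        if flowset_id == 0:                 # FlowSet ID 0 carries template records
            pos, end = offset + 4, offset + length
            while pos + 4 <= end:
                template_id, field_count = struct.unpack_from("!HH", packet, pos)
                if template_id < 256:       # template IDs start at 256; this is padding
                    break
                pos += 4
                if pos + 4 * field_count > end:
                    raise ValueError("template record overruns flowset")
                fields = struct.unpack_from(f"!{2 * field_count}H", packet, pos)
                templates[template_id] = list(fields[0::2])  # keep types, drop lengths
                pos += 4 * field_count
        offset += length
    return templates

def missing_interface_fields(packet: bytes) -> dict:
    """Map template_id -> names of the interface-index fields that template lacks."""
    wanted = {INPUT_SNMP: "INPUT_SNMP", OUTPUT_SNMP: "OUTPUT_SNMP"}
    return {tid: [name for ftype, name in wanted.items() if ftype not in types]
            for tid, types in parse_v9_templates(packet).items()}

def build_packet(template_id: int, field_types: list) -> bytes:
    """Constructed sample: one v9 packet with a single template (all lengths 4)."""
    record = struct.pack("!HH", template_id, len(field_types))
    record += b"".join(struct.pack("!HH", t, 4) for t in field_types)
    flowset = struct.pack("!HH", 0, 4 + len(record)) + record
    return struct.pack("!HHIIII", 9, 1, 0, 0, 0, 0) + flowset

# Constructed templates: addresses, ports, protocol, byte and packet counters,
# first without and then with the two interface index fields.
WITHOUT_IFINDEX = build_packet(256, [8, 12, 7, 11, 4, 1, 2])
WITH_IFINDEX = build_packet(257, [8, 12, 7, 11, 4, 1, 2, 10, 14])

if __name__ == "__main__":
    print(missing_interface_fields(WITHOUT_IFINDEX))
    print(missing_interface_fields(WITH_IFINDEX))
```

To use it on real traffic, pass the UDP payload of an export packet from the device; v9 exporters resend templates periodically, so a packet that holds only data FlowSets returns an empty result.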