info Netflow v9 and NNA

[alopera]

I am working with Netflow v9 in Cisco Swichs and NNA.

Is possible doing a query know the follow info of a flow?

- source MAC, destination MAC
- input interface of switch, output interface of switch

[alopera]

I see this example:

flow record MAC_RECORD
match datalink mac source address input
match datalink mac destination address input
match ipv4 protocol
match ipv4 source address
match ipv4 source mask
match ipv4 destination address
match ipv4 destination mask
match transport source-port
match transport destination-port
match interface input
match interface output
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last

[alopera]

so... maybe NNA does not work with these fields (MAC and interface) but if you use nfdump commands you can extract this information

Is true?

[tgriep]

If you can get the Cisco Switch to send the information to the NNA server, the nfcapd daemons should capture the information.
Then, to get a RAW, CSV output of the data, you could run this command on one of the nfcapd files.

Code: Select all

nfdump -r nfcapd.202002101005 -o raw -o csv

For more options, see these links.
http://manpages.ubuntu.com/manpages/xen ... ump.1.html
http://nfdump.sourceforge.net/
https://blog.programster.org/nfdump-cheatsheet

[alopera]

I have configured switch Cisco for send Netflow with field MAC address.
I have checked that the switch send flows with MAC.
Is possible store MAC address in flows of NNA / nfcapd?

[tgriep]

I do not have access to a Cisco Device to test your configuration example.
I suggest adding those options to the Cisco test device and send the data to the NNA server, then run the nfdump command with the raw option and see if the data is there.
From what I read, as long as the flow data is correct and has the data, you should be able dump it with the -raw option.