1. Log into a PuTTY session on the RedHat Harvester as root, or use `sudo su`.
2. Install Wireshark by running the install command and following the prompts (requires access to the internet or a local yum repository).
3. Find the name of the NIC that NetFlow data is being sent to by running `ifconfig`; in the example it is ens33. This name is used in the tshark `-i` switch in the commands below.
4. To capture all NetFlow traffic coming into the harvester, run the command below, using the name of your NIC in the `-i` flag:

   ```sh
   tshark -f "port 9995" -i ens33 -F pcap -w /tmp/netflow.pcap
   ```

5. To filter to a specific router, use a similar command and specify the IP address of the router in the host filter.
6. Allow the capture to run for at least 5 minutes; to stop it, press Ctrl+C.
7. Move the file via WinSCP or FileZilla to a Windows computer that has Wireshark installed, and open the file.
8. Click the + sign, change the drop-down menu to "Destination (->9995)", select "CFLOW" on the right, and click OK.
9. Note: if this is sFlow data, decode as SFLOW instead of CFLOW.
10. Verify that there is a template and that the flows have been decoded by expanding the line that reads "Cisco Netflow/IPFIX" and checking that Flows are listed below it. If no template was captured, you will not be able to see the flows below this and will instead see the message "No Template Found". If this is the case, you will need to get a longer pcap in order to capture the template.
11. To find the datagram that carries the NetFlow template, enter `cflow.template_id` in the Filter field; this filters down to only the datagrams that contain a NetFlow template. Here you can check whether the required NetFlow fields are being sent in the template.
12. If you expand the section that says "Template (ID = ...)", you can see the list of fields being sent and match them up with the required fields from above.
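The template check that steps 10 to 12 perform by hand in Wireshark, as an added example in Python that is not part of the original page: it walks NetFlow v9 datagrams in capture order, flags data FlowSets whose template has not been seen yet (Wireshark's "No Template Found") and lists which required field types each template lacks. Field type numbers come from RFC 3954; the sample datagrams are constructed, and the set of "required fields" passed in is an assumption, since the page refers to a list that is not reproduced here.

```python
import struct
# NetFlow v9 field type numbers from RFC 3954, used to name template fields.
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}

def parse_flowsets(datagram):
    """Return the templates defined in one v9 export and the template ids its data FlowSets use."""
    if struct.unpack("!H", datagram[:2])[0] != 9:
        raise ValueError("not a NetFlow v9 datagram")
    templates, data_sets, off = {}, [], 20  # FlowSets start after the 20-byte header
    while off + 4 <= len(datagram):
        fs_id, fs_len = struct.unpack("!HH", datagram[off:off + 4])
        if fs_len < 4: raise ValueError("bad FlowSet length")
        body = datagram[off + 4:off + fs_len]
        if fs_id == 0:  # template FlowSet: (template id, field count, (type, length)*)
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                templates[tid] = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                                  for i in range(nfields)]
                pos += 4 * nfields
        elif fs_id >= 256:  # data FlowSet: its id names the template it was encoded with
            data_sets.append(fs_id)
        off += fs_len
    return templates, data_sets

def check_capture(datagrams, required):
    """Walk datagrams in capture order, as Wireshark does: list data FlowSets whose template
    has not been seen yet ("No Template Found") and the required field types each template lacks."""
    known, orphans, missing = {}, [], {}
    for dg in datagrams:
        templates, data_sets = parse_flowsets(dg)
        known.update(templates)
        orphans += [tid for tid in data_sets if tid not in known]
        for tid, fields in templates.items():
            present = {ftype for ftype, _length in fields}
            missing[tid] = sorted(FIELD_NAMES.get(t, str(t)) for t in required - present)
    return orphans, missing

# Constructed sample (not real traffic): packet 1 has only data for template 257; packet 2 defines template 256 and sends one record.
def v9_packet(seq, flowsets):
    body = b"".join(struct.pack("!HH", fid, 4 + len(fs)) + fs for fid, fs in flowsets)
    return struct.pack("!HHIIII", 9, len(flowsets), 1000, 1700000000, seq, 1) + body

TEMPLATE_256 = struct.pack("!HH", 256, 6) + b"".join(
    struct.pack("!HH", t, l) for t, l in [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4)])
RECORD_256 = struct.pack("!4s4sHHBI", b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", 443, 51000, 6, 1500)
SAMPLE = [v9_packet(1, [(257, b"\x00" * 16)]),
          v9_packet(2, [(0, TEMPLATE_256), (256, RECORD_256 + b"\x00" * 3)])]  # padded to 4 bytes
```

Running `check_capture(SAMPLE, {1, 2, 4, 7, 8, 11, 12})` reports template 257 as orphaned (the same situation that calls for a longer pcap in step 10) and IN_PKTS as the one required field missing from template 256.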