Revision history
Meraki Netflow 9 template / analysis mismatch
Hi All, I have a capture of NetFlow data from a Meraki MX device that shows a template as follows:
Template (Id = 5206, Count = 13)
Template Id: 5206
Field Count: 13
Field (1/13): IP_SRC_ADDR
Type: IP_SRC_ADDR (8)
Length: 4
......
Field (5/13): BYTES
Type: BYTES (1)
Length: 4
Field (6/13): OUT_BYTES
Type: OUT_BYTES (23)
Length: 4
Field (7/13): PKTS
Type: PKTS (2)
Length: 4
Field (8/13): OUT_PKTS
Type: OUT_PKTS (24)
Length: 4
Field (9/13): PROTOCOL
Type: PROTOCOL (4)
Length: 1
Oddly, when I look at the following NetFlow record, field 6 shows as postOctet and field 8 shows as postPacket. The template and NetFlow record look to be aligned, but this is what I see in the flow itself:
Flow 2
SrcAddr: 192.168.100.226
DstAddr: 172.217.4.46
SrcPort: 53791
DstPort: 443
Octets: 3113
> Post Octets: 400
Packets: 5
> Post Packets: 3
Protocol: TCP (6)
InputInt: 33
OutputInt: 0
[Duration: 0.228000000 seconds (switched)]
StartTime: 438933.466000000 seconds
EndTime: 438933.694000000 seconds
Anyone have any thoughts on the reason for the discrepancy?
thanks /d
Meraki Netflow 9 template / analysis mismatch
Hi All, I have a capture of NetFlow data from a Meraki MX device that shows a template as follows:
Template (Id = 5206, Count = 13)
Template Id: 5206
Field Count: 13
Field (1/13): IP_SRC_ADDR
Type: IP_SRC_ADDR (8)
Length: 4
......
Field (5/13): BYTES
Type: BYTES (1)
Length: 4
Field (6/13): OUT_BYTES
Type: OUT_BYTES (23)
Length: 4
Field (7/13): PKTS
Type: PKTS (2)
Length: 4
Field (8/13): OUT_PKTS
Type: OUT_PKTS (24)
Length: 4
Field (9/13): PROTOCOL
Type: PROTOCOL (4)
Length: 1
Oddly, when I look at the following NetFlow record, field 6 shows as postOctet and field 8 shows as postPacket. The template and NetFlow record look to be aligned, but this is what I see in the flow itself:
Frame 57: 312 bytes on wire (2496 bits), 312 bytes captured (2496 bits)
Ethernet II, Src: CiscoMer_3f:df:20 (88:15:44:3f:df:20), Dst: Giga-Byt_33:14:23 (b4:2e:99:33:14:23)
Internet Protocol Version 4, Src: 192.168.100.1, Dst: 192.168.1.50
User Datagram Protocol, Src Port: 5557, Dst Port: 2055
Source Port: 5557
Destination Port: 2055
Length: 278
Checksum: 0x2d01 [unverified]
[Checksum Status: Unverified]
[Stream index: 1]
[Timestamps]
Cisco NetFlow/IPFIX
Version: 9
Count: 6
SysUptime: 438933.000000000 seconds
Timestamp: Sep 28, 2020 21:50:38.000000000 EDT
CurrentSecs: 1601344238
FlowSequence: 134586
SourceId: 0
FlowSet 1 [id=5206] (6 flows)
FlowSet Id: (Data) (5206)
FlowSet Length: 250
[Template Frame: 4]
Flow 1
Flow 2
SrcAddr: 192.168.100.226
DstAddr: 172.217.4.46
SrcPort: 53791
DstPort: 443
Octets: 3113
> Post Octets: 400
Packets: 5
> Post Packets: 3
Protocol: TCP (6)
InputInt: 33
OutputInt: 0
[Duration: 0.228000000 seconds (switched)]
StartTime: 438933.466000000 seconds
EndTime: 438933.694000000 seconds
Flow 3
SrcAddr: 192.168.100.226
DstAddr: 192.168.100.1
SrcPort: 42
DstPort: 0
Octets: 0
Post Octets: 0
Packets: 0
Post Packets: 0
Protocol: ICMP (1)
InputInt: 33
OutputInt: 9
[Duration: 1.840000000 seconds (switched)]
StartTime: 438931.658000000 seconds
EndTime: 438933.498000000 seconds
Flow 4
SrcAddr: 192.168.100.226
DstAddr: 172.217.4.46
SrcPort: 53787
DstPort: 443
Octets: 4431
Post Octets: 2056
Packets: 17
Post Packets: 23
Protocol: TCP (6)
InputInt: 33
OutputInt: 0
[Duration: 2.060000000 seconds (switched)]
StartTime: 438931.278000000 seconds
EndTime: 438933.338000000 seconds
Flow 5
SrcAddr: 192.168.100.226
DstAddr: 172.217.212.102
SrcPort: 53790
DstPort: 443
Octets: 1421
Post Octets: 3291
Packets: 12
Post Packets: 19
Protocol: TCP (6)
InputInt: 33
OutputInt: 0
[Duration: 0.660000000 seconds (switched)]
StartTime: 438932.470000000 seconds
EndTime: 438933.130000000 seconds
Flow 6
SrcAddr: 192.168.100.5
DstAddr: 35.190.244.216
SrcPort: 59425
DstPort: 4070
Octets: 63
Post Octets: 52
Packets: 2
Post Packets: 3
Protocol: TCP (6)
InputInt: 33
OutputInt: 0
[Duration: 9720.918000000 seconds (switched)]
StartTime: 429211.988000000 seconds
EndTime: 438932.906000000 seconds
Anyone have any thoughts on the reason for the discrepancy?
thanks /d
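The following is an added worked example, not code from the question or from Meraki or Wireshark. It builds a constructed NetFlow v9 export packet (template FlowSet plus one data record carrying the "Flow 2" values above), parses it the way a collector does, and lines each template field up with its RFC 3954 name, its IPFIX information element name and the label Wireshark prints. The field numbers 1, 2, 4, 23 and 24 and their names are the standard registry values; the template is only modelled on the dump in the question, so fields 2-4 and 10-13 (DstAddr, ports, interfaces, start and end) are assumptions inferred from the decoded record and are not taken from the capture. What the mapping shows is that type 23 is called OUT_BYTES in v9 terms and postOctetDeltaCount in IPFIX terms, so a template listing OUT_BYTES and a record showing "Post Octets" refer to the same element; it also recomputes the 0.228 s duration from the two sysUpTime fields so the alignment can be checked numerically.

```python
import socket
import struct

# NetFlow v9 field type (RFC 3954) -> (v9 name, IPFIX element name, Wireshark label).
# Types 23/24 are the ones the question asks about: OUT_BYTES/OUT_PKTS in v9
# terms are postOctetDeltaCount/postPacketDeltaCount in IPFIX terms.
FIELD_TYPES = {
    1:  ("IN_BYTES",       "octetDeltaCount",          "Octets"),
    2:  ("IN_PKTS",        "packetDeltaCount",         "Packets"),
    4:  ("PROTOCOL",       "protocolIdentifier",       "Protocol"),
    7:  ("L4_SRC_PORT",    "sourceTransportPort",      "SrcPort"),
    8:  ("IPV4_SRC_ADDR",  "sourceIPv4Address",        "SrcAddr"),
    10: ("INPUT_SNMP",     "ingressInterface",         "InputInt"),
    11: ("L4_DST_PORT",    "destinationTransportPort", "DstPort"),
    12: ("IPV4_DST_ADDR",  "destinationIPv4Address",   "DstAddr"),
    14: ("OUTPUT_SNMP",    "egressInterface",          "OutputInt"),
    21: ("LAST_SWITCHED",  "flowEndSysUpTime",         "EndTime"),
    22: ("FIRST_SWITCHED", "flowStartSysUpTime",       "StartTime"),
    23: ("OUT_BYTES",      "postOctetDeltaCount",      "Post Octets"),
    24: ("OUT_PKTS",       "postPacketDeltaCount",     "Post Packets"),
}
IPV4_FIELDS = {8, 12}

# Constructed 13-field template 5206: fields 1 and 5-9 are the ones visible in the
# question; fields 2-4 and 10-13 are ASSUMED from the decoded record, not the capture.
TEMPLATE_5206 = [(8, 4), (12, 4), (7, 2), (11, 2),
                 (1, 4), (23, 4), (2, 4), (24, 4), (4, 1),
                 (10, 4), (14, 4), (22, 4), (21, 4)]


def build_export_packet():
    """Constructed v9 packet: header, template FlowSet (id 0), one data FlowSet (5206)."""
    tmpl = struct.pack("!HH", 5206, len(TEMPLATE_5206))
    tmpl += b"".join(struct.pack("!HH", t, l) for t, l in TEMPLATE_5206)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    rec = (socket.inet_aton("192.168.100.226") + socket.inet_aton("172.217.4.46")
           + struct.pack("!HH", 53791, 443)
           + struct.pack("!IIII", 3113, 400, 5, 3)       # bytes, out_bytes, pkts, out_pkts
           + struct.pack("!B", 6)                        # TCP
           + struct.pack("!II", 33, 0)                   # input / output ifIndex
           + struct.pack("!II", 438933466, 438933694))   # first / last switched, sysUpTime ms
    rec += b"\x00" * (-len(rec) % 4)                     # pad the FlowSet to a 4-byte boundary
    data_fs = struct.pack("!HH", 5206, 4 + len(rec)) + rec
    # header: version, record count (template + 1 data record), sysUpTime ms, unix secs, seq, source id
    header = struct.pack("!HHIIII", 9, 2, 438933000, 1601344238, 134586, 0)
    return header + tmpl_fs + data_fs


def _decode(ftype, raw):
    if ftype in IPV4_FIELDS and len(raw) == 4:
        return socket.inet_ntoa(raw)
    return int.from_bytes(raw, "big")


def parse_export_packet(packet):
    """Return (templates, records): templates {id: [(type, len), ...]}, records
    [(template id, {field type: value})]. Data FlowSets need their template first."""
    version = struct.unpack("!H", packet[:2])[0]
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    templates, records, off = {}, [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4:
            raise ValueError("bad FlowSet length")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:                                   # template FlowSet
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                if nfields == 0:                         # trailing padding
                    break
                templates[tid] = [struct.unpack("!HH", body[p + 4 + 4 * i:p + 8 + 4 * i])
                                  for i in range(nfields)]
                p += 4 + 4 * nfields
        elif fs_id >= 256:                               # data FlowSet
            fields = templates.get(fs_id)
            if fields is None:
                raise KeyError("data FlowSet %d arrived before its template" % fs_id)
            rec_len = sum(l for _, l in fields)
            p = 0
            while p + rec_len <= len(body):              # stop at padding
                rec = {}
                for ftype, flen in fields:
                    rec[ftype] = _decode(ftype, body[p:p + flen])
                    p += flen
                records.append((fs_id, rec))
        off += fs_len
    return templates, records


def describe(template_id, templates, rec):
    """(field no., type, v9 name, IPFIX name, Wireshark label, value) in template order."""
    rows = []
    for n, (ftype, _) in enumerate(templates[template_id], start=1):
        v9, ipfix, label = FIELD_TYPES.get(ftype, ("UNKNOWN", "unknown", "?"))
        rows.append((n, ftype, v9, ipfix, label, rec[ftype]))
    return rows


def duration_seconds(rec):
    """Duration as Wireshark derives it: LAST_SWITCHED - FIRST_SWITCHED (ms) / 1000."""
    return (rec[21] - rec[22]) / 1000.0


if __name__ == "__main__":
    templates, records = parse_export_packet(build_export_packet())
    fs_id, rec = records[0]
    for row in describe(fs_id, templates, rec):
        print("Field (%d/13): type %d %s = %s, shown as '%s': %s" % row)
    print("Duration: %.3f seconds" % duration_seconds(rec))
```

Run stand-alone it prints one line per template field; the row for field 6 reads type 23, OUT_BYTES = postOctetDeltaCount, shown as 'Post Octets': 400, and field 8 likewise pairs OUT_PKTS with postPacketDeltaCount and the value 3. A collector that keys on the numeric type rather than on either name sees no mismatch; the same check is a useful sanity test before trusting per-direction byte counts from any exporter.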