Submit a ticketCall us

Training ClassSign up for Network Performance Monitor (NPM) and Scalability instructor-led classes

Attend our instructor-led classes, provided by SolarWinds® Academy, to discuss the more advanced monitoring mechanisms available in NPM as well as how to tune your equipment to optimize its polling capabilities. NPM classes offered:
NPM Custom Monitoring and Polling
Orion Platform Scalability

Reserve your seat.

Home > Success Center > Netflow Traffic Analyzer (NTA) > NTA - Knowledgebase Articles > NTA - Netflow v5 Wireshark packet capture

NTA - Netflow v5 Wireshark packet capture

Table of contents
Created by Joseph Esquitin, last modified by Erin Stenzel on Jun 30, 2016

Views: 3,485 Votes: 0 Revisions: 6


The information below describes how to read a Netflow v5 Wireshark capture.  This can be useful when troubleshooting an issue where a customer is questioning the data being displayed in the charts.  For example: Endpoints, Application port numbers and Endpoint conversations to name a few.



  • Windows server
  • Cisco devices exporting Netflow v5
  • Wireshark ( any version)





  • Launch Wireshark from the Solarwinds server where Netflow is installed
  • Start the capture
  • Filter the capture to only dislplay Netflow data ( See below CFLOW) and press 'Apply'






  • A couple of things to notice to easily find the Netflow version being exported.  To the far right of the flow packet the Netflow version is displayed.  Flows are displayed as PDU.  Each PDU contains one conversion





Expand the PDU to view the flow data included in each flow.


  • Netflow v5 is not template based. 
  • All required fields are always included in the flow data.
  • Either the InputInt or OutputInt field must contain a valid interface index value for the flow to be processed
  • Either the SrcPort or DstPort field must contain a valid application port number in order for the flow to be processed




Using a capture filter will only capture data for that specific device and will allow Wireshark to capture all flows that we need to investigate:




Note: Always save the capture as a PCAP.




Last modified