
NTA - Netflow v5 Wireshark packet capture

Created by Joseph Esquitin, last modified by Erin Stenzel on Jun 30, 2016


Overview

The information below describes how to read a Netflow v5 Wireshark capture. This is useful when troubleshooting an issue where a customer questions the data displayed in the NTA charts, for example the endpoints, application port numbers or endpoint conversations shown. The capture lets you compare what the exporter actually sent with what NTA reports.

Environment

  • Windows server
  • Cisco devices exporting Netflow v5
  • Wireshark (any version)

Detail

  • Launch Wireshark on the SolarWinds server where Netflow (NTA) is installed.
  • Start the capture on the interface that receives the exported flows.
  • Filter the capture to display only Netflow data by entering the display filter cflow and pressing 'Apply'.

  • A couple of things to notice to easily find the Netflow version being exported: to the far right of each flow packet, in the Info column, the Netflow version is displayed. Flows are displayed as PDUs, and each PDU contains one flow record, that is, a single unidirectional conversation between a source and a destination.

Expand a PDU to view the flow fields contained in that record.

  • Netflow v5 is not template based.
  • All required fields are always included in the flow data, in a fixed layout, so every PDU can be read the same way.
  • Either the InputInt or OutputInt field must contain a valid interface index value for NTA to process the flow.
  • Either the SrcPort or DstPort field must contain a valid application port number for NTA to process the flow.
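The following decoder is an added example, not SolarWinds code and not part of the original article. It walks a Netflow v5 export the same way Wireshark's cflow dissector does (24-byte header, then fixed 48-byte PDUs), reads the version field described above, and applies the two interface and port requirements listed above to each record. The packet bytes are constructed in the script, and treating an interface index of 0 or a port of 0 as "not valid" is an assumption about what those requirements mean in practice.

```python
"""Decode a Netflow v5 export the way Wireshark's cflow dissector lays it out.

Added example, not SolarWinds code. The packet bytes are constructed below,
and treating ifIndex 0 / port 0 as "invalid" is an assumption about what the
article means by a valid interface index or application port.
"""
import socket
import struct
from dataclasses import dataclass

# Fixed v5 layout: 24-byte header, then up to 30 records of 48 bytes each.
# Everything is network byte order.
HEADER_FMT = "!HHIIIIBBH"
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48
MAX_RECORDS = 30


@dataclass
class FlowRecord:
    srcaddr: str
    dstaddr: str
    nexthop: str
    input_if: int      # InputInt: SNMP ifIndex of the ingress interface
    output_if: int     # OutputInt: SNMP ifIndex of the egress interface
    packets: int
    octets: int
    first: int         # sysUptime (ms) at the first packet of the flow
    last: int          # sysUptime (ms) at the last packet of the flow
    srcport: int
    dstport: int
    tcp_flags: int
    protocol: int
    tos: int
    src_as: int
    dst_as: int
    src_mask: int
    dst_mask: int


def parse_netflow_v5(payload: bytes):
    """Parse the UDP payload of one export packet into (header, records)."""
    if len(payload) < HEADER_LEN:
        raise ValueError("payload shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
     engine_type, engine_id, sampling) = struct.unpack_from(HEADER_FMT, payload, 0)
    # The version field is the first thing to check: a v9 or IPFIX exporter
    # shows 9 or 10 here and sends templates instead of fixed records.
    if version != 5:
        raise ValueError(f"not a Netflow v5 export (version field = {version})")
    if count > MAX_RECORDS:
        raise ValueError(f"count {count} exceeds the v5 maximum of {MAX_RECORDS}")
    if len(payload) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("payload length does not match the header count")
    header = {
        "version": version, "count": count, "sys_uptime": sys_uptime,
        "unix_secs": unix_secs, "unix_nsecs": unix_nsecs,
        "flow_sequence": flow_sequence, "engine_type": engine_type,
        "engine_id": engine_id, "sampling_interval": sampling,
    }
    records = []
    for i in range(count):
        (src, dst, nh, inp, outp, pkts, octs, first, last, sport, dport,
         _pad1, flags, proto, tos, sas, das, smask, dmask, _pad2) = struct.unpack_from(
            RECORD_FMT, payload, HEADER_LEN + i * RECORD_LEN)
        records.append(FlowRecord(
            socket.inet_ntoa(src), socket.inet_ntoa(dst), socket.inet_ntoa(nh),
            inp, outp, pkts, octs, first, last, sport, dport,
            flags, proto, tos, sas, das, smask, dmask))
    return header, records


def unprocessable_reasons(rec: FlowRecord) -> list:
    """Apply the two requirements from the list above; [] means the flow is usable."""
    reasons = []
    if rec.input_if == 0 and rec.output_if == 0:
        reasons.append("neither InputInt nor OutputInt carries a non-zero ifIndex")
    if rec.srcport == 0 and rec.dstport == 0:
        reasons.append("neither SrcPort nor DstPort carries a non-zero port")
    return reasons


def build_sample_packet() -> bytes:
    """Constructed two-record export (synthetic addresses, not from a real exporter)."""
    header = struct.pack(HEADER_FMT, 5, 2, 123456, 1467294000, 0, 1000, 0, 0, 0)
    # Record 1: HTTPS flow with both interface indexes and both ports present.
    ok = struct.pack(RECORD_FMT,
                     socket.inet_aton("10.1.1.10"), socket.inet_aton("192.0.2.25"),
                     socket.inet_aton("10.1.1.1"), 3, 7, 12, 9800, 120000, 123000,
                     52344, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    # Record 2: ICMP flow with interface indexes and ports all zero.
    bad = struct.pack(RECORD_FMT,
                      socket.inet_aton("10.1.1.11"), socket.inet_aton("10.1.1.12"),
                      b"\x00\x00\x00\x00", 0, 0, 1, 64, 123400, 123400,
                      0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0)
    return header + ok + bad


if __name__ == "__main__":
    hdr, recs = parse_netflow_v5(build_sample_packet())
    print(f"Netflow v{hdr['version']}, {hdr['count']} PDU(s), seq {hdr['flow_sequence']}")
    for n, r in enumerate(recs, 1):
        print(f"pdu {n}/{hdr['count']}: {r.srcaddr}:{r.srcport} -> {r.dstaddr}:{r.dstport} "
              f"proto {r.protocol} in {r.input_if} out {r.output_if}",
              unprocessable_reasons(r) or "OK")
```

To run it against a real capture, export the UDP payload of one cflow packet from Wireshark (Export Packet Bytes on the payload) and pass those bytes to parse_netflow_v5; the printed lines match the PDU numbering Wireshark shows, and any record listed with a reason is one NTA would not chart.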

Using a capture filter restricts the capture to the specific device under investigation and keeps the flows we need from being buried among other traffic. A capture filter of the form host <exporter IP> and udp port <collector port> (NTA listens on port 2055 by default) captures only that exporter's Netflow packets:

Note: Always save the capture in PCAP format so it can be opened and reviewed later.
