Protocol CFLOW not processing full size Packet
Hi team, I did a packet capture to analyze the Netflow (v9) data. I noticed that for smaller packets (< 1420 including IP header), it interprets all fields properly. If it is full size, it doesn't interpret the FlowSet 2 that contains the actual flow data anymore... It still shows the version, count, FlowSequence, and the FlowSet 1 which is the Template, just not the data part. I just updated Wireshark to the latest 4.4.3 too and still the same. Please help.
PS - I want to attach the packets but it requires "60 points" for that... I am new to the forum. Please let me know how to attach if there is a different way to do that. Thanks!
Thanks! Difan
Can you share a capture with a packet that illustrates the issue?
Unfortunately, due to spammers and scammers we restrict new users from uploading images/captures etc. until they have built enough "karma".
You can put your artefacts on any public "share", and post a link back to them by editing your question.
Thanks Graham! That is a good idea. Let me know if you can download this https://1drv.ms/u/c/6b91f3ba519e259d/...
I also just noticed that they could be fragmented on the IP level. I see the IP header flag "more fragments" is set. I am wondering if this is the reason. But I did try checking "Reassemble fragmented IPv4 datagrams" for the IP protocol. After it, I don't even see UDP headers anymore...
How was the capture made? Was there a capture filter?
Was a bigger capture filtered and saved but the fragments not included?
Hi Chuck, I ran this command
$ sudo tcpdump -nvi eth0 -s 0 -w netflow_nosampler.pcap port 2055
on the netflow server which is Ubuntu v22 server. Let me know if there is any problem with the command. Thanks!
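Added example, not part of the thread and not Wireshark's or tcpdump's code: a Python check for the two things raised above, the "more fragments" flag on the export packets and Chuck's question about whether the trailing fragments made it into the file. A BPF capture filter such as `port 2055` matches only IPv4 fragments with fragment offset 0, because later fragments carry no UDP header, so a capture taken with that filter holds the first fragment of each large export packet and nothing else. The script groups raw IPv4 packets by (src, dst, IP id, protocol), reports datagrams with holes instead of reassembling them, and parses the NetFlow v9 header and FlowSet table of the complete ones. The addresses, IP id, template and record layout are constructed sample data, not taken from the poster's capture; port 2055 is assumed from the tcpdump command.

```python
"""Audit a list of raw IPv4 packets (e.g. read from a pcap) for NetFlow v9
export datagrams whose IP fragments are missing, and parse the complete ones.
Added example; all packets below are constructed inline."""
import struct
from collections import defaultdict

NETFLOW_PORT = 2055            # assumption: collector port from the tcpdump command
SRC = bytes([192, 0, 2, 1])    # constructed exporter address (TEST-NET-1)
DST = bytes([192, 0, 2, 10])   # constructed collector address


def parse_ipv4(pkt):
    """Return the IPv4 fields needed for reassembly plus the IP payload."""
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": pkt[12:16], "dst": pkt[16:20], "id": ident, "proto": proto,
        "mf": bool(flags_frag & 0x2000),        # "more fragments" flag
        "offset": (flags_frag & 0x1FFF) * 8,    # fragment offset is in 8-byte units
        "payload": pkt[ihl:total_len],
    }


def group_datagrams(packets):
    """Group packets into datagrams keyed by (src, dst, id, proto)."""
    groups = defaultdict(list)
    for pkt in packets:
        f = parse_ipv4(pkt)
        groups[(f["src"], f["dst"], f["id"], f["proto"])].append(f)
    return groups


def reassemble(frags):
    """Return the reassembled IP payload, or None if any fragment is missing."""
    frags = sorted(frags, key=lambda f: f["offset"])
    data, expected = b"", 0
    for f in frags:
        if f["offset"] != expected:
            return None                  # hole: a fragment was not captured
        data += f["payload"]
        expected += len(f["payload"])
    if frags[-1]["mf"]:
        return None                      # last fragment still says "more fragments"
    return data


def parse_netflow_v9(payload):
    """Parse the 20-byte NetFlow v9 header and walk the FlowSet headers."""
    version, count, _uptime, _secs, seq, source_id = struct.unpack("!HHIIII", payload[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9: version {version}")
    flowsets, pos = [], 20
    while pos + 4 <= len(payload):
        fs_id, fs_len = struct.unpack("!HH", payload[pos:pos + 4])
        if fs_len < 4:
            raise ValueError("bad FlowSet length")   # would otherwise loop forever
        flowsets.append((fs_id, fs_len))
        pos += fs_len
    return {"count": count, "sequence": seq, "source_id": source_id, "flowsets": flowsets}


def audit(packets):
    """Map each UDP/2055 datagram key to its parsed NetFlow v9 summary,
    or to the string 'incomplete' when fragments are missing."""
    results = {}
    for key, frags in group_datagrams(packets).items():
        data = reassemble(frags)
        if data is None:
            results[key] = "incomplete"
            continue
        _sport, dport, ulen, _csum = struct.unpack("!HHHH", data[:8])   # UDP header
        if dport == NETFLOW_PORT:
            results[key] = parse_netflow_v9(data[8:ulen])
    return results


def fragment_ipv4(src, dst, ident, proto, payload, mtu=1500):
    """Split an IP payload into fragments the way a sending host would.
    Header checksum is left at 0; the parser above does not check it."""
    max_data = (mtu - 20) // 8 * 8
    pkts = []
    for off in range(0, len(payload), max_data):
        chunk = payload[off:off + max_data]
        mf = 0x2000 if off + len(chunk) < len(payload) else 0
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(chunk), ident,
                          mf | (off // 8), 64, proto, 0, src, dst)
        pkts.append(hdr + chunk)
    return pkts


def sample_netflow_v9():
    """Constructed export packet: header, one template FlowSet (id 0) and one
    data FlowSet (id 256) with 190 records, large enough to need two fragments."""
    header = struct.pack("!HHIIII", 9, 191, 123456, 1700000000, 42, 1)   # count = 1 template + 190 data records
    template = struct.pack("!HHHHHHHH", 0, 16, 256, 2, 8, 4, 12, 4)      # template 256: IPV4_SRC_ADDR, IPV4_DST_ADDR
    records = b"".join(struct.pack("!4s4s", bytes([10, 0, 0, i & 0xFF]), bytes([10, 1, 0, i & 0xFF]))
                       for i in range(190))
    data = struct.pack("!HH", 256, 4 + len(records)) + records
    return header + template + data


def sample_udp_datagram():
    nf = sample_netflow_v9()
    return struct.pack("!HHHH", 40000, NETFLOW_PORT, 8 + len(nf), 0) + nf


if __name__ == "__main__":
    full = fragment_ipv4(SRC, DST, 0x1234, 17, sample_udp_datagram())
    print("all fragments present:", audit(full))
    print("first fragment only (what a 'port 2055' filter keeps):", audit(full[:1]))
```

To run it over a real file, feed `audit()` the IPv4 packets read from the pcap (strip the 14-byte Ethernet header first); any datagram reported as `incomplete` is one Wireshark cannot reassemble, whatever the "Reassemble fragmented IPv4 datagrams" setting is.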