Meraki Netflow 9 template / analysis mismatch

Hi All, I have a capture of netflow data from a Meraki MX device that shows a template as follows:

Template (Id = 5206, Count = 13)
Template Id: 5206
Field Count: 13
Field (1/13): IP_SRC_ADDR
    Type: IP_SRC_ADDR (8)
    Length: 4
 ......
Field (5/13): BYTES
    Type: BYTES (1)
    Length: 4
Field (6/13): OUT_BYTES
    Type: OUT_BYTES (23)
    Length: 4
Field (7/13): PKTS
    Type: PKTS (2)
    Length: 4
Field (8/13): OUT_PKTS
    Type: OUT_PKTS (24)
    Length: 4
Field (9/13): PROTOCOL
    Type: PROTOCOL (4)
    Length: 1

Oddly, when I look at the following netflow record, field 6 shows as postOctet and field 8 shows as postPacket. The template and netflow record look to be aligned, but this is what I see in the flow itself:

Frame 57: 312 bytes on wire (2496 bits), 312 bytes captured (2496 bits)
Ethernet II, Src: CiscoMer_3f:df:20 (88:15:44:3f:df:20), Dst: Giga-Byt_33:14:23 (b4:2e:99:33:14:23)
Internet Protocol Version 4, Src: 192.168.100.1, Dst: 192.168.1.50
User Datagram Protocol, Src Port: 5557, Dst Port: 2055
    Source Port: 5557
    Destination Port: 2055
    Length: 278
    Checksum: 0x2d01 [unverified]
    [Checksum Status: Unverified]
    [Stream index: 1]
    [Timestamps]
Cisco NetFlow/IPFIX
    Version: 9
    Count: 6
    SysUptime: 438933.000000000 seconds
    Timestamp: Sep 28, 2020 21:50:38.000000000 EDT
    CurrentSecs: 1601344238
    FlowSequence: 134586
    SourceId: 0
    FlowSet 1 [id=5206] (6 flows)
        FlowSet Id: (Data) (5206)
        FlowSet Length: 250
        [Template Frame: 4]
        Flow 1
        Flow 2
            SrcAddr: 192.168.100.226
            DstAddr: 172.217.4.46
            SrcPort: 53791
            DstPort: 443
            Octets: 3113
            Post Octets: 400
            Packets: 5
            Post Packets: 3
            Protocol: TCP (6)
            InputInt: 33
            OutputInt: 0
            [Duration: 0.228000000 seconds (switched)]
            StartTime: 438933.466000000 seconds
            EndTime: 438933.694000000 seconds
        Flow 3
            SrcAddr: 192.168.100.226
            DstAddr: 192.168.100.1
            SrcPort: 42
            DstPort: 0
            Octets: 0
            Post Octets: 0
            Packets: 0
            Post Packets: 0
            Protocol: ICMP (1)
            InputInt: 33
            OutputInt: 9
            [Duration: 1.840000000 seconds (switched)]
            StartTime: 438931.658000000 seconds
            EndTime: 438933.498000000 seconds
        Flow 4
            SrcAddr: 192.168.100.226
            DstAddr: 172.217.4.46
            SrcPort: 53787
            DstPort: 443
            Octets: 4431
            Post Octets: 2056
            Packets: 17
            Post Packets: 23
            Protocol: TCP (6)
            InputInt: 33
            OutputInt: 0
            [Duration: 2.060000000 seconds (switched)]
            StartTime: 438931.278000000 seconds
            EndTime: 438933.338000000 seconds
        Flow 5
            SrcAddr: 192.168.100.226
            DstAddr: 172.217.212.102
            SrcPort: 53790
            DstPort: 443
            Octets: 1421
            Post Octets: 3291
            Packets: 12
            Post Packets: 19
            Protocol: TCP (6)
            InputInt: 33
            OutputInt: 0
            [Duration: 0.660000000 seconds (switched)]
            StartTime: 438932.470000000 seconds
            EndTime: 438933.130000000 seconds
        Flow 6
            SrcAddr: 192.168.100.5
            DstAddr: 35.190.244.216
            SrcPort: 59425
            DstPort: 4070
            Octets: 63
            Post Octets: 52
            Packets: 2
            Post Packets: 3
            Protocol: TCP (6)
            InputInt: 33
            OutputInt: 0
            [Duration: 9720.918000000 seconds (switched)]
            StartTime: 429211.988000000 seconds
            EndTime: 438932.906000000 seconds

Anyone have any thoughts on the reason for the discrepancy?

thanks /d
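As an added example, not part of the original question and not Wireshark's own code: a minimal NetFlow v9 template/data decoder in Python that shows how a collector applies a template's (type, length) list to a data record, and that the template label OUT_BYTES (type 23) and the record label Post Octets name the same element ID, as OUT_PKTS (type 24) and Post Packets do. The sample packet is constructed here with template 5206 reduced to the nine field types visible above (the four elided template fields are omitted, an assumption) and carries the values shown for Flow 2.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v9 field type IDs (RFC 3954): the label Wireshark shows in a template
# and the label it shows for the same ID inside a data record.
FIELDS = {1: ("BYTES", "Octets"), 2: ("PKTS", "Packets"), 4: ("PROTOCOL", "Protocol"),
          7: ("L4_SRC_PORT", "SrcPort"), 8: ("IP_SRC_ADDR", "SrcAddr"),
          11: ("L4_DST_PORT", "DstPort"), 12: ("IP_DST_ADDR", "DstAddr"),
          23: ("OUT_BYTES", "Post Octets"), 24: ("OUT_PKTS", "Post Packets")}

def build_packet(template_id, layout, flows):
    # Constructed v9 export: 20-byte header, one template flowset, one data flowset
    tmpl = struct.pack("!HH", template_id, len(layout)) + b"".join(struct.pack("!HH", *f) for f in layout)
    data = b"".join(IPv4Address(fl[t]).packed if t in (8, 12) else fl[t].to_bytes(n, "big")
                    for fl in flows for t, n in layout)
    data += b"\0" * (-len(data) % 4)                  # flowsets are padded to 4 bytes
    return (struct.pack("!HHIIII", 9, 1 + len(flows), 438933000, 1601344238, 134586, 0)
            + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
            + struct.pack("!HH", template_id, 4 + len(data)) + data)

def parse_packet(pkt):
    """Decode template flowsets, then data records using those templates."""
    assert struct.unpack("!H", pkt[:2])[0] == 9
    templates, records, off = {}, [], 20
    while off + 4 <= len(pkt):
        fs_id, fs_len = struct.unpack("!HH", pkt[off:off + 4])
        body, p = pkt[off + 4:off + fs_len], 0
        if fs_id == 0:                                # template flowset
            while p + 4 <= len(body):
                tid, n = struct.unpack("!HH", body[p:p + 4])
                templates[tid] = [struct.unpack("!HH", body[p + 4 + 4*i:p + 8 + 4*i]) for i in range(n)]
                p += 4 + 4 * n
        elif fs_id in templates:                      # data flowset: apply its template
            layout = templates[fs_id]
            rec_len = sum(n for _, n in layout)
            while p + rec_len <= len(body):           # trailing padding is shorter than a record
                rec = {}
                for t, n in layout:
                    raw, label = body[p:p + n], FIELDS.get(t, ("", f"type{t}"))[1]
                    rec[label] = str(IPv4Address(raw)) if t in (8, 12) else int.from_bytes(raw, "big")
                    p += n
                records.append(rec)
        off += fs_len
    return templates, records

# Constructed sample: template 5206 reduced to the nine field types visible above,
# carrying the values Wireshark shows for Flow 2.
LAYOUT = [(8, 4), (12, 4), (7, 2), (11, 2), (1, 4), (23, 4), (2, 4), (24, 4), (4, 1)]
FLOW2 = {8: "192.168.100.226", 12: "172.217.4.46", 7: 53791, 11: 443,
         1: 3113, 23: 400, 2: 5, 24: 3, 4: 6}
TEMPLATES, RECORDS = parse_packet(build_packet(5206, LAYOUT, [FLOW2]))
```

Field 6 of the decoded template is (23, 4) and the same record slot comes back under the label Post Octets, so the two names are one element ID rendered differently, not a misalignment.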
