How to analyze the contents of packets using NetFlow?

I

Igor2014-10-29 12:07:03

NetFlow

Igor, 2014-10-29 12:07:03

The initial task is to analyze the content of traffic remotely from a Cisco router.
I googled that Cisco can write to pcap format using capture (starting from some IOS version) to a file locally, or netflow to a remote collector
. I became interested in netflow technology.
While there is no Cisco, I train on Mikrotik, I chose netflow v9. Collector and analyzer - on Ubuntu 14.04. But so far I've only been able to capture the headers of the packets, not all of their contents. Tried to use nfcapd+nfdump and googled some more
tcpdump -n -s 0 -vvv port 2055
But still I see only the headers and not the whole packet. How to solve the problem?

Reply

Answer the question

In order to leave comments, you need to log in

3 answer(s)

P

peronik, 2014-10-29
@peronik

What exactly do you want to pull out of the package?
Netflow allows you to receive
Most likely, you need to look at setting up Port Monitoring (SPAN) on Cisco and, accordingly, software that can work with it.

V

vman, 2014-10-29
@vman

Netflow is used to analyze the traffic that was transmitted from one device to another, the data itself is not taken into account in it. To analyze the traffic itself passing through the router, you need to mirror the traffic, see www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_...
imho if it is possible to do this on the switch (via span) , better to do on it.

D

dubidrubi, 2014-10-29
@dubidrubi

What is the end goal? If this is a security issue, then Cisco ASA can look into the payload of the package. You can set up the necessary application policies and enjoy life. Specify the task and it will be easier to help you...
By the way, embedded packet capture allows you to store pcap not only locally, but also centrally save via tftp, ftp, http/https, scp protocols. Just keep in mind that this functionality will additionally load the CPU of your piece of iron.