Wireshark-users: [Wireshark-users] Netflow version 9
From: "Chris Rutherford" <chrismrutherford@xxxxxxxxxxxxxx>
Date: Tue, 29 May 2007 11:53:06 +0100
Hi All,

I'm experiencing some issues with successfully extracting all NetFlow 9 data from the export packets. I'm using the following CLI options to decode the data and I get the following results, but I don't see all the NetFlow data. I've tried searching but there don't seem to be any clear answers. Do you know if it is possible to display all NetFlow 9 data instead of just "Type X"? Ideally I'd be receiving MAC info.

 tshark -ni eth0 -R udp.port==10001 -d udp.port==10001,cflow -V

Cisco NetFlow/IPFIX
    Version: 9
    Count: 19
    SysUptime: 10008984
    Timestamp: May 25, 2007 21:11:02.000000000
        CurrentSecs: 1180123862
    FlowSequence: 2568
    SourceId: 0
    FlowSet 1
        Data FlowSet (Template Id): 256
        FlowSet Length: 1336
        Flow 1
            EndTime: 9993.748000000 seconds
            StartTime: 9993.748000000 seconds
            Octets: 28
            Packets: 1
            InputInt: 3
            OutputInt: 2
            SrcAddr: 192.168.0.3 ( 192.168.0.3)
            DstAddr: 192.168.48.3 (192.168.48.3)
            Protocol: 17
            IP ToS: 0x00
            SrcPort: 3000
            DstPort: 0
            Type 48
            Type 51
            NextHop: 192.168.24.2 (192.168.24.2)
            DstMask: 24
            SrcMask: 24
            TCP Flags: 0x10
            Type 61  /*<----Why??
            Type 25
            Type 26
            Type 32
            Type 52
            Type 53
            Type 54
            Type 56
            Type 57  <----Why?? */
            DstAS: 0
            SrcAS: 0

blade2:chris#  tshark -v
TShark 0.99.4

Copyright 1998-2006 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GLib 2.12.4, with libpcap 0.9.5, with libz 1.2.3, with libpcre
6.7, without UCD-SNMP or Net-SNMP, with ADNS, without Lua, with GnuTLS 1.4.4,
with Gcrypt 1.2.3, without Kerberos.

Running on Linux 2.6.18 , with libpcap version 0.9.5.

Built using gcc 4.1.2 20061028 (prerelease) (Debian 4.1.1-19).
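The entries tshark prints as "Type 48", "Type 61", "Type 56" and so on are NetFlow v9 template field type numbers that this tshark build has no name for. The Python example below is added here and is not part of the post or of Wireshark: it parses a v9 export packet, caches the template FlowSet keyed by (source id, template id), decodes the data FlowSet against that template, and names the fields using the numbers from Cisco's NetFlow v9 field-type table (56 = IN_SRC_MAC, 57 = OUT_DST_MAC, 61 = DIRECTION, 52 = MIN_TTL, and so on, the numbering RFC 3954 also uses). The packet, addresses and MAC values are constructed for the example, not captured. Every FlowSet and record length is bounds-checked before use, so a malformed length field cannot run the parser past the buffer, and a data FlowSet whose template has not been seen yet is reported as undecoded instead of being guessed at.

```python
import struct

# NetFlow v9 field type numbers -> names, per Cisco's v9 field-type table
# (subset covering the fields seen in the tshark output above).
V9_FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 5: "SRC_TOS", 6: "TCP_FLAGS",
    7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR", 9: "SRC_MASK", 10: "INPUT_SNMP",
    11: "L4_DST_PORT", 12: "IPV4_DST_ADDR", 13: "DST_MASK", 14: "OUTPUT_SNMP",
    15: "IPV4_NEXT_HOP", 16: "SRC_AS", 17: "DST_AS", 21: "LAST_SWITCHED",
    22: "FIRST_SWITCHED", 25: "MIN_PKT_LNGTH", 26: "MAX_PKT_LNGTH",
    32: "ICMP_TYPE", 48: "FLOW_SAMPLER_ID", 51: "FLOW_CLASS", 52: "MIN_TTL",
    53: "MAX_TTL", 54: "IPV4_IDENT", 56: "IN_SRC_MAC", 57: "OUT_DST_MAC",
    61: "DIRECTION",
}


def _fmt(ftype, raw):
    """Render a raw field value according to its type."""
    if ftype in (8, 12, 15):                       # IPv4 addresses
        return ".".join(str(b) for b in raw)
    if ftype in (56, 57):                          # MAC addresses
        return ":".join(f"{b:02x}" for b in raw)
    return int.from_bytes(raw, "big")              # everything else: unsigned int


def parse_v9(packet, templates=None):
    """Parse one NetFlow v9 export packet; returns (header, records).

    `templates` is a cache of (source_id, template_id) -> field list that must
    persist across packets: data FlowSets carry no self-description and can only
    be decoded once the matching template FlowSet has been received."""
    if templates is None:
        templates = {}
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte v9 header")
    version, count, uptime, unix_secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    header = {"version": version, "count": count, "sysuptime": uptime,
              "unix_secs": unix_secs, "sequence": seq, "source_id": source_id}
    records, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError(f"bad FlowSet length {fs_len} at offset {off}")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:                             # template FlowSet (may hold several)
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                if p + 4 * nfields > len(body):
                    raise ValueError("template field list runs past FlowSet")
                fields = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4]) for i in range(nfields)]
                p += 4 * nfields
                templates[(source_id, tid)] = fields
        elif fs_id >= 256:                         # data FlowSet, id == template id
            fields = templates.get((source_id, fs_id))
            rec_len = sum(flen for _, flen in fields) if fields else 0
            if not fields or rec_len == 0:
                records.append({"template": fs_id, "undecoded_bytes": len(body)})
            else:
                p = 0
                while p + rec_len <= len(body):    # leftover bytes < rec_len are padding
                    rec = {}
                    for ftype, flen in fields:
                        name = V9_FIELD_NAMES.get(ftype, f"Type {ftype}")
                        rec[name] = _fmt(ftype, body[p:p + flen])
                        p += flen
                    records.append(rec)
        # fs_id 1 (options template) and 2..255 (reserved) are skipped here
        off += fs_len
    return header, records


def build_sample_packet(include_template=True):
    """Constructed export packet (not a capture): one template and one data record."""
    fields = [(8, 4), (12, 4), (4, 1), (61, 1), (56, 6), (57, 6)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    rec = (bytes([192, 168, 0, 3]) + bytes([192, 168, 48, 3]) + bytes([17, 0])
           + bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb"))   # constructed MACs
    pad = b"\x00" * ((4 - (4 + len(rec)) % 4) % 4)            # pad FlowSet to 4-byte boundary
    data_fs = struct.pack("!HH", 256, 4 + len(rec) + len(pad)) + rec + pad
    header = struct.pack("!HHIIII", 9, 2, 10008984, 1180123862, 2568, 0)
    return header + (tmpl_fs if include_template else b"") + data_fs


if __name__ == "__main__":
    cache = {}
    hdr, recs = parse_v9(build_sample_packet(), cache)
    for r in recs:
        for k, v in r.items():
            print(f"{k}: {v}")
```

Run it on the constructed packet and the two MAC fields come out as `IN_SRC_MAC: 00:11:22:33:44:55` and `OUT_DST_MAC: 66:77:88:99:aa:bb` rather than as bare type numbers. Passing the same `cache` dict to every call is what lets a later data-only packet decode; with a fresh cache the same data FlowSet is reported as `undecoded_bytes`, which is also the behaviour to expect from a collector that was started after the exporter last resent its templates.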