amoreno
Staff
June 17, 2025

Troubleshooting Tip: Analyze netflow packets with Wireshark


Description

This article describes how to capture NetFlow packets and decode them with Wireshark to perform further analysis of traffic statistics sent to a NetFlow collector.

Scope

FortiGate, FortiOS.

Solution

When NetFlow statistics received by a NetFlow collector need to be investigated further from the FortiGate side, for example to verify the number of bytes and packets reported for each monitored session, the export traffic can be captured in raw format and decoded as NetFlow in Wireshark using the port configured for the collector.

On the FortiGate side, the NetFlow configuration looks like this:

config system netflow
    set collector-ip "10.5.147.53"
    set collector-port 3000
    set source-ip "10.5.134.19"
    set active-flow-timeout 1800
    set inactive-flow-timeout 15
    set template-tx-timeout 1800
    set template-tx-counter 20
    set interface-select-method sdwan
end

In newer versions (starting with 7.2.8 and 7.4.2), the NetFlow configuration is as shown below:

config system netflow
    set active-flow-timeout 1800
    set inactive-flow-timeout 15
    set template-tx-timeout 1800
    set template-tx-counter 20
    config collectors
        edit 1
            set collector-ip "10.5.147.53"
            set collector-port 3000
            set source-ip "10.5.134.19"
            set interface-select-method sdwan
        next
    end
end

If the FortiGate has a hard disk, the traffic capture can be run from the GUI; otherwise, capture the UDP NetFlow packets with the following command:

diagnose sniffer packet port40 'udp port <netflow_collector_port>' 6 0 a

Note:

Replace the interface name (port40 in the example) and the UDP port with the values used in the FortiGate configuration.

Refer to the following articles to convert the traffic capture from plain text into Wireshark .pcap format:

Technical Tip: How to import 'diagnose sniffer packet' data to WireShark

Technical Tip: How to import 'diagnose sniffer packet' data to WireShark - Ethereal application

Open the .pcap file from the NetFlow packet capture in Wireshark and go to Analyze -> Decode As:

[Screenshot WireShark_KCS_1.png: the Wireshark Decode As dialog]

Select UDP port as the Field, the NetFlow collector port as the Value, and CFLOW in the Current column, as shown in the screenshot below.

Apply the setting. Wireshark will then decode the NetFlow packets for further troubleshooting.

[Screenshot WireShark_KCS_2.png: Decode As entry with UDP port, the collector port and CFLOW selected]

To check whether the NetFlow-enabled interface is sending traffic to the collector, filter on the SNMP index of the interface:

cflow.outputint==<index_no>
cflow.inputint==<index_no>
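The following Python script is an added example, not part of this article or of FortiOS: it does offline what the Decode As step does in Wireshark, reading a NetFlow v9 export's template and data FlowSets, recovering the per-flow byte and packet counters plus the SNMP interface indexes, and selecting flows by interface the way the cflow.inputint / cflow.outputint filters do. The export packet it parses is constructed inside the script (field numbers follow RFC 3954); a real one would come from the UDP payload of the capture described above.

```python
import struct
# NetFlow v9 (RFC 3954) field types used by the sample template below.
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port", 8: "src_addr",
               10: "input_snmp", 11: "dst_port", 12: "dst_addr", 14: "output_snmp"}

def decode_value(ftype, raw):
    # IPv4 address fields (8, 12) become dotted quads; counters and indexes big-endian ints.
    return ".".join(str(b) for b in raw) if ftype in (8, 12) else int.from_bytes(raw, "big")

def parse_netflow_v9(data, templates=None):
    """Walk the 20-byte header and every FlowSet: learn templates (FlowSet 0), decode data."""
    templates = {} if templates is None else templates  # pass one dict across exports
    if data[:2] != b"\x00\x09": raise ValueError("not a NetFlow v9 export")
    records, offset = [], 20
    while offset + 4 <= len(data):
        fs_id, fs_len = struct.unpack("!HH", data[offset:offset + 4])
        if fs_len < 4: raise ValueError("malformed FlowSet length")
        body = data[offset + 4:offset + fs_len]
        if fs_id == 0:  # template FlowSet: (template id, field count, (type, length)*)
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                templates[tid] = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4]) for i in range(nfields)]
                pos += 4 * nfields
        elif fs_id in templates:  # data FlowSet: fixed-size records, may end with padding
            fields = templates[fs_id]
            rec_len, pos = sum(flen for _, flen in fields), 0
            while pos + rec_len <= len(body):
                rec, p = {}, pos
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_value(ftype, body[p:p + flen])
                    p += flen
                records.append(rec)
                pos += rec_len
        offset += fs_len  # data FlowSets whose template has not arrived yet are skipped
    return records

def flows_via_interface(records, snmp_index):
    """Same selection as the cflow.inputint / cflow.outputint Wireshark display filters."""
    return [r for r in records if snmp_index in (r.get("input_snmp"), r.get("output_snmp"))]

# Constructed sample export (not a real capture): template 256 and two flow records.
TEMPLATE = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (10, 2), (14, 2), (2, 4), (1, 4)]
def build_sample_export():
    ip = lambda s: bytes(int(o) for o in s.split("."))
    recs = (ip("192.0.2.10") + ip("198.51.100.20") + struct.pack("!HHBHHII", 40000, 443, 6, 7, 12, 15, 9800)
            + ip("192.0.2.11") + ip("198.51.100.53") + struct.pack("!HHBHHII", 51000, 53, 17, 7, 9, 2, 160))
    tmpl = struct.pack("!HH", 256, len(TEMPLATE)) + b"".join(struct.pack("!HH", t, l) for t, l in TEMPLATE)
    return (struct.pack("!HHIIII", 9, 3, 123456, 1750000000, 1, 0)  # version, count, uptime, secs, seq, source id
            + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(recs)) + recs)
```

Because templates are learned only from FlowSet 0, data records exported before the next template refresh (template-tx-timeout / template-tx-counter above) cannot be decoded, which is also why a short Wireshark capture sometimes shows undecoded data FlowSets.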


Note:

Review the details of the different NetFlow templates to properly understand the information carried in these NetFlow packets. See this document for more information: Netflow Templates 7.6.3.