How to view NetFlow in WireShark

Open the packet capture file (.pcap format) in Wireshark:

[Screenshot: udp.PNG]

Select menu option Analyze->Decode As:

[Screenshot: decode.PNG]

Select '+' in the lower left corner to add an entry to the 'Decode As' window:

[Screenshot: decode_as.PNG]

Select 'none' in the 'current' column then choose 'cflow' from the list:

[Screenshot: cflow.PNG]

Select 'OK' to save the selection. Note that flow packets are subsequently shown as CFLOW in the Protocol column:

[Screenshot: flow_packets.PNG]

Here is an example of a NetFlow v9 template:

[Screenshot: template_only.PNG]

This is an example of NetFlow v9 flow records:

[Screenshot: Inkedv9_flowset_LI.jpg]
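To show what the cflow dissector is doing with the template and flow-record packets pictured above, here is an added Python example (not part of this article or of Wireshark): it builds a constructed NetFlow v9 datagram, decodes the template flowset, then uses that template to decode the data records, and skips data whose template has not been seen yet, which is why a capture that starts mid-stream shows undecodable flow records until the next template arrives. The 20-byte header layout and the field type numbers follow RFC 3954; the addresses, ports and counters in the sample are constructed for this example.

```python
import struct
# NetFlow v9 field type ids used by the constructed sample (subset of the RFC 3954 table)
V9_FIELD_NAMES = {1: "IN_BYTES", 4: "PROTOCOL", 7: "L4_SRC_PORT",
                  8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}

def build_sample(with_template=True):
    # Constructed v9 export datagram (not a real capture): template flowset (id 0)
    # defining template 256, then a data flowset (id 256) holding two flow records.
    template = struct.pack("!HH", 256, 6) + struct.pack(
        "!12H", 8, 4, 12, 4, 7, 2, 11, 2, 4, 1, 1, 4)          # (type, length) pairs
    tmpl_fs = struct.pack("!HH", 0, 4 + len(template)) + template
    def rec(src, dst, sport, dport, proto, nbytes):             # one 17-byte record
        return bytes(src) + bytes(dst) + struct.pack("!HHBI", sport, dport, proto, nbytes)
    records = (rec((10, 0, 0, 5), (192, 0, 2, 10), 40512, 443, 6, 1500)
               + rec((10, 0, 0, 7), (192, 0, 2, 53), 51000, 53, 17, 120))
    data_fs = struct.pack("!HH", 256, 4 + len(records) + 2) + records + b"\x00\x00"  # padded
    header = struct.pack("!HHIIII", 9, 3, 100000, 1700000000, 1, 0)  # version, count, uptime, secs, seq, source id
    return header + (tmpl_fs if with_template else b"") + data_fs

def parse_v9(datagram):
    """Return (templates, records). A data flowset can only be decoded once its
    template has arrived, which is why the template packet precedes the flow records."""
    version = struct.unpack_from("!H", datagram, 0)[0]
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    templates, records, off = {}, [], 20                  # skip the 20-byte packet header
    while off + 4 <= len(datagram):
        fs_id, fs_len = struct.unpack_from("!HH", datagram, off)
        if fs_len < 4:
            break                                          # malformed flowset length, stop
        body, end = off + 4, off + fs_len
        if fs_id == 0:                                     # template flowset
            while body + 4 <= end:
                tid, nfields = struct.unpack_from("!HH", datagram, body)
                templates[tid] = [struct.unpack_from("!HH", datagram, body + 4 + 4 * i)
                                  for i in range(nfields)]
                body += 4 + 4 * nfields
        elif fs_id in templates:                           # data flowset with a known template
            fields = templates[fs_id]
            rec_len = sum(flen for _, flen in fields)
            while rec_len and body + rec_len <= end:       # leftover bytes are padding
                rec = {}
                for ftype, flen in fields:
                    raw = datagram[body:body + flen]
                    name = V9_FIELD_NAMES.get(ftype, f"type{ftype}")
                    rec[name] = ".".join(map(str, raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")
                    body += flen
                records.append(rec)
        off = end   # options flowsets (id 1) and data for unseen templates are skipped
    return templates, records
```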
