Cisco Cflowd

[vmanju123]

nfd.zip
I am testing nfcapd in a cisco SDWAN and the netflow packets coming from Edge devices sample is attached in this question. I was unable to get anything decoded in nfcapd with this ipfix netflow traffic, i checked the pcap in wireshark and the templates and netflow data doesnot seem to contain valid flow 4 tuples so i seem to suspsect the issue is on edge device side, but the people operating the sdwan showed us the netflow configuration in cisco vmanager and there seems to very little to configure in cisco vmanager - there is cflowd configuration and just export configuration but nothing to configure like a template or content of a template. they seem to say the configuration on their side is correct and there is nothing more to be done. Can someone analyze the pcap and let me know if my assessment is correct.

[phaag]

This file is a valid ipfix stream, too. It contains mainly a lot of Network Based Application Recognition (NBAR) records. The collected flows however, do not map into these nbar records - maybe the collection period was too short.

A raw record looks like this:

Flow Record:
  RecordCount  =                 20
  Ident        =               none
  Flags        =               0x00 NETFLOW v9, Unsampled
  Elements     =                  4: 1 2 4 12
  size         =                104
  engine type  =                  0
  engine ID    =                  1
  export sysid =                  7
  first        =                  0 [0000-00-00 00:00:00.000]
  last         =                  0 [0000-00-00 00:00:00.000]
  received at  =      1765880706160 [2025-12-16 11:25:06.160]
  proto        =                 17 UDP
  tcp flags    =               0x00 ........
  src port     =              39922
  dst port     =                 53
  src tos      =                  0
  fwd status   =                  0
  in packets   =                  1
  in bytes     =                 74
  src addr     =       10.108.15.12
  dst addr     =      172.23.247.24
  input        =                 62
  output       =                  0
  src mask     =                  0 /0
  dst mask     =                  0 /0
  dst tos      =                  0
  direction    =                  0
  biFlow Dir   =               0x00
  end reason   =               0x00
  ip exporter  =        10.108.15.3

[vmanju123]

@phaag - please ignore the v9 packets in the pcap, they are valid flows and are parsed properly in nfacpd, the question is more on v10/ipfix packets, i have a new pcap with lot more packets , please see attached, again please ignore v9 packets in the pcap[
Uploading WideCflowdCapture.zip…
](url)

[phaag]

Your file WideCflowdCapture.zip is not correctly uploaded and can be downloaded. There is no URL

Digging into the ipfix flows of nfd.pcap you can see:

• 299 ipfix exporters are sending packets. 143 for observation domain 1026, 150 for observation domain 6, 5 for observation domain 768 and 1 for 512 - all from different IP addresses. Most in the range 10.120.212.x/24 some in 10.120.213.x/24
• Almost no flows data records are sent - just 10.120.212.13 10.120.212.34 and 10.120.213.43 are sending one single flow:

Flow Record:
  RecordCount  =                189
  Ident        =               none
  Flags        =               0x00 NETFLOW v10, Unsampled
  Elements     =                  5: 1 3 4 12 27
  size         =                136
  engine type  =                  0
  engine ID    =                  0
  export sysid =                 49
  first        =      1764619936719 [2025-12-01 21:12:16.719]
  last         =      1764619936719 [2025-12-01 21:12:16.719]
  received at  =      1765978867380 [2025-12-17 14:41:07.380]
  proto        =                 58 ICMP6
  tcp flags    =               0x00 ........
  ICMP         =               133.0  type.code
  in packets   =                  1
  in bytes     =                 56
  src addr     =   fe80::200:ff:fe00:0
  dst addr     =            ff02::2
  input        =                  0
  output       =                  0
  src mask     =                  0 /0
  dst mask     =                  0 /0
  dst tos      =                  0
  direction    =                  0
  biFlow Dir   =               0x00
  end reason   =               0x01 idle timeout
  ip exporter  =      10.120.212.13
  app ID       =              13..1: <no info>

Flow Record:
  RecordCount  =                703
  Ident        =               none
  Flags        =               0x00 NETFLOW v10, Unsampled
  Elements     =                  5: 1 3 4 12 27
  size         =                136
  engine type  =                  0
  engine ID    =                  0
  export sysid =                 41
  first        =      1764620120884 [2025-12-01 21:15:20.884]
  last         =      1764620120884 [2025-12-01 21:15:20.884]
  received at  =      1765978867394 [2025-12-17 14:41:07.394]
  proto        =                 58 ICMP6
  tcp flags    =               0x00 ........
  ICMP         =               133.0  type.code
  in packets   =                  1
  in bytes     =                 56
  src addr     =   fe80::200:ff:fe00:0
  dst addr     =            ff02::2
  input        =                  0
  output       =                  0
  src mask     =                  0 /0
  dst mask     =                  0 /0
  dst tos      =                  0
  direction    =                  0
  biFlow Dir   =               0x00
  end reason   =               0x01 idle timeout
  ip exporter  =      10.120.212.34
  app ID       =              13..1: <no info>

Flow Record:
  RecordCount  =                774
  Ident        =               none
  Flags        =               0x00 NETFLOW v10, Unsampled
  Elements     =                  5: 1 3 4 12 27
  size         =                136
  engine type  =                  0
  engine ID    =                  0
  export sysid =                282
  first        =      1764620150397 [2025-12-01 21:15:50.397]
  last         =      1764620150397 [2025-12-01 21:15:50.397]
  received at  =      1765978867396 [2025-12-17 14:41:07.396]
  proto        =                 58 ICMP6
  tcp flags    =               0x00 ........
  ICMP         =               133.0  type.code
  in packets   =                  1
  in bytes     =                 56
  src addr     =   fe80::200:ff:fe00:0
  dst addr     =            ff02::2
  input        =                  0
  output       =                  0
  src mask     =                  0 /0
  dst mask     =                  0 /0
  dst tos      =                  0
  direction    =                  0
  biFlow Dir   =               0x00
  end reason   =               0x01 idle timeout
  ip exporter  =      10.120.213.43
  app ID       =              13..1: <no info>

• others sending lots of Cisco Network Based Application Recognition (NBAR) records but no flows:

nbar record: 1, 01 00 00 48 nbar record: 1, name: cpnx, desc: Computer Protocol Network Executive
nbar record: 2, 01 00 00 7E nbar record: 2, name: crtp, desc: Combat Radio Transport Protocol
nbar record: 3, 01 00 00 7F nbar record: 3, name: crudp, desc: Combat Radio User Datagram
nbar record: 4, 01 00 00 21 nbar record: 4, name: dccp, desc: Datagram Congestion Control Protocol
nbar record: 5, 01 00 00 13 nbar record: 5, name: dcn-meas, desc: DCN Measurement Subsystems
nbar record: 6, 01 00 00 25 nbar record: 6, name: ddp, desc: Datagram Delivery Protocol
nbar record: 7, 01 00 00 74 nbar record: 7, name: ddx, desc: D-II Data Exchange
nbar record: 8, 01 00 00 56 nbar record: 8, name: dgp, desc: Dissimilar Gateway Protocol
nbar record: 9, 01 00 00 30 nbar record: 9, name: dsr, desc: Dynamic Source Routing Protocol
nbar record: 10, 01 00 00 08 nbar record: 10, name: egp, desc: Exterior Gateway Protocol
nbar record: 11, 01 00 00 58 nbar record: 11, name: eigrp, desc: Enhanced Interior Gateway Routing Protocol
nbar record: 12, 01 00 00 0E nbar record: 12, name: emcon, desc: EMCON
nbar record: 13, 01 00 00 62 nbar record: 13, name: encap, desc: Encapsulation Header
nbar record: 14, 01 00 00 61 nbar record: 14, name: etherip, desc: Ethernet-within-IP Encapsulation
...
nbar record: 1, 01 00 00 22 nbar record: 1, name: 3pc, desc: Third Party Connect Protocol
nbar record: 2, 01 00 00 6B nbar record: 2, name: an, desc: Active Networks
nbar record: 3, 01 00 00 3D nbar record: 3, name: any-host-internal, desc: any host internal protocol
nbar record: 4, 01 00 00 0D nbar record: 4, name: argus, desc: ARGUS
nbar record: 5, 01 00 00 68 nbar record: 5, name: aris, desc: ARIS
nbar record: 6, 01 00 00 5D nbar record: 6, name: ax25, desc: AX.25 Frames
nbar record: 7, 01 00 00 0A nbar record: 7, name: bbnrccmon, desc: BBN RCC Monitoring
nbar record: 8, 01 00 00 31 nbar record: 8, name: bna, desc: BNA
nbar record: 9, 01 00 00 4C nbar record: 9, name: br-sat-mon, desc: Backroom SATNET Monitoring
nbar record: 10, 01 00 00 07 nbar record: 10, name: cbt, desc: CBT
nbar record: 11, 01 00 00 3E nbar record: 11, name: cftp, desc: CFTP
nbar record: 12, 01 00 00 10 nbar record: 12, name: chaos, desc: Chaos
nbar record: 13, 01 00 00 6E nbar record: 13, name: compaq-peer, desc: Compaq Peer Protocol
nbar record: 14, 01 00 00 49 nbar record: 14, name: cphb, desc: Computer Protocol Heart Beat
nbar processed: 14 records - header: size: 1190, type: 12, numelements: 14, elementSize: 84

• These nbar information records are printed along the flow record, if the app ID matches. However, most exporters just send nbar records and no flow records. Therefore you do not see anything.
• Many nbar records are not complete or they use a different encoding: (no name and no description, which is useless)

nbar record: 1, 0D 00 00 00 nbar record: 1, name: , desc:
nbar record: 2, 01 00 00 00 nbar record: 2, name: , desc:
nbar record: 3, 03 00 00 00 nbar record: 3, name: , desc:
nbar record: 4, 0D 00 00 00 nbar record: 4, name: , desc:

• Template records for flows are also sent but no flow. Either you have no traffic on these systems, or they are not yet fully configured.

So it sees for some reason your devices do not really send netflow records. I am not a CISCO SDWAN expert, you I cannot help with the configuration.

[vmanju123]

WideCflowdCapture.zip
Thanks for analyzing the pcap, my analysis was the similar, i have resttached wider capture pcap again