cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
moksha53
Level 7
Report Inappropriate Content
Message 1 of 4

Question: Selecting a specific interface as source/dest when examining netflow data. (McAfee Enterprise Security Manager 9.6.0)

Jump to solution

I am working with ESM 9.6.0 and using it to examine collected netflow data.


When viewing a specific flow,  the "advanced details" section provides "input/output interface" info.  see below:

esm-interface.png

By querying the snmp-enabled device (a router for example) providing the netflow data, I have verified the that the numbers (2/3 in above example) do in fact correspond to the associated interface's "SNMP interface index".

Example:

show snmp mib ifmib ifindex

FastEthernet0/1: Ifindex = 3

FastEthernet0/0: Ifindex = 2

And the "advanced details" interface data makes sense - interface usage and flow direction is as expected.

But - I have not found a way to establish an ESM filter using that information (2 or 3 in example) such that ONLY flows associated with a specific input or output interface are selected.

I want to do such a selection and download the interface-specific results as a csv.

Is this possible?

1 Solution

Accepted Solutions
yd9038
Level 9
Report Inappropriate Content
Message 2 of 4

Re: Question: Selecting a specific interface as source/dest when examining netflow data. (McAfee Enterprise Security Manager 9.6.0)

Jump to solution

One way of doing it is by adding "Input Interface" and "Output Interface" fields to Flows View. You can then export that view to a CSV file, which will have both fields.

Edit Flows view by clicking on "Edit Current View" button at the top toolbar. Which then will bring up Properties window where you then click "Edit Query" button. That's where you add/remove the fields of your choice.

View solution in original post

3 Replies
yd9038
Level 9
Report Inappropriate Content
Message 2 of 4

Re: Question: Selecting a specific interface as source/dest when examining netflow data. (McAfee Enterprise Security Manager 9.6.0)

Jump to solution

One way of doing it is by adding "Input Interface" and "Output Interface" fields to Flows View. You can then export that view to a CSV file, which will have both fields.

Edit Flows view by clicking on "Edit Current View" button at the top toolbar. Which then will bring up Properties window where you then click "Edit Query" button. That's where you add/remove the fields of your choice.

View solution in original post

moksha53
Level 7
Report Inappropriate Content
Message 3 of 4

Re: Question: Selecting a specific interface as source/dest when examining netflow data. (McAfee Enterprise Security Manager 9.6.0)

Jump to solution

I just went through query construction 101    Thanks for your reply to what turned out to be straightforward.

Sample csv download:

"Source IP","Source Port","Destination IP","Destination Port","State","Protocol","Last Time","Duration","Input Interface","Output Interface"

"10.6.6.6","64744","10.4.4.4","1234","Closed","tcp","10/08/2016 07:03:37","1000","3","6"

"10.10.153.5","64001","10.4.4.4","1234","Closed","tcp","10/08/2016 07:03:34","179","11","6"

.... continues

Again - thanks.

piotr77
Level 7
Report Inappropriate Content
Message 4 of 4

Re: Question: Selecting a specific interface as source/dest when examining netflow data.

Jump to solution

Good day.

It is true that the thread is quite old, but still current. In connection with the topic, I would like to ask an additional question. What to do to make these parameters visible in filters for control panels and report filters? The steps described above will only cause columns in the table. However, I would like to create detailed flow statistics for specific interfaces. Is it possible to create reports on counting traffic on a specific interface in motion?

ESM ver. 11.1.3

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community