moksha53
Level 7

Question: Selecting a specific interface as source/dest when examining netflow data. (McAfee Enterprise Security Manager 9.6.0)


I am working with ESM 9.6.0 and using it to examine collected netflow data.


When viewing a specific flow, the "advanced details" section provides "input/output interface" info. See below:

esm-interface.png

By querying the SNMP-enabled device (a router, for example) providing the netflow data, I have verified that the numbers (2/3 in the above example) do in fact correspond to the associated interface's "SNMP interface index".

Example:

show snmp mib ifmib ifindex

FastEthernet0/1: Ifindex = 3

FastEthernet0/0: Ifindex = 2

And the "advanced details" interface data makes sense - interface usage and flow direction is as expected.

But - I have not found a way to establish an ESM filter using that information (2 or 3 in example) such that ONLY flows associated with a specific input or output interface are selected.

I want to do such a selection and download the interface-specific results as a csv.

Is this possible?

0 Kudos
1 Solution

Accepted Solutions
yd9038
Level 9

Re: Question: Selecting a specific interface as source/dest when examining netflow data. (McAfee Enterprise Security Manager 9.6.0)


One way of doing it is by adding the "Input Interface" and "Output Interface" fields to the Flows view. You can then export that view to a CSV file, which will have both fields.

Edit the Flows view by clicking the "Edit Current View" button on the top toolbar, which will then bring up the Properties window, where you click the "Edit Query" button. That's where you add/remove the fields of your choice.

0 Kudos
2 Replies
moksha53
Level 7

Re: Question: Selecting a specific interface as source/dest when examining netflow data. (McAfee Enterprise Security Manager 9.6.0)


I just went through query construction 101. Thanks for your reply to what turned out to be straightforward.

Sample csv download:

"Source IP","Source Port","Destination IP","Destination Port","State","Protocol","Last Time","Duration","Input Interface","Output Interface"

"10.6.6.6","64744","10.4.4.4","1234","Closed","tcp","10/08/2016 07:03:37","1000","3","6"

"10.10.153.5","64001","10.4.4.4","1234","Closed","tcp","10/08/2016 07:03:34","179","11","6"

.... continues

Again - thanks.

0 Kudos
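An added example, not part of the original thread or of ESM: once the view is exported with the "Input Interface" and "Output Interface" columns, the per-interface selection can also be done offline on the CSV, with the ifIndex values resolved to names from the router's `show snmp mib ifmib ifindex` output. The function names are hypothetical, and pairing the thread's two quoted samples as if they came from the same device is an assumption.

```python
import csv
import io
import re

# Constructed sample inputs, copied from the values quoted in the thread.
IFINDEX_OUTPUT = """\
FastEthernet0/1: Ifindex = 3
FastEthernet0/0: Ifindex = 2
"""
ESM_CSV = '''\
"Source IP","Source Port","Destination IP","Destination Port","State","Protocol","Last Time","Duration","Input Interface","Output Interface"
"10.6.6.6","64744","10.4.4.4","1234","Closed","tcp","10/08/2016 07:03:37","1000","3","6"
"10.10.153.5","64001","10.4.4.4","1234","Closed","tcp","10/08/2016 07:03:34","179","11","6"
'''

def parse_ifindex(text):
    """Map SNMP ifIndex (as a string) to its interface name."""
    pattern = re.compile(r"\s*(\S+):\s*Ifindex\s*=\s*(\d+)\s*$")
    matches = (pattern.match(line) for line in text.splitlines())
    return {m.group(2): m.group(1) for m in matches if m}

def filter_flows(csv_text, ifnames, input_if=None, output_if=None):
    """Keep flows whose ifIndex fields match; None means 'any interface'."""
    wanted = {"Input Interface": input_if, "Output Interface": output_if}
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if any(v is not None and row[k].strip() != str(v) for k, v in wanted.items()):
            continue
        # Indexes missing from the router's table are labelled, not dropped.
        for k in wanted:
            row[k.replace("Interface", "Name")] = ifnames.get(row[k].strip(), "unknown")
        rows.append(row)
    return rows

def to_csv(rows):
    """Serialise rows in the same fully quoted style as the ESM export."""
    if not rows:
        return ""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0]), quoting=csv.QUOTE_ALL)
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()

if __name__ == "__main__":
    names = parse_ifindex(IFINDEX_OUTPUT)
    print(to_csv(filter_flows(ESM_CSV, names, input_if=3)))
```

An ifIndex that resolves to "unknown" means the flow crossed an interface absent from the mapping that was supplied, which is worth checking against the exporting device before drawing conclusions from the filtered set.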