How to detect if a Netflow Source is sending Flows to QRadar

Hey there,

I have “Router A”, which is forwarding NetFlow data (e.g. traffic from client y to client z, sent as TCP packets) to a QRadar Flow Appliance. Is there any way to see “Router A” as an active log source, or do I just see the traffic (client y to client z)? I have a lot of traffic data in the Network Activity tab, but I can’t find the “Router A” IP.

I did not find any listing where I can see NetFlow sources marked as active or inactive (such as the log source list for event log sources). How can I figure out if the router is sending NetFlow data to QRadar?

Regards
Johannes

Related:

NetFlow with zero packet and zero bytes?

Hi,

We are experiencing NetFlows in the Network Activity tab with zero packets and zero bytes.
Flows are coming from the internal IPs and are destined to different legitimate Internet destinations.
My guess here is that the source IPs are just trying to connect to the internet, but because they are rejected at the firewall, the flows are showing with zero bytes and packets.

So my question here is: is it normal to see this in such scenarios? I read somewhere that this might be a configuration issue at the flow source. What could be the possible scenarios where we may receive flows with zero packets and zero bytes?

Regards,
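The two questions above (is “Router A” actually delivering flows to the collector, and where do zero-packet/zero-byte flows come from) are both answered at the datagram level. As an added example, not code from either post, from IBM or from QRadar, here is a small NetFlow v5 health check in Python: it parses the raw datagrams a collector receives on its UDP port, keeps a per-exporter inventory keyed on the sending router's address (which is how you see the router itself rather than only the client-to-client traffic inside the records), rejects datagrams that are not version 5, counts gaps in the v5 flow_sequence counter as lost flows, and flags records whose packet or byte counters are zero so they can be investigated rather than silently stored. The router addresses 10.0.0.1 / 10.0.0.2 and the sample flows are constructed for the example; the `build_v5` helper exists only to fabricate that input.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire format: a 24-byte header followed by `count` 48-byte records.
# Header: version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
#         engine_type, engine_id, sampling_interval
V5_HEADER = struct.Struct("!HHIIIIBBH")
# Record: src, dst, nexthop, in_if, out_if, packets, octets, first, last, sport,
#         dport, pad, tcp_flags, proto, tos, src_as, dst_as, src_mask, dst_mask, pad
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def parse_v5(payload):
    """Parse one NetFlow v5 datagram into {'sequence', 'records'}.

    Raises ValueError for anything that is not well-formed v5, so a collector can
    tell 'nothing arrives from this router' apart from 'something arrives, but it
    is not the version we are configured for'.
    """
    if len(payload) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _up, _secs, _nsecs, sequence, _et, _eid, _samp = V5_HEADER.unpack_from(payload, 0)
    if version != 5:
        raise ValueError("not NetFlow v5 (version field = %d)" % version)
    if len(payload) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated datagram: header advertises %d records" % count)
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(payload, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "in_if": f[3], "out_if": f[4],
            "packets": f[5], "octets": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13],
        })
    return {"sequence": sequence, "records": records}


def summarize_exporters(datagrams):
    """Given (exporter_ip, udp_payload) pairs as received on the collector socket,
    return per-exporter counters: datagrams, flows, zero-counter flows, datagrams
    that were not v5, and flows lost according to flow_sequence (the v5 sequence is
    a running total of exported flows, so the next datagram should start at
    previous sequence + previous record count)."""
    inv = defaultdict(lambda: {"datagrams": 0, "flows": 0, "zero_counter_flows": 0,
                               "unparsed": 0, "lost_flows": 0, "expected_seq": None})
    for exporter, payload in datagrams:
        e = inv[exporter]
        e["datagrams"] += 1
        try:
            parsed = parse_v5(payload)
        except ValueError:
            e["unparsed"] += 1
            continue
        recs = parsed["records"]
        if e["expected_seq"] is not None and parsed["sequence"] > e["expected_seq"]:
            e["lost_flows"] += parsed["sequence"] - e["expected_seq"]
        e["expected_seq"] = parsed["sequence"] + len(recs)
        e["flows"] += len(recs)
        # A flow cache entry only exists because a packet was seen, so a record with
        # zero packets or zero bytes is flagged instead of being stored quietly.
        e["zero_counter_flows"] += sum(1 for r in recs if r["packets"] == 0 or r["octets"] == 0)
    return {k: dict(v) for k, v in inv.items()}


def build_v5(flows, sequence):
    """Construct a v5 datagram from (src, dst, packets, octets, sport, dport, proto)
    tuples. Used only to fabricate sample input; a collector reads the UDP socket."""
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0\0\0\0",
                       1, 2, pk, oc, 0, 0, sp, dp, 0, 0x18, pr, 0, 0, 0, 24, 24, 0)
        for s, d, pk, oc, sp, dp, pr in flows)
    return V5_HEADER.pack(5, len(flows), 0, 0, 0, sequence, 0, 0, 0) + body


# Constructed sample: "Router A" (assumed address 10.0.0.1) exports three datagrams
# with a sequence gap and one zero-counter flow; "Router B" (10.0.0.2) sends a
# datagram whose version field says 9, which the v5 parser rejects.
SAMPLE_DATAGRAMS = [
    ("10.0.0.1", build_v5([("192.168.8.10", "192.168.9.20", 12, 4096, 51000, 80, 6),
                           ("192.168.8.11", "198.51.100.53", 1, 64, 40000, 53, 17)], sequence=0)),
    ("10.0.0.1", build_v5([("192.168.8.12", "203.0.113.5", 0, 0, 44000, 443, 6)], sequence=2)),
    ("10.0.0.1", build_v5([("192.168.9.20", "192.168.8.10", 9, 7000, 80, 51000, 6)], sequence=5)),
    ("10.0.0.2", struct.pack("!HH", 9, 0) + b"\0" * 20),
]

if __name__ == "__main__":
    for exporter, health in sorted(summarize_exporters(SAMPLE_DATAGRAMS).items()):
        print(exporter, health)
```

Run against real input, an exporter that never appears in the inventory is not reaching the collector at all (routing, ACL or wrong destination port), one that appears only with `unparsed` counts is sending a version the collector is not set up for, and a rising `lost_flows` number means datagrams are being dropped between router and collector.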

Related:

Cisco 5760 Wireless LAN Controller: High Performance; More Features

Features and Capabilities

The first model in the new 5700 Series, the Cisco 5760 Wireless LAN Controller, is designed for mid-to-large campus deployments and offers:

  • Support for high availability and application visibility for wireless clients
  • Wire-speed 60 Gbps throughput with advanced network services per controller
  • Support for up to 1000 access points and 12,000 clients per controller
  • High resiliency with N+1 clustering, Multiple LAG, and redundant power supplies
  • Cisco IOS-based wireless controller with features such as Flexible NetFlow, Advanced QoS, downloadable access control lists, and more

Product Support Services

Cisco’s Services can help you increase operational efficiency, lower support costs, and improve availability risk management.

Related:

Problems with getting both ingress and egress Netflow data

I have a Cisco 6500 switch on which I want to capture all vlan8 traffic, incoming and outgoing. I talked with my networking group and they set me up with the following commands. (These may not be the exact commands, but this was the example I gave them.)

conf t
ip flow-export version 5
ip flow-export destination 192.168.20.30 1234
int vlan8
ip flow egress
ip flow ingress
ip route-cache flow

I am currently capturing this data using Ntop and we are getting a lot of traffic. I see all incoming and outgoing traffic from all vlan8 machines (192.168.8.0/24). However, for any machine that is not in vlan8 but is talking to vlan8, I only see the received traffic from them.

Ex. 192.168.8.10 goes to a website on 192.168.9.20.
I only see received traffic from the 192.168.9.20 machine and no sent traffic. Obviously it has sent traffic, because 192.168.8.10 received the website.

I just wanted to verify that this is how NetFlow captures data and that everything is working correctly. It kinda makes sense to me that since 192.168.9.20 isn’t in vlan8, it may not get the outbound traffic (even though it sends it to vlan8). Ideally I’d want sent and received traffic from anything that touches vlan8. Thanks.
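What the post is really asking is whether every conversation that touches vlan8 is exported in both directions. As an added example, not the poster's code and not part of Ntop, here is a Python check that takes already-parsed flow records (dicts with src, dst, sport, dport and proto, the shape a NetFlow v5 parser yields), folds both directions of a conversation onto one key, and reports which conversations involving 192.168.8.0/24 were seen from only one sender. It also splits the missing senders into in-VLAN and off-VLAN hosts: if every missing sender is an off-VLAN host, the export matches the symptom described above (the off-VLAN side's sent traffic never shows up). The sample records are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# vlan8 address range, taken from the post.
VLAN8 = ipaddress.ip_network("192.168.8.0/24")


def in_vlan8(ip):
    return ipaddress.ip_address(ip) in VLAN8


def conversation_key(rec):
    """Order the two endpoints so that A->B and B->A share a single key."""
    a = (rec["src"], rec["sport"])
    b = (rec["dst"], rec["dport"])
    lo, hi = (a, b) if a <= b else (b, a)
    return (rec["proto"], lo[0], lo[1], hi[0], hi[1])


def direction_coverage(records, in_vlan=in_vlan8):
    """For every conversation touching the monitored VLAN, record which endpoints
    were seen as sender. A conversation with both endpoints seen as sender was
    exported in both directions; otherwise the endpoint never seen as sender is the
    side whose traffic is missing, classified as an in-VLAN or off-VLAN host."""
    senders = defaultdict(set)
    for r in records:
        if in_vlan(r["src"]) or in_vlan(r["dst"]):
            senders[conversation_key(r)].add(r["src"])

    report = {"bidirectional": [], "one_way": [],
              "missing_in_vlan": 0, "missing_off_vlan": 0}
    for key, sent in senders.items():
        missing = {key[1], key[3]} - sent
        if not missing:
            report["bidirectional"].append(key)
            continue
        for ip in missing:
            report["one_way"].append((key, ip))
            if in_vlan(ip):
                report["missing_in_vlan"] += 1
            else:
                report["missing_off_vlan"] += 1
    return report


# Constructed sample: one conversation seen both ways, one where the off-VLAN web
# server's replies are missing, one where the in-VLAN host's traffic is missing,
# and one conversation that never touches vlan8 and is ignored.
SAMPLE_RECORDS = [
    {"src": "192.168.8.10", "sport": 51000, "dst": "192.168.9.20", "dport": 80, "proto": 6},
    {"src": "192.168.9.20", "sport": 80, "dst": "192.168.8.10", "dport": 51000, "proto": 6},
    {"src": "192.168.8.11", "sport": 40000, "dst": "192.168.9.30", "dport": 443, "proto": 6},
    {"src": "192.168.9.40", "sport": 3389, "dst": "192.168.8.12", "dport": 52000, "proto": 6},
    {"src": "10.1.1.1", "sport": 1234, "dst": "10.2.2.2", "dport": 22, "proto": 6},
]

if __name__ == "__main__":
    rep = direction_coverage(SAMPLE_RECORDS)
    print("both directions:", len(rep["bidirectional"]))
    for key, ip in rep["one_way"]:
        print("one-way conversation %s: never saw %s as sender" % (key, ip))
    print("missing senders in vlan8: %d, off vlan8: %d"
          % (rep["missing_in_vlan"], rep["missing_off_vlan"]))
```

Feed it a few minutes of real records from the collector; a large `missing_off_vlan` count with `missing_in_vlan` near zero is exactly the one-sided picture the post describes, and is the evidence to bring back to the network team when asking them to check which direction the interface-level flow commands actually export.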
