I have set up a netflow server at our data centre, which is connected via VPN to ~40 remote offices using Cisco ASA 5505. The aim is to analyse usage data and find out exactly how the remote connections are being used.

I followed through http://techowto.files.wordpress.com/2008/09/ntop-guide.pdf to set up ntop and https://supportforums.cisco.com/docs/DOC-6114 to set up the ASAs. I can see from the Plugin > Netflow > Statistics page that netflow packets from my ASAs are being received - the counter is increasing. However, I am not seeing any breakdown on the Global Traffic Statistic page after switching to the Netflow interface. I'm just seeing a pie chart showing 100% traffic for eth0.

The interfaces and documentation are a little hard to follow so I am not sure I have got things configured correctly.

When setting up my NetFlow-device.2 I can specify Virtual NetFlow Interface Network Address - the web UI says

This value is in the form of a network address and mask on the network where the actual NetFlow probe is located.

• is this a Network address (e.g. 192.168.0.0/24) or an actual host IP address (192.167.0.1/24)?
• If that should be a network address, is this the network in which one of my ASAs is or the network in which my ntop server is?
• If a host IP address, is this the IP address used by eth0 on my ntop server, the IP address of an ASA, or something else?
• Do I need a separate virtual interface for each ASA I am collecting netflow data from?

Any guidance would be greatly welcome.