[netsa-tools-discuss] Silk netflow-v9: lack of flags and template warnings

Mark Thomas mthomas at cert.org
Mon Dec 4 11:35:41 EST 2023


Ulrik-

Hello again!

Regarding the warning you are seeing:

"Template warning: Illegal length 2 for information element messageScope"

The warning is harmless since the messageScope element is not used by SiLK.

(To provide some background, the warning is generated by libfixbuf and it is stating that the messageScope element is supposed to be a single octet[1] but the incoming template uses two octets.)

The warning is only supposed to occur once for each template where the element appears, but it will occur each time the template is received.  For a UDP stream, this can occur fairly often.  (The recommendation is 3 times within a 10 minute window.)

Unfortunately I do not believe there is a way to disable the warning message.


I see from your followup email that Fortigate does not provide TCP flags information.  I had anticipated that answer from them.  Good luck with your enhancement request.

Had you not heard from them, my suggestion to check this for yourself would be to run flowcap or rwflowpack for a short time with template logging enabled.  For UDP, one does this by setting the SILK_IPFIX_PRINT_TEMPLATES environment variable prior to starting the tool.


I hope you find that information useful.

Regards,

-Mark



[1] See elementId 263 in the IPFIX Element Assignments from IANA
https://www.iana.org/assignments/ipfix/ipfix.xhtml
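To make the cause of the warning concrete, here is an added example (not code from the original post, from SiLK or from libfixbuf) that parses the template FlowSet of a NetFlow v9 export packet and applies the same kind of check libfixbuf does: it compares each field's declared length with the canonical length of the corresponding IPFIX information element. The packet, the small element table and the helper names are all constructed for this example; the assumption that a NetFlow v9 field type number can be looked up directly as an IPFIX element id holds for the low-numbered elements used here.

```python
import struct

# Canonical octet lengths for a few IPFIX information elements, taken from
# the IANA registry (https://www.iana.org/assignments/ipfix/ipfix.xhtml).
# The third field marks integer types that RFC 7011 allows to be exported
# with a *shorter* reduced-size encoding; a *longer* encoding is never legal.
# This table is a constructed subset, not libfixbuf's element model.
ELEMENTS = {
    1:   ("octetDeltaCount",          8, True),   # unsigned64
    2:   ("packetDeltaCount",         8, True),   # unsigned64
    4:   ("protocolIdentifier",       1, False),  # unsigned8
    7:   ("sourceTransportPort",      2, True),   # unsigned16
    8:   ("sourceIPv4Address",        4, False),  # ipv4Address
    11:  ("destinationTransportPort", 2, True),   # unsigned16
    12:  ("destinationIPv4Address",   4, False),  # ipv4Address
    263: ("messageScope",             1, False),  # unsigned8
}

V9_HEADER = struct.Struct("!HHIIII")   # version, count, sysUptime, unixSecs, seq, sourceId


def parse_v9_templates(packet: bytes) -> dict:
    """Return {template_id: [(field_type, field_length), ...]} for every
    template FlowSet (FlowSet ID 0) in one NetFlow v9 export packet."""
    if len(packet) < V9_HEADER.size:
        raise ValueError("packet shorter than the NetFlow v9 header")
    version = V9_HEADER.unpack_from(packet, 0)[0]
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")

    templates = {}
    offset = V9_HEADER.size
    while offset + 4 <= len(packet):
        flowset_id, flowset_len = struct.unpack_from("!HH", packet, offset)
        end = offset + flowset_len
        if flowset_len < 4 or end > len(packet):
            raise ValueError("FlowSet length is inconsistent with packet size")
        if flowset_id == 0:                       # template FlowSet
            pos = offset + 4
            while pos + 4 <= end:                 # trailing padding is < 4 octets
                template_id, field_count = struct.unpack_from("!HH", packet, pos)
                pos += 4
                if pos + 4 * field_count > end:
                    raise ValueError("template record truncated")
                fields = [struct.unpack_from("!HH", packet, pos + 4 * i)
                          for i in range(field_count)]
                pos += 4 * field_count
                templates[template_id] = fields
        offset = end                               # data FlowSets are skipped
    return templates


def check_template(fields) -> list:
    """Return warnings, worded like libfixbuf's, for fields whose declared
    length is illegal for the element type.  Unknown elements are skipped."""
    warnings = []
    for ftype, flen in fields:
        info = ELEMENTS.get(ftype)
        if info is None:
            continue
        name, canonical, reducible = info
        if flen == canonical or (reducible and 0 < flen < canonical):
            continue
        warnings.append(f"Template warning: Illegal length {flen} "
                        f"for information element {name}")
    return warnings


def build_v9_template_packet(template_id: int, fields) -> bytes:
    """Build a constructed single-template NetFlow v9 packet for testing."""
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", t, l) for t, l in fields)
    flowset = struct.pack("!HH", 0, 4 + len(body)) + body
    return V9_HEADER.pack(9, 1, 0, 0, 0, 0) + flowset


# Constructed template: ordinary 5-tuple fields, a reduced-size byte counter,
# and messageScope exported as 2 octets, which is the case in the warning.
SAMPLE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (263, 2)]
SAMPLE_PACKET = build_v9_template_packet(256, SAMPLE_FIELDS)


def sample_warnings() -> dict:
    """Parse the constructed packet and check every template it carries."""
    return {tid: check_template(f)
            for tid, f in parse_v9_templates(SAMPLE_PACKET).items()}


if __name__ == "__main__":
    for tid, ws in sample_warnings().items():
        print(f"template {tid}: {len(ws)} warning(s)")
        for w in ws:
            print("  " + w)
```

Running it shows one warning for template 256, for messageScope only: the 4-octet octetDeltaCount passes because a shorter reduced-size encoding of an unsigned64 is legal, whereas a 2-octet unsigned8 is not. Note that the check is purely a template-level observation; as the reply above says, SiLK does not use messageScope, so nothing in the resulting flow records is affected.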


-----Original Message-----
From: Ulrik Haugen <ulrik.haugen at liu.se>
Date: Thu, 30 Nov 2023 14:22:02 +0100
To: <netsa-tools-discuss at cert.org>
Subject: [netsa-tools-discuss] Silk netflow-v9: lack of flags and template warnings

Hello!

We are testing Silk with Netflow v9 records from our Fortigate firewalls
to see if we can replace Ipfix from our Juniper routers as the
replacements we will get for the latter will not be able to provide
unsampled flow records.

Configuring a probe and sensor for Netflow v9 and pointing Fortigate to
it looks promising in what turns up in answers to rwfilter for the new
sensor except for two things after a short test:


* all flows from the new sensor have an empty flags field

Do you happen to know if this is expected for flows from Fortigate? (We will
ask Fortigate too.)


* rwflowpack logs a lot of warnings about the templates

"Template warning: Illegal length 2 for information element
messageScope"

Would anyone care to elaborate about the warnings and how serious they
are?


Our Netflow v9 stream is produced by a firewall running Fortigate
Fortios 7.2.6.

Best regards
Ulrik Haugen


