[netsa-tools-discuss] Silk netflow-v9: lack of flags and template warnings

Ulrik Haugen ulrik.haugen at liu.se
Tue Dec 5 07:00:03 EST 2023


Hello Mark!

Thank you very much for your helpful answer, very useful indeed!

Best regards
Ulrik

Mark Thomas <mthomas at cert.org> wrote:
> Ulrik-
>
> Hello again!
>
> Regarding the warning you are seeing:
>
> "Template warning: Illegal length 2 for information element messageScope"
>
> The warning is harmless since the messageScope element is not used by SiLK.
>
> (To provide some background, the warning is generated by libfixbuf and
> it is stating that the messageScope element is supposed to be a single
> octet[1] but the incoming template uses two octets.)
>
> The warning is only supposed to occur once for each template where the
> element appears, but it will occur each time the template is received.
> For a UDP stream, this can occur fairly often. (The recommendation is
> 3 times within a 10 minute window.)
>
> Unfortunately I do not believe there is a way to disable the warning message.
>
>
> I see from your followup email that Fortigate does not provide TCP
> flags information. I had anticipated that answer from them. Good luck
> with your enhancement request.
>
> Had you not heard from them, my suggestion to check this for yourself
> would be to run flowcap or rwflowpack for a short time with template
> logging enabled. For UDP, one does this by setting the
> SILK_IPFIX_PRINT_TEMPLATES environment variable prior to starting the
> tool.
>
>
> I hope you find that information useful.
>
> Regards,
>
> -Mark
>
>
>
> [1] See elementId 263 in the IPFIX Element Assignments from IANA
> https://www.iana.org/assignments/ipfix/ipfix.xhtml
>
>
> -----Original Message-----
> From: Ulrik Haugen <ulrik.haugen at liu.se>
> Date: Thu, 30 Nov 2023 14:22:02 +0100
> To: <netsa-tools-discuss at cert.org>
> Subject: [netsa-tools-discuss] Silk netflow-v9: lack of flags and template
>  warnings
>
> Hello!
>
> We are testing Silk with Netflow v9 records from our Fortigate firewalls
> to see if we can replace Ipfix from our Juniper routers as the
> replacements we will get for the latter will not be able to provide
> unsampled flow records.
>
> Configuring a probe and sensor for Netflow v9 and pointing Fortigate to
> it looks promising in what turns up in answers to rwfilter for the new
> sensor except for two things after a short test:
>
>
> * all flows from the new sensor have an empty flags field
>
> Do you happen to know if this is expected for flows from Fortigate? (We will
> ask Fortigate too.)
>
>
> * rwflowpack logs a lot of warnings about the templates
>
> "Template warning: Illegal length 2 for information element
> messageScope"
>
> Would anyone care to elaborate about the warnings and how serious they
> are?
>
>
> Our Netflow v9 stream is produced by a firewall running Fortigate
> Fortios 7.2.6.
>
> Best regards
> Ulrik Haugen
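As an added example (not part of this thread, and not SiLK or libfixbuf code), the Python below parses the template FlowSet of a NetFlow v9 packet, the same data SILK_IPFIX_PRINT_TEMPLATES would log, and reports the two things discussed above: whether TCP_FLAGS (field type 6) is exported at all, and whether messageScope (element 263) arrives with the 1-octet length IANA specifies. The packet it parses is a constructed sample; the template id, field list and header values are made up.

```python
import struct

TCP_FLAGS = 6        # NetFlow v9 TCP_FLAGS (IPFIX tcpControlBits); a real field type
MESSAGE_SCOPE = 263  # IPFIX messageScope, an unsigned8, so 1 octet is expected
EXPECTED_LEN = {MESSAGE_SCOPE: 1}

def parse_v9_templates(packet):
    """Return {template_id: [(field_type, field_len), ...]} from every template FlowSet (ID 0)."""
    if len(packet) < 20 or struct.unpack("!H", packet[:2])[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    templates, pos = {}, 20  # 20-byte v9 header precedes the FlowSets
    while pos + 4 <= len(packet):
        flowset_id, flowset_len = struct.unpack("!HH", packet[pos:pos + 4])
        if flowset_len < 4 or pos + flowset_len > len(packet):
            raise ValueError("malformed FlowSet length %d" % flowset_len)
        end = pos + flowset_len
        if flowset_id == 0:  # a template FlowSet may carry several templates
            p = pos + 4
            while p + 4 <= end:
                tid, nfields = struct.unpack("!HH", packet[p:p + 4])
                if nfields == 0:  # zero padding at the end of the FlowSet
                    break
                p += 4
                if p + 4 * nfields > end:
                    raise ValueError("template %d overruns its FlowSet" % tid)
                templates[tid] = [struct.unpack("!HH", packet[p + 4 * i:p + 4 * i + 4])
                                  for i in range(nfields)]
                p += 4 * nfields
        pos = end
    return templates

def check_template(fields):
    """Is TCP_FLAGS exported at all, and does a known element carry a length IANA does not allow?"""
    problems = []
    if TCP_FLAGS not in {t for t, _ in fields}:
        problems.append("no TCP_FLAGS (field type 6): SiLK flags will be empty")
    for t, ln in fields:
        if t in EXPECTED_LEN and ln != EXPECTED_LEN[t]:
            problems.append("illegal length %d for element %d (expected %d)"
                            % (ln, t, EXPECTED_LEN[t]))
    return problems

def build_sample_packet():
    """Constructed sample: template 256 with IPv4 src/dst (8, 12), protocol (4), a 2-octet messageScope, no TCP_FLAGS."""
    fields = [(8, 4), (12, 4), (4, 1), (MESSAGE_SCOPE, 2)]
    body = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    header = struct.pack("!HHIIII", 9, 1, 1000, 1701350522, 1, 0)  # made-up header values
    return header + struct.pack("!HH", 0, 4 + len(body)) + body
```

Run `check_template` over each template returned by `parse_v9_templates` on a captured exporter packet to see, per template, whether the flags field is missing and which elements libfixbuf will warn about.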