[netsa-tools-discuss] Unable to collect IPFIX from cisco router
Mark Thomas
mthomas at cert.org
Wed Apr 6 15:33:41 EDT 2016
Bassem-
Thank you for the sensors.conf configuration file.
The error message you are getting says the flow records have no
octets (or bytes) field. It may be that the Cisco router is
exporting a template that does not have a bytes information element.
If you export the environment variable
SILK_IPFIX_PRINT_TEMPLATES=1
prior to starting rwflowpack, rwflowpack will display the templates
it receives.
The set of IPFIX/NetFlow v9 information elements supported by SiLK
are given here.
http://tools.netsa.cert.org/silk/faq.html#ipfix-fields
While we currently have a quirks value to work around a missing
packets information element (zero-packets), we currently to do not
have something similar for a missing bytes information element.
-Mark
On Mon, 4 Apr 2016 17:11:31 +0200, bassem zaki wrote:
> You can find sensors.conf in the attachment.
>
> On Mon, Apr 4, 2016 at 5:10 PM, bassem zaki <eng.bassem.zaki at gmail.com>
> wrote:
>
>> Hello all,
>>
>> I'm trying to collect IPFIX flows from cisco router using "rwflowpack" at
>> the begining the below error appears for a while until the template is sent
>> by the router (10 secs) because I'm using UDP.
>>
>> <SNIP>
>> Apr 4 16:59:44 COLLECTOR rwflowpack[928]: Skipping set: Missing external
>> template 00000100:010b
>> <SNIP>
>>
>> Then after receiving the template it keeps logging that error log:
>>
>> <SNIP>
>> Apr 4 16:58:53 COLLECTOR rwflowpack[864]:
>> IGNORED|XX.XX.XX.XX|XX.XX.XX.XX|80|52745|0|0|0|no forward/reverse octets|
>> <SNIP>
>>
>> Does any one knows the reason why?
>>
>> PS: I'm using natting to connect the collector to the router.
>>
>>
>> BR,
>> Bassem
>>
More information about the netsa-tools-discuss
mailing list