[netsa-tools-discuss] Fwd: silk
Daniel Hermans
daniel.hermans at gmail.com
Tue Dec 12 17:51:05 EST 2017
Hi SiLK team,
I'm trying to get SiLK to ingest NetFlow v9 flows and am having some issues, as can be seen in the logs below (with the template shown):
Dec 12 14:47:27 ip-10-39-128-243 rwflowpack[4370]: Will process template 0x0101 with the YAF template
Dec 12 14:47:27 ip-10-39-128-243 rwflowpack[4370]: Domain 0X0001, TemplateID 0X0101, Contains 8 Elements, Enabled by SILK_IPFIX_PRINT_TEMPLATES
Dec 12 14:47:27 ip-10-39-128-243 rwflowpack[4370]: Domain 0X0001, TemplateID 0X0101, Position 0, Length 4, IE 8, Name sourceIPv4Address
Dec 12 14:47:27 ip-10-39-128-243 rwflowpack[4370]: Domain 0X0001, TemplateID 0X0101, Position 1, Length 4, IE 12, Name destinationIPv4Address
Dec 12 14:47:27 ip-10-39-128-243 rwflowpack[4370]: Domain 0X0001, TemplateID 0X0101, Position 2, Length 4, IE 10, Name ingressInterface
Dec 12 14:47:27 ip-10-39-128-243 rwflowpack[4370]: Domain 0X0001, TemplateID 0X0101, Position 3, Length 4, IE 14, Name egressInterface
Dec 12 14:47:27 ip-10-39-128-243 rwflowpack[4370]: Domain 0X0001, TemplateID 0X0101, Position 4, Length 2, IE 7, Name sourceTransportPort
Dec 12 14:47:27 ip-10-39-128-243 rwflowpack[4370]: Domain 0X0001, TemplateID 0X0101, Position 5, Length 2, IE 11, Name destinationTransportPort
Dec 12 14:47:27 ip-10-39-128-243 rwflowpack[4370]: Domain 0X0001, TemplateID 0X0101, Position 6, Length 1, IE 4, Name protocolIdentifier
Dec 12 14:47:27 ip-10-39-128-243 rwflowpack[4370]: Domain 0X0001, TemplateID 0X0101, Position 7, Length 4, IE 1, Name octetDeltaCount
Dec 12 14:47:27 ip-10-39-128-243 rwflowpack[4370]: IGNORED|10.39.252.91|10.39.132.10|51702|25|6|0|344|byte or packet count is zero|
Dec 12 14:47:27 ip-10-39-128-243 rwflowpack[4370]: IGNORED|10.39.39.221|10.11.40.143|8089|26286|6|0|7173|byte or packet count is zero|
Dec 12 14:47:27 ip-10-39-128-243 rwflowpack[4370]: IGNORED|10.39.133.138|10.39.248.145|25|16976|6|0|566|byte or packet count is zero|
Dec 12 14:47:27 ip-10-39-128-243 rwflowpack[4370]: IGNORED|10.39.181.67|10.39.145.255|31055|443|6|0|2107|byte or packet count is zero|
Dec 12 14:47:27 ip-10-39-128-243 rwflowpack[4370]: IGNORED|10.39.39.221|10.40.29.69|8089|62069|6|0|6970|byte or packet count is zero|
Dec 12 14:47:27 ip-10-39-128-243 rwflowpack[4370]: IGNORED|10.39.38.4|10.11.40.233|8089|29179|6|0|6021|byte or packet count is zero|
Dec 12 14:47:27 ip-10-39-128-243 rwflowpack[4370]: IGNORED|10.39.39.46|10.108.10.84|58492|80|6|0|551|byte or packet count is zero|
Dec 12 14:47:27 ip-10-39-128-243 rwflowpack[4370]: IGNORED|10.39.39.120|10.40.28.248|9997|50238|6|0|12292|byte or packet count is zero|
Dec 12 14:47:27 ip-10-39-128-243 rwflowpack[4370]: IGNORED|10.39.38.4|10.11.40.40|8089|33242|6|0|6125|byte or packet count is zero|
Dec 12 14:47:27 ip-10-39-128-243 rwflowpack[4370]: IGNORED|10.39.132.10|10.39.252.91|25|51702|6|0|566|byte or packet count is zero|
So all messages are ignored. A typical flow record as seen in Wireshark looks like:
Flow 1
SrcAddr: 10.39.154.46
DstAddr: 10.108.162.144
InputInt: 133
OutputInt: 0
SrcPort: 443
DstPort: 51769
Protocol: TCP (6)
Octets: 83026
Any thoughts as to what I'm doing wrong?
I don't actually know the model number of the Cisco device(s) sending the flows (the flows are sent from a service provider), but I believe it's a Nexus 9K.
My sensor and SiLK configs are small and simple: 1 sensor, 1 v9 flow, etc.
I'm rusty on C, but I tried to enable TRACE mode based on a post I saw in the list archive.
I didn't get too far with that either, as when I compile libfixbuf-1.8.0 it installs the shared object /usr/local/lib/libfixbuf.so.3.2.0 rather than /usr/local/lib/libfixbuf.so.1.8.0.
The silk-3.16.0 configure then does not find the shared object and doesn't enable NetFlow support (it fails the version check).
Thanks for any help!
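Added example (editor's code, not part of the post and not SiLK or libfixbuf code): a small NetFlow v9 template and data-flowset parser that rebuilds the template logged above, decodes a record shaped like the Wireshark "Flow 1", and applies the rule the IGNORED lines state (a record whose byte count or packet count is zero is dropped). The template as logged carries octetDeltaCount (IE 1) but no packetDeltaCount (IE 2), so every decoded record has a packet count of zero, which is what the seventh column of each IGNORED line shows. The "fixed" template with IN_PKTS added, the sample packet count of 61, and the packet header fields (uptime, sequence number, source id) are constructed for the example; the field type numbers are the RFC 3954 values, which for these low numbers equal the IPFIX IE ids rwflowpack printed.

```python
"""Constructed NetFlow v9 example: why a template without IN_PKTS yields
"byte or packet count is zero" at the collector. Not SiLK code."""
import struct
from ipaddress import IPv4Address

# NetFlow v9 field types (RFC 3954); ids match the IEs in the rwflowpack log.
FIELD_NAMES = {1: "octetDeltaCount", 2: "packetDeltaCount", 4: "protocolIdentifier",
               7: "sourceTransportPort", 8: "sourceIPv4Address", 10: "ingressInterface",
               11: "destinationTransportPort", 12: "destinationIPv4Address",
               14: "egressInterface"}
REQUIRED = {1, 2}  # a SiLK flow record needs both a byte and a packet count

# The template exactly as logged: (field type, length) at positions 0..7.
POSTED_TEMPLATE = [(8, 4), (12, 4), (10, 4), (14, 4), (7, 2), (11, 2), (4, 1), (1, 4)]
# Hypothetical exporter fix: the same template with IN_PKTS (type 2) added.
FIXED_TEMPLATE = POSTED_TEMPLATE + [(2, 4)]
# Constructed record mirroring the Wireshark "Flow 1" from the post.
SAMPLE_FLOW = {8: int(IPv4Address("10.39.154.46")), 12: int(IPv4Address("10.108.162.144")),
               10: 133, 14: 0, 7: 443, 11: 51769, 4: 6, 1: 83026}
SAMPLE_FLOW_WITH_PKTS = {**SAMPLE_FLOW, 2: 61}  # packet count is made up


def build_v9_packet(template_id, fields, records, source_id=1):
    """Build an export packet: 20-byte header, one template flowset (id 0),
    one data flowset (id = template_id) padded to 4 bytes."""
    tmpl_body = struct.pack("!HH", template_id, len(fields))
    for ftype, flen in fields:
        tmpl_body += struct.pack("!HH", ftype, flen)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl_body)) + tmpl_body
    data_body = b"".join(rec[ftype].to_bytes(flen, "big")
                         for rec in records for ftype, flen in fields)
    pad = (-len(data_body)) % 4
    data_fs = struct.pack("!HH", template_id, 4 + len(data_body) + pad) + data_body + b"\x00" * pad
    # header: version, record count, sysUptime, unix secs, sequence, source id
    header = struct.pack("!HHIIII", 9, 1 + len(records), 0, 0, 0, source_id)
    return header + tmpl_fs + data_fs


def parse_v9(packet):
    """Decode one export packet; returns ({template_id: fields}, [record dicts])."""
    version = struct.unpack("!HHIIII", packet[:20])[0]
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    templates, records, off = {}, [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4:
            raise ValueError("flowset length shorter than its header")
        body = packet[off + 4:off + fs_len]
        off += fs_len
        if fs_id == 0:  # template flowset: one or more templates, then zero padding
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                if tid == 0:  # padding, not a template (template ids are >= 256)
                    break
                p += 4
                templates[tid] = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4])
                                  for i in range(nfields)]
                p += 4 * nfields
        elif fs_id >= 256 and fs_id in templates:  # data flowset with a known template
            fields = templates[fs_id]
            rec_len = sum(flen for _, flen in fields)
            p = 0
            while rec_len and p + rec_len <= len(body):  # leftover < rec_len is padding
                rec = {}
                for ftype, flen in fields:
                    rec[ftype] = int.from_bytes(body[p:p + flen], "big")
                    p += flen
                records.append(rec)
    return templates, records


def missing_counters(fields):
    """Names of the byte/packet counters a template does not carry."""
    present = {ftype for ftype, _ in fields}
    return sorted(FIELD_NAMES[t] for t in REQUIRED - present)


def silk_verdicts(packet):
    """Apply the rule from the log (zero bytes or zero packets => IGNORED) and
    render each record in the log's column order: sip|dip|sport|dport|proto|pkts|bytes."""
    _templates, records = parse_v9(packet)
    lines = []
    for r in records:
        pkts, octets = r.get(2, 0), r.get(1, 0)
        verdict = "IGNORED" if pkts == 0 or octets == 0 else "OK"
        cols = (verdict, IPv4Address(r[8]), IPv4Address(r[12]), r[7], r[11], r[4], pkts, octets)
        lines.append("|".join(str(c) for c in cols))
    return lines


if __name__ == "__main__":
    for name, tmpl, flow in (("posted", POSTED_TEMPLATE, SAMPLE_FLOW),
                             ("fixed", FIXED_TEMPLATE, SAMPLE_FLOW_WITH_PKTS)):
        print(f"{name} template 0x0101 lacks: {missing_counters(tmpl) or 'nothing'}")
        for line in silk_verdicts(build_v9_packet(0x0101, tmpl, [flow])):
            print("  " + line)
```

Running it prints the posted template as lacking packetDeltaCount and its record as IGNORED with a packet count of 0, while the template that also exports IN_PKTS decodes to an OK record; the template check is the thing to run against a capture from the exporter before touching the collector side.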