[netsa-tools-discuss] Fwd: silk

Mark Thomas mthomas at cert.org
Wed Dec 13 14:50:14 EST 2017


Daniel-

Thank you for using the NetSA tools.

SiLK is ignoring your data because the template used by your router
does not include the number of packets in the flow.  The template
includes the octetDeltaCount but not a corresponding
packetDeltaCount.

There is a work-around for this issue in SiLK, which requires that
you edit the sensor.conf file that rwflowpack is using.  In the
probe block for your router, add the following:

  quirks zero-packets

This causes rwflowpack to use a packet count of 1 for all incoming
flow records that do not have their own packet count, and that
should allow rwflowpack to store the records.

I hope that solves your issue.

-Mark


-----Original Message-----
From: Daniel Hermans <daniel.hermans at gmail.com>
Date: Wed, 13 Dec 2017 09:51:05 +1100
To: <netsa-tools-discuss at cert.org>
Subject: [netsa-tools-discuss] Fwd: silk

Hi SiLK team,

I'm trying to get SILK to ingest netflow v9 flows and having some issues as
can be seen by the logs below (with the template shown):

Dec 12 14:47:27 ip-10-39-128-243 rwflowpack[4370]: Will process template
0x0101 with the YAF template

Dec 12 14:47:27 ip-10-39-128-243 rwflowpack[4370]: Domain 0X0001,
TemplateID 0X0101, Contains 8 Elements, Enabled by
SILK_IPFIX_PRINT_TEMPLATES

Dec 12 14:47:27 ip-10-39-128-243 rwflowpack[4370]: Domain 0X0001,
TemplateID 0X0101, Position   0, Length     4, IE           8, Name
sourceIPv4Address

Dec 12 14:47:27 ip-10-39-128-243 rwflowpack[4370]: Domain 0X0001,
TemplateID 0X0101, Position   1, Length     4, IE          12, Name
destinationIPv4Address

Dec 12 14:47:27 ip-10-39-128-243 rwflowpack[4370]: Domain 0X0001,
TemplateID 0X0101, Position   2, Length     4, IE          10, Name
ingressInterface

Dec 12 14:47:27 ip-10-39-128-243 rwflowpack[4370]: Domain 0X0001,
TemplateID 0X0101, Position   3, Length     4, IE          14, Name
egressInterface

Dec 12 14:47:27 ip-10-39-128-243 rwflowpack[4370]: Domain 0X0001,
TemplateID 0X0101, Position   4, Length     2, IE           7, Name
sourceTransportPort

Dec 12 14:47:27 ip-10-39-128-243 rwflowpack[4370]: Domain 0X0001,
TemplateID 0X0101, Position   5, Length     2, IE          11, Name
destinationTransportPort

Dec 12 14:47:27 ip-10-39-128-243 rwflowpack[4370]: Domain 0X0001,
TemplateID 0X0101, Position   6, Length     1, IE           4, Name
protocolIdentifier

Dec 12 14:47:27 ip-10-39-128-243 rwflowpack[4370]: Domain 0X0001,
TemplateID 0X0101, Position   7, Length     4, IE           1, Name
octetDeltaCount

Dec 12 14:47:27 ip-10-39-128-243 rwflowpack[4370]:
IGNORED|10.39.252.91|10.39.132.10|51702|25|6|0|344|byte or packet count is
zero|

Dec 12 14:47:27 ip-10-39-128-243 rwflowpack[4370]:
IGNORED|10.39.39.221|10.11.40.143|8089|26286|6|0|7173|byte or packet count
is zero|

Dec 12 14:47:27 ip-10-39-128-243 rwflowpack[4370]:
IGNORED|10.39.133.138|10.39.248.145|25|16976|6|0|566|byte or packet count
is zero|

Dec 12 14:47:27 ip-10-39-128-243 rwflowpack[4370]:
IGNORED|10.39.181.67|10.39.145.255|31055|443|6|0|2107|byte or packet count
is zero|

Dec 12 14:47:27 ip-10-39-128-243 rwflowpack[4370]:
IGNORED|10.39.39.221|10.40.29.69|8089|62069|6|0|6970|byte or packet count
is zero|

Dec 12 14:47:27 ip-10-39-128-243 rwflowpack[4370]:
IGNORED|10.39.38.4|10.11.40.233|8089|29179|6|0|6021|byte or packet count is
zero|

Dec 12 14:47:27 ip-10-39-128-243 rwflowpack[4370]:
IGNORED|10.39.39.46|10.108.10.84|58492|80|6|0|551|byte or packet count is
zero|

Dec 12 14:47:27 ip-10-39-128-243 rwflowpack[4370]:
IGNORED|10.39.39.120|10.40.28.248|9997|50238|6|0|12292|byte or packet count
is zero|

Dec 12 14:47:27 ip-10-39-128-243 rwflowpack[4370]:
IGNORED|10.39.38.4|10.11.40.40|8089|33242|6|0|6125|byte or packet count is
zero|

Dec 12 14:47:27 ip-10-39-128-243 rwflowpack[4370]:
IGNORED|10.39.132.10|10.39.252.91|25|51702|6|0|566|byte or packet count is
zero|

So all messages are ignored. A typical flow record as seen in wireshark
looks like:

Flow 1

    SrcAddr: 10.39.154.46

    DstAddr: 10.108.162.144

    InputInt: 133

    OutputInt: 0

    SrcPort: 443

    DstPort: 51769

    Protocol: TCP (6)

    Octets: 83026

Any thoughts as to what I'm doing wrong?

I don't actually know the model number of the Cisco device(s) sending the flow
(the flows are sent from a service provider), but I believe it's a Nexus
9K.


My sensor and silk configs are small and simple - 1 sensor, 1 v9 flow, etc.


I'm rusty on C but tried to enable TRACE mode based on a post I saw on the
archive list.


Didn't get too far with that either, as when I compile libfixbuf-1.8.0 it
installs the shared object /usr/local/lib/libfixbuf.so.3.2.0 rather than
/usr/local/lib/libfixbuf.so.1.8.0


The silk-3.16.0 configure then does not find the shared object and doesn't
enable netflow support (fails the version check).

Thanks for any help!


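A small diagnostic, added here as an example and not part of the thread or of the SiLK tools, that reads the rwflowpack SILK_IPFIX_PRINT_TEMPLATES dump and the IGNORED lines and flags any template carrying octetDeltaCount without packetDeltaCount, which is the condition Mark describes. The IE numbers 1 and 2 are the IANA IPFIX assignments; the log lines are constructed in the thread's format, and which `|`-separated field is the packet count is assumed from the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the format rwflowpack logs with SILK_IPFIX_PRINT_TEMPLATES
# set (abbreviated from the thread: three of the eight template elements).
SAMPLE_LOG = """\
Dec 12 14:47:27 host rwflowpack[4370]: Domain 0X0001, TemplateID 0X0101, Contains 8 Elements, Enabled by SILK_IPFIX_PRINT_TEMPLATES
Dec 12 14:47:27 host rwflowpack[4370]: Domain 0X0001, TemplateID 0X0101, Position   0, Length     4, IE           8, Name sourceIPv4Address
Dec 12 14:47:27 host rwflowpack[4370]: Domain 0X0001, TemplateID 0X0101, Position   1, Length     4, IE          12, Name destinationIPv4Address
Dec 12 14:47:27 host rwflowpack[4370]: Domain 0X0001, TemplateID 0X0101, Position   7, Length     4, IE           1, Name octetDeltaCount
Dec 12 14:47:27 host rwflowpack[4370]: IGNORED|10.39.252.91|10.39.132.10|51702|25|6|0|344|byte or packet count is zero|
Dec 12 14:47:27 host rwflowpack[4370]: IGNORED|10.39.39.221|10.11.40.143|8089|26286|6|0|7173|byte or packet count is zero|
"""

# IPFIX information element numbers from the IANA registry.
OCTET_DELTA_COUNT, PACKET_DELTA_COUNT = 1, 2

TEMPLATE_RE = re.compile(
    r"Domain (?P<dom>0X[0-9A-Fa-f]+), TemplateID (?P<tid>0X[0-9A-Fa-f]+), "
    r"Position\s+\d+, Length\s+\d+, IE\s+(?P<ie>\d+), Name (?P<name>\S+)")
IGNORED_RE = re.compile(
    r"IGNORED\|([^|]+)\|([^|]+)\|(\d+)\|(\d+)\|(\d+)\|(\d+)\|(\d+)\|([^|]*)\|")


def parse_templates(log_text):
    """Map (domain, templateID) -> {IE number: IE name} from the template dump lines."""
    templates = defaultdict(dict)
    for line in log_text.splitlines():
        m = TEMPLATE_RE.search(line)
        if m:
            templates[(m["dom"], m["tid"])][int(m["ie"])] = m["name"]
    return dict(templates)


def templates_without_packet_count(templates):
    """Templates that carry octetDeltaCount but no packetDeltaCount: every record
    they describe arrives with a packet count of zero and is dropped by
    rwflowpack unless the probe block has 'quirks zero-packets'."""
    return sorted(key for key, ies in templates.items()
                  if OCTET_DELTA_COUNT in ies and PACKET_DELTA_COUNT not in ies)


def count_ignored(log_text):
    """Count IGNORED records per reason and how many have a zero packet field
    (assumed, from the thread, to be the sixth '|'-separated value)."""
    by_reason, zero_pkts = defaultdict(int), 0
    for line in log_text.splitlines():
        m = IGNORED_RE.search(line)
        if m:
            by_reason[m.group(8)] += 1
            zero_pkts += int(m.group(6)) == 0
    return dict(by_reason), zero_pkts
```

Run it over a real rwflowpack log to confirm the template dump lacks IE 2 before adding the quirk; if packetDeltaCount is present and records are still ignored, the cause is something other than the one in this thread.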