[netsa-tools-discuss] rwflowpack config issue??
Dave McClain
deputy527 at yahoo.com
Fri Sep 14 15:15:36 EDT 2018
All, thanks in advance for any help. Having an issue rcv’ing and unpacking ipfix from an Avaya ERS4850 switch to single machine SILK (v3.17.2) install, Ubuntu.
Avaya switch is generating ipfix information and I can see the data locally on the switch. It is set to export ipfix to the collector, 192.168.136.169 with UDP, port 9995 and the only option for protocol version is “preipfixv9”. (protocol, port and protocol version can not be modified, not an option on the switch.)
I’ve verified that the export is occurring to the collector (silk machine) using tcpdump and watching the incoming packets to udp:9995. However, I get the following recurring in rwflowpack.log:
date : timestamp : host : "rwflowpack [2380] : Ignoring packet: Illegal IPFIX Message Version 0x0009 (d=1,c=4)"
(underline added for attention)
I’m assuming that 1) either one of the conf files is not set correctly for Avaya ipfix OR 2) I’m using the wrong packing logic OR 3) there is something about “preipfixv9” which rwflowpack doesn’t recognize as ipfix.
Any ideas or observations are welcome, tks, Dave
silk.conf>
sensor 0 Internet0
class all
sensors Internet0
end class
EOF
sensors.conf>
probe Internet0 ipfix
listen-on-port 9995
protocol udp
listen-as-host 192.168.136.169
end probe
group my-network
ipblocks 192.168.136.0/24
end group
sensor Internet0
ipfix-probes Internet0
internal-ipblocks @my-network
external-ipblocks remainder
end sensor
EOF
rwflowpack.conf is the default with the following modifications from the “Silk on a box - Ubuntu 12.04..” instructions
cat /usr/local/share/silk/etc/rwflowpack.conf | \
sed 's/ENABLED=/ENABLED=yes/;' | \
sed 's/SENSOR_CONFIG=/SENSOR_CONFIG=\/data\/sensors.conf/;' | \
sed 's/SITE_CONFIG=/SITE_CONFIG=\/data\/silk.conf/' | \
sed 's/LOG_TYPE=syslog/LOG_TYPE=legacy/' | \
sed 's/LOG_DIR=.*/LOG_DIR=\/var\/log/' | \
sed 's/CREATE_DIRECTORIES=.*/CREATE_DIRECTORIES=yes/' \
>> rwflowpack.conf
sudo mv rwflowpack.conf /usr/local/etc/
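
The log line in the post reports header version 0x0009; an IPFIX message header carries version 10 (0x000a, RFC 7011), while NetFlow v9 carries version 9 (RFC 3954). The following is an added example, not part of the original post and not SiLK code: it classifies a UDP flow-export payload by its header and names the matching probe type for sensors.conf. The function name and the sample payloads are assumptions constructed for illustration.

```python
import struct

# Header version field -> (format name, header length in bytes, SiLK probe type).
FORMATS = {
    5: ("NetFlow v5", 24, "netflow-v5"),
    9: ("NetFlow v9", 20, "netflow-v9"),
    10: ("IPFIX", 16, "ipfix"),
}


def classify_export(payload: bytes) -> dict:
    """Identify the flow-export format of one UDP payload from its header."""
    if len(payload) < 4:
        raise ValueError("payload shorter than the 4-byte version prefix")
    version, second = struct.unpack("!HH", payload[:4])
    if version not in FORMATS:
        return {"version": version, "format": "unknown", "probe_type": None}
    name, header_len, probe_type = FORMATS[version]
    if len(payload) < header_len:
        raise ValueError(f"truncated {name} header: {len(payload)} bytes")
    info = {"version": version, "format": name, "probe_type": probe_type}
    if version == 10:
        # IPFIX (RFC 7011): second field is the total message length in bytes.
        info["length_ok"] = second == len(payload)
        export_time, seq, domain = struct.unpack("!III", payload[4:16])
        info.update(export_time=export_time, sequence=seq, domain=domain)
    elif version == 9:
        # NetFlow v9 (RFC 3954): second field is a record count, not a length.
        _uptime, secs, seq, source_id = struct.unpack("!IIII", payload[4:20])
        info.update(count=second, export_time=secs, sequence=seq, domain=source_id)
    else:
        # NetFlow v5: second field is the number of flow records that follow.
        info["count"] = second
    return info


# Constructed sample payloads (not captured from the switch in the post).
SAMPLE_V9 = struct.pack("!HHIIII", 9, 4, 123456, 1536952536, 1, 1)
SAMPLE_IPFIX = struct.pack("!HHIII", 10, 16, 1536952536, 1, 1)

if __name__ == "__main__":
    for label, pkt in (("v9", SAMPLE_V9), ("ipfix", SAMPLE_IPFIX)):
        print(label, classify_export(pkt))
```

Feeding it the UDP payload bytes of one packet seen on port 9995 shows which header format the exporter actually emits, independent of what the device calls its export option.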