[netsa-tools-discuss] rwflowpack config issue??

Mark Thomas mthomas at cert.org
Fri Sep 14 16:22:21 EDT 2018 

Dave-

Thank you for your interest in the NetSA tools.

Thanks also for providing your configuration settings and the
details of the problem you are having.

To solve your issue, specify your probe as a "netflow-v9" type
instead of "ipfix".  That is,

 probe Internet0 netflow-v9
  listen-on-port 9995
  protocol udp
  listen-as-host 192.168.136.169
 end probe

An IPFIX probe expects the data to have Version 10 (0x000a);
netflow-v9 probes support Message Version 9.

I hope that helps.

-Mark


-----Original Message-----
From: Dave McClain <deputy527 at yahoo.com>
Date: Fri, 14 Sep 2018 15:15:36 -0400
To: <netsa-tools-discuss at cert.org>
Subject: [netsa-tools-discuss] rwflowpack config issue??

All, thanks in advance for any help.  Having an issue rcv’ing and unpacking ipfix from an Avaya ERS4850 switch to single machine SILK (v3.17.2) install, ubuntu.

Avaya switch is generating ipfix information and I can see the data locally on the switch.  It is set to export ipfix to the collector, 192.168.136.169 with UDP, port 9995 and the only option for protocol version is “preipfixv9”.  (protocol, port and protocol version can not be modified, not an option on the switch)

I’ve verified that the export is occurring to the collector (silk machine) using tcpdump and watching the incoming packets to udp:9995.  However, I get the following recurring in rwflowpack.log  >  date : timestamp : host : "rwflowpack [2380] : Ignoring packet: Illegal IPFIX Message Version 0x0009 (d=1,c=4)"  >underline added for attention 

I’m assuming that 1) either one of the conf files is not set correctly for Avaya ipfix OR 2) I’m using the wrong packing logic OR 3) there is something about “preipfixv9” which rwflowpack doesn’t recognize as ipfix.

Any ideas or observations are welcome, tks, Dave

silk.conf>
sensor 0 Internet0

class all
  sensors Internet0
end class
 EOF


sensors.conf>
probe Internet0 ipfix
 listen-on-port 9995
 protocol ump
 listen-as-host 192.168.136.169
end probe

group my-network
 ipblocks 192.168.136.0/24
end group

sensor Internet0
 infix-probes Internet0
 internal-ipblocks @my-network
 external-ipblocks remainder
end sensor
EOF

rwflowpack.conf is the default with the following modifications from the “Silk on a box - Ubuntu 12.04..” instructions
cat /usr/local/share/silk/etc/rwflowpack.conf | \
sed 's/ENABLED=/ENABLED=yes/;' | \
sed 's/SENSOR_CONFIG=/SENSOR_CONFIG=\/data\/sensors.conf/;' | \
sed 's/SITE_CONFIG=/SITE_CONFIG=\/data\/silk.conf/' | \
sed 's/LOG_TYPE=syslog/LOG_TYPE=legacy/' | \
sed 's/LOG_DIR=.*/LOG_DIR=\/var\/log/' | \
sed 's/CREATE_DIRECTORIES=.*/CREATE_DIRECTORIES=yes/' \
>> rwflowpack.conf
sudo mv rwflowpack.conf /usr/local/etc/

More information about the netsa-tools-discuss mailing list