[netsa-tools-discuss] rwflowpack config issue??

Dave McClain deputy527 at yahoo.com
Fri Sep 14 21:58:13 EDT 2018


Thanks Mark, I’ve made the probe change, but now seem to be struggling with a template issue which is discarding flows.

In rwflowpack.log I am receiving multiple lines with varying numbers of flows lost: "'Internet0': Ignoring NetflowV9 record: No Templates Present for this session. 1 Flows Lost."



> On Sep 14, 2018, at 4:22 PM, Mark Thomas <mthomas at cert.org> wrote:
> 
> Dave-
> 
> Thank you for your interest in the NetSA tools.
> 
> Thanks also for providing your configuration settings and the
> details of the problem you are having.
> 
> To solve your issue, specify your probe as a "netflow-v9" type
> instead of "ipfix".  That is,
> 
> probe Internet0 netflow-v9
>  listen-on-port 9995
>  protocol udp
>  listen-as-host 192.168.136.169
> end probe
> 
> An IPFIX probe expects the data to have Version 10 (0x000a);
> netflow-v9 probes support Message Version 9.
> 
> I hope that helps.
> 
> -Mark
> 
> 
> -----Original Message-----
> From: Dave McClain <deputy527 at yahoo.com>
> Date: Fri, 14 Sep 2018 15:15:36 -0400
> To: <netsa-tools-discuss at cert.org>
> Subject: [netsa-tools-discuss] rwflowpack config issue??
> 
> All, thanks in advance for any help.  Having an issue rcv’ing and unpacking ipfix from an Avaya ERS4850 switch to single machine SILK (v3.17.2) install, ubuntu.
> 
> Avaya switch is generating ipfix information and I can see the data locally on the switch.  It is set to export ipfix to the collector, 192.168.136.169 with UDP, port 9995 and the only option for protocol version is “preipfixv9”.  (protocol, port and protocol version can not be modified, not an option on the switch)
> 
> I’ve verified that the export is occurring to the collector (silk machine) using tcpdump and watching the incoming packets to udp:9995.  However, I get the following recurring in rwflowpack.log  >  date : timestamp : host : "rwflowpack [2380] : Ignoring packet: Illegal IPFIX Message Version 0x0009 (d=1,c=4)"  >underline added for attention 
> 
> I’m assuming that 1) either one of the conf files is not set correctly for Avaya ipfix OR 2) I’m using the wrong packing logic OR 3) there is something about “preipfixv9” which rwflowpack doesn’t recognize as ipfix.
> 
> Any ideas or observations are welcome, tks, Dave
> 
> silk.conf>
> sensor 0 Internet0
> 
> class all
>  sensors Internet0
> end class
> EOF
> 
> 
> sensors.conf>
> probe Internet0 ipfix
> listen-on-port 9995
> protocol udp
> listen-as-host 192.168.136.169
> end probe
> 
> group my-network
> ipblocks 192.168.136.0/24
> end group
> 
> sensor Internet0
> ipfix-probes Internet0
> internal-ipblocks @my-network
> external-ipblocks remainder
> end sensor
> EOF
> 
> rwflowpack.conf is the default with the following modifications from the “Silk on a box - Ubuntu 12.04..” instructions
> cat /usr/local/share/silk/etc/rwflowpack.conf | \
> sed 's/ENABLED=/ENABLED=yes/;' | \
> sed 's/SENSOR_CONFIG=/SENSOR_CONFIG=\/data\/sensors.conf/;' | \
> sed 's/SITE_CONFIG=/SITE_CONFIG=\/data\/silk.conf/' | \
> sed 's/LOG_TYPE=syslog/LOG_TYPE=legacy/' | \
> sed 's/LOG_DIR=.*/LOG_DIR=\/var\/log/' | \
> sed 's/CREATE_DIRECTORIES=.*/CREATE_DIRECTORIES=yes/' \
>>> rwflowpack.conf
> sudo mv rwflowpack.conf /usr/local/etc/
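The two log messages in this thread come from two different checks a collector makes: first the 2-byte version field of each UDP message (0x000a for IPFIX, 0x0009 for NetFlow v9, which is what the switch's "preipfixv9" setting sends), and then, for NetFlow v9, whether a template for the data flowset has already been received on that session. The following is an added example, not code from the thread or from the SiLK/libfixbuf projects; it implements a toy NetFlow v9 decoder (`check_probe_version`, `V9Session` and the message builders are all invented names) on constructed sample messages to show both failure modes side by side: a v9 export sent to an "ipfix" probe is rejected on the version field, and a v9 export sent to a "netflow-v9" probe loses the data flowsets that arrive before the exporter's template.

```python
import struct
from typing import Dict, List, Tuple

NETFLOW_V9 = 0x0009   # version field of a NetFlow v9 export packet
IPFIX = 0x000A        # version field of an IPFIX message

# NetFlow v9 field type ids (RFC 3954 table) used by the constructed sample template
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port",
               8: "src_addr", 11: "dst_port", 12: "dst_addr"}
ADDR_FIELDS = {8, 12}


class ProbeVersionError(ValueError):
    """Version field does not match the probe type (cf. 'Illegal IPFIX Message Version 0x0009')."""


def check_probe_version(msg: bytes, probe_type: str) -> int:
    """Mirror the collector's first check: the version must match the configured probe type."""
    expected = {"ipfix": IPFIX, "netflow-v9": NETFLOW_V9}[probe_type]
    if len(msg) < 2:
        raise ValueError("message too short")
    version = struct.unpack("!H", msg[:2])[0]
    if version != expected:
        raise ProbeVersionError(
            f"Illegal {probe_type} message version 0x{version:04x} (expected 0x{expected:04x})")
    return version


def _value(ftype: int, raw: bytes):
    """Render a field: dotted quad for IPv4 address fields, big-endian integer otherwise."""
    if ftype in ADDR_FIELDS and len(raw) == 4:
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")


class V9Session:
    """Per-exporter state for a netflow-v9 probe: templates learned from template flowsets."""

    def __init__(self) -> None:
        self.templates: Dict[int, List[Tuple[int, int]]] = {}
        self.lost_flowsets = 0    # data flowsets discarded because no template was known yet
        self.flows_decoded = 0

    def process(self, msg: bytes) -> List[dict]:
        check_probe_version(msg, "netflow-v9")
        # v9 header: version, count, sysUptime, unixSecs, sequence, sourceId (20 bytes)
        _, _count, _uptime, _secs, _seq, _src = struct.unpack("!HHIIII", msg[:20])
        off, records = 20, []
        while off + 4 <= len(msg):
            fs_id, fs_len = struct.unpack("!HH", msg[off:off + 4])
            if fs_len < 4:
                raise ValueError("bad flowset length")
            body = msg[off + 4:off + fs_len]
            if fs_id == 0:              # template flowset
                self._learn_templates(body)
            elif fs_id >= 256:          # data flowset referencing template id fs_id
                records.extend(self._decode_data(fs_id, body))
            # fs_id 1 (options template) is ignored in this toy decoder
            off += fs_len
        return records

    def _learn_templates(self, body: bytes) -> None:
        off = 0
        while off + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[off:off + 4])
            off += 4
            fields = []
            for _ in range(nfields):
                fields.append(struct.unpack("!HH", body[off:off + 4]))
                off += 4
            self.templates[tid] = fields

    def _decode_data(self, tid: int, body: bytes) -> List[dict]:
        tmpl = self.templates.get(tid)
        if tmpl is None:
            # Without the template the record length is unknown, so the whole flowset is
            # dropped: this is the 'No Templates Present for this session ... Flows Lost' case.
            self.lost_flowsets += 1
            return []
        rec_len = sum(flen for _, flen in tmpl)
        out, off = [], 0
        while off + rec_len <= len(body):   # trailing bytes shorter than a record are padding
            rec = {}
            for ftype, flen in tmpl:
                rec[FIELD_NAMES.get(ftype, f"field{ftype}")] = _value(ftype, body[off:off + flen])
                off += flen
            out.append(rec)
        self.flows_decoded += len(out)
        return out


# --- builders for the constructed sample export (not real switch output) ---
def build_v9_message(flowsets: List[bytes], seq: int) -> bytes:
    header = struct.pack("!HHIIII", NETFLOW_V9, len(flowsets), 0, 1536969600, seq, 1)
    return header + b"".join(flowsets)


def template_flowset(tid: int, fields: List[Tuple[int, int]]) -> bytes:
    body = struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body


def data_flowset(tid: int, records: List[bytes]) -> bytes:
    body = b"".join(records)
    pad = (-len(body)) % 4                 # flowsets are padded to a 4-byte boundary
    return struct.pack("!HH", tid, 4 + len(body) + pad) + body + b"\0" * pad


def demo() -> dict:
    tmpl = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1)]
    rec = bytes([192, 168, 136, 10, 10, 0, 0, 5]) + struct.pack("!HHB", 51234, 443, 6)
    early = build_v9_message([data_flowset(256, [rec])], seq=1)     # data before any template
    with_tmpl = build_v9_message([template_flowset(256, tmpl)], seq=2)
    later = build_v9_message([data_flowset(256, [rec])], seq=3)
    try:                                   # case 1: v9 export at an 'ipfix' probe
        check_probe_version(early, "ipfix")
        version_error = None
    except ProbeVersionError as e:
        version_error = str(e)
    sess = V9Session()                     # case 2: same export at a 'netflow-v9' probe
    first = sess.process(early)
    sess.process(with_tmpl)
    second = sess.process(later)
    return {"version_error": version_error, "first": first, "second": second,
            "lost_flowsets": sess.lost_flowsets, "flows_decoded": sess.flows_decoded}
```

Running `demo()` shows the first data flowset discarded and the identical one decoded once the template has been seen. On a real collector the same thing happens after every restart of rwflowpack or of the exporter: data cannot be decoded until the switch re-sends its template, which it does only on its own refresh timer, so a burst of "Flows Lost" lines right after a restart is expected, while lines that keep appearing indefinitely point at templates that never arrive (for example, templates sent with a different source id or observation domain than the data, or from a different UDP source port).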


