Mailing List Archive

cento with logstash
Hi

I'm writing with regard to a problem with cento and logstash.
I use cento to export to a netflow collector. The collector is logstash with the netflow codec.

My version of logstash is 5.0.1 and the netflow codec is 3.1.2.
If I use cento with netflow version 5, it's ok, but if I use netflow version 9, I get an error: No matching template for flow id 257

Can you tell me what flow id 257 corresponds to, and if it's possible to correct my problem?

Regards.

Loïc
Re: cento with logstash
I am having issues with Cento exporting netflow version 9 as well. I am able to export without issues using version 5. However, I will need version 9 soon because we need to export IPv6.

Our vendor for an IRP server sent us the following:

" According to IRP collector logs there were 0 flow packets received.
Further investigation pointed to misconfigured flow traffic:
[root@datafoundry (DATA-FOUNDRY) ~]# tshark -c 1000 -i any port 2055
Running as user "root" and group "root". This could be dangerous.
Capturing on Pseudo-device that captures on all interfaces
0.000000000 10.10.20.1 -> 10.10.20.2 CFLOW 1476 total: 1 (v9) record
0.000039173 10.10.20.1 -> 10.10.20.2 CFLOW 1476 total: 1 (v9) record
0.000110965 10.10.20.1 -> 10.10.20.2 CFLOW 1476 total: 1 (v9) record
0.000121947 10.10.20.1 -> 10.10.20.2 CFLOW 1476 total: 1 (v9) record
0.000126788 10.10.20.1 -> 10.10.20.2 CFLOW 1476 total: 1 (v9) record
0.000180269 10.10.20.1 -> 10.10.20.2 CFLOW 1476 total: 1 (v9) record
0.000186766 10.10.20.1 -> 10.10.20.2 CFLOW 1476 total: 1 (v9) record
0.000847617 10.10.20.1 -> 10.10.20.2 CFLOW 1476 total: 1 (v9) record
0.000921107 10.10.20.1 -> 10.10.20.2 CFLOW 1476 total: 1 (v9) record
0.000927370 10.10.20.1 -> 10.10.20.2 CFLOW 1476 total: 1 (v9) record
0.000990790 10.10.20.1 -> 10.10.20.2 CFLOW 1476 total: 1 (v9) record

As you can see, the flow sources are sending 1-byte packets and are causing Flowd receive buffer overloads:
[root@datafoundry (DATA-FOUNDRY) ~]# netstat -tulpn | egrep "Proto|irpfl"
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 8390664 0 :::2055 :::* 8321/irpflowd
udp 0 0 :::6343 :::* 8321/irpflowd

We tried to increase the system buffers, but received packets still fill them up within a few seconds.
Could you kindly provide the latest running configuration from your devices so we could investigate this? We assume that the wrong template is being used."

I performed an update this morning with no change in results.

Kind regards,

Jesse


From: ntop-bounces@listgateway.unipi.it [mailto:ntop-bounces@listgateway.unipi.it] On Behalf Of Loic SOULAS
Sent: Wednesday, December 07, 2016 8:27 AM
To: ntop@listgateway.unipi.it
Subject: [Ntop] cento with logstash

Hi

I'm writing with regard to a problem with cento and logstash.
I use cento to export to a netflow collector. The collector is logstash with the netflow codec.

My version of logstash is 5.0.1 and the netflow codec is 3.1.2.
If I use cento with netflow version 5, it's ok, but if I use netflow version 9, I get an error: No matching template for flow id 257

Can you tell me what flow id 257 corresponds to, and if it's possible to correct my problem?

Regards.

Loïc
_______________________________________________
Ntop mailing list
Ntop@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop
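An added example, not code from the thread, from cento or from the logstash netflow codec, that reproduces the collector-side condition behind both Loïc's "No matching template for flow id 257" and the vendor's suspicion that "the wrong template is being used": a minimal NetFlow v9 collector in Python that, like any v9 collector, can only decode a data flowset after it has cached the template whose ID (here 257) the flowset names. The field type IDs are the ones defined in RFC 3954; the packet bytes, addresses, ports and the names V9Collector, v9_packet, template_flowset, data_flowset and sample_record are constructed for this example.

```python
import struct
# NetFlow v9 field type IDs (RFC 3954) used by the constructed template 257.
IN_BYTES, L4_SRC_PORT, IPV4_SRC_ADDR, L4_DST_PORT, IPV4_DST_ADDR = 1, 7, 8, 11, 12
TEMPLATE_257 = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (L4_SRC_PORT, 2), (L4_DST_PORT, 2), (IN_BYTES, 4)]
def v9_packet(flowsets, seq=1, source_id=0):
    # Export packet = 20-byte header (version, count, sysUptime, unixSecs, seq, sourceId) + flowsets.
    return struct.pack("!HHIIII", 9, len(flowsets), 1000, 1481100000, seq, source_id) + b"".join(flowsets)
def template_flowset(tid, fields):
    # Flowset ID 0 carries templates: template ID, field count, then (type, length) pairs.
    body = struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", t, n) for t, n in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body
def data_flowset(tid, records):
    # A flowset ID >= 256 is a data flowset; the ID names the template describing its records.
    body = b"".join(records)
    pad = (-len(body)) % 4
    return struct.pack("!HH", tid, 4 + len(body) + pad) + body + b"\0" * pad
def sample_record():
    # Constructed record laid out per TEMPLATE_257: 10.10.20.1:40000 -> 10.10.20.2:2055, 1476 bytes.
    return struct.pack("!4s4sHHI", bytes([10, 10, 20, 1]), bytes([10, 10, 20, 2]), 40000, 2055, 1476)

class V9Collector:
    def __init__(self):
        self.templates, self.records, self.errors = {}, [], []   # templates keyed by (source ID, template ID)
    def feed(self, pkt):
        version, _, _, _, _, source_id = struct.unpack("!HHIIII", pkt[:20])
        if version != 9: raise ValueError(f"expected NetFlow v9, got version {version}")
        off = 20
        while off + 4 <= len(pkt):
            fid, flen = struct.unpack("!HH", pkt[off:off + 4])
            if flen < 4: break                    # a malformed length would otherwise loop forever
            body = pkt[off + 4:off + flen]
            if fid == 0:                          # template flowset: learn or refresh templates
                pos = 0
                while pos + 4 <= len(body):
                    tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                    fields = [struct.unpack("!HH", body[pos + 4 + 4 * i:pos + 8 + 4 * i]) for i in range(nfields)]
                    self.templates[(source_id, tid)] = fields
                    pos += 4 + 4 * nfields
            elif fid >= 256:                      # data flowset: undecodable until its template is cached
                fields = self.templates.get((source_id, fid))
                if not fields:                    # the condition behind the logstash codec's message
                    self.errors.append(f"No matching template for flow id {fid}")
                else:
                    rlen = sum(n for _, n in fields)
                    for r in range(len(body) // rlen):
                        rec, pos = {}, r * rlen
                        for ftype, n in fields:
                            rec[ftype] = int.from_bytes(body[pos:pos + n], "big"); pos += n
                        self.records.append(rec)
            off += flen
```

Exporters resend templates only periodically, so a collector started after the last refresh logs this error for every data flowset until the next template arrives, and templates are cached per source ID, so an exporter that changes its source ID or whose templates never reach the collector produces the same message. Checking the exporter's template refresh interval and confirming with a capture that template flowsets (flowset ID 0) actually arrive at the collector is the first thing to verify.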