I am having issues with Cento exporting netflow version 9 as well. I am able to export without issues using version 5. However, I will need version 9 soon because we need to export IPv6.
Our vendor for an IRP server sent us the following:

"According to IRP collector logs there were 0 flow packets received. Further investigation indicated misconfigured flow traffic:

[root@datafoundry (DATA-FOUNDRY) ~]# tshark -c 1000 -i any port 2055
Running as user "root" and group "root". This could be dangerous.
Capturing on Pseudo-device that captures on all interfaces
0.000000000 10.10.20.1 -> 10.10.20.2 CFLOW 1476 total: 1 (v9) record
0.000039173 10.10.20.1 -> 10.10.20.2 CFLOW 1476 total: 1 (v9) record
0.000110965 10.10.20.1 -> 10.10.20.2 CFLOW 1476 total: 1 (v9) record
0.000121947 10.10.20.1 -> 10.10.20.2 CFLOW 1476 total: 1 (v9) record
0.000126788 10.10.20.1 -> 10.10.20.2 CFLOW 1476 total: 1 (v9) record
0.000180269 10.10.20.1 -> 10.10.20.2 CFLOW 1476 total: 1 (v9) record
0.000186766 10.10.20.1 -> 10.10.20.2 CFLOW 1476 total: 1 (v9) record
0.000847617 10.10.20.1 -> 10.10.20.2 CFLOW 1476 total: 1 (v9) record
0.000921107 10.10.20.1 -> 10.10.20.2 CFLOW 1476 total: 1 (v9) record
0.000927370 10.10.20.1 -> 10.10.20.2 CFLOW 1476 total: 1 (v9) record
0.000990790 10.10.20.1 -> 10.10.20.2 CFLOW 1476 total: 1 (v9) record

As you can see, the flow sources are sending 1-byte packets and are causing Flowd receive buffer overloads:

[root@datafoundry (DATA-FOUNDRY) ~]# netstat -tulpn | egrep "Proto|irpfl"
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 8390664 0 :::2055 :::* 8321/irpflowd
udp 0 0 :::6343 :::* 8321/irpflowd

We tried to increase system buffers, but received packets still fill them up within a few seconds. Could you kindly provide the latest running configuration from your devices so we could investigate this? We assume that a wrong template is being used."

I performed an update this morning with no change in results.
Kind regards,
Jesse

From: [email protected] [mailto:[email protected]] On Behalf Of Loic SOULAS
Sent: Wednesday, December 07, 2016 8:27 AM
To: [email protected]
Subject: [Ntop] cento with logstash

Hi,

I'm writing with regard to a problem with cento and logstash. I use cento to export to a netflow collector. The collector is logstash with the netflow codec. My version of logstash is 5.0.1 and the netflow codec is 3.1.2. If I use cento with netflow version 5, it's OK, but if I use netflow version 9, I get an error:

No matching template for flow id 257

Can you tell me what flow id 257 corresponds to, and whether it's possible to correct my problem?

Regards.
Loïc

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
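The "flow id 257" in the error above is not a flow at all: in NetFlow v9 (RFC 3954) every FlowSet in an export packet carries a 16-bit ID, where 0 is a Template FlowSet, 1 is an Options Template FlowSet, and any value of 256 or above is a Data FlowSet whose records can only be decoded with the template of that same ID, previously announced by the same exporter (source ID). A collector that starts after the exporter, or that never receives the template because it is refreshed too rarely or sent to a different address, logs exactly this message and drops the data. The parser below is an added example written for this thread, not code from cento, logstash, irpflowd or the ntop project; it reads v9 packets into a per-source template cache and reports the missing-template case, and the packets it parses are constructed inline (the template and IPv6 field layout are assumed for illustration, not taken from anyone's configuration):

```python
import ipaddress
import struct

# NetFlow v9 header (RFC 3954 5.1): version, count, sysUptime, unixSecs, sequence, sourceId
HEADER = struct.Struct("!HHIIII")

# Small subset of RFC 3954 section 8 field types, used only for readable output.
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR",
               27: "IPV6_SRC_ADDR", 28: "IPV6_DST_ADDR"}


class TemplateCache:
    """Templates are scoped per (exporter source_id, template_id), as a collector must keep them."""
    def __init__(self):
        self.templates = {}


def parse_templates(body, source_id, cache):
    # Template FlowSet body: repeated {template_id, field_count, (type, length) * field_count}
    pos = 0
    while pos + 4 <= len(body):
        tid, nfields = struct.unpack_from("!HH", body, pos)
        pos += 4
        fields = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(nfields)]
        pos += 4 * nfields
        cache.templates[(source_id, tid)] = fields


def decode_data(body, fields):
    # Data FlowSet body: fixed-size records laid out per the template, then padding to 4 bytes
    rec_len = sum(flen for _, flen in fields)
    if rec_len == 0:
        return []
    records, pos = [], 0
    while pos + rec_len <= len(body):
        rec = {}
        for ftype, flen in fields:
            raw = body[pos:pos + flen]
            pos += flen
            if ftype in (8, 12) and flen == 4:
                value = str(ipaddress.IPv4Address(raw))
            elif ftype in (27, 28) and flen == 16:
                value = ipaddress.IPv6Address(raw).compressed
            else:
                value = int.from_bytes(raw, "big")
            rec[FIELD_NAMES.get(ftype, f"type_{ftype}")] = value
        records.append(rec)
    return records


def parse_v9(packet, cache):
    """Parse one export packet; returns (decoded records, list of error strings)."""
    ver, count, uptime, secs, seq, source_id = HEADER.unpack_from(packet, 0)
    if ver != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {ver})")
    records, errors, off = [], [], HEADER.size
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            errors.append(f"bad flowset length {fs_len} at offset {off}")
            break
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:
            parse_templates(body, source_id, cache)
        elif fs_id == 1:
            pass  # options templates are not needed for this demonstration
        elif fs_id >= 256:
            tmpl = cache.templates.get((source_id, fs_id))
            if tmpl is None:
                errors.append(f"No matching template for flow id {fs_id}")  # the collector's complaint
            else:
                records.extend(decode_data(body, tmpl))
        else:
            errors.append(f"reserved flowset id {fs_id}")
        off += fs_len
    return records, errors


# --- constructed sample traffic (not captured from the thread's exporters) ---
def build_packet(flowsets, seq, source_id=0):
    return HEADER.pack(9, len(flowsets), 1000, 1481100000, seq, source_id) + b"".join(flowsets)


def template_flowset(template_id, fields):
    body = struct.pack("!HH", template_id, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body


def data_flowset(template_id, records):
    body = b"".join(records)
    pad = (-len(body)) % 4
    return struct.pack("!HH", template_id, 4 + len(body) + pad) + body + b"\x00" * pad


def demo():
    cache = TemplateCache()
    # Assumed template 257: IPv6 src/dst, L4 ports, protocol, byte count (41-byte records)
    fields = [(27, 16), (28, 16), (7, 2), (11, 2), (4, 1), (1, 4)]
    rec = (ipaddress.IPv6Address("2001:db8::1").packed + ipaddress.IPv6Address("2001:db8::2").packed
           + struct.pack("!HHBI", 443, 51000, 6, 1500))
    data_only = build_packet([data_flowset(257, [rec])], seq=1)
    with_template = build_packet([template_flowset(257, fields), data_flowset(257, [rec])], seq=2)
    first = parse_v9(data_only, cache)      # data before any template: undecodable, error logged
    second = parse_v9(with_template, cache)  # template announced, records decode
    third = parse_v9(data_only, cache)       # cached template now covers data-only packets
    return first, second, third


if __name__ == "__main__":
    for label, (recs, errs) in zip(("data first", "template+data", "data again"), demo()):
        print(label, recs, errs)
```

The first packet reproduces the logstash message; the same data decodes once the template has been seen, which is why the fix on the exporter side is usually to make sure templates are actually sent to this collector and refreshed often enough (and that template and data use the same source ID), rather than to enlarge the collector's receive buffers.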
