cloudflare / goflow

The high-scalability sFlow/NetFlow/IPFIX collector used internally at Cloudflare.
BSD 3-Clause "New" or "Revised" License

NetFlow does not appear in debug mode #14

Closed lz006 closed 5 years ago

lz006 commented 5 years ago

Hi, I'm trying out your goflow-solution, but I still don't get it to log NetFlow-Data. When using sFlow it works just fine. I did a tcpdump & wireshark to make sure that packets are arriving. And everything seems to be OK with the NetFlow-Agent from Open vSwitch:

    Frame 15: 162 bytes on wire (1296 bits), 162 bytes captured (1296 bits) on interface 0
    Ethernet II, Src: PcsCompu_65:3b:b0 (08:00:27:65:3b:b0), Dst: PcsCompu_99:cc:11 (08:00:27:99:cc:11)
    Internet Protocol Version 4, Src: 10.0.2.4, Dst: 10.0.2.15
    User Datagram Protocol, Src Port: 44835, Dst Port: 2055
    Cisco NetFlow/IPFIX
        Version: 5
        Count: 2
        SysUptime: 2606.495000000 seconds
        Timestamp: Oct 22, 2018 00:11:51.286745386 CEST
        FlowSequence: 13
        EngineType: Unknown (5)
        EngineId: 5
        00.. .... .... .... = SamplingMode: No sampling mode configured (0)
        ..00 0000 0000 0000 = SampleRate: 0
        pdu 1/2
            SrcAddr: 10.0.0.1
            DstAddr: 10.0.0.2
            NextHop: 0.0.0.0
            InputInt: 1
            OutputInt: 10
            Packets: 5
            Octets: 1004
            [Duration: 0.015000000 seconds]
            SrcPort: 40736
            DstPort: 1234
            Padding: 00
            TCP Flags: 0x19
            Protocol: TCP (6)
            IP ToS: 0x00
            SrcAS: 0
            DstAS: 0
            SrcMask: 0 (prefix: 0.0.0.0/32)
            DstMask: 0 (prefix: 0.0.0.0/32)
            Padding: 0000
        pdu 2/2
            SrcAddr: 10.0.0.2
            DstAddr: 10.0.0.1
            NextHop: 0.0.0.0
            InputInt: 10
            OutputInt: 1
            Packets: 3
            Octets: 206
            [Duration: 0.008000000 seconds]
            SrcPort: 1234
            DstPort: 40736
            Padding: 00
            TCP Flags: 0x11
            Protocol: TCP (6)
            IP ToS: 0x00
            SrcAS: 0
            DstAS: 0
            SrcMask: 0 (prefix: 0.0.0.0/32)
            DstMask: 0 (prefix: 0.0.0.0/32)
            Padding: 0000

I used your proposed docker image. Any idea why goflow does not process those NetFlow-Messages?

Kind Regards Lucas

lspgn commented 5 years ago

Hello @lz006, could you give me the version you're using and the command line you're passing? Do you have a pcap of the NetFlow data?

lz006 commented 5 years ago


Hi,

I'm using NetFlow v5.

Start Cmd:

sudo docker run --net=host -ti cloudflare/goflow:latest -kafka=false -loglevel debug

Attached you will find netflow.pcap.

thanks for help.

regards

Lucas


lspgn commented 5 years ago

Ah, this is not compatible with NetFlow v5. Any way you can do v9/IPFIX?
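An added example, not part of this thread and not goflow code: a Go check that reads the export version from a UDP payload and decodes NetFlow v5 records, which is the quickest way to confirm why a v9/IPFIX-only collector logs nothing for a capture like the one above. `Record`, `ParseV5` and `Sample` are names assumed here, and the sample payload is constructed from the field values in the dissection at the top of the thread.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// Record mirrors the fixed 48-byte NetFlow v5 flow record on the wire.
type Record struct {
	Src, Dst, NextHop            [4]byte
	Input, Output                uint16
	Packets, Octets, First, Last uint32
	SrcPort, DstPort             uint16
	Pad1, TCPFlags, Proto, ToS   uint8
	SrcAS, DstAS                 uint16
	SrcMask, DstMask             uint8
	Pad2                         uint16
}

// ParseV5 reads the export version from the first two bytes of a UDP payload
// and decodes the records only if it is a well-formed NetFlow v5 datagram.
func ParseV5(b []byte) ([]Record, error) {
	if len(b) < 24 { // fixed v5 header size
		return nil, fmt.Errorf("short datagram: %d bytes", len(b))
	}
	if v := binary.BigEndian.Uint16(b); v != 5 { // 9 is NetFlow v9, 10 is IPFIX
		return nil, fmt.Errorf("export version %d, not NetFlow v5", v)
	}
	n := int(binary.BigEndian.Uint16(b[2:])) // a v5 export carries 1 to 30 records
	if n < 1 || n > 30 || len(b) != 24+48*n {
		return nil, fmt.Errorf("count %d does not fit %d bytes", n, len(b))
	}
	recs := make([]Record, n)
	return recs, binary.Read(bytes.NewReader(b[24:]), binary.BigEndian, recs)
}

// Sample builds a constructed 120-byte payload: Version 5, Count 2, the rest
// of the header zeroed, then the two records from the dissection.
func Sample() []byte {
	buf := bytes.NewBuffer(append([]byte{0, 5, 0, 2}, make([]byte, 20)...))
	binary.Write(buf, binary.BigEndian, []Record{
		{Src: [4]byte{10, 0, 0, 1}, Dst: [4]byte{10, 0, 0, 2}, Input: 1, Output: 10,
			Packets: 5, Octets: 1004, SrcPort: 40736, DstPort: 1234, TCPFlags: 0x19, Proto: 6},
		{Src: [4]byte{10, 0, 0, 2}, Dst: [4]byte{10, 0, 0, 1}, Input: 10, Output: 1,
			Packets: 3, Octets: 206, SrcPort: 1234, DstPort: 40736, TCPFlags: 0x11, Proto: 6},
	})
	return buf.Bytes()
}

func main() { fmt.Println(ParseV5(Sample())) }
```

The 120-byte length matches the capture: the 162-byte frame minus 14 bytes of Ethernet, 20 of IPv4 and 8 of UDP header.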

lz006 commented 5 years ago

I'm on Open vSwitch, which only has support for NetFlow v5. Damn.

But anyways thank you very much.


lspgn commented 5 years ago

It's possible some converters exist. For now, I haven't planned on supporting NetFlow v5 but if there is enough interest I'll look into it.

Closing it for now.

Thank you :-)

lspgn commented 5 years ago

@lz006 feel free to send me a sample of NetFlow v5 (it was not attached to the other message).

lz006 commented 5 years ago

Now there should be an attachment; it seems that GitHub drops that when answering via email...

netflow.pcap.zip

chrispassas commented 5 years ago

I'm also interested in v5 support.