cloudflare / goflow

The high-scalability sFlow/NetFlow/IPFIX collector used internally at Cloudflare.
BSD 3-Clause "New" or "Revised" License
870 stars 173 forks

Netflow v5 -- Unknown #89

Closed mugugnu closed 3 years ago

mugugnu commented 3 years ago

Hi, my goflow container (latest 3.4.3) is receiving flow records with initial flags like this: (I'm inspecting them via nfcapd on a VM)

Flow Record: Flags = 0x00 NETFLOW v5, Unsampled label =

However goflow continuously returns this error: "Error from: NetFlow (0) duration: 12.92µs. Unknown NetFlow version 5 (only decodes v9 and v10/IPFIX)"

Does goflow support netflow v5? Can you help me troubleshoot this?

lspgn commented 3 years ago

Hello, You need to send NetFlow v5 on a different port than v9/ipfix (by default :2056). Defined by -nfl.port and -nfl.addr args. Let me know if that works.
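The port split described in the reply above, as an added example that is not part of the thread or of goflow's own code: it reads the 16-bit version field that starts every NetFlow v5, v9 and IPFIX datagram and reports which default listener decodes it. The ports are the defaults quoted in this thread; `ExpectedPort` and `constructedV5` are hypothetical names, and the sample datagram is constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Default goflow listener ports as quoted in this thread, plus v5 format sizes.
const (
	portNetFlow       = 2055 // Type=NetFlow: decodes v9 and v10/IPFIX only
	portNetFlowLegacy = 2056 // Type=NetFlowLegacy: decodes v5
	v5HeaderLen       = 24   // bytes in a NetFlow v5 header
	v5RecordLen       = 48   // bytes in each NetFlow v5 flow record
)

var errShort = errors.New("datagram too short for a NetFlow header")

// ExpectedPort returns the version found in the first two bytes (big-endian)
// and the default goflow port whose decoder accepts that version.
func ExpectedPort(pkt []byte) (version uint16, port int, err error) {
	if len(pkt) < 4 {
		return 0, 0, errShort
	}
	version = binary.BigEndian.Uint16(pkt[0:2])
	switch version {
	case 5:
		count := int(binary.BigEndian.Uint16(pkt[2:4]))
		if want := v5HeaderLen + count*v5RecordLen; len(pkt) < want {
			return version, 0, fmt.Errorf("v5 truncated: %d records need %d bytes, got %d", count, want, len(pkt))
		}
		return version, portNetFlowLegacy, nil
	case 9, 10:
		return version, portNetFlow, nil
	}
	return version, 0, fmt.Errorf("unknown NetFlow version %d", version)
}

// constructedV5 builds a zero-filled v5 datagram with n records (sample data).
func constructedV5(n int) []byte {
	pkt := make([]byte, v5HeaderLen+n*v5RecordLen)
	binary.BigEndian.PutUint16(pkt[0:2], 5)
	binary.BigEndian.PutUint16(pkt[2:4], uint16(n))
	return pkt
}

func main() {
	fmt.Println(ExpectedPort(constructedV5(2)))
}
```

Feeding it the first bytes of a captured export datagram shows whether the exporter's destination port matches the decoder that will receive it.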

mugugnu commented 3 years ago

I was actually sending to 2056, but goflow default setup was and still is:

time="2021-01-08T15:30:10Z" level=info msg="Listening on UDP :6343" Type=sFlow
time="2021-01-08T15:30:10Z" level=info msg="Listening on UDP :2055" Type=NetFlow
time="2021-01-08T15:30:10Z" level=info msg="Listening on UDP :2056" Type=NetFlowLegacy

I'm not sure what I actually did except for deleting the pods (both goflow and nflow-gen) and recreating them a bunch of times.

As long as goflow was configured to send to kafka I could not see any message in the goflow logs, when I added the -kafka=false I started seeing netflow traffic arrive.

So, bottom line is that I'm sending to 2056...logs read "netflowlegacy", sounds like v5 doesn't it?

lspgn commented 3 years ago

> As long as goflow was configured to send to kafka I could not see any message in the goflow logs, when I added the -kafka=false I started seeing netflow traffic arrive.

Correct, it's only logging when Kafka is disabled.

> So, bottom line is that I'm sending to 2056...logs read "netflowlegacy", sounds like v5 doesn't it?

Correct. I use legacy term for v5.

Do you still see the error about the version? If so, could you send me a pcap?

mugugnu commented 3 years ago

Without kafka it's working fine, no more errors. Update: also with kafka enabled, I'm receiving stuff on the chosen topic. I just don't know how to decode it (is it binary?)

lspgn commented 3 years ago

> Update: also with kafka enabled, I'm receiving stuff on the chosen topic. I just don't know how to decode it (is it binary?)

It is a protobuf message. You need to unmarshall the data.

mugugnu commented 3 years ago

Everything's fine. Thanks for your support.

StefanoKoo commented 3 years ago

@mugugnu Did you find a way to decode the messages?