elastic / beats

:tropical_fish: Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats

netflow protocol version 31538 not supported #16890

Closed bLackCat-79 closed 2 years ago

bLackCat-79 commented 4 years ago

Hi All,

I am using an ELK stack SIEM with filebeat. Filebeat has been configured to accept netflow traffic.

When my Ubiquiti sends netflow data I see the following error:

2020-03-06T17:17:44.919Z WARN [netflow] netflow/input.go:244 Error parsing NetFlow packet of length 59 from 192.168.1.243:514: netflow protocol version 31538 not supported

Can anyone help me on this one?

elasticmachine commented 4 years ago

Pinging @elastic/siem (Team:SIEM)

bLackCat-79 commented 4 years ago

Is it allowed to bump this issue up?

andrewkroh commented 4 years ago

Would you be able to share a PCAP sample of the netflow traffic that causes the issue? The sample would need to include both the netflow templates and some data records for us to try to recreate and analyze.

Also what's the hardware model/version and firmware version?

adriansr commented 4 years ago

It looks like Filebeat is receiving non-netflow packets, a .pcap capture of the traffic arriving to Filebeat will help in determining what's going on.

A common mistake is to configure devices to send sFlow instead of NetFlow. But in that case you'll be receiving an error referencing version 0.

Here, version 31538 corresponds to a packet whose first two bytes are the printable ASCII characters `{2`, so this is neither NetFlow nor sFlow.

The fact that the source port is 514/udp is also suspicious, as that is the port used for syslog. Also, is 192.168.1.243 your Ubiquiti device?
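A small triage helper, added here as an example and not part of the beats code base, that reads the leading 16-bit version field the way the error message implies and reports what the first bytes look like (NetFlow, sFlow, or printable text such as the `{2` behind version 31538). The sample payloads below are constructed for the demonstration.

```python
import string
import struct

# Version values the Filebeat netflow input is expected to understand.
NETFLOW_VERSIONS = {5: "NetFlow v5", 9: "NetFlow v9", 10: "IPFIX (NetFlow v10)"}
# Printable ASCII minus the control whitespace characters.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def netflow_version(payload: bytes) -> int:
    """Return the big-endian 16-bit field a NetFlow parser reads as the version."""
    if len(payload) < 2:
        raise ValueError("payload too short to carry a version field")
    return struct.unpack("!H", payload[:2])[0]


def classify_udp_payload(payload: bytes) -> str:
    """Describe what the leading bytes of a datagram look like, as a triage aid."""
    version = netflow_version(payload)
    if version in NETFLOW_VERSIONS:
        return NETFLOW_VERSIONS[version]
    # sFlow v5 starts with a 32-bit version field (5), so a parser that reads
    # only the first 16 bits reports "version 0", as described in the thread.
    if version == 0 and len(payload) >= 4 and struct.unpack("!I", payload[:4])[0] == 5:
        return "sFlow v5 (NetFlow parser would report version 0)"
    if all(b in PRINTABLE for b in payload[:2]):
        text = payload[:2].decode("ascii")
        return f"version {version} = printable ASCII {text!r}: not NetFlow or sFlow"
    return f"unknown binary payload, version field {version}"


# Constructed sample datagrams (not real captures).
SAMPLE_NETFLOW_V9 = struct.pack("!HHIIII", 9, 1, 1000, 1583514000, 1, 0)
SAMPLE_SFLOW_V5 = struct.pack("!II", 5, 1) + b"\x00" * 16
SAMPLE_TEXT = b"{2020-03-06T17:17:44Z host=router msg=constructed}"


if __name__ == "__main__":
    for sample in (SAMPLE_NETFLOW_V9, SAMPLE_SFLOW_V5, SAMPLE_TEXT):
        print(classify_udp_payload(sample))
```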

jlind23 commented 2 years ago

Backlog grooming: Closing it for now until further activity, can still be reopened if needed.