Template not found when using Flexible Netflow templates

[Splitarra]

• Version: logstash 6.2 netflow module - 3.11.4
• Operating System: Ubuntu 16.04.3
• Config File (if you have sensitive info, please remove it): See below
• Sample Data: I can email a sample PCAP if required.
• Steps to Reproduce: Netflow data is being exported from a Cisco ASR 1k. When using the default netflowV9 fields the template is received and flows are imported. When switching to Flexible Netflow the template is not recognised by logstash.

I am exporting some fields that weren't in the netflow.yaml file so i added those definitions with no success:

70:

• :uint24
• :mpls_label_1 71:
• :uint24
• :mpls_label_2 72:
• :uint24
• :mpls_label_3 73:
• :uint24
• :mpls_label_4 74:
• :uint24
• :mpls_label_5 75:
• :uint24
• :mpls_label_6

I get the following error: [2018-03-31T17:44:11,234][WARN ][logstash.codecs.netflow ] Can't (yet) decode flowset id 279 from source id 2048, because no template to decode it with has been received Which seems to suggest that the netflow plugin is not recognising the template that is being sent?

When i set up a wireshark the template file is received within a few minutes. I have attached a txt representation of the packet capture but can email the actual PCAP containing the template and netflow messages if needed.

flow packet.txt template packet.txt

[jorritfolmer]

The Cisco ASR 1k is on the list of devices that we currently don't support due to duplicate fields. Or rather "can't" because the library we use to parse the netflow structure doesn't support it.

[Splitarra]

Hi Jorritfolmer.

Thanks for your answer on this. I managed to get around the issue by using nprobe as a proxy for the netflow data.