logstash-plugins / logstash-codec-netflow

Apache License 2.0

Netflow v9/IPFix from mikrotik routeros #58

Closed sliddjur closed 7 years ago

sliddjur commented 7 years ago

When using v9 on a mikrotik router, the ipv6 packets have huge amount of "in bytes". See picture. ipv6-netflow

Can this be solved in the definitions file? I don't know if it is a Mikrotik or Logstash problem. I attached flow templates for both v9 and IPFIX.

Also, I am not getting ipfix working, I am spammed with:

```
[2016-12-14T12:24:55,027][WARN ][logstash.codecs.netflow  ] Template length doesn't fit cleanly into flowset {:template_id=>257, :template_length=>101, :record_length=>612}
[2016-12-14T12:25:49,030][WARN ][logstash.codecs.netflow  ] Template length doesn't fit cleanly into flowset {:template_id=>257, :template_length=>101, :record_length=>308}
[2016-12-14T12:25:55,029][WARN ][logstash.codecs.netflow  ] Template length doesn't fit cleanly into flowset {:template_id=>257, :template_length=>101, :record_length=>612}
```

```
filter {
  if "netflow" in [tags] {
    geoip {
      source => "[netflow][ipv4_dst_addr]"
      target => "dst_geoip"
    }
    geoip {
      source => "[netflow][ipv4_src_addr]"
      target => "src_geoip"
    }
  }
}

output {
  if "netflow" in [tags] {
    elasticsearch {
      hosts => ["172.23.253.23:9200"]
      index => "netflow-%{+YYYY.MM.dd}"
      document_type => "events"
      template_name => "netflow"
    }
  }
}
```



- Sample Data:
[Desktop.zip](https://github.com/logstash-plugins/logstash-codec-netflow/files/651592/Desktop.zip)
jorritfolmer commented 7 years ago

Thanks for your pcap, very helpful! I've replayed your pcap to the asr9k branch on my test vm, and found that the ipv6 flows look normal, i.e. no suspicious large in_bytes or in_pkts.

Could you verify on your end with the asr9k branch? I'd do something like this to test it:

```sh
systemctl stop logstash
cd /home/somedir
git clone https://github.com/logstash-plugins/logstash-codec-netflow.git
cd logstash-codec-netflow        # checkout must run inside the cloned repo
git checkout asr9k
vi /usr/share/logstash/Gemfile
# then find the line with logstash-codec-netflow, and replace it with:
#   gem "logstash-codec-netflow", :path => "/home/somedir/logstash-codec-netflow"
systemctl start logstash
```
sliddjur commented 7 years ago

@jorritfolmer yes it worked well. Now ipv6 in netflow 9 works well with routeros on your asr9k branch.

Although I am not getting any IPFIX.

```
[2016-12-22T14:31:16,271][WARN ][logstash.codecs.netflow  ] Invalid netflow packet received (End of file reached)
[2016-12-22T14:31:18,272][WARN ][logstash.codecs.netflow  ] Invalid netflow packet received (End of file reached)
[2016-12-22T14:31:20,272][WARN ][logstash.codecs.netflow  ] Invalid netflow packet received (End of file reached)
```

This is from ipfix + netflow9 from a mikrotik. ipfix.zip

sliddjur commented 7 years ago

The /lib/logstash/codecs/netflow/ipfix.yaml file has uint64:

```yaml
0:
  1:
  - :uint64
  - :octetDeltaCount
  2:
  - :uint64
  - :packetDeltaCount
```

What happens when the template from mikrotik sends field 1 and 2 length 4 bytes?

jorritfolmer commented 7 years ago

Thanks for your pcap, very helpful. I will look into it later though.

jorritfolmer commented 7 years ago

I'll look into it this weekend.

jorritfolmer commented 7 years ago

Ok found it!

It appears the Mikrotik IPFIX implementation uses the flow count as Length (in the Message Header) instead of the byte count. We depend on a correct declaration of length to decode any incoming packet. According to the IPFIX RFC:

```
Length

    Total length of the IPFIX Message, measured in octets, including
    Message Header and Set(s).
```

Notice the Length: 2 on the 3rd line from. For this particular packet it should be around 300 bytes:

```
Cisco NetFlow/IPFIX
    Version: 10
    Length: 2
    Timestamp: Dec 22, 2016 14:15:15.000000000 CET
    FlowSequence: 40 (expected 46)
    Observation Domain Id: 0
    Set 1 [id=2] (Data Template): 258,259
        FlowSet Id: Data Template (V10 [IPFIX]) (2)
        FlowSet Length: 272
        Template (Id = 258, Count = 34)
        Template (Id = 259, Count = 31)
    [Expected Sequence Number: 46]
    [Previous Frame in Sequence: 31]
```

You should probably file a bug with Mikrotik.
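Added example (not part of this thread or of the logstash-codec-netflow code): a minimal IPFIX header and Template Set parser in Python that checks the header Length against the bytes actually received, which is how the Mikrotik bug above shows up (Length = 2 instead of the real message size), and decodes a record using the field length the template declares rather than the uint64 width in ipfix.yaml, addressing the earlier question about 4-byte octetDeltaCount/packetDeltaCount. The sample messages, template id, field lengths and `FIELD_NAMES` subset are constructed for the example.

```python
import struct
IPFIX_HEADER = struct.Struct("!HHIII")  # version, length, export_time, sequence, domain_id
FIELD_NAMES = {1: "octetDeltaCount", 2: "packetDeltaCount"}  # small subset of ipfix.yaml (assumed)

def parse_header(msg):
    """Return the IPFIX Message Header (RFC 7011 section 3.1) as a dict."""
    version, length, export_time, seq, domain = IPFIX_HEADER.unpack_from(msg, 0)
    return {"version": version, "length": length, "export_time": export_time,
            "sequence": seq, "domain_id": domain}

def check_length(msg):
    """Return a problem string when Length does not cover the received octets, else None."""
    hdr = parse_header(msg)
    if hdr["version"] != 10:
        return "not IPFIX (version %d)" % hdr["version"]
    if hdr["length"] != len(msg):  # Length must count header + all Sets, in octets
        return "header Length %d != received %d bytes" % (hdr["length"], len(msg))
    return None

def parse_template_set(msg, offset=IPFIX_HEADER.size):
    """Parse one Template Set (set id 2) at offset -> {template_id: [(field_id, length), ...]}."""
    set_id, set_len = struct.unpack_from("!HH", msg, offset)
    if set_id != 2:
        raise ValueError("set id %d is not a Template Set" % set_id)
    pos, end, templates = offset + 4, offset + set_len, {}
    while pos + 4 <= end:  # each template record: id, field count, then (id, length) pairs
        tid, count = struct.unpack_from("!HH", msg, pos)
        pos += 4
        fields = []
        for _ in range(count):
            fid, flen = struct.unpack_from("!HH", msg, pos)
            pos += 4
            fields.append((fid, flen))
        templates[tid] = fields
    return templates

def decode_record(fields, data):
    """Decode a data record with the lengths the template declares (4-byte counters stay 32-bit)."""
    out, pos = {}, 0
    for fid, flen in fields:
        out[FIELD_NAMES.get(fid, "field_%d" % fid)] = int.from_bytes(data[pos:pos + flen], "big")
        pos += flen
    return out

# Constructed sample: Template Set defining template 258 = octetDeltaCount(4), packetDeltaCount(4)
TEMPLATE_SET = struct.pack("!HHHHHHHH", 2, 16, 258, 2, 1, 4, 2, 4)
GOOD = IPFIX_HEADER.pack(10, IPFIX_HEADER.size + len(TEMPLATE_SET), 1482412515, 40, 0) + TEMPLATE_SET
BROKEN = IPFIX_HEADER.pack(10, 2, 1482412515, 40, 0) + TEMPLATE_SET  # Length holds a flow count
```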

jorritfolmer commented 7 years ago

Is there a public Mikrotik bugtracker so we can keep track of this?

jorritfolmer commented 7 years ago

Any news from Mikrotik on this bug?

jorritfolmer commented 7 years ago

The Length field seems fixed now, from a separate pcap I received in issue #81 using RouterOS 6.39.2