robcowart / elastiflow

Network flow analytics (Netflow, sFlow and IPFIX) with the Elastic Stack

sflow version 2 #541

Status: Closed (closed by freedomwarrior 2 years ago)

freedomwarrior commented 4 years ago

Does elkflow support version 2?

robcowart commented 4 years ago

The codec used by ElastiFlow supports sFlow v5, which has been the current standard since 2004. What device do you have that sends sFlow v2?

freedomwarrior commented 4 years ago

Core switch Quanta LB6M firmwared into Brocade Turbo Iron 24x

robcowart commented 4 years ago

Wow. That is surprisingly new gear to be supporting such an old and little used protocol. If you can provide a PCAP of the sFlow records I can look into what it would take to add support.

freedomwarrior commented 4 years ago

Does this one help? Or am I doing it wrong? [image]

robcowart commented 4 years ago

I was asking for the PCAP file so that I can investigate the details of a variety of flow records myself as well as create a replay script for testing.

That screenshot shows only a counter sample, not a flow sample.

freedomwarrior commented 4 years ago

> I was asking for the PCAP file so that I can investigate the details of a variety of flow records myself as well as create a replay script for testing.
>
> That screenshot shows only a counter sample, not a flow sample.

Ye, sorry https://github.com/freedomwarrior/123/blob/master/brocade.pcap

robcowart commented 4 years ago

Thanks. You can delete the file now if you don't want that information to stay on the internet.

I can see a few differences between sFlow v2 datagrams and v5. They aren't significant, but they are there, and would prevent the current codec from working without modification. I will need to block out some time to work on this.
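As an added example (not code from this issue or from ElastiFlow), a Python parser for the fixed sFlow datagram header that keys every later offset on the version field: a parser hard-wired for v5 would read a v2 datagram's sequence number as the sub-agent ID and shift every field after it. It assumes the v2/v4 and v5 header layouts (v5 inserts a sub-agent ID after the agent address); the sample datagrams are constructed, not captured from the Brocade switch.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass
class SFlowHeader:
    version: int
    agent_address: str
    sub_agent_id: Optional[int]  # present in v5 only; None for v2/v4
    sequence_number: int
    uptime_ms: int
    num_samples: int


def _u32(data: bytes, off: int) -> int:
    """Read one big-endian XDR uint32, refusing to read past the buffer."""
    if off + 4 > len(data):
        raise ValueError(f"truncated sFlow header at offset {off}")
    return struct.unpack_from("!I", data, off)[0]


def parse_sflow_header(data: bytes) -> SFlowHeader:
    """Parse the fixed datagram header of sFlow v2/v4 and v5 (assumed layout:
    version, address type, agent address, [sub-agent ID, v5 only],
    sequence number, sysUpTime in ms, sample count)."""
    version = _u32(data, 0)
    if version not in (2, 4, 5):
        raise ValueError(f"unsupported sFlow datagram version {version}")
    addr_type = _u32(data, 4)
    addr_len = {1: 4, 2: 16}.get(addr_type)  # 1 = IPv4, 2 = IPv6
    if addr_len is None:
        raise ValueError(f"unknown agent address type {addr_type}")
    if 8 + addr_len > len(data):
        raise ValueError("truncated agent address")
    agent = str(ipaddress.ip_address(data[8:8 + addr_len]))
    off = 8 + addr_len
    sub_agent_id = None
    if version == 5:  # the one header field that v2/v4 lack
        sub_agent_id = _u32(data, off)
        off += 4
    seq, uptime, nsamples = (_u32(data, off + i) for i in (0, 4, 8))
    return SFlowHeader(version, agent, sub_agent_id, seq, uptime, nsamples)


# Constructed sample datagram headers (not captured from a real device).
V2_DATAGRAM = struct.pack("!II4sIII", 2, 1, bytes([10, 0, 0, 1]), 7, 123456, 1)
V5_DATAGRAM = struct.pack("!II4sIIII", 5, 1, bytes([10, 0, 0, 1]), 0, 7, 123456, 1)
```

Feed it the first bytes of each UDP payload from a capture like the one linked above to see which version a device is actually sending before pointing it at a collector.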

freedomwarrior commented 4 years ago

Ok, thank you very much!

fredtj commented 4 years ago

@freedomwarrior in the mean time you could perhaps use sflowtool to convert the flows to netflow?

freedomwarrior commented 3 years ago

> @freedomwarrior in the mean time you could perhaps use sflowtool to convert the flows to netflow?

Hello. Sorry for my late response. I tried this: `sflowtool -p 6343 -c elastiflow.collector -d 2055`, but it does not seem to work. I see UDP datagrams from sflowtool, but Logstash didn't record them.

```
09:55:23.640319 IP relocate.net.35431 > lline-140-39.elastiflow.collector.2055: UDP, length 72
09:55:23.920991 IP relocate.net.35431 > lline-140-39.elastiflow.collector.2055: UDP, length 72
09:55:23.920992 IP relocate.net.35431 > lline-140-39.elastiflow.collector.2055: UDP, length 72
09:55:23.920992 IP relocate.net.35431 > lline-140-39.elastiflow.collector.2055: UDP, length 72
09:55:23.920992 IP relocate.net.35431 > lline-140-39.elastiflow.collector.2055: UDP, length 72
09:55:23.920992 IP relocate.net.35431 > lline-140-39.elastiflow.collector.2055: UDP, length 72
09:55:23.920992 IP relocate.net.35431 > lline-140-39.elastiflow.collector.2055: UDP, length 72
09:55:23.920992 IP relocate.net.35431 > lline-140-39.elastiflow.collector.2055: UDP, length 72
09:55:23.920992 IP relocate.net.35431 > lline-140-39.elastiflow.collector.2055: UDP, length 72
```

robcowart commented 2 years ago

This issue is being closed as this legacy version of ElastiFlow is now deprecated and is to be archived. Please try the new ElastiFlow, request a free Basic Tier license, and join the ElastiFlow Community Slack. Thank you.