Can't (yet) decode flowset with netflow-udp-input >= 3.2.0

Question

Can't (yet) decode flowset with netflow-udp-input >= 3.2.0

Adium74 opened this issue 7 years ago · 4 comments

udp_7000.zip
Version: logstash 6.2.1 / logstash-codec-netflow (3.11.2)
Operating System: CentOS Linux 7 (Kernel: Linux 3.10.0-693.17.1.el7.x86_64)
Device: VMware ESXi 6.0 Update 3 (build 5050593)
Config File:

input {
        udp {
                port => 7000
                codec => netflow
                type => "netflow"
                queue_size => 10000
                workers => 4
                tags => [ "vmware_vds" ]
        }
}
output {
	stdout { codec => rubydebug }
}

Steps to Reproduce:

Start Logstash
View the logs

[2018-02-15T12:19:16,439][WARN ][logstash.codecs.netflow ] Can't (yet) decode flowset id 256 from observation domain id 0, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2018-02-15T12:19:40,437][WARN ][logstash.codecs.netflow ] Can't (yet) decode flowset id 256 from observation domain id 0, because no template to decode it with has been received. This message will usually go away after 1 minute.

Messages is not go away after 1 minute.

tcpdump pcap-file from server in attach

Answer 1 · 2018-03-10T13:30:20.000Z

Sorry bit busy lately. I'll look into it.

Answer 2 · 2018-03-25T08:35:29.000Z

I can't reproduce your issue, the pcap sample you sent decodes perfectly.
This is a sample from what I get from your pcap:

{
  "@version": "1",
  "host": "172.16.32.201",
  "netflow": {
    "destinationIPv4Address": "10.81.29.158",
    "destinationTransportPort": 54283,
    "tcpControlBits": 24,
    "vmwareUnknown890": 1,
    "sourceIPv4Address": "10.247.0.209",
    "ingressInterface": 5331,
    "ipClassOfService": 0,
    "version": 10,
    "packetDeltaCount": 1,
    "flowEndReason": 1,
    "protocolIdentifier": 6,
    "flowDirection": 1,
    "layer2SegmentId": 0,
    "egressInterface": 3071,
    "octetDeltaCount": 132,
    "sourceTransportPort": 1918,
    "flowEndMilliseconds": "2018-02-15T09:28:20.000Z",
    "maximumTTL": 55,
    "vmwareUnknown888": 2,
    "flowStartMilliseconds": "2018-02-15T09:28:20.000Z",
    "vmwareUnknown889": 0
  },
  "@timestamp": "2018-02-15T09:28:35.000Z"
}

Answer 3 · 2018-03-25T10:09:48.000Z

Oops, I have been able to reproduce this issue. To reproduce:

Configure 2 or more udp input workers
Logstash-Input-UDP >= 3.2.0
Run netflow_bench_cisco_asa.py against Logstash

Expected results:

all 210000 flows decoded (14 flows per packet x 15000 packets)

Actual results:

only some percentage of flows decoded
lots of "no template received" warnings.

Discussion: With Netflow-Input-UDP >= 3.2.0 Netflow data packets can only be decoded by the worker that has previously received a template to decode with. Netflow_bench_cisco_asa.py sends only 1 template before sending 15000 packets. Since the codec is now cloned for each worker with this commit in logstash-plugins/logstash-input-udp@ecf93e1, templates are no longer shared between workers. This means only a percentage of flows can be decoded, and others not.

Answer 4 · 2018-03-26T16:52:52.000Z

Closed with commit 3f054b4