Can't (yet) decode flowset id 256,260,261,263 from source id 0 (Cisco ASA5516 9.8(4)20)
marvinwankersteen opened this issue · 1 comments
marvinwankersteen commented
Hey,
I already opened an issue at elastiflow, but I think it's a problem with the codec itself.
We recently changed our Cisco ASA from a 5510 to a 5516 with version 9.8(4)20 and have had problems decoding the NetFlow since then.
Logstash displays the following messages:
Can't (yet) decode flowset id 256 from source id 0
Can't (yet) decode flowset id 260 from source id 0
Can't (yet) decode flowset id 261 from source id 0
Can't (yet) decode flowset id 263 from source id 0
The ASA sends the template every minute:
flow-export template timeout-rate 1
We are running the following versions of ELK:
docker.elastic.co/elasticsearch/elasticsearch:7.8.0-amd64
robcowart/elastiflow-logstash-oss:3.5.3 #logstash-codec-netflow 4.2.1
docker.elastic.co/kibana/kibana:7.8.0
Environment for elastiflow:
LS_JAVA_OPTS: -Xms4g -Xmx4g
ELASTIFLOW_RESOLVE_IP2HOST: 'false'
ELASTIFLOW_NAMESERVER: 127.0.0.1
ELASTIFLOW_NETFLOW_IPV4_PORT: '2055'
ELASTIFLOW_ES_HOST: loadbalancer:9200
I have checked with tcpdump that the templates are really sent and they are coming every minute.
What information exactly is required from the PCAP? I cannot publish any information here because of data protection.
Maybe you can already do something with the following?
Cisco NetFlow/IPFIX
Version: 9
Count: 16
SysUptime: 3346714.954000000 seconds
Timestamp: Jul 7, 2020 14:45:41.000000000 CEST
CurrentSecs: 1594125941
FlowSequence: 503134
SourceId: 0
FlowSet 1 [id=0] (Data Template): 256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271
FlowSet Id: Data Template (V9) (0)
FlowSet Length: 1416
Template (Id = 256, Count = 21)
Template Id: 256
Field Count: 21
Field (1/21): flowId
Type: flowId (148)
Length: 4
Field (2/21): IP_SRC_ADDR
Type: IP_SRC_ADDR (8)
Length: 4
Field (3/21): L4_SRC_PORT
Type: L4_SRC_PORT (7)
Length: 2
Field (4/21): INPUT_SNMP
Type: INPUT_SNMP (10)
Length: 2
Field (5/21): IP_DST_ADDR
Type: IP_DST_ADDR (12)
Length: 4
Field (6/21): L4_DST_PORT
Type: L4_DST_PORT (11)
Length: 2
Field (7/21): OUTPUT_SNMP
Type: OUTPUT_SNMP (14)
Length: 2
Field (8/21): PROTOCOL
Type: PROTOCOL (4)
Length: 1
Field (9/21): ICMP_IPv4_TYPE
Type: ICMP_IPv4_TYPE (176)
Length: 1
Field (10/21): ICMP_IPv4_CODE
Type: ICMP_IPv4_CODE (177)
Length: 1
Field (11/21): postNATSourceIPv4Address
Type: postNATSourceIPv4Address (225)
Length: 4
Field (12/21): postNATDestinationIPv4Address
Type: postNATDestinationIPv4Address (226)
Length: 4
Field (13/21): postNAPTSourceTransportPort
Type: postNAPTSourceTransportPort (227)
Length: 2
Field (14/21): postNAPTDestinationTransportPort
Type: postNAPTDestinationTransportPort (228)
Length: 2
Field (15/21): firewallEvent
Type: firewallEvent (233)
Length: 1
Field (16/21): FW_EXT_EVENT
Type: FW_EXT_EVENT (33002)
Length: 2
Field (17/21): observationTimeMilliseconds
Type: observationTimeMilliseconds (323)
Length: 8
Field (18/21): flowStartMilliseconds
Type: flowStartMilliseconds (152)
Length: 8
Field (19/21): INGRESS_ACL_ID
Type: INGRESS_ACL_ID (33000)
Length: 12
Field (20/21): EGRESS_ACL_ID
Type: EGRESS_ACL_ID (33001)
Length: 12
Field (21/21): AAA_USERNAME
Type: AAA_USERNAME (40000)
Length: 20
Template (Id = 260, Count = 18)
Template Id: 260
Field Count: 18
Field (1/18): IP_SRC_ADDR
Type: IP_SRC_ADDR (8)
Length: 4
Field (2/18): L4_SRC_PORT
Type: L4_SRC_PORT (7)
Length: 2
Field (3/18): INPUT_SNMP
Type: INPUT_SNMP (10)
Length: 2
Field (4/18): IP_DST_ADDR
Type: IP_DST_ADDR (12)
Length: 4
Field (5/18): L4_DST_PORT
Type: L4_DST_PORT (11)
Length: 2
Field (6/18): OUTPUT_SNMP
Type: OUTPUT_SNMP (14)
Length: 2
Field (7/18): PROTOCOL
Type: PROTOCOL (4)
Length: 1
Field (8/18): ICMP_IPv4_TYPE
Type: ICMP_IPv4_TYPE (176)
Length: 1
Field (9/18): ICMP_IPv4_CODE
Type: ICMP_IPv4_CODE (177)
Length: 1
Field (10/18): postNATSourceIPv4Address
Type: postNATSourceIPv4Address (225)
Length: 4
Field (11/18): postNATDestinationIPv4Address
Type: postNATDestinationIPv4Address (226)
Length: 4
Field (12/18): postNAPTSourceTransportPort
Type: postNAPTSourceTransportPort (227)
Length: 2
Field (13/18): postNAPTDestinationTransportPort
Type: postNAPTDestinationTransportPort (228)
Length: 2
Field (14/18): firewallEvent
Type: firewallEvent (233)
Length: 1
Field (15/18): FW_EXT_EVENT
Type: FW_EXT_EVENT (33002)
Length: 2
Field (16/18): observationTimeMilliseconds
Type: observationTimeMilliseconds (323)
Length: 8
Field (17/18): INGRESS_ACL_ID
Type: INGRESS_ACL_ID (33000)
Length: 12
Field (18/18): EGRESS_ACL_ID
Type: EGRESS_ACL_ID (33001)
Length: 12
Template (Id = 261, Count = 14)
Template Id: 261
Field Count: 14
Field (1/14): IP_SRC_ADDR
Type: IP_SRC_ADDR (8)
Length: 4
Field (2/14): L4_SRC_PORT
Type: L4_SRC_PORT (7)
Length: 2
Field (3/14): INPUT_SNMP
Type: INPUT_SNMP (10)
Length: 2
Field (4/14): IP_DST_ADDR
Type: IP_DST_ADDR (12)
Length: 4
Field (5/14): L4_DST_PORT
Type: L4_DST_PORT (11)
Length: 2
Field (6/14): OUTPUT_SNMP
Type: OUTPUT_SNMP (14)
Length: 2
Field (7/14): PROTOCOL
Type: PROTOCOL (4)
Length: 1
Field (8/14): ICMP_IPv4_TYPE
Type: ICMP_IPv4_TYPE (176)
Length: 1
Field (9/14): ICMP_IPv4_CODE
Type: ICMP_IPv4_CODE (177)
Length: 1
Field (10/14): firewallEvent
Type: firewallEvent (233)
Length: 1
Field (11/14): FW_EXT_EVENT
Type: FW_EXT_EVENT (33002)
Length: 2
Field (12/14): observationTimeMilliseconds
Type: observationTimeMilliseconds (323)
Length: 8
Field (13/14): INGRESS_ACL_ID
Type: INGRESS_ACL_ID (33000)
Length: 12
Field (14/14): EGRESS_ACL_ID
Type: EGRESS_ACL_ID (33001)
Length: 12
Template (Id = 263, Count = 22)
Template Id: 263
Field Count: 22
Field (1/22): flowId
Type: flowId (148)
Length: 4
Field (2/22): IP_SRC_ADDR
Type: IP_SRC_ADDR (8)
Length: 4
Field (3/22): L4_SRC_PORT
Type: L4_SRC_PORT (7)
Length: 2
Field (4/22): INPUT_SNMP
Type: INPUT_SNMP (10)
Length: 2
Field (5/22): IP_DST_ADDR
Type: IP_DST_ADDR (12)
Length: 4
Field (6/22): L4_DST_PORT
Type: L4_DST_PORT (11)
Length: 2
Field (7/22): OUTPUT_SNMP
Type: OUTPUT_SNMP (14)
Length: 2
Field (8/22): PROTOCOL
Type: PROTOCOL (4)
Length: 1
Field (9/22): ICMP_IPv4_TYPE
Type: ICMP_IPv4_TYPE (176)
Length: 1
Field (10/22): ICMP_IPv4_CODE
Type: ICMP_IPv4_CODE (177)
Length: 1
Field (11/22): postNATSourceIPv4Address
Type: postNATSourceIPv4Address (225)
Length: 4
Field (12/22): postNATDestinationIPv4Address
Type: postNATDestinationIPv4Address (226)
Length: 4
Field (13/22): postNAPTSourceTransportPort
Type: postNAPTSourceTransportPort (227)
Length: 2
Field (14/22): postNAPTDestinationTransportPort
Type: postNAPTDestinationTransportPort (228)
Length: 2
Field (15/22): firewallEvent
Type: firewallEvent (233)
Length: 1
Field (16/22): FW_EXT_EVENT
Type: FW_EXT_EVENT (33002)
Length: 2
Field (17/22): observationTimeMilliseconds
Type: observationTimeMilliseconds (323)
Length: 8
Field (18/22): initiatorOctets
Type: initiatorOctets (231)
Length: 8
Field (19/22): responderOctets
Type: responderOctets (232)
Length: 8
Field (20/22): initiatorPackets
Type: initiatorPackets (298)
Length: 8
Field (21/22): responderPackets
Type: responderPackets (299)
Length: 8
Field (22/22): flowStartMilliseconds
Type: flowStartMilliseconds (152)
Length: 8
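An added example for readers of this thread (it is not logstash-codec-netflow code and not from the issue author): a minimal NetFlow v9 decoder that reproduces the "Can't (yet) decode flowset id N from source id S" situation from constructed packets. In v9 a data flowset is only decodable after a template with the same (source id, template id) pair has been received, so a collector that starts (or loses its template cache) between two template exports cannot decode records until the next template arrives, which with `timeout-rate 1` is at most a minute. The template used is 261 exactly as listed in the dump above; the Cisco private field types 33000, 33001, 33002 and 40000 are decoded as plain integers, hex or text rather than rejected. The field names, the packet contents and the `V9Decoder` class are assumptions for illustration; nothing here is captured from a real ASA.

```python
"""Minimal NetFlow v9 template/data decoder (example code added to this thread,
not the codec's own). All packets are constructed inline; the Cisco private
field types 33000-33002 and 40000 come from the template dump above."""
import socket
import struct
from typing import Dict, List, Tuple

# NetFlow v9 header: version, count, sysUptime(ms), unixSecs, sequence, sourceId
V9_HEADER = struct.Struct("!HHIIII")

# Descriptive labels for this example only (not the codec's YAML field names).
FIELD_NAMES = {
    4: "protocol", 7: "l4_src_port", 8: "ipv4_src_addr", 10: "input_snmp", 11: "l4_dst_port",
    12: "ipv4_dst_addr", 14: "output_snmp", 148: "flow_id", 152: "flow_start_ms",
    176: "icmp_type", 177: "icmp_code", 225: "post_nat_src_ipv4", 226: "post_nat_dst_ipv4",
    227: "post_napt_src_port", 228: "post_napt_dst_port", 231: "initiator_octets",
    232: "responder_octets", 233: "firewall_event", 298: "initiator_packets",
    299: "responder_packets", 323: "observation_time_ms",
    33000: "ingress_acl_id", 33001: "egress_acl_id", 33002: "fw_ext_event",  # Cisco private
    40000: "aaa_username",                                                   # Cisco private
}
IPV4_FIELDS = {8, 12, 225, 226}
TEXT_FIELDS = {40000}
Template = List[Tuple[int, int]]  # (field type, length in bytes)

# Template 261 as listed in the Wireshark dump above: 14 fields, 54-byte records.
ASA_TEMPLATE_261: Template = [(8, 4), (7, 2), (10, 2), (12, 4), (11, 2), (14, 2), (4, 1),
                              (176, 1), (177, 1), (233, 1), (33002, 2), (323, 8), (33000, 12), (33001, 12)]


class V9Decoder:
    def __init__(self) -> None:
        self.templates: Dict[Tuple[int, int], Template] = {}  # keyed by (source id, template id)
        self.undecodable: List[str] = []

    @staticmethod
    def _decode_field(ftype: int, raw: bytes):
        if ftype in IPV4_FIELDS and len(raw) == 4:
            return socket.inet_ntoa(raw)
        if ftype in TEXT_FIELDS:
            return raw.rstrip(b"\x00").decode("ascii", "replace")
        if len(raw) in (1, 2, 4, 8):
            return int.from_bytes(raw, "big")
        return raw.hex()  # odd widths such as the 12-byte ACL ids stay opaque instead of failing

    def feed(self, packet: bytes) -> List[dict]:
        version, _count, _uptime, _secs, _seq, source_id = V9_HEADER.unpack_from(packet, 0)
        if version != 9:
            raise ValueError(f"not NetFlow v9 (version {version})")
        records: List[dict] = []
        off = V9_HEADER.size
        while off + 4 <= len(packet):
            fs_id, fs_len = struct.unpack_from("!HH", packet, off)
            if fs_len < 4 or off + fs_len > len(packet):
                raise ValueError("malformed flowset length")
            body = packet[off + 4:off + fs_len]
            if fs_id == 0:
                self._learn_templates(source_id, body)
            elif fs_id != 1:  # id 1 is the options template; ids >= 256 carry data
                records.extend(self._decode_data(source_id, fs_id, body))
            off += fs_len
        return records

    def _learn_templates(self, source_id: int, body: bytes) -> None:
        pos = 0
        while pos + 4 <= len(body):
            tid, nfields = struct.unpack_from("!HH", body, pos)
            if nfields == 0:
                break  # trailing padding
            pos += 4
            fields = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(nfields)]
            pos += 4 * nfields
            self.templates[(source_id, tid)] = fields

    def _decode_data(self, source_id: int, tid: int, body: bytes) -> List[dict]:
        fields = self.templates.get((source_id, tid))
        if fields is None:  # template not seen yet for this exporter: same situation as the log line
            self.undecodable.append(f"Can't (yet) decode flowset id {tid} from source id {source_id}")
            return []
        rec_len = sum(length for _, length in fields)
        out: List[dict] = []
        pos = 0
        while pos + rec_len <= len(body):  # anything shorter than one record is padding
            rec = {}
            for ftype, length in fields:
                rec[FIELD_NAMES.get(ftype, f"type_{ftype}")] = self._decode_field(ftype, body[pos:pos + length])
                pos += length
            out.append(rec)
        return out


def build_v9(source_id: int, seq: int, flowsets: List[Tuple[int, bytes]]) -> bytes:
    header = V9_HEADER.pack(9, len(flowsets), 3346714954, 1594125941, seq, source_id)
    return header + b"".join(struct.pack("!HH", fs_id, 4 + len(b)) + b for fs_id, b in flowsets)


def build_template_flowset(tid: int, fields: Template) -> bytes:
    return struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", t, n) for t, n in fields)


def build_record_261() -> bytes:
    """One constructed template-261 record using RFC 5737 documentation addresses."""
    return (socket.inet_aton("192.0.2.10") + struct.pack("!HH", 51234, 2)
            + socket.inet_aton("198.51.100.20") + struct.pack("!HH", 443, 3)
            + bytes([6, 0, 0, 1])                    # TCP, ICMP type/code 0, firewallEvent 1 (flow created)
            + struct.pack("!HQ", 0, 1594125941000)   # FW_EXT_EVENT, observationTimeMilliseconds
            + bytes(12) + bytes(12))                 # ingress/egress ACL ids (opaque)


def demo():
    """Data before template is undecodable; the same bytes decode once the template is known."""
    dec = V9Decoder()
    data_pkt = build_v9(0, 503133, [(261, build_record_261())])
    tmpl_pkt = build_v9(0, 503134, [(0, build_template_flowset(261, ASA_TEMPLATE_261))])
    before = dec.feed(data_pkt)
    dec.feed(tmpl_pkt)
    after = dec.feed(data_pkt)
    return before, after, dec.undecodable
```

Running `demo()` yields no records for the first data packet plus one "Can't (yet) decode flowset id 261 from source id 0" entry, and a fully decoded record for the identical packet after the template has been learned. When diagnosing a real capture, check that the template FlowSet (id 0) for the reported template ids actually reaches the collector from the same source id, and that it is parsed rather than discarded, before looking for a bug in the data records themselves.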
marvinwankersteen commented
It's solved. Look at robcowart/elastiflow#566 for the solution.