Does codec netflow support L7 protocol name?

f26227279 · March 23, 2018, 5:04am

Hi everyone, I export netflow to logstash and use the netflow codec plugin to analyze the flows, but I found that the flow data doesn't include L7 protocol name field.
this is the json doc:

{
  "_index": "netflow-%{year}-%{month}-%{day}",
  "_type": "doc",
  "_id": "jF_yUGEBwY8ORgd4bUeK",
  "_version": 1,
  "_score": null,
  "_source": {
    "netflow": {
      "first_switched": "2018-02-01T10:24:40.341Z",
      "dst_mask": 0,
      "input_snmp": 144,
      "l4_dst_port": 4324,
      "sampling_algorithm": 0,
      "version": 5,
      "ipv4_next_hop": "120.127.163.1",
      "protocol": 17,
      "src_mask": 0,
      "dst_as": 0,
      "in_pkts": 1,
      "engine_type": 1,
      "output_snmp": 0,
      "last_switched": "2018-02-01T10:24:40.341Z",
      "tcp_flags": 0,
      "l4_src_port": 53,
      "ipv4_dst_addr": "168.95.43.41",
      "in_bytes": 126,
      "flow_seq_num": 1275194905,
      "sampling_interval": 0,
      "flow_records": 28,
      "src_as": 0,
      "engine_id": 2,
      "src_tos": 0,
      "ipv4_src_addr": "120.127.160.98"
    },
    "@timestamp": "2018-02-01T10:29:40.342Z",
    "@version": "1",
    "host": "120.127.163.4"
  },
  "fields": {
    "netflow.first_switched": [
      "2018-02-01T10:24:40.341Z"
    ],
    "@timestamp": [
      "2018-02-01T10:29:40.342Z"
    ],
    "netflow.last_switched": [
      "2018-02-01T10:24:40.341Z"
    ]
  },
  "sort": [
    1517480980342
  ]
}

I wonder whether it is due to the v5 netflow doesn't has the L7 protocol name field?
If I change to v9 netflow would the doc has the field?

thank you in advance!

rcowart · March 23, 2018, 7:22am

Netflow v5 definitely does not have that field.

When you say "L7 protocol name" I assume you mean something like "application ID", as layer 7 doesn't really have protocols in the traditional sense. Netflow v9 definitely can transport this information and the codec has support for many related fields. For example, my Fortinet gear sends a field netflow.application_id.

The first question will be: Does your device support sending this information via Netflow. You may have to specifically configure it do so.

Rob

Robert Cowart (rob@koiossian.com)
www.koiossian.com
True Turnkey SOLUTIONS for the Elastic Stack

system · April 20, 2018, 7:22am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.