IPFIX custom Cisco ASR1k: some not parsing

Building custom ASR1k IPFIX flows

I looked at some template data / pcaps and such and got these to work with Splunk Stream (but 12235/12236/12237 don't seem to parse right in it), so I'm trying to rule that out and look at a Logstash mapping via ipfix.yaml:

/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-codec-netflow-3.7.0/lib/logstash/codecs/netflow/ipfix.yaml

I have 11 custom ones decoding, but it seems it can't decode 12235/12236/12237.

I've tried uint32, string, ip4_addr, shortstring.

IP address I thought would be easy (12236/12237).

http is VAR on the router, so I'm not sure why it's not pulling it either.

cisco.app.category.name,12232,9,32,string
cisco.app.http.host,12235,9,var,string
cisco.client.bytes.network,8338,9,8,uint64
cisco.client.ipv4,12236,9,4,uint32
cisco.server.bytes.network,8337,9,8,uint64
cisco.server.ipv4,12237,9,4,uint32

Example:

 9:
   12232:
   - :string
   - :CiscoAppCategoryName
   12244:
   - :string
   - :CiscoAppBusiness
   12234:
   - :string
   - :CiscoAppGroupName
   12236:
   - :ip4_addr
   - :CiscoClientip
   8337:
   - :uint64
   - :CiscoServerBytesNetwork
   12237:
   - :ip4_addr
   - :CiscoServerip

Example: here are all the elements in the flow BUT the ones I was trying to get out.

{"@version":"1","host":"10.10.10.1","ipfix":{"observationPointId":4294967302,"ipDiffServCodePoint":0,"flowStartSysUpTime":76799460,"monitoringIntervalStartMilliSeconds":1510619940000,"flowEndSysUpTime":76800960,"version":10,"packetDeltaCount":3,"ipVersion":4,"connectionSumDurationSeconds":0,"protocolIdentifier":1,"flowDirection":1,"CiscoServicesWaasSegment":16,"newConnectionDeltaCount":0,"ingressVRFID":0,"octetDeltaCount":192,"applicationId":"\r\u0000\u0001ß"},"@timestamp":"2017-11-14T00:40:00.000Z"}

It should show more fields.

The .pcap with option template ID 259 shows 23, with the 12236 field as 22 2a 74 c2 in hex, and if I convert hex to IP it shows up.

Cisco NetFlow/IPFIX
    Version: 10
    Timestamp: Nov 13, 2017 17:35:19.000000000 MST
    FlowSequence: 70699
    Observation Domain Id: 512
    Set 1 [id=259] (2 flows)
        Flow 1
            Enterprise Private entry: (ciscoSystems) Type 12236: Value (hex bytes): 22 2a 74 c2
            Enterprise Private entry: (ciscoSystems) Type 12237: Value (hex bytes): bc ea c2 c6
            DSCP: 0
            Protocol: TCP (6)
            Enterprise Private entry: (ciscoSystems) Type 12241: Value (hex bytes): 01 bb
            Ingress VRFID: 0
            Biflow Direction: Initiator (1)

But I'm not sure where/how to convert it.

This is from the Cisco router with Size 4 (which I thought was uint32):

| Field | ID | Ent.ID | Offset | Size |
|---|---|---|---|---|
| connection client ipv4 address | 12236 | 9 | 0 | 4 |
| connection server ipv4 address | 12237 | 9 | 4 | 4 |

For the size-4 client/server IP I've tried uint32 / shortstring / string / ipv_addr,
but none of them show up in the log.

From your more detailed email, the issue seems to be caused by a duplicate field (ciscoAppHTTPHost, IE 12235 from Cisco's PEN 9).
This is something we can't handle, unfortunately. I suggest you open a case with Cisco to fix this.
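To make concrete what the codec has to do with this template (a 4-byte enterprise field becomes an address, a var-length field like 12235 carries its own length prefix, and a field listed twice in the template collides on its name), here is an added Python example. It is not the logstash-codec-netflow code and not from either poster: a minimal IPFIX template/data-set decoder (RFC 7011 framing) run over a constructed message whose template 259 is shaped like the capture above, with IE 12235 listed twice to reproduce the duplicate the maintainer mentions. The field map mirrors the ipfix.yaml entries from the post; the two address values are the hex bytes shown in the capture; the hostnames, timestamps and everything else in the sample are constructed. Unlike the codec described in the reply, this decoder keeps both values of a duplicated IE as a list rather than failing.

```python
import ipaddress
import struct

# (PEN, IE id) -> (name, type), mirroring the ipfix.yaml entries in the post.
# PEN 0 = IANA, PEN 9 = ciscoSystems; protocolIdentifier is the standard IANA IE 4.
CISCO_PEN = 9
FIELDS = {
    (0, 4): ("protocolIdentifier", "uint"),
    (CISCO_PEN, 12232): ("CiscoAppCategoryName", "string"),
    (CISCO_PEN, 12235): ("CiscoAppHttpHost", "string"),
    (CISCO_PEN, 12236): ("CiscoClientIp", "ip4_addr"),
    (CISCO_PEN, 12237): ("CiscoServerIp", "ip4_addr"),
    (CISCO_PEN, 8337): ("CiscoServerBytesNetwork", "uint"),
    (CISCO_PEN, 8338): ("CiscoClientBytesNetwork", "uint"),
}
VARLEN = 0xFFFF  # RFC 7011: template length 65535 means "variable length"

def decode_value(kind, raw):
    """Convert raw field bytes according to the ipfix.yaml-style type."""
    if kind == "ip4_addr":
        return str(ipaddress.IPv4Address(raw))  # 22 2a 74 c2 -> "34.42.116.194"
    if kind == "uint":
        return int.from_bytes(raw, "big")
    if kind == "string":
        return raw.rstrip(b"\x00").decode("utf-8", "replace")
    return raw.hex()  # unknown IE: keep the bytes as hex

def parse_template_set(payload):
    """Body of set id 2 -> {template_id: [(pen, ie_id, length), ...]}."""
    templates, off = {}, 0
    while off + 4 <= len(payload):
        tid, count = struct.unpack_from("!HH", payload, off)
        off, specs = off + 4, []
        for _ in range(count):
            ie, length = struct.unpack_from("!HH", payload, off)
            off, pen = off + 4, 0
            if ie & 0x8000:  # enterprise bit set: a 4-byte PEN follows the length
                ie &= 0x7FFF
                (pen,) = struct.unpack_from("!I", payload, off)
                off += 4
            specs.append((pen, ie, length))
        templates[tid] = specs
    return templates

def parse_data_set(payload, specs):
    """Decode every record in a data set body using the template's field specs."""
    min_len = sum(1 if l == VARLEN else l for _, _, l in specs)  # shortest possible record
    records, off = [], 0
    while len(payload) - off >= min_len:
        rec = {}
        for pen, ie, length in specs:
            if length == VARLEN:  # 1-byte length, or 0xFF followed by a 2-byte length
                length, off = payload[off], off + 1
                if length == 255:
                    (length,) = struct.unpack_from("!H", payload, off)
                    off += 2
            raw, off = payload[off:off + length], off + length
            name, kind = FIELDS.get((pen, ie), ("pen%d_ie%d" % (pen, ie), "hex"))
            value = decode_value(kind, raw)
            if name in rec:  # IE listed twice in the template: keep both values
                prev = rec[name]
                rec[name] = (prev if isinstance(prev, list) else [prev]) + [value]
            else:
                rec[name] = value
        records.append(rec)
    return records

def parse_message(msg):
    """Walk one IPFIX message: learn templates from set 2, decode data sets that use them."""
    version, length = struct.unpack_from("!HH", msg, 0)
    if version != 10:
        raise ValueError("not an IPFIX message")
    templates, records, off = {}, [], 16  # 16-byte message header
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        body = msg[off + 4:off + set_len]
        if set_id == 2:
            templates.update(parse_template_set(body))
        elif set_id in templates:  # set ids >= 256 name the template to use
            records.extend(parse_data_set(body, templates[set_id]))
        off += set_len
    return records

def build_sample():
    """Constructed message: template 259 shaped like the capture, with IE 12235 listed twice."""
    def spec(ie, length, pen=None):
        return (struct.pack("!HH", ie, length) if pen is None
                else struct.pack("!HHI", ie | 0x8000, length, pen))
    tmpl = (struct.pack("!HH", 259, 5)
            + spec(12236, 4, CISCO_PEN) + spec(12237, 4, CISCO_PEN) + spec(4, 1)
            + spec(12235, VARLEN, CISCO_PEN) + spec(12235, VARLEN, CISCO_PEN))
    rec = (bytes.fromhex("222a74c2") + bytes.fromhex("bceac2c6")  # the two IPs from the capture
           + b"\x06"                                              # protocol TCP
           + bytes([15]) + b"www.example.com"                     # short var-length form
           + b"\xff" + struct.pack("!H", 15) + b"api.example.com")  # long var-length form
    sets = (struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl
            + struct.pack("!HH", 259, 4 + len(rec)) + rec)
    return struct.pack("!HHIII", 10, 16 + len(sets), 1510619940, 70699, 512) + sets

if __name__ == "__main__":
    print(parse_message(build_sample()))
```

The point of the two var-length forms in the sample is that the length of 12235 is not in the template at all; it is read from the record itself, which is why a fixed-size type in ipfix.yaml can never describe it. Running the script prints one record with the two addresses decoded and the host field as a two-element list.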
