Logstash.codec.sflow doesn't understand some record formats (1003, 1008, 1009, etc.)

I'm using ElastiFlow but seeing hundreds of warnings every minute for sFlow records saying logstash.codec.sflow does not understand records with certain formats. The logstash.codecs.sflow GitHub repo hasn't had any activity on it for a few years. I've updated a GitHub issue on that repo and provided a PCAP, but there's no response there.

The hundreds of warning messages I see are as follows (this repeats at random forever):

[2018-08-20T18:18:13,759][WARN ][logstash.codecs.sflow    ] Unknown record entreprise 0, format 1003
[2018-08-20T18:18:13,759][WARN ][logstash.codecs.sflow    ] Unknown record entreprise 0, format 1009
[2018-08-20T18:18:13,759][WARN ][logstash.codecs.sflow    ] Unknown record entreprise 0, format 1008
[2018-08-20T18:18:13,763][WARN ][logstash.codecs.sflow    ] Unknown record entreprise 0, format 1003
[2018-08-20T18:18:13,767][WARN ][logstash.codecs.sflow    ] Unknown record entreprise 0, format 1003

The PCAP is available here. I am seeing data in Kibana from ElastiFlow (sFlow data), but it's all ingress (no egress), and besides that I'm also certain we are missing data from the sFlow records that cannot be parsed due to the unknown format issue.

The formats are defined in sFlowV5FlowData.pdf. With that information I tried to clone the logstash.codecs.sflow repo and figure out the additional record types myself, but the format is more complicated than I can handle. I'm not a Ruby programmer. I thought I could, perhaps, just take another record type and expand on it, but I don't know how to deal with the field types beyond the uint32 ones.
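Added example, not code from the post above or from the logstash-codec-sflow project: a small Python decoder for the sFlow v5 flow-record envelope and for the record behind the first warning, extended_gateway (enterprise 0, format 1003). It shows how the non-uint32 XDR field types are laid out (the address union, count-prefixed arrays, AS-path segments, 4-byte padding); the field order follows the sFlow v5 spec, and the sample bytes are constructed here, not taken from the PCAP.

```python
import struct
from ipaddress import IPv4Address, IPv6Address

class XdrReader:
    """sFlow v5 is XDR: big-endian 32-bit words, opaque data padded to 4 bytes."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0
    def u32(self) -> int:
        self.pos += 4
        return struct.unpack_from(">I", self.data, self.pos - 4)[0]
    def opaque(self, n: int) -> bytes:
        b = self.data[self.pos:self.pos + n]
        self.pos += n + (-n % 4)             # skip XDR padding to a 4-byte boundary
        return b
    def u32_array(self) -> list:             # element count, then that many words
        return [self.u32() for _ in range(self.u32())]
    def address(self):                       # address_type: 0 unknown, 1 IPv4, 2 IPv6
        kind = self.u32()
        if kind == 1:
            return str(IPv4Address(self.opaque(4)))
        return str(IPv6Address(self.opaque(16))) if kind == 2 else None

def parse_extended_gateway(payload: bytes) -> dict:
    """Decode struct extended_gateway (enterprise 0, format 1003)."""
    r = XdrReader(payload)
    rec = {"nexthop": r.address(), "as": r.u32(), "src_as": r.u32(),
           "src_peer_as": r.u32(), "dst_as_path": []}
    for _ in range(r.u32()):                 # as_path_type dst_as_path<>
        seg = {1: "AS_SET", 2: "AS_SEQUENCE"}.get(r.u32(), "UNKNOWN")
        rec["dst_as_path"].append({"type": seg, "as_numbers": r.u32_array()})
    rec["communities"], rec["localpref"] = r.u32_array(), r.u32()
    if r.pos != len(payload):
        raise ValueError("trailing bytes in extended_gateway record")
    return rec

def parse_flow_record(data: bytes) -> tuple:
    """One flow_record: data_format = enterprise<<12 | format, then length, then opaque."""
    r = XdrReader(data)
    data_format, length = r.u32(), r.u32()
    enterprise, fmt = data_format >> 12, data_format & 0xFFF
    payload = r.opaque(length)
    if (enterprise, fmt) == (0, 1003):
        return "extended_gateway", parse_extended_gateway(payload)
    # the same situation in which the codec logs "Unknown record entreprise 0, format N"
    return "unknown", {"enterprise": enterprise, "format": fmt, "length": length}

WORDS = [1, 0xC0000201, 64496, 64497, 64498,    # constructed sample: IPv4 192.0.2.1, as, src_as, src_peer_as
         1, 2, 2, 64499, 64500,                  # one AS_SEQUENCE segment: 64499 64500
         1, 0xFBF00001, 100]                     # one community, localpref 100
SAMPLE_RECORD = struct.pack(">II", 1003, 4 * len(WORDS)) + struct.pack(">%dI" % len(WORDS), *WORDS)
```

Adding 1008 (extended_mpls_tunnel) or 1009 (extended_mpls_vc) is the same exercise with their own field lists from the spec; anything not matched still falls through to the "unknown" branch rather than being dropped silently.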
