Netflow: Unsupported field in template

I am using Elastiflow to template my Netflow data... Well, trying!
I keep getting the following in my Logstash logs:

[2018-02-14T11:23:26,907][WARN ][logstash.codecs.netflow  ] Unsupported field in template 261 {:type=>192, :length=>1}
[2018-02-14T11:23:26,907][WARN ][logstash.codecs.netflow  ] Can't (yet) decode flowset id 261 from source id 0, because no template to decode it with has been received. This message will usually go away after 1 minute.

I can see the packets coming through and the template:

Frame 52: 1412 bytes on wire (11296 bits), 1412 bytes captured (11296 bits) on interface 0
    Interface id: 0 (any)
    Encapsulation type: Linux cooked-mode capture (25)
    Arrival Time: Feb 14, 2018 11:22:49.905397429 GMT
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1518607369.905397429 seconds
    [Time delta from previous captured frame: 1.999773942 seconds]
    [Time delta from previous displayed frame: 1.999773942 seconds]
    [Time since reference or first frame: 116.895690679 seconds]
    Frame Number: 52
    Frame Length: 1412 bytes (11296 bits)
    Capture Length: 1412 bytes (11296 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: sll:ethertype:ip:udp:cflow]
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 1
    Link-layer address length: 6
    Source: Cisco_3d:9f:46 (18:33:9d:3d:9f:46)
    Protocol: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.62.1.246, Dst: 10.65.13.10
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 1396
    Identification: 0xe080 (57472)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 253
    Protocol: UDP (17)
    Header checksum: 0x001c [validation disabled]
    [Header checksum status: Unverified]
    Source: 10.62.6.204
    Destination: 10.65.13.10
    [Source GeoIP: AS11111 The Corporation]
        [Source GeoIP AS Number: AS11111 The Corporation]
    [Destination GeoIP: AS111111 The Corporation]
        [Destination GeoIP AS Number: AS11111 The Corporation]
User Datagram Protocol, Src Port: 52248, Dst Port: 9995
    Source Port: 52248
    Destination Port: 9995
    Length: 1376
    Checksum: 0x9b9d [unverified]
    [Checksum Status: Unverified]
    [Stream index: 0]
Cisco NetFlow/IPFIX
    Version: 9
    Count: 29
    SysUptime: 1165208.164000000 seconds
    Timestamp: Feb 14, 2018 10:23:09.000000000 GMT
        CurrentSecs: 1518603789
    FlowSequence: 1571910
    SourceId: 0
    FlowSet 1 [id=0] (Data Template): 261
        FlowSet Id: Data Template (V9) (0)
        FlowSet Length: 56
        Template (Id = 261, Count = 12)
            Template Id: 261
            Field Count: 12
            Field (1/12): IP_SRC_ADDR
                Type: IP_SRC_ADDR (8)
                Length: 4
            Field (2/12): IP_DST_ADDR
                Type: IP_DST_ADDR (12)
                Length: 4
            Field (3/12): INPUT_SNMP
                Type: INPUT_SNMP (10)
                Length: 4
            Field (4/12): OUTPUT_SNMP
                Type: OUTPUT_SNMP (14)
                Length: 4
            Field (5/12): L4_SRC_PORT
                Type: L4_SRC_PORT (7)
                Length: 2
            Field (6/12): L4_DST_PORT
                Type: L4_DST_PORT (11)
                Length: 2
            Field (7/12): IP_TOS
                Type: IP_TOS (5)
                Length: 1
            Field (8/12): IP_TTL
                Type: IP_TTL (192)
                Length: 1
            Field (9/12): FIRST_SWITCHED
                Type: FIRST_SWITCHED (22)
                Length: 4
            Field (10/12): LAST_SWITCHED
                Type: LAST_SWITCHED (21)
                Length: 4
            Field (11/12): BYTES
                Type: BYTES (1)
                Length: 8
            Field (12/12): PKTS
                Type: PKTS (2)
                Length: 8
    FlowSet 2 [id=261] (28 flows)
        FlowSet Id: (Data) (261)
        FlowSet Length: 1292
        [Template Frame: 20]
        Flow 1
            SrcAddr: 10.62.6.204
            DstAddr: 10.61.4.93
            InputInt: 27
            OutputInt: 26
            SrcPort: 0
            DstPort: 2048
            IP ToS: 0x00
            IP TTL: 63
            [Duration: 4.012000000 seconds (switched)]
                StartTime: 1165187.576000000 seconds
                EndTime: 1165191.588000000 seconds
            Octets: 420
            Packets: 5
        Flow 2
            SrcAddr: 10.62.6.203
            DstAddr: 10.61.6.13
            InputInt: 27
            OutputInt: 26
            SrcPort: 38796
            DstPort: 514
            IP ToS: 0x00
            IP TTL: 63
            [Duration: 0.028000000 seconds (switched)]
                StartTime: 1165191.172000000 seconds
                EndTime: 1165191.200000000 seconds
            Octets: 216
            Packets: 4

What field is the Logstash error referring to and how do I fix this please?

Thanks

Working with sarlacpit on this issue, I've found the 'unsupported field in template' warning appears in the log when passing the following field from a Cisco flow record to Logstash:

collect ipv4 ttl

After removing the field from the Cisco flow record template, we've seen the error no longer appears in the Logstash logs, and flows are received.
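
Added example (not part of the original posts, and not the Logstash codec's own code): a small NetFlow v9 template check that rebuilds template 261 from the dissection above, flags field types missing from a collector's definition table, and models the second warning by refusing to decode data FlowSets for a rejected template. `KNOWN_FIELDS` and all function names are assumptions made for illustration.

```python
import struct

# Template 261 as shown in the Wireshark dissection above: (field type, length).
TEMPLATE_261 = [(8, 4), (12, 4), (10, 4), (14, 4), (7, 2), (11, 2),
                (5, 1), (192, 1), (22, 4), (21, 4), (1, 8), (2, 8)]

# Assumption: stand-in for a collector's field-definition table. It holds the
# eleven types the log did not complain about; type 192 is deliberately absent.
KNOWN_FIELDS = {8: "IP_SRC_ADDR", 12: "IP_DST_ADDR", 10: "INPUT_SNMP",
                14: "OUTPUT_SNMP", 7: "L4_SRC_PORT", 11: "L4_DST_PORT",
                5: "IP_TOS", 22: "FIRST_SWITCHED", 21: "LAST_SWITCHED",
                1: "BYTES", 2: "PKTS"}


def build_template_flowset(template_id, fields):
    """Encode a NetFlow v9 template FlowSet (FlowSet id 0), big-endian."""
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", t, n) for t, n in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body


def parse_template_flowset(data, known=KNOWN_FIELDS):
    """Return {template_id: {"record_len": int, "unsupported": [(type, len)]}}."""
    flowset_id, length = struct.unpack_from("!HH", data, 0)
    if flowset_id != 0 or length > len(data):
        raise ValueError("not a complete v9 template FlowSet")
    templates, off = {}, 4
    while off + 4 <= length:
        template_id, count = struct.unpack_from("!HH", data, off)
        off += 4
        if off + 4 * count > length:
            raise ValueError("field list runs past the FlowSet length")
        fields = [struct.unpack_from("!HH", data, off + 4 * i) for i in range(count)]
        off += 4 * count
        templates[template_id] = {
            "record_len": sum(n for _, n in fields),
            "unsupported": [(t, n) for t, n in fields if t not in known],
        }
    return templates


def flows_in_data_flowset(flowset_length, template):
    """Record count of a data FlowSet, or None when the template was rejected."""
    if template is None or template["unsupported"]:
        return None  # modelled on the "no template to decode it with" warning
    return (flowset_length - 4) // template["record_len"]
```

With the page's values the encoded template is 56 bytes and each record is 46 bytes, so the 1292-byte data FlowSet holds the 28 flows Wireshark reports; only the collector's missing definition for type 192 stops them being decoded.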
