Very huge amount of traffic by src IP. How to handle it?

I've started NetFlow using this command: /usr/share/logstash/bin/logstash --modules netflow -M netflow.var.input.udp.port=9966 and it works.
But when I look at the overview traffic dashboard I see that some host sends a huge amount of traffic.

[image: overview traffic dashboard]

And it's only one packet! We have tons of gigabytes per day for this host.

But in fact this host doesn't send this amount of traffic. Maybe the field "netflow.bytes" for this host contains a strange invalid value.
Can I configure some filters to discard packets with this strange value?

Check if you have log entries like shown in https://github.com/logstash-plugins/logstash-codec-netflow/issues/123.

If yes, try updating to the latest version of the logstash-codec-netflow plugin to see if it resolves the issue.

bin/logstash-plugin update logstash-codec-netflow

I have seen incorrect field values (including netflow.bytes) if the data was interpreted incorrectly due to a misinterpreted netflow template.
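The sanity check the question asks for (discarding records whose byte count cannot be real) and the answer's point that such values come from a misinterpreted template both boil down to one test: a flow record cannot carry more bytes per packet than one IP datagram can hold. The following is an added Python example, not code from the thread or from the logstash-codec-netflow project. It assumes the events are newline-delimited JSON as the netflow module would emit them, with the fields netflow.bytes, netflow.packets and netflow.ipv4_src_addr (the packet and address field names are assumptions), and it uses the IPv4 maximum datagram size of 65535 bytes as the plausibility ceiling (an assumption that ignores IPv6 jumbograms). The sample events are constructed.

```python
import json

# Plausibility ceiling: one IPv4 datagram holds at most 65535 bytes, so a
# record averaging more bytes per packet than this cannot be genuine.
# (Assumption: IPv4 traffic; IPv6 jumbograms are not considered.)
MAX_BYTES_PER_PACKET = 65535

# Constructed sample events shaped like netflow-module output (not real captures).
# The third record reproduces the symptom from the thread: one packet, ~4 GB.
SAMPLE_EVENTS = [
    '{"netflow": {"ipv4_src_addr": "10.0.0.5", "bytes": 1500, "packets": 1}}',
    '{"netflow": {"ipv4_src_addr": "10.0.0.5", "bytes": 64000, "packets": 50}}',
    '{"netflow": {"ipv4_src_addr": "10.0.0.9", "bytes": 4294967295, "packets": 1}}',
    '{"netflow": {"ipv4_src_addr": "10.0.0.9", "bytes": 800, "packets": 2}}',
    '{"netflow": {"ipv4_src_addr": "10.0.0.12", "bytes": 123}}',
]


def bytes_per_packet(event):
    """Return the average bytes per packet of a flow event, or None if the
    byte or packet counters are missing or unusable (a sign of a bad template)."""
    nf = event.get("netflow", {})
    nbytes, npkts = nf.get("bytes"), nf.get("packets")
    if not isinstance(nbytes, int) or not isinstance(npkts, int) or npkts <= 0:
        return None
    return nbytes / npkts


def is_implausible(event, ceiling=MAX_BYTES_PER_PACKET):
    """True when the record is malformed or exceeds the per-packet ceiling."""
    bpp = bytes_per_packet(event)
    return bpp is None or bpp > ceiling


def audit(lines, ceiling=MAX_BYTES_PER_PACKET):
    """Split JSON event lines into (kept, flagged). Unparseable lines are
    flagged as well so nothing is silently dropped."""
    kept, flagged = [], []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            flagged.append({"raw": line, "reason": "invalid json"})
            continue
        if is_implausible(event, ceiling):
            event["reason"] = "implausible bytes/packets"
            flagged.append(event)
        else:
            kept.append(event)
    return kept, flagged


def total_bytes_by_src(events):
    """Sum netflow.bytes per source address; the dashboard-style view that
    the bogus record would otherwise dominate."""
    totals = {}
    for event in events:
        nf = event["netflow"]
        src = nf.get("ipv4_src_addr", "unknown")
        totals[src] = totals.get(src, 0) + nf.get("bytes", 0)
    return totals


if __name__ == "__main__":
    kept, flagged = audit(SAMPLE_EVENTS)
    print("kept totals:", total_bytes_by_src(kept))
    for event in flagged:
        print("flagged:", event)
```

Flagging, rather than deleting, keeps the evidence you need to confirm the template problem the answer describes: if every flagged record comes from the same exporter and appears right after a template refresh, the fix is the plugin update, not a filter. Once confirmed, the same condition can be wrapped around a Logstash `drop` filter as a stop-gap until the exporter and codec agree on the template again.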
