Hello, I configured an IPFIX sensor for my firewall. I receive data from the sensor, but it only shows the 'Other' protocol. I then tried to configure channels:

  1. 1:DNS Protocol[UDP] and DestinationPort[53]
  2. 2:WWW Protocol[TCP] and (DestinationPort[80] or DestinationPort[443])

It is the same. For information, I have 'netflow data rejected' in the log (code: PE082). I tried to change the active flow time, but no change. I tested with NF9_test, and I see flows and templates.

English isn’t my first language, so please excuse any mistakes.

Pierre-Henri


Article Comments

Dear Pierre-Henri

Please pause all IPFIX sensors using that port. Then please use the Netflow 9 tester (which also decodes IPFIX). The tester shows step by step the decode process. Can you see now why you get "Other" traffic only?


Mar, 2017 - Permalink

Hello, I have only one IPFIX sensor (lab environment). I paused my sensor; I see the source as 'active'. No results in 'unassigned flow'.

Templates:
261: 148(8) 346(4) 32778(2) 32779(65535)
260: 148(8) 346(4) 32769(4) 32771(4) 32772(1) 32773(65535)
259: 1(8) 2(8) 4(1) 5(1) 61(1) 233(1) 6(2) 7(2) 27(16) 10(4) 11(2) 28(16) 14(4) 21(4) 22(4) 96(65535) 148(8) 371(65535)
257: 1(8) 2(8) 4(1) 5(1) 61(1) 233(1) 6(2) 7(2) 8(4) 10(4) 11(2) 12(4) 14(4) 21(4) 22(4) 96(65535) 148(8) 371(65535)
258: 1(8) 2(8) 4(1) 5(1) 61(1) 233(1) 6(2) 7(2) 8(4) 10(4) 11(2) 12(4) 14(4) 21(4) 22(4) 96(65535) 148(8) 225(4) 226(4) 227(2) 228(2) 371(65535)

Decoded flows:
ID:257 - 10.0.0.200:57524->10.0.0.231:161 E:2 EE:0 P:0 IF/OF:5/7 19:28:00 0
ID:258 - 10.0.0.200:64711->208.67.222.222:53 E:1 EE:0 P:0 IF/OF:5/4 15:24:39 76
ID:258 - 10.0.0.200:59867->193.242.174.1:80 E:5 EE:0 P:0 IF/OF:5/4 15:23:51 80
ID:258 - 10.0.0.18:51419->77.75.59.41:80 E:5 EE:0 P:0 IF/OF:5/4 15:11:13 80
ID:258 - 10.0.0.18:51423->77.75.59.41:80 E:1 EE:0 P:0 IF/OF:5/4 09:37:52 821
ID:258 - 10.0.0.18:51316->216.58.198.195:443 E:5 EE:0 P:0 IF/OF:5/4 22:41:03 126
ID:258 - 10.0.0.18:51420->77.75.59.41:80 E:5 EE:0 P:0 IF/OF:5/4 14:53:46 80
ID:258 - 10.0.0.18:51424->77.75.59.41:80 E:1 EE:0 P:0 IF/OF:5/4 09:20:27 852
ID:257 - 10.0.0.200:57525->10.0.0.231:161 E:2 EE:0 P:0 IF/OF:5/7 18:04:45 0
ID:258 - 10.0.0.18:51323->192.0.73.2:443 E:2 EE:0 P:0 IF/OF:5/4 21:50:39 40
ID:258 - 10.0.0.18:51430->54.192.203.241:80 E:1 EE:0 P:0 IF/OF:5/4 08:43:25 433
ID:258 - 10.0.0.18:51326->216.58.198.200:443 E:2 EE:0 P:0 IF/OF:5/4 21:48:13 0
ID:258 - 10.0.0.18:51408->91.209.107.44:443 E:5 EE:0 P:0 IF/OF:5/4 19:28:21 40
ID:258 - 10.0.0.20:123->40.118.106.130:123 E:2 EE:0 P:0 IF/OF:7/4 17:12:16 0
ID:258 - 10.0.0.18:51431->193.252.23.65:110 E:2 EE:0 P:0 IF/OF:5/4 07:01:28 416
ID:258 - 10.0.0.18:51421->77.75.59.41:80 E:5 EE:0 P:0 IF/OF:5/4 12:24:40 80
ID:258 - 10.0.0.18:51432->77.75.59.41:80 E:1 EE:0 P:0 IF/OF:5/4 06:51:21 821
ID:258 - 10.0.0.18:51422->77.75.59.41:80 E:5 EE:0 P:0 IF/OF:5/4 12:07:18 80
ID:258 - 10.0.0.18:51433->77.75.59.41:80 E:1 EE:0 P:0 IF/OF:5/4 06:33:55 852
ID:257 - 10.0.0.18:51110->10.0.0.254:4430 E:5 EE:0 P:0 IF/OF:5/5 14:16:47 829

Is there something wrong with the last part of the decoded flows (time)?


Mar, 2017 - Permalink

Dear Pierre-Henri

An example IPFIX packet from your log is:

ID:257 - 10.0.0.200:57524->10.0.0.231:161 E:2 EE:0 P:0 IF/OF:5/7 19:28:00 0

The part P:0 indicates that the traffic is neither UDP (P:6) nor TCP (P:17). Because of this, all this traffic appears in the "Other" channel.


Mar, 2017 - Permalink
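To make the channel logic in the reply above concrete, here is an added example (not PRTG's code and not from anyone in this thread). It parses flow records in the NF9_test format posted earlier, compiles the two channel filters from the first post into predicates, and counts which channel each flow would land in. It uses the IANA protocol numbers (6 for TCP, 17 for UDP), assumes first-match channel evaluation with everything unmatched going to "Other", and treats the E/EE fields and the two trailing columns as opaque strings because the page does not say what they mean. The first sample is copied from the decoded output above; the second is constructed, with the protocol number filled in, to show what the same channels would report once the exporter actually sends it.

```python
"""Replay PRTG-style channel filters over NF9_test decoded flow lines.

Added example, not PRTG code. The flow-line syntax is taken from the
NF9_test output in the thread; E/EE and the two trailing columns are
kept as raw strings because their meaning is not given there.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# IANA assigned IP protocol numbers: TCP is 6, UDP is 17. A record with
# P:0 carries no usable protocol number and cannot match Protocol[...].
PROTO_NUMBER = {"TCP": 6, "UDP": 17, "ICMP": 1}

FLOW_RE = re.compile(
    r"ID:(?P<template>\d+) - "
    r"(?P<src>[^\s:]+):(?P<sport>\d+)->(?P<dst>[^\s:]+):(?P<dport>\d+) "
    r"E:(?P<e>\d+) EE:(?P<ee>\d+) P:(?P<proto>\d+) "
    r"IF/OF:(?P<inif>\d+)/(?P<outif>\d+) (?P<tail>\S+ \d+)"
)


@dataclass
class Flow:
    template: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: int   # IP protocol number as exported (the P: field)
    inif: int    # IF/OF: assumed to be input/output interface indexes
    outif: int
    tail: str    # two trailing columns; meaning not documented on the page


def parse_flows(text: str) -> List[Flow]:
    """Parse every record, even when several are run together on one line."""
    flows = []
    for m in FLOW_RE.finditer(text):
        g = m.groupdict()
        flows.append(Flow(int(g["template"]), g["src"], int(g["sport"]),
                          g["dst"], int(g["dport"]), int(g["proto"]),
                          int(g["inif"]), int(g["outif"]), g["tail"]))
    return flows


Predicate = Callable[[Flow], bool]
TOKEN_RE = re.compile(r"\(|\)|\b(?:and|or)\b|(\w+)\[([^\]]+)\]")


def compile_rule(rule: str) -> Predicate:
    """Turn 'Protocol[TCP] and (DestinationPort[80] or DestinationPort[443])'
    into a predicate. Only Protocol, DestinationPort and SourcePort are
    supported; 'and' binds tighter than 'or', parentheses group."""
    toks = [(m.group(0), m.group(1), m.group(2)) for m in TOKEN_RE.finditer(rule)]
    pos = 0

    def atom() -> Predicate:
        nonlocal pos
        if pos >= len(toks):
            raise ValueError(f"unexpected end of rule: {rule!r}")
        text, field, value = toks[pos]
        pos += 1
        if text == "(":
            node = expr()
            if pos >= len(toks) or toks[pos][0] != ")":
                raise ValueError(f"missing ')' in rule: {rule!r}")
            pos += 1
            return node
        if field == "Protocol":
            want = PROTO_NUMBER[value.upper()]
            return lambda f: f.proto == want
        if field in ("DestinationPort", "SourcePort"):
            port, attr = int(value), ("dport" if field == "DestinationPort" else "sport")
            return lambda f: getattr(f, attr) == port
        raise ValueError(f"unsupported token {text!r} in rule: {rule!r}")

    def conj() -> Predicate:
        nonlocal pos
        node = atom()
        while pos < len(toks) and toks[pos][0] == "and":
            pos += 1
            node = (lambda l, r: lambda f: l(f) and r(f))(node, atom())
        return node

    def expr() -> Predicate:
        nonlocal pos
        node = conj()
        while pos < len(toks) and toks[pos][0] == "or":
            pos += 1
            node = (lambda l, r: lambda f: l(f) or r(f))(node, conj())
        return node

    node = expr()
    if pos != len(toks):
        raise ValueError(f"trailing tokens in rule: {rule!r}")
    return node


# The two channels from the first post. Assumption: channels are evaluated
# in order, the first match wins, and unmatched flows count as "Other".
CHANNELS: List[Tuple[int, str, str]] = [
    (1, "DNS", "Protocol[UDP] and DestinationPort[53]"),
    (2, "WWW", "Protocol[TCP] and (DestinationPort[80] or DestinationPort[443])"),
]


def classify(flows: List[Flow], channels=CHANNELS) -> Dict[str, int]:
    compiled = [(name, compile_rule(rule)) for _, name, rule in channels]
    counts = {name: 0 for name, _ in compiled}
    counts["Other"] = 0
    for f in flows:
        for name, pred in compiled:
            if pred(f):
                counts[name] += 1
                break
        else:
            counts["Other"] += 1
    return counts


# Three records copied from the NF9_test output in the thread (all P:0).
PAGE_SAMPLE = (
    "ID:258 - 10.0.0.200:64711->208.67.222.222:53 E:1 EE:0 P:0 IF/OF:5/4 15:24:39 76 "
    "ID:258 - 10.0.0.18:51419->77.75.59.41:80 E:5 EE:0 P:0 IF/OF:5/4 15:11:13 80 "
    "ID:258 - 10.0.0.18:51316->216.58.198.195:443 E:5 EE:0 P:0 IF/OF:5/4 22:41:03 126"
)
# Constructed variants: the same flows with the protocol number filled in.
CONSTRUCTED_SAMPLE = (
    "ID:258 - 10.0.0.200:64711->208.67.222.222:53 E:1 EE:0 P:17 IF/OF:5/4 15:24:39 76 "
    "ID:258 - 10.0.0.18:51419->77.75.59.41:80 E:5 EE:0 P:6 IF/OF:5/4 15:11:13 80 "
    "ID:258 - 10.0.0.18:51316->216.58.198.195:443 E:5 EE:0 P:6 IF/OF:5/4 22:41:03 126 "
    "ID:258 - 10.0.0.20:123->40.118.106.130:123 E:2 EE:0 P:17 IF/OF:7/4 17:12:16 0"
)

if __name__ == "__main__":
    print("as posted  :", classify(parse_flows(PAGE_SAMPLE)))
    print("with P set :", classify(parse_flows(CONSTRUCTED_SAMPLE)))
```

Run stand-alone, the first line reports every posted flow under "Other" regardless of port, because no channel rule can be satisfied while P is 0; the second shows the DNS and WWW channels filling up as soon as the protocol number is present, with the constructed NTP flow still counted as "Other" because no channel was defined for it. The same parser can be pointed at the full decoded-flows dump above to confirm that every record there has P:0.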

Thanks for your time and very quick answers. I will investigate more with the firewall vendor. Is there more I can do with PRTG?


Mar, 2017 - Permalink

Dear Pierre-Henri

Regarding flow or packet header analysis, PRTG can only apply pre-defined filters, so you cannot break down measured traffic retroactively.

If your question is about the scope of PRTG in general, you can do a lot more than bandwidth monitoring. You can check the availability of devices, the free space on harddrives, the loading time of HTTP resources and more.


Mar, 2017 - Permalink

My question was about the pre-defined filters; I am in a test environment.

I am continuing my testing of PRTG; I have already configured HTTP sensors, SNMP, and device availability.

Thanks again for your very quick and clear answers


Mar, 2017 - Permalink