Flow-Tools - Some Questions


I need to generate NetFlow test data for my Logstash collector.

I've tried a lot of software but have had problems with each of them. The latest one I'm trying is flow-tools under Debian, but I have the following problems:

  • the timestamp sent is set to 1970 (the `@timestamp`, `event.start` and `first_switched` values below are all in January 1970);
  • I don't know how to set the source IP:port and destination IP:port, so I cannot test the GeoIP (geo_point) enrichment etc. — the generated addresses (0.0.1.25 and 255.255.1.25 below) fall in reserved, non-routable ranges, which is consistent with the `_geoip_lookup_failure` tag on the resulting document.

I'm using this command:

# Generate synthetic NetFlow v5 records (-V5) with flow-gen and pipe them into
# flow-send, which exports them to the collector at 127.0.0.1 port 2055.
# NOTE(review): "-n 1000" is presumably the number of records to generate and
# "-d 1" a debug level; the leading "0/" in the flow-send target looks like a
# local source-address selector — confirm all three against flow-gen(1)/flow-send(1).
# The records flow-gen emits are synthetic: the counter-like addresses seen below
# (0.0.1.25 -> 255.255.1.25) and the 1970 timestamps are not representative traffic,
# which matches the "_geoip_lookup_failure" tag in the indexed document.
flow-gen -V5 -n 1000 -d 1 | flow-send 0/127.0.0.1/2055 -d 1

This is what I received in tcpdump:

started 0.000, last 65471.207
    3.230.2.230/255:0:0 > 0.0.17.230/255:999:1000 >> 3.230.2.230
    3 tos 232, 999 (4294902759 octets) [|cnfp]

This is the Elasticsearch document generated by Logstash:

{
    "_index": "logstash-2021.04.12",
    "_type": "_doc",
    "_id": "nJxCxXgB6JaveisQTAD1",
    "_version": 1,
    "_seq_no": 0,
    "_primary_term": 1,
    "found": true,
    "_source": {
        "network": {
            "iana_number": 17,
            "packets": 282,
            "bytes": 282,
            "type": "ipv4",
            "transport": "UDP",
            "protocol": "smtp",
            "direction": "ingress"
        },
        "netflow": {
            "tcp_flags_label": "none",
            "tcp_flag_tags": [],
            "tos": 25,
            "ip_version": "4",
            "version": 5,
            "dst_mask_len": 0,
            "flow_seq_num": 270,
            "engine_type": 0,
            "engine_id": 0,
            "dst_as": 25,
            "sampling_algorithm": 0,
            "flow_records": 30,
            "src_as": 281,
            "next_hop": "0.0.0.0",
            "src_mask_len": 0,
            "sampling_interval": 0,
            "tcp_flags": 0
        },
        "tags": [
            "_geoip_lookup_failure"
        ],
        "ecs": {
            "version": "1.6.0"
        },
        "destination": {
            "packets": 282,
            "bytes": 282,
            "address": "255.255.1.25",
            "port": 25,
            "as": {},
            "ip": "255.255.1.25"
        },
        "event": {
            "module": "flow",
            "kind": "metric",
            "category": "network",
            "dataset": "netflow",
            "type": "connection",
            "start": "1970-01-01T00:00:01.281Z",
            "action": "netflow_flow",
            "end": "1970-02-19T17:01:43.041Z",
            "duration": 4294902
        },
        "agent": {
            "hostname": "debian",
            "type": "Logstash"
        },          
        "source": {
            "packets": 282,
            "bytes": 282,
            "address": "0.0.1.25",
            "port": 281,
            "as": {},
            "ip": "0.0.1.25"
        },
        "@timestamp": "1970-01-01T00:00:00.000Z",
        "observer": {
            "ip": "127.0.0.1",
            "ingress": {
                "interface": {
                    "id": 281
                }
            },
            "egress": {
                "interface": {
                    "id": 25
                }
            },
            "type": "netflow_exporter"
        },
        "related": {
            "ip": [
                "0.0.1.25",
                "255.255.1.25"
            ]
        },
        "@version": "1"
    }
}

UPDATE:

This is what Logstash gets (debug output of the decoded `netflow` field):

"netflow" => {
                  "src_port" => 0,
                     "bytes" => 1,
            "first_switched" => "1970-01-01T00:00:00.000Z",
                 "direction" => "ingress",
                  "src_addr" => "0.0.0.0",
                  "dst_addr" => "255.255.0.0",
             "packet_format" => "data_flowset_format",
             "dst_port_name" => "__UNKNOWN",
             "last_switched" => "1970-02-19T17:01:42.760Z",
               "output_snmp" => 65280,
              "dst_locality" => "public",
                "input_snmp" => 0,
              "src_locality" => "private",
                   "packets" => 1,
                  "dst_port" => 65280,
             "protocol_name" => "UDP",
             "flow_locality" => "public",
                  "protocol" => 17,
             "src_port_name" => "__UNKNOWN"
        },
