Missing MAC addresses in NetFlow exports

Started by marianh, June 28, 2017, 09:26:59 AM

June 28, 2017, 09:26:59 AM Last Edit: June 28, 2017, 09:34:14 AM by marianh
OPNsense version: 16.7.
Problem: cannot find source MAC and destination MAC in NetFlow exports.
Suggested solution: add the MAC address fields (IN_SRC_MAC, OUT_DST_MAC) to the NetFlow v9 template.

Packet capture of the export:

Cisco NetFlow/IPFIX
    Version: 9
    Count: 23
    SysUptime: 1118038.000000000 seconds
    Timestamp: Jun 28, 2017 09:14:14.000000000 Central Europe Daylight Time
    FlowSequence: 11277
    SourceId: 0
    FlowSet 1 [id=256] (10 flows)
        FlowSet Id: (Data) (256)
        FlowSet Length: 576
        [Template Frame: 1]
        Flow 1
            SrcAddr: 10.100.1.70
            DstAddr: 10.100.0.1
            NextHop: 130.41.41.199
            InputInt: 2
            OutputInt: 7
            Packets: 1
            Octets: 63
            Post Packets: 0
            Post Octets: 0
            [Duration: 0.000000000 seconds (switched)]
                StartTime: 1118016.000000000 seconds
                EndTime: 1118016.000000000 seconds
            SrcPort: 55738
            DstPort: 53
            TCP Flags: 0x00
                00.. .... = Reserved: 0x0
                ..0. .... = URG: Not used
                ...0 .... = ACK: Not used
                .... 0... = PSH: Not used
                .... .0.. = RST: Not used
                .... ..0. = SYN: Not used
                .... ...0 = FIN: Not used
            Protocol: UDP (17)
            IP ToS: 0x00
            SrcAS: 0
            DstAS: 0
            SrcMask: 16
            DstMask: 32


Capture of sent Netflow template:

Cisco NetFlow/IPFIX
    Version: 9
    Count: 23
    SysUptime: 1117945.000000000 seconds
    Timestamp: Jun 28, 2017 09:12:41.000000000 Central Europe Daylight Time
    FlowSequence: 11272
    SourceId: 0
    FlowSet 1 [id=0] (Data Template): 256,259
        FlowSet Id: Data Template (V9) (0)
        FlowSet Length: 172
        Template (Id = 256, Count = 20)
            Template Id: 256
            Field Count: 20
            Field (1/20): IP_SRC_ADDR
            Field (2/20): IP_DST_ADDR
            Field (3/20): IP_NEXT_HOP
            Field (4/20): INPUT_SNMP
            Field (5/20): OUTPUT_SNMP
            Field (6/20): PKTS
            Field (7/20): BYTES
            Field (8/20): OUT_PKTS
            Field (9/20): OUT_BYTES
            Field (10/20): FIRST_SWITCHED
            Field (11/20): LAST_SWITCHED
            Field (12/20): L4_SRC_PORT
            Field (13/20): L4_DST_PORT
            Field (14/20): TCP_FLAGS
            Field (15/20): PROTOCOL
            Field (16/20): IP_TOS
            Field (17/20): SRC_AS
            Field (18/20): DST_AS
            Field (19/20): SRC_MASK
            Field (20/20): DST_MASK
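As an added example (not part of the post and not OPNsense's exporter code), the following Python script builds a NetFlow v9 export packet whose Data Template FlowSet carries exactly the 20 field types listed in the captured template 256, parses it back the way a collector would, and reports whether the two MAC fields suggested above (IN_SRC_MAC, type 56; OUT_DST_MAC, type 57) are present. The per-field lengths, the header timestamps and the helper names are assumptions for the example; the post shows only the field types.

```python
"""Check whether a NetFlow v9 Data Template FlowSet carries MAC address fields.

Added example: constructs a v9 packet with the template fields seen in the
captured export (template 256), parses it, and flags the missing MAC fields.
"""
import struct

# NetFlow v9 field type IDs (RFC 3954 / Cisco field type table).
FIELD_NAMES = {
    1: "BYTES", 2: "PKTS", 4: "PROTOCOL", 5: "IP_TOS", 6: "TCP_FLAGS",
    7: "L4_SRC_PORT", 8: "IP_SRC_ADDR", 9: "SRC_MASK", 10: "INPUT_SNMP",
    11: "L4_DST_PORT", 12: "IP_DST_ADDR", 13: "DST_MASK", 14: "OUTPUT_SNMP",
    15: "IP_NEXT_HOP", 16: "SRC_AS", 17: "DST_AS", 21: "LAST_SWITCHED",
    22: "FIRST_SWITCHED", 23: "OUT_BYTES", 24: "OUT_PKTS",
    56: "IN_SRC_MAC", 57: "OUT_DST_MAC", 80: "IN_DST_MAC", 81: "OUT_SRC_MAC",
}
# The two fields the post suggests adding to the template.
WANTED_MAC_FIELDS = (56, 57)

# Template 256 as captured: same 20 field types, in the same order. The field
# lengths are assumed (typical exporter sizes); the capture does not show them.
TEMPLATE_256_WITHOUT_MAC = [
    (8, 4), (12, 4), (15, 4), (10, 2), (14, 2), (2, 4), (1, 4), (24, 4), (23, 4),
    (22, 4), (21, 4), (7, 2), (11, 2), (6, 1), (4, 1), (5, 1), (16, 2), (17, 2),
    (9, 1), (13, 1),
]
# The same template with the suggested MAC fields appended (MACs are 6 bytes).
TEMPLATE_256_WITH_MAC = TEMPLATE_256_WITHOUT_MAC + [(56, 6), (57, 6)]


def build_template_packet(template_id, fields, seq=11272, source_id=0):
    """Build a v9 export packet holding one Data Template FlowSet (FlowSet id 0).

    Header: version, count, SysUptime (ms), unix secs, sequence, source id.
    Uptime/time values are constructed to resemble the captured packet.
    """
    header = struct.pack("!HHIIII", 9, 1, 1117945000, 1498633961, seq, source_id)
    record = struct.pack("!HH", template_id, len(fields))
    record += b"".join(struct.pack("!HH", ftype, flen) for ftype, flen in fields)
    flowset = struct.pack("!HH", 0, 4 + len(record)) + record
    return header + flowset


def parse_templates(packet):
    """Return {template_id: [(field_type, field_length), ...]} for every
    Data Template FlowSet in the packet; other FlowSets are skipped by length."""
    version = struct.unpack_from("!HHIIII", packet, 0)[0]
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    templates = {}
    off = 20  # v9 header is 20 bytes
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4:
            raise ValueError("FlowSet length below minimum")
        end = off + fs_len
        if fs_id == 0:  # Data Template FlowSet
            pos = off + 4
            while pos + 4 <= end:
                tid, nfields = struct.unpack_from("!HH", packet, pos)
                pos += 4
                if nfields == 0:  # padding; v9 templates are never withdrawn
                    break
                if pos + 4 * nfields > end:
                    raise ValueError(f"template {tid} truncated")
                templates[tid] = [struct.unpack_from("!HH", packet, pos + 4 * i)
                                  for i in range(nfields)]
                pos += 4 * nfields
        off = end
    return templates


def field_names(fields):
    """Map a template's field types to their Wireshark-style names."""
    return [FIELD_NAMES.get(ftype, f"TYPE_{ftype}") for ftype, _ in fields]


def missing_mac_fields(fields):
    """Names of the suggested MAC fields the template lacks ([] when present)."""
    present = {ftype for ftype, _ in fields}
    return [FIELD_NAMES[t] for t in WANTED_MAC_FIELDS if t not in present]


def record_length(fields):
    """Byte length of one data record described by the template."""
    return sum(flen for _, flen in fields)


if __name__ == "__main__":
    for label, fields in (("as captured", TEMPLATE_256_WITHOUT_MAC),
                          ("with MAC fields", TEMPLATE_256_WITH_MAC)):
        tmpl = parse_templates(build_template_packet(256, fields))[256]
        print(f"template 256 {label}: {len(tmpl)} fields, "
              f"{record_length(tmpl)} bytes/record, "
              f"missing: {missing_mac_fields(tmpl) or 'none'}")
```

Run against a real export (read the UDP payload into `packet` and call `parse_templates`), the `missing_mac_fields` check answers the question in the post directly: if it returns both names for every template the exporter sends, no collector can recover the MAC addresses, regardless of how the data records are decoded. The `record_length` helper also shows the cost of the suggested change: two 6-byte MAC fields add 12 bytes to every exported flow record.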