Forum Discussion

Sarah's avatar
Sarah
Icon for Cirrus rankCirrus
Oct 21, 2023
Solved

IPFIX Elements

Hello Everyone, I have created an iRule to query HTTP hostname, URI, and respose code and ship them along with other info to Elsatic collectors through ipfix log publisher.  but we came to an issue...
  • Sarah's avatar
    Oct 31, 2023

     

    Hello Reader,

    Thankfully, we found the answer!

    So, basically, some elements such as the http ones i'm using in my above iRule, which are built into BIG-IP system, are defined by IANA under F5's Private Enterprise Number (PEN) 12276. Hence, the [pen: F5 Networks Inc] appeared in wireshark in replacement of the acctual field name unlike the other standard fields.

     

    Solution

    In my case, using Logstash and the netflow codec, for any non standard element (not under PEN 0), we must override the YAML file containing IPFIX field definitions (id, data type, and enetrprits id) for the flow to get decoded and to avoid thrown errors as "unsupported field in template".

     

    Please feel free to update the post should you have any queries.

     

    Regards,

    Sarah.