Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

IPFIX Elements

Go to solution
Sarah
Altocumulus
Altocumulus

‎21-Oct-2023 02:58 - edited ‎21-Oct-2023 12:49

Hello Everyone,

I have created an iRule to query HTTP hostname, URI, and respose code and ship them along with other info to Elsatic collectors through ipfix log publisher. 

but we came to an issue that the collectors were not able to decode the template with an error msg "unsupported field in template"

I have been using the standard ipfix elements built into big-ip system in my iRule. 

below is a snippet of the iRule and the used ipfix elements:

 

 

if { $static::http_rule1_tmplt == ""} {
      # if the template has not been created yet, create the template
      set static::http_rule1_tmplt [IPFIX::template create "flowStartMilliseconds \
                                                          sourceIPv4Address \
                                                          tcpSourcePort \
                                                          destinationIPv4Address \
                                                          tcpDestinationPort \
                                                          postNATDestinationIPv4Address \
                                                          postNAPTDestinationTransportPort  \
                                                          httpHostname \
                                                          httpUrl \
                                                          httpResponseCode  \
                                                          flowEndMilliseconds \ "]
     }

 

When trying to analyze the traffic through wireshark, we noticed the HTTP elements are showing as [pen: F5 Networks Inc]; i wonder if this has to do with the collectors not able to decode the template?

Screen Shot 2023-10-21 at 12.32.47 PM.png

Thank you!

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
Sarah
Altocumulus
Altocumulus

‎31-Oct-2023 14:02

 

Hello Reader,

Thankfully, we found the answer!

So, basically, some elements such as the http ones i'm using in my above iRule, which are built into BIG-IP system, are defined by IANA under F5's Private Enterprise Number (PEN) 12276. Hence, the [pen: F5 Networks Inc] appeared in wireshark in replacement of the acctual field name unlike the other standard fields.

 

Solution

In my case, using Logstash and the netflow codec, for any non standard element (not under PEN 0), we must override the YAML file containing IPFIX field definitions (id, data type, and enetrprits id) for the flow to get decoded and to avoid thrown errors as "unsupported field in template".

 

Please feel free to update the post should you have any queries.

 

Regards,

Sarah.

View solution in original post

0 Kudos
2 REPLIES 2

Go to solution
Sarah
Altocumulus
Altocumulus

‎31-Oct-2023 14:02

 

Hello Reader,

Thankfully, we found the answer!

So, basically, some elements such as the http ones i'm using in my above iRule, which are built into BIG-IP system, are defined by IANA under F5's Private Enterprise Number (PEN) 12276. Hence, the [pen: F5 Networks Inc] appeared in wireshark in replacement of the acctual field name unlike the other standard fields.

 

Solution

In my case, using Logstash and the netflow codec, for any non standard element (not under PEN 0), we must override the YAML file containing IPFIX field definitions (id, data type, and enetrprits id) for the flow to get decoded and to avoid thrown errors as "unsupported field in template".

 

Please feel free to update the post should you have any queries.

 

Regards,

Sarah.

0 Kudos

Go to solution
BrentYost
Nimbostratus
Nimbostratus

‎16-Nov-2023 01:35

Certainly! The issue may stem from custom HTTP elements not recognized by collectors. Ensure elements align with IPFIX standards. Check collector documentation for compatibility and consider using standard Information Elements.

If you require and are stressed to juggle several college assignments offer dependable assistance. but this https://customwriting.com/assignments.html platform has completely changed my academic experience. The writers' unparalleled level of experience improves the calibre of my work. The stress-free, seamless process from order placement to the completed assignment is what distinguishes it. It guarantees that assignments are not just completed but also surpass expectations, so I heartily recommend it to anyone who must complete academic assignments.
Copyright © 2023 Khoros, LLC