ipfix template // howto decode interface?

schirrmi · September 22, 2021, 11:35am

Hi all,

I set up some monitoring on elasticsearch for my traffic flow as ipfix an v9 netflows.
Works fine so far but though I did check to transfer the interfaces I cannot find them in the messages. I’d guess I’d need to write an own schema for the decoding? but at what code are the interfaces? or is it at “standard” codes but different format?

the marks “in interface” & “out interface” are ticked in the selection.
Wireshard does see outputint & inputin when set to cflow, thus looks bit like finding the correct mapping?!

actually when writing the output as debug out with logstash there’s no value looking like interface

Best Daniel

schirrmi · September 22, 2021, 1:30pm

ok looks like I was looking on the data the wrong way. seems the interface indexes are stored to ipfix.input_snmp / ipfix.output_snmp.

So I’m now wondering is there a chance for finding the mapping of interface index to interface name?

abrar226 · April 12, 2022, 7:27am

have you manged to map the index to the interface name?

rextended · April 12, 2022, 7:29am

The user left the forum in 2021 after writing only these two posts.
And you, after your last post on 2018, reply to that?

abrar226 · April 19, 2022, 6:25am

well i didn’t check the history as you did. and there was already a post and didn’t want to open a new post related with same topic which i was looking for.