Cherry-pick #13821 to 6.8: [Filebeat] Fix bugs in Netflow input #14032

adriansr · 2019-10-14T07:00:47Z

Cherry-pick of PR #13821 to 6.8 branch. Original message:

This PR fixes a couple bugs in the Netflow input causing flow loss in Netflow V9 and IPFIX:

Bad expiration of templates caused all templates to be removed after each expiration_timeout elapsed.
Incorrect handling of sequence numbers caused all templates to be removed if a device exported packets from different Observation Domains.

It's easier to review by looking at the individual commits.

This commit fixes a couple bugs in the Netflow input causing flow loss in Netflow V9 and IPFIX: Due to an error the expiration loop was expiring the sessions twice in each iteration. This caused all the sessions to be expired wether active or not, every time that the expiration interval elapsed. The NetFlow input was mistakenly comparing sequence numbers (v9 and IPFIX) from the same source but different Observation Domain (aka Source ID). This caused the session to be reset when packets from different source IDs where interweaved. This refactors the source ID out of session and into the session key, so that now a different source ID from the same source creates a new session. (cherry picked from commit 62d0e87)

adriansr added backport review labels Oct 14, 2019

Fix changelog

fe1bfe9

andrewkroh approved these changes Oct 14, 2019

View reviewed changes

adriansr merged commit 3409cbc into elastic:6.8 Oct 14, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Cherry-pick #13821 to 6.8: [Filebeat] Fix bugs in Netflow input #14032

Cherry-pick #13821 to 6.8: [Filebeat] Fix bugs in Netflow input #14032

adriansr commented Oct 14, 2019

Cherry-pick #13821 to 6.8: [Filebeat] Fix bugs in Netflow input #14032

Cherry-pick #13821 to 6.8: [Filebeat] Fix bugs in Netflow input #14032

Conversation

adriansr commented Oct 14, 2019