Missing flow.conversation.id values?

A question came up from the ElastiFlow Community asking:

> While searching some data, I noticed that every 10 minutes or so I get a flood of flow records that don’t have a flow.conversation.id. Is that normal or should every flow in the system have a Conversation ID?

This was in a test environment consisting of ElastiFlow Flow Collector 6.4.2 receiving approximately 1000 flows/second from two Cisco Catalyst 9500s and two Cisco ISR routers. The missing flow.conversation.id values looked suspicious because they occurred at regular intervals, coinciding with a burst of flows lasting a few minutes.

To understand the issue, note that flow.conversation.id is derived from a hash function over the conversation elements: the source and destination IP addresses together with the source and destination ports. If flow.conversation.id is missing from a record, it is typically because not all of the elements needed to compute it were present in that record.

Consider the example flow records in the attached pictures, all belonging to the same flow. You'll notice that this record does not include a flow.conversation.id. The absence is tied to the nature of the traffic being monitored: in this case the traffic is directed to the destination IP 224.0.0.5, the multicast address used by the OSPF routing protocol. OSPF runs directly over IP (protocol 89) rather than over TCP or UDP, so these flows carry no source or destination ports, which is why no flow.conversation.id is generated for these records.
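To make the explanation above concrete, here is an added illustration (not ElastiFlow's own code) of a conversation id that can only be derived when all four tuple elements are present, plus a small triage helper that groups the id-less records by IP protocol so you can confirm the gaps come from port-less traffic such as OSPF. The hash scheme, field names and sample records are all assumptions constructed for this example.

```python
"""Illustrates why a conversation id can be absent: it is only derivable
when all four tuple elements (src/dst IP, src/dst port) are present.
Assumed scheme for illustration only; not ElastiFlow's actual algorithm."""
import hashlib
from collections import Counter

# Constructed sample records (not real collector output). "transport" is the
# IP protocol number; OSPF is 89 and carries no transport-layer ports.
SAMPLE_FLOWS = [
    {"src_ip": "10.1.1.10", "dst_ip": "10.2.2.20", "transport": 6,
     "src_port": 51234, "dst_port": 443},
    {"src_ip": "10.2.2.20", "dst_ip": "10.1.1.10", "transport": 6,
     "src_port": 443, "dst_port": 51234},
    {"src_ip": "10.1.1.1", "dst_ip": "224.0.0.5", "transport": 89},
    {"src_ip": "10.1.1.10", "dst_ip": "10.3.3.30", "transport": 17,
     "src_port": 5353, "dst_port": 5353},
]


def conversation_id(flow):
    """Return a hash over the conversation tuple, or None if any element is missing.

    The two endpoints are sorted so both directions of a conversation map to
    the same id (an assumption of this example, not a statement about ElastiFlow).
    """
    needed = ("src_ip", "dst_ip", "src_port", "dst_port")
    if any(flow.get(k) is None for k in needed):
        return None
    a = (flow["src_ip"], flow["src_port"])
    b = (flow["dst_ip"], flow["dst_port"])
    lo, hi = sorted([a, b])
    key = f"{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}".encode()
    return hashlib.sha1(key).hexdigest()[:16]


def missing_by_transport(flows):
    """Count records without a conversation id, keyed by IP protocol number.

    Running this over a burst of records shows whether the gaps come from
    port-less protocols (e.g. 89/OSPF) rather than from a collector fault.
    """
    return Counter(f["transport"] for f in flows if conversation_id(f) is None)
```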
