From 5c483dc3a95c16a8421987cab5fc2abd9ae09706 Mon Sep 17 00:00:00 2001
From: Sven Rebhan <36194019+srebhan@users.noreply.github.com>
Date: Tue, 23 Apr 2024 11:43:36 -0400
Subject: [PATCH] feat(inputs.netflow): Add support for netflow v9 option
 packets (#15180)

---
 plugins/inputs/netflow/netflow_decoder.go     |  28 ++++++++++++++++++
 .../testcases/netflow_v9_options/expected.out |   8 +++++
 .../testcases/netflow_v9_options/message.bin  | Bin 0 -> 934 bytes
 .../netflow_v9_options/telegraf.conf          |   2 ++
 plugins/inputs/netflow/type_conversion.go     |   2 +-
 5 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 plugins/inputs/netflow/testcases/netflow_v9_options/expected.out
 create mode 100644 plugins/inputs/netflow/testcases/netflow_v9_options/message.bin
 create mode 100644 plugins/inputs/netflow/testcases/netflow_v9_options/telegraf.conf

diff --git a/plugins/inputs/netflow/netflow_decoder.go b/plugins/inputs/netflow/netflow_decoder.go
index 0e35aa66f..3383d4416 100644
--- a/plugins/inputs/netflow/netflow_decoder.go
+++ b/plugins/inputs/netflow/netflow_decoder.go
@@ -577,6 +577,34 @@ func (d *netflowDecoder) Decode(srcIP net.IP, payload []byte) ([]telegraf.Metric
 			case netflow.TemplateFlowSet:
 			case netflow.NFv9OptionsTemplateFlowSet:
 			case netflow.OptionsDataFlowSet:
+				for _, record := range fs.Records {
+					tags := map[string]string{
+						"source":  src,
+						"version": "NetFlowV9",
+					}
+					fields := make(map[string]interface{})
+					for _, value := range record.ScopesValues {
+						decodedFields, err := d.decodeValueV9(value)
+						if err != nil {
+							d.Log.Errorf("decoding option record %+v failed: %v", record, err)
+							continue
+						}
+						for _, field := range decodedFields {
+							fields[field.Key] = field.Value
+						}
+					}
+					for _, value := range record.OptionsValues {
+						decodedFields, err := d.decodeValueV9(value)
+						if err != nil {
+							d.Log.Errorf("decoding option record %+v failed: %v", record, err)
+							continue
+						}
+						for _, field := range decodedFields {
+							fields[field.Key] = field.Value
+						}
+					}
+					metrics = append(metrics, metric.New("netflow_options", tags, fields, t))
+				}
 			case netflow.DataFlowSet:
 				for _, record := range fs.Records {
 					tags := map[string]string{
diff --git a/plugins/inputs/netflow/testcases/netflow_v9_options/expected.out b/plugins/inputs/netflow/testcases/netflow_v9_options/expected.out
new file mode 100644
index 000000000..4f2e7b071
--- /dev/null
+++ b/plugins/inputs/netflow/testcases/netflow_v9_options/expected.out
@@ -0,0 +1,8 @@
+netflow_options,source=127.0.0.1,version=NetFlowV9 in_bytes=169952189u,in_snmp=1u,interface="Te0/0/0",interface_desc="TenGigabitEthernet0/0/0",out_snmp=1u 1713379378304536264
+netflow_options,source=127.0.0.1,version=NetFlowV9 in_bytes=169952189u,in_snmp=2u,interface="Te0/0/1",interface_desc="TenGigabitEthernet0/0/1",out_snmp=2u 1713379378304536264
+netflow_options,source=127.0.0.1,version=NetFlowV9 in_bytes=169952189u,in_snmp=3u,interface="Te0/0/2",interface_desc="TenGigabitEthernet0/0/2",out_snmp=3u 1713379378304536264
+netflow_options,source=127.0.0.1,version=NetFlowV9 in_bytes=169952189u,in_snmp=4u,interface="Te0/0/3",interface_desc="TenGigabitEthernet0/0/3",out_snmp=4u 1713379378304536264
+netflow_options,source=127.0.0.1,version=NetFlowV9 in_bytes=169952189u,in_snmp=5u,interface="Te0/0/4",interface_desc="TenGigabitEthernet0/0/4",out_snmp=5u 1713379378304536264
+netflow_options,source=127.0.0.1,version=NetFlowV9 in_bytes=169952189u,in_snmp=6u,interface="Te0/0/5",interface_desc="TenGigabitEthernet0/0/5",out_snmp=6u 1713379378304536264
+netflow_options,source=127.0.0.1,version=NetFlowV9 in_bytes=169952189u,in_snmp=7u,interface="Gi0",interface_desc="GigabitEthernet0",out_snmp=7u 1713379378304536264
+netflow_options,source=127.0.0.1,version=NetFlowV9 in_bytes=169952189u,in_snmp=10u,interface="Lo0",interface_desc="Loopback0",out_snmp=10u 1713379378304536264
diff --git a/plugins/inputs/netflow/testcases/netflow_v9_options/message.bin b/plugins/inputs/netflow/testcases/netflow_v9_options/message.bin
new file mode 100644
index 0000000000000000000000000000000000000000..ead52e3b076f9e90d863a497d38e83ced4a910b7
GIT binary patch
literal 934
zcmajdPYQxS7zOY*Ix5a0IzR-Tp#KMm2sf_Eb)aD-fksICR-LLtwCXxd%&g+;8$}p~
z_ug+KV#LL5_c{z7cZlo_AcVkB01|zDl2H2FAi)+(^dJTNP9>|SPKvx5kMygLf1bQ*
z()w7Gb+_(L)wQWQM}gQ8R`ZNDAtLsQ)|dh@<yp-)+LVZ}8dD&qe5*;L&4>uAF$H2u
zS}iczoQSX*Qy``StA$2e5D`{m3dB@swJ5Eb|M6S={UM1l=T&4im9-8nYuig%?9YxE
GE2<CDTvguy

literal 0
HcmV?d00001

diff --git a/plugins/inputs/netflow/testcases/netflow_v9_options/telegraf.conf b/plugins/inputs/netflow/testcases/netflow_v9_options/telegraf.conf
new file mode 100644
index 000000000..cfd23d363
--- /dev/null
+++ b/plugins/inputs/netflow/testcases/netflow_v9_options/telegraf.conf
@@ -0,0 +1,2 @@
+[[inputs.netflow]]
+  service_address = "udp://127.0.0.1:0"
diff --git a/plugins/inputs/netflow/type_conversion.go b/plugins/inputs/netflow/type_conversion.go
index 49db1a9ef..3e48495cc 100644
--- a/plugins/inputs/netflow/type_conversion.go
+++ b/plugins/inputs/netflow/type_conversion.go
@@ -142,7 +142,7 @@ func decodeHex(b []byte) (interface{}, error) {
 }
 
 func decodeString(b []byte) (interface{}, error) {
-	return string(b), nil
+	return strings.TrimRight(string(b), "\x00"), nil
 }
 
 func decodeMAC(b []byte) (interface{}, error) {