diff --git a/plugins/inputs/netflow/netflow_decoder.go b/plugins/inputs/netflow/netflow_decoder.go index 9df4ee9de..521c704cb 100644 --- a/plugins/inputs/netflow/netflow_decoder.go +++ b/plugins/inputs/netflow/netflow_decoder.go @@ -2,6 +2,7 @@ package netflow import ( "bytes" + "errors" "fmt" "net" "strconv" @@ -530,6 +531,7 @@ type netflowDecoder struct { templates map[string]*netflow.BasicTemplateSystem mappingsV9 map[uint16]fieldMapping mappingsIPFIX map[uint16]fieldMapping + mappingsPEN map[string]fieldMapping sync.Mutex } @@ -552,7 +554,12 @@ func (d *netflowDecoder) Decode(srcIP net.IP, payload []byte) ([]telegraf.Metric buf := bytes.NewBuffer(payload) packet, err := netflow.DecodeMessage(buf, templates) if err != nil { - return nil, err + var terr *netflow.ErrorTemplateNotFound + if errors.As(err, &terr) { + d.Log.Warnf("%v; skipping packet", err) + return nil, nil + } + return nil, fmt.Errorf("decoding message failed: %w", err) } // Extract metrics @@ -571,7 +578,13 @@ func (d *netflowDecoder) Decode(srcIP net.IP, payload []byte) ([]telegraf.Metric } fields := make(map[string]interface{}) for _, value := range record.Values { - for _, field := range d.decodeValueV9(value) { + var extracted []telegraf.Field + if value.PenProvided { + extracted = d.decodeValuePEN(value) + } else { + extracted = d.decodeValueV9(value) + } + for _, field := range extracted { fields[field.Key] = field.Value } } @@ -594,7 +607,13 @@ func (d *netflowDecoder) Decode(srcIP net.IP, payload []byte) ([]telegraf.Metric fields := make(map[string]interface{}) t := time.Now() for _, value := range record.Values { - for _, field := range d.decodeValueIPFIX(value) { + var extracted []telegraf.Field + if value.PenProvided { + extracted = d.decodeValuePEN(value) + } else { + extracted = d.decodeValueIPFIX(value) + } + for _, field := range extracted { fields[field.Key] = field.Value } } 
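Review bot: In the `errors.As` branch of `Decode`, every packet that references an unknown template produces its own `Warnf` line. The tests configure a UDP listener, so whoever can reach the port controls how many such lines are written. Consider warning once per source and template (or rate-limiting) and counting the skipped packets, so a misconfigured or hostile exporter cannot fill the log. The message also omits the exporter address although `srcIP` is in scope; `d.Log.Warnf("%v from %s; skipping packet", err, srcIP)` would make the warning usable for triage. `Decode` starts and ends outside this hunk.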
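Review bot: The keys written into `fields` for PEN values come straight from exporter-supplied numbers. `mappingsPEN` is only created empty in the visible hunks, so every such value falls through to the `type_<pen>_<id>` naming in `decodeValuePEN`, and the sender decides which and how many distinct field keys a metric carries. The same applies to the IPFIX branch in the next hunk. If this is intended for surfacing unknown elements, say so at the dispatch, e.g. `// unmapped PEN elements yield exporter-defined field names (type_<pen>_<id>)`, and consider a way to drop them. The `if value.PenProvided` dispatch is also duplicated apart from the fallback decoder; both loops sit in `Decode`, which extends beyond these hunks.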
@@ -620,6 +639,7 @@ func (d *netflowDecoder) Init() error { d.templates = make(map[string]*netflow.BasicTemplateSystem) d.mappingsV9 = make(map[uint16]fieldMapping) d.mappingsIPFIX = make(map[uint16]fieldMapping) + d.mappingsPEN = make(map[string]fieldMapping) return nil } @@ -707,3 +727,24 @@ func (d *netflowDecoder) decodeValueIPFIX(field netflow.DataField) []telegraf.Fi name := "type_" + strconv.FormatUint(uint64(field.Type), 10) return []telegraf.Field{{Key: name, Value: decodeHex(raw)}} } + +func (d *netflowDecoder) decodeValuePEN(field netflow.DataField) []telegraf.Field { + raw := field.Value.([]byte) + + var prefix string + elementID := field.Type + if field.Type&0x4000 != 0 { + prefix = "rev_" + elementID = field.Type & (0x4000 ^ 0xffff) + } + + key := fmt.Sprintf("%d.%d", field.Pen, elementID) + if m, found := d.mappingsPEN[key]; found { + return []telegraf.Field{{Key: m.name, Value: m.decoder(raw)}} + } + + // Return the raw data if no mapping was found + d.Log.Debugf("unknown PEN data field %v", field) + name := fmt.Sprintf("type_%d_%s%d", field.Pen, prefix, elementID) + return []telegraf.Field{{Key: name, Value: decodeHex(raw)}} +} diff --git a/plugins/inputs/netflow/netflow_test.go b/plugins/inputs/netflow/netflow_test.go index f3ba0f3ff..ae3c742c2 100644 --- a/plugins/inputs/netflow/netflow_test.go +++ b/plugins/inputs/netflow/netflow_test.go @@ -1,6 +1,7 @@ package netflow import ( + "encoding/hex" "fmt" "net" "os" @@ -11,12 +12,13 @@ import ( "time" "github.com/google/go-cmp/cmp" + "github.com/stretchr/testify/require" + "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/config" "github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/parsers/influx" "github.com/influxdata/telegraf/testutil" - "github.com/stretchr/testify/require" ) func TestInit(t *testing.T) { 
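Review bot: When a mapping is found in `decodeValuePEN`, the `rev_` prefix computed just above is dropped. A forward element and its reverse counterpart (bit 0x4000 set) then both resolve to the same `m.name`, and the later one overwrites the earlier in the caller's `fields` map. Prefixing the mapped name keeps them apart: `return []telegraf.Field{{Key: prefix + m.name, Value: m.decoder(raw)}}`. The mask `field.Type & (0x4000 ^ 0xffff)` reads more directly as `field.Type &^ 0x4000`. `field.Value.([]byte)` is an unchecked assertion on network-decoded data and panics if the library can return another type here; a comma-ok form would be safer, though this presumably mirrors `decodeValueIPFIX`, whose body is not fully visible.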
@@ -114,6 +116,48 @@ func TestInit(t *testing.T) { } } +func TestMissingTemplate(t *testing.T) { + raw := "000a00bc646b84c000000000000000e7010500ac000000000001dbe100000000" + raw += "0000038a060018bdeac0a802c8000000000001bb6810f9f90000000000000000" + raw += "000157b8c40155f28a00005056b3e365005056b3a7f804646b8471646b84e600" + raw += "00018843fd5cf60000018843ff232e000000000000000e00000000000007bc00" + raw += "000005000009560000000300dc00000000000000000000000000000e3130342e" + raw += "31362e3234392e3234390e3130342e31362e3234392e323439000000" + msg, err := hex.DecodeString(raw) + require.NoError(t, err) + + var acc testutil.Accumulator + var logger testutil.CaptureLogger + plugin := &NetFlow{ + ServiceAddress: "udp://127.0.0.1:0", + Log: &logger, + } + require.NoError(t, plugin.Init()) + require.NoError(t, plugin.Start(&acc)) + defer plugin.Stop() + + // Create a client without TLS + addr := plugin.conn.LocalAddr() + client, err := createClient(plugin.ServiceAddress, addr) + require.NoError(t, err) + + // Write the message + _, err = client.Write(msg) + require.NoErrorf(t, err, "writing message failed: %v", err) + require.NoError(t, client.Close()) + + // We expect a warning here + require.Eventually(t, func() bool { + return len(logger.Warnings()) > 0 + }, 3*time.Second, 100*time.Millisecond, "did not receive expected warnings") + + var found bool + for _, w := range logger.Warnings() { + found = found || strings.Contains(w, "No info template 261 found for and domain id 231; skipping packet") + } + require.True(t, found, "warning not found") +} + func TestCases(t *testing.T) { // Get all directories in testdata folders, err := os.ReadDir("testcases") diff --git a/plugins/inputs/netflow/testcases/ipfix_example/expected.out b/plugins/inputs/netflow/testcases/ipfix_example/expected.out index a367795c4..9e3694868 100644 --- a/plugins/inputs/netflow/testcases/ipfix_example/expected.out +++ b/plugins/inputs/netflow/testcases/ipfix_example/expected.out 
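Review bot: The final assertion in `TestMissingTemplate` matches the full text `No info template 261 found for and domain id 231; skipping packet`. Most of that appears to be the decoding library's own error wording, so a dependency update that rewords it fails the test without any behaviour change. Matching only the part this plugin adds, e.g. `strings.Contains(w, "; skipping packet")`, would be less brittle. The test also never checks that the skipped packet produced no metric, which is the other half of the new behaviour; `require.Empty(t, acc.GetTelegrafMetrics())` after the warning check would cover it.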
@@ -1,29 +1,29 @@ -netflow,source=127.0.0.1,version=IPFIX protocol="tcp",vlan_src=0u,src_tos="0x00",flow_end_ms=1666345513807u,src="192.168.119.100",dst="44.233.90.52",src_port=51008u,total_bytes_exported=0u,flow_end_reason="end of flow",flow_start_ms=1666345513807u,in_total_bytes=52u,in_total_packets=1u,dst_port=443u -netflow,source=127.0.0.1,version=IPFIX src_tos="0x00",src_port=54330u,rev_total_bytes_exported=0u,last_switched=9u,vlan_src=0u,flow_start_ms=1666345513807u,in_total_packets=1u,flow_end_reason="end of flow",flow_end_ms=1666345513816u,in_total_bytes=40u,dst_port=443u,src="192.168.119.100",dst="104.17.240.92",total_bytes_exported=0u,protocol="tcp" -netflow,source=127.0.0.1,version=IPFIX flow_start_ms=1666345513807u,flow_end_ms=1666345513977u,src="192.168.119.100",dst_port=443u,total_bytes_exported=0u,last_switched=170u,src_tos="0x00",in_total_bytes=40u,dst="44.233.90.52",src_port=51024u,protocol="tcp",flow_end_reason="end of flow",in_total_packets=1u,rev_total_bytes_exported=0u,vlan_src=0u -netflow,source=127.0.0.1,version=IPFIX src_port=58246u,total_bytes_exported=1u,flow_start_ms=1666345513806u,flow_end_ms=1666345513806u,in_total_bytes=156u,src="192.168.119.100",rev_total_bytes_exported=0u,last_switched=0u,flow_end_reason="forced end",dst="192.168.119.17",dst_port=53u,protocol="udp",in_total_packets=2u,vlan_src=0u,src_tos="0x00" -netflow,source=127.0.0.1,version=IPFIX protocol="udp",vlan_src=0u,src_port=58879u,dst_port=53u,flow_end_ms=1666345513832u,src_tos="0x00",src="192.168.119.100",total_bytes_exported=1u,rev_total_bytes_exported=0u,flow_end_reason="forced end",last_switched=33u,in_total_bytes=221u,in_total_packets=2u,flow_start_ms=1666345513799u,dst="192.168.119.17" -netflow,source=127.0.0.1,version=IPFIX in_total_packets=2u,dst="192.168.119.17",last_switched=0u,in_total_bytes=522u,flow_end_reason="forced 
end",flow_start_ms=1666345514150u,src_tos="0x00",flow_end_ms=1666345514167u,src="192.168.119.100",src_port=56439u,dst_port=53u,total_bytes_exported=1u,rev_total_bytes_exported=0u,protocol="udp",vlan_src=0u -netflow,source=127.0.0.1,version=IPFIX in_total_packets=68u,last_switched=18u,in_total_bytes=70228u,dst="34.149.140.181",src_tos="0x00",flow_start_ms=1666345513832u,rev_total_bytes_exported=0u,protocol="udp",vlan_src=0u,total_bytes_exported=0u,src="192.168.119.100",src_port=57795u,dst_port=443u,flow_end_reason="forced end",flow_end_ms=1666345514328u -netflow,source=127.0.0.1,version=IPFIX in_total_packets=4u,src="192.168.119.100",dst="239.255.255.250",src_port=57622u,protocol="udp",vlan_src=0u,src_tos="0x00",flow_start_ms=1666345512753u,flow_end_ms=1666345515756u,in_total_bytes=784u,dst_port=1900u,total_bytes_exported=1u,flow_end_reason="forced end" -netflow,source=127.0.0.1,version=IPFIX flow_start_ms=1666345512531u,in_total_bytes=92215u,src="192.168.119.100",rev_total_bytes_exported=0u,flow_end_reason="forced end",vlan_src=0u,src_tos="0x00",flow_end_ms=1666345519408u,in_total_packets=102u,dst="216.58.212.132",src_port=54458u,dst_port=443u,last_switched=17u,total_bytes_exported=0u,protocol="udp" -netflow,source=127.0.0.1,version=IPFIX dst="13.32.99.76",flow_start_ms=1666345519932u,src="192.168.119.100",vlan_src=0u,flow_end_ms=1666345519942u,flow_end_reason="forced end",dst_port=443u,rev_total_bytes_exported=0u,protocol="tcp",last_switched=10u,in_total_packets=1u,src_port=60758u,src_tos="0x00",in_total_bytes=52u,total_bytes_exported=0u -netflow,source=127.0.0.1,version=IPFIX flow_start_ms=1666345519932u,total_bytes_exported=0u,protocol="tcp",last_switched=10u,vlan_src=0u,src_port=58432u,src_tos="0x00",flow_end_ms=1666345519942u,in_total_bytes=40u,in_total_packets=1u,rev_total_bytes_exported=0u,flow_end_reason="forced end",src="192.168.119.100",dst="104.17.146.91",dst_port=443u -netflow,source=127.0.0.1,version=IPFIX 
dst_port=53u,rev_total_bytes_exported=0u,src_tos="0x00",in_total_bytes=284u,dst="192.168.119.17",last_switched=0u,src_port=36397u,total_bytes_exported=1u,protocol="udp",flow_start_ms=1666345521006u,in_total_packets=2u,flow_end_reason="forced end",vlan_src=0u,flow_end_ms=1666345521006u,src="192.168.119.100" -netflow,source=127.0.0.1,version=IPFIX in_total_packets=2u,dst_port=53u,flow_start_ms=1666345520998u,flow_end_ms=1666345521019u,rev_total_bytes_exported=0u,last_switched=0u,src="192.168.119.100",dst="192.168.119.17",src_port=39786u,flow_end_reason="forced end",vlan_src=0u,src_tos="0x00",in_total_bytes=193u,total_bytes_exported=1u,protocol="udp" -netflow,source=127.0.0.1,version=IPFIX protocol="tcp",src_tos="0x00",flow_start_ms=1666345521006u,flow_end_ms=1666345521032u,rev_total_bytes_exported=0u,total_bytes_exported=0u,vlan_src=0u,in_total_packets=4u,src="192.168.119.100",src_port=52370u,dst_port=443u,flow_end_reason="forced end",last_switched=9u,in_total_bytes=653u,dst="185.199.109.154" -netflow,source=127.0.0.1,version=IPFIX dst="192.168.119.17",dst_port=53u,vlan_src=0u,flow_start_ms=1666345521742u,in_total_packets=2u,flow_end_reason="forced end",last_switched=0u,flow_end_ms=1666345521742u,src_port=44461u,total_bytes_exported=1u,rev_total_bytes_exported=0u,src="192.168.119.100",protocol="udp",src_tos="0x00",in_total_bytes=326u -netflow,source=127.0.0.1,version=IPFIX total_bytes_exported=0u,protocol="tcp",last_switched=9u,vlan_src=0u,flow_end_ms=1666345521771u,in_total_packets=4u,flow_end_reason="forced end",src_port=52376u,rev_total_bytes_exported=0u,in_total_bytes=653u,src="192.168.119.100",dst_port=443u,src_tos="0x00",flow_start_ms=1666345521742u,dst="185.199.109.154" -netflow,source=127.0.0.1,version=IPFIX src="192.168.119.100",rev_total_bytes_exported=0u,last_switched=0u,in_total_bytes=334u,vlan_src=0u,src_tos="0x00",in_total_packets=2u,dst="192.168.119.17",src_port=51858u,total_bytes_exported=1u,flow_end_reason="forced 
end",flow_start_ms=1666345521780u,flow_end_ms=1666345521780u,dst_port=53u,protocol="udp" -netflow,source=127.0.0.1,version=IPFIX flow_end_reason="forced end",src_tos="0x00",in_total_bytes=344u,rev_total_bytes_exported=0u,last_switched=13u,dst_port=53u,vlan_src=0u,flow_start_ms=1666345521780u,flow_end_ms=1666345521794u,src_port=34970u,total_bytes_exported=1u,protocol="udp",in_total_packets=2u,src="192.168.119.100",dst="192.168.119.17" -netflow,source=127.0.0.1,version=IPFIX dst="192.168.119.17",total_bytes_exported=1u,dst_port=53u,rev_total_bytes_exported=0u,flow_start_ms=1666345521813u,src_port=52794u,protocol="udp",flow_end_reason="forced end",vlan_src=0u,flow_end_ms=1666345521836u,in_total_bytes=290u,last_switched=23u,src_tos="0x00",in_total_packets=2u,src="192.168.119.100" -netflow,source=127.0.0.1,version=IPFIX in_total_bytes=318u,total_bytes_exported=1u,vlan_src=0u,src_tos="0x00",dst_port=53u,protocol="udp",flow_end_reason="forced end",flow_start_ms=1666345522036u,in_total_packets=2u,flow_end_ms=1666345522050u,src="192.168.119.100",dst="192.168.119.17",src_port=43629u,rev_total_bytes_exported=0u,last_switched=11u -netflow,source=127.0.0.1,version=IPFIX in_total_packets=2u,flow_end_reason="forced end",vlan_src=0u,flow_end_ms=1666345522240u,dst="192.168.119.17",src="192.168.119.100",total_bytes_exported=1u,rev_total_bytes_exported=0u,protocol="udp",last_switched=0u,src_tos="0x00",in_total_bytes=279u,src_port=48781u,dst_port=53u,flow_start_ms=1666345522229u -netflow,source=127.0.0.1,version=IPFIX src_tos="0x00",flow_start_ms=1666345522279u,dst="192.168.119.17",dst_port=53u,total_bytes_exported=1u,rev_total_bytes_exported=0u,last_switched=0u,in_total_bytes=201u,src_port=43078u,flow_end_reason="forced end",vlan_src=0u,flow_end_ms=1666345522291u,in_total_packets=2u,src="192.168.119.100",protocol="udp" -netflow,source=127.0.0.1,version=IPFIX 
flow_start_ms=1666345521806u,in_total_bytes=19213u,src="192.168.119.100",src_tos="0x00",vlan_src=0u,flow_end_ms=1666345525312u,in_total_packets=98u,src_port=49880u,protocol="tcp",dst_port=443u,total_bytes_exported=0u,rev_total_bytes_exported=0u,last_switched=8u,dst="185.199.111.133",flow_end_reason="forced end" -netflow,source=127.0.0.1,version=IPFIX src="192.168.119.100",src_tos="0x00",flow_start_ms=1666345522240u,flow_end_ms=1666345525417u,vlan_src=0u,total_bytes_exported=0u,protocol="tcp",flow_end_reason="forced end",in_total_packets=15u,dst="140.82.113.21",dst_port=443u,rev_total_bytes_exported=0u,last_switched=102u,in_total_bytes=5660u,src_port=43438u -netflow,source=127.0.0.1,version=IPFIX rev_total_bytes_exported=0u,protocol="tcp",last_switched=9u,flow_start_ms=1666345522291u,in_total_bytes=9678u,dst="140.82.121.6",src_tos="0x00",total_bytes_exported=0u,vlan_src=0u,in_total_packets=50u,src="192.168.119.100",dst_port=443u,flow_end_ms=1666345525576u,src_port=59884u,flow_end_reason="forced end" -netflow,source=127.0.0.1,version=IPFIX rev_total_bytes_exported=0u,flow_end_reason="forced end",flow_end_ms=1666345525645u,in_total_bytes=3896u,in_total_packets=9u,last_switched=0u,src_tos="0x00",protocol="tcp",vlan_src=0u,src="140.82.113.25",dst="192.168.119.100",total_bytes_exported=0u,flow_start_ms=1666345518733u,src_port=443u,dst_port=49448u -netflow,source=127.0.0.1,version=IPFIX src="192.168.119.100",dst="142.250.186.170",rev_total_bytes_exported=0u,in_total_packets=21u,dst_port=443u,protocol="udp",last_switched=18u,vlan_src=0u,flow_start_ms=1666345514168u,flow_end_ms=1666345525871u,in_total_bytes=5520u,total_bytes_exported=0u,flow_end_reason="forced end",src_port=58246u,src_tos="0x00" -netflow,source=127.0.0.1,version=IPFIX flow_end_ms=1666345525880u,dst_port=443u,rev_total_bytes_exported=0u,flow_end_reason="forced 
end",src_tos="0x00",dst="140.82.121.3",src_port=37792u,vlan_src=0u,in_total_packets=212u,total_bytes_exported=0u,protocol="tcp",flow_start_ms=1666345521019u,in_total_bytes=254425u,src="192.168.119.100",last_switched=9u -netflow,source=127.0.0.1,version=IPFIX src="192.168.119.100",total_bytes_exported=1u,flow_end_reason="forced end",vlan_src=0u,flow_end_ms=1666345527739u,in_total_packets=2u,rev_total_bytes_exported=0u,last_switched=0u,flow_start_ms=1666345527739u,dst="192.168.119.17",protocol="udp",in_total_bytes=164u,dst_port=53u,src_port=50077u,src_tos="0x00" +netflow,source=127.0.0.1,version=IPFIX protocol="tcp",dst_port=443u,in_total_bytes=52u,src_tos="0x00",dst="44.233.90.52",src_port=51008u,flow_end_reason="end of flow",in_total_packets=1u,src="192.168.119.100",type_6871_40="0x0000",flow_start_ms=1666345513807u,vlan_src=0u,flow_end_ms=1666345513807u 1684917213504248417 +netflow,source=127.0.0.1,version=IPFIX type_29305_5="0x00",in_total_bytes=80u,type_29305_86="0x00000001",in_total_packets=2u,type_29305_85="0x00000028",flow_end_reason="end of flow",vlan_src=0u,src="192.168.119.100",flow_end_ms=1666345513816u,dst_port=443u,protocol="tcp",type_6871_21="0x00000009",dst="104.17.240.92",type_29305_58="0x0000",type_6871_40="0x0000",type_6871_rev_40="0x0000",flow_start_ms=1666345513807u,src_port=54330u,src_tos="0x00" 1684917213504502791 +netflow,source=127.0.0.1,version=IPFIX src="192.168.119.100",dst="44.233.90.52",type_6871_rev_40="0x0000",dst_port=443u,type_6871_21="0x000000aa",type_6871_40="0x0000",flow_end_reason="end of flow",flow_end_ms=1666345513977u,type_29305_85="0x00000028",type_29305_5="0x00",vlan_src=0u,flow_start_ms=1666345513807u,src_tos="0x00",protocol="tcp",src_port=51024u,type_29305_86="0x00000001",in_total_bytes=52u,in_total_packets=1u,type_29305_58="0x0000" 1684917213504688593 +netflow,source=127.0.0.1,version=IPFIX flow_end_reason="forced 
end",src_port=58246u,src="192.168.119.100",flow_end_ms=1666345513806u,dst_port=53u,flow_start_ms=1666345513806u,in_total_packets=2u,src_tos="0x00",type_29305_58="0x0000",in_total_bytes=140u,type_6871_21="0x00000000",protocol="udp",type_6871_rev_40="0x0000",vlan_src=0u,type_6871_40="0x0001",type_29305_5="0x00",type_29305_85="0x0000009c",type_29305_86="0x00000002",dst="192.168.119.17" 1684917213504857795 +netflow,source=127.0.0.1,version=IPFIX type_29305_86="0x00000002",type_29305_58="0x0000",protocol="udp",type_29305_85="0x000000dd",dst="192.168.119.17",in_total_packets=2u,type_6871_rev_40="0x0000",flow_end_ms=1666345513832u,src="192.168.119.100",src_port=58879u,type_6871_21="0x00000021",vlan_src=0u,flow_end_reason="forced end",type_6871_40="0x0001",flow_start_ms=1666345513799u,type_29305_5="0x00",dst_port=53u,src_tos="0x00",in_total_bytes=112u 1684917213505013747 +netflow,source=127.0.0.1,version=IPFIX protocol="udp",type_6871_rev_40="0x0000",vlan_src=0u,type_6871_40="0x0001",type_29305_58="0x0000",type_29305_5="0x00",dst="192.168.119.17",type_29305_86="0x00000002",src="192.168.119.100",flow_end_ms=1666345514167u,type_29305_85="0x0000020a",dst_port=53u,flow_end_reason="forced end",type_6871_21="0x00000000",src_tos="0x00",src_port=56439u,flow_start_ms=1666345514150u,in_total_packets=2u,in_total_bytes=154u 1684917213505160049 +netflow,source=127.0.0.1,version=IPFIX type_6871_rev_40="0x0000",type_29305_85="0x00011254",dst_port=443u,type_29305_86="0x00000044",flow_start_ms=1666345513832u,src="192.168.119.100",in_total_bytes=5853u,protocol="udp",flow_end_reason="forced end",vlan_src=0u,in_total_packets=43u,type_29305_58="0x0000",type_6871_40="0x0000",flow_end_ms=1666345514328u,src_tos="0x00",src_port=57795u,dst="34.149.140.181",type_29305_5="0x00",type_6871_21="0x00000012" 1684917213505306401 +netflow,source=127.0.0.1,version=IPFIX 
src_tos="0x00",flow_start_ms=1666345512753u,dst="239.255.255.250",src="192.168.119.100",type_6871_40="0x0001",dst_port=1900u,protocol="udp",vlan_src=0u,src_port=57622u,flow_end_ms=1666345515756u,flow_end_reason="forced end",in_total_bytes=784u,in_total_packets=4u 1684917213505453773 +netflow,source=127.0.0.1,version=IPFIX protocol="udp",type_29305_5="0x00",flow_start_ms=1666345512531u,type_6871_21="0x00000011",type_29305_86="0x00000066",type_29305_58="0x0000",flow_end_ms=1666345519408u,dst="216.58.212.132",flow_end_reason="forced end",in_total_bytes=6105u,type_6871_rev_40="0x0000",in_total_packets=60u,vlan_src=0u,src_tos="0x00",dst_port=443u,src_port=54458u,type_6871_40="0x0000",type_29305_85="0x00016837",src="192.168.119.100" 1684917213505487043 +netflow,source=127.0.0.1,version=IPFIX type_6871_rev_40="0x0000",type_29305_86="0x00000001",flow_start_ms=1666345519932u,src_tos="0x00",in_total_bytes=52u,flow_end_ms=1666345519942u,type_29305_58="0x0000",type_6871_21="0x0000000a",in_total_packets=1u,dst="13.32.99.76",src="192.168.119.100",vlan_src=0u,protocol="tcp",src_port=60758u,type_6871_40="0x0000",type_29305_5="0x00",dst_port=443u,flow_end_reason="forced end",type_29305_85="0x00000034" 1684917213505641375 +netflow,source=127.0.0.1,version=IPFIX type_29305_58="0x0000",protocol="tcp",type_6871_21="0x0000000a",src="192.168.119.100",src_tos="0x00",in_total_packets=1u,type_6871_40="0x0000",flow_end_ms=1666345519942u,type_6871_rev_40="0x0000",flow_start_ms=1666345519932u,type_29305_86="0x00000001",in_total_bytes=40u,dst_port=443u,vlan_src=0u,type_29305_5="0x00",type_29305_85="0x00000028",flow_end_reason="forced end",dst="104.17.146.91",src_port=58432u 1684917213505792347 +netflow,source=127.0.0.1,version=IPFIX 
type_6871_rev_40="0x0000",src_port=36397u,flow_start_ms=1666345521006u,type_29305_5="0x00",src_tos="0x00",in_total_bytes=138u,type_29305_85="0x0000011c",type_6871_21="0x00000000",type_6871_40="0x0001",vlan_src=0u,protocol="udp",dst_port=53u,src="192.168.119.100",type_29305_58="0x0000",in_total_packets=2u,type_29305_86="0x00000002",flow_end_ms=1666345521006u,dst="192.168.119.17",flow_end_reason="forced end" 1684917213505948399 +netflow,source=127.0.0.1,version=IPFIX type_29305_58="0x0000",src="192.168.119.100",type_29305_86="0x00000002",flow_end_reason="forced end",in_total_packets=2u,type_6871_21="0x00000000",flow_start_ms=1666345520998u,type_6871_40="0x0001",vlan_src=0u,protocol="udp",type_6871_rev_40="0x0000",src_port=39786u,type_29305_85="0x000000c1",in_total_bytes=112u,dst_port=53u,dst="192.168.119.17",src_tos="0x00",type_29305_5="0x00",flow_end_ms=1666345521019u 1684917213506093831 +netflow,source=127.0.0.1,version=IPFIX dst_port=443u,type_6871_21="0x00000009",flow_start_ms=1666345521006u,vlan_src=0u,type_29305_58="0x0000",src_tos="0x00",src="192.168.119.100",type_6871_40="0x0000",flow_end_ms=1666345521032u,src_port=52370u,type_29305_85="0x0000028d",in_total_bytes=860u,type_6871_rev_40="0x0000",type_29305_5="0x00",flow_end_reason="forced end",type_29305_86="0x00000004",in_total_packets=5u,protocol="tcp",dst="185.199.109.154" 1684917213506254733 +netflow,source=127.0.0.1,version=IPFIX flow_end_ms=1666345521742u,vlan_src=0u,type_6871_40="0x0001",in_total_packets=2u,type_29305_58="0x0000",src_tos="0x00",src_port=44461u,dst="192.168.119.17",type_29305_5="0x00",type_29305_86="0x00000002",type_6871_21="0x00000000",type_29305_85="0x00000146",flow_start_ms=1666345521742u,in_total_bytes=150u,type_6871_rev_40="0x0000",src="192.168.119.100",protocol="udp",dst_port=53u,flow_end_reason="forced end" 1684917213506407245 +netflow,source=127.0.0.1,version=IPFIX src="192.168.119.100",in_total_packets=5u,protocol="tcp",flow_end_reason="forced 
end",flow_start_ms=1666345521742u,type_6871_21="0x00000009",vlan_src=0u,dst="185.199.109.154",type_6871_40="0x0000",type_29305_58="0x0000",type_29305_85="0x0000028d",dst_port=443u,type_29305_5="0x00",flow_end_ms=1666345521771u,in_total_bytes=860u,src_port=52376u,type_29305_86="0x00000004",src_tos="0x00",type_6871_rev_40="0x0000" 1684917213506554437 +netflow,source=127.0.0.1,version=IPFIX type_6871_21="0x00000000",vlan_src=0u,src_tos="0x00",flow_end_reason="forced end",flow_start_ms=1666345521780u,flow_end_ms=1666345521780u,type_6871_40="0x0001",src="192.168.119.100",type_29305_86="0x00000002",protocol="udp",dst_port=53u,type_29305_5="0x00",dst="192.168.119.17",type_29305_58="0x0000",in_total_packets=2u,in_total_bytes=158u,src_port=51858u,type_6871_rev_40="0x0000",type_29305_85="0x0000014e" 1684917213506702419 +netflow,source=127.0.0.1,version=IPFIX type_29305_5="0x00",vlan_src=0u,in_total_bytes=150u,flow_start_ms=1666345521780u,protocol="udp",in_total_packets=2u,dst_port=53u,dst="192.168.119.17",src="192.168.119.100",type_29305_86="0x00000002",src_port=34970u,flow_end_reason="forced end",type_6871_40="0x0001",type_29305_58="0x0000",type_29305_85="0x00000158",type_6871_rev_40="0x0000",src_tos="0x00",flow_end_ms=1666345521794u,type_6871_21="0x0000000d" 1684917213506851241 +netflow,source=127.0.0.1,version=IPFIX type_29305_58="0x0000",vlan_src=0u,type_29305_5="0x00",dst_port=53u,flow_end_ms=1666345521836u,src_port=52794u,type_6871_40="0x0001",flow_start_ms=1666345521813u,type_6871_rev_40="0x0000",in_total_bytes=144u,in_total_packets=2u,type_6871_21="0x00000017",protocol="udp",flow_end_reason="forced end",src_tos="0x00",type_29305_86="0x00000002",type_29305_85="0x00000122",dst="192.168.119.17",src="192.168.119.100" 1684917213507002733 +netflow,source=127.0.0.1,version=IPFIX 
in_total_bytes=142u,in_total_packets=2u,src_port=43629u,src_tos="0x00",dst="192.168.119.17",type_6871_rev_40="0x0000",vlan_src=0u,protocol="udp",type_6871_40="0x0001",type_29305_58="0x0000",dst_port=53u,flow_end_ms=1666345522050u,type_6871_21="0x0000000b",type_29305_5="0x00",src="192.168.119.100",type_29305_86="0x00000002",flow_end_reason="forced end",flow_start_ms=1666345522036u,type_29305_85="0x0000013e" 1684917213507151155 +netflow,source=127.0.0.1,version=IPFIX src_port=48781u,dst_port=53u,protocol="udp",dst="192.168.119.17",type_29305_85="0x00000117",type_29305_5="0x00",src="192.168.119.100",type_6871_40="0x0001",flow_start_ms=1666345522229u,type_6871_21="0x00000000",type_29305_86="0x00000002",type_6871_rev_40="0x0000",flow_end_reason="forced end",vlan_src=0u,src_tos="0x00",in_total_bytes=132u,flow_end_ms=1666345522240u,in_total_packets=2u,type_29305_58="0x0000" 1684917213507318937 +netflow,source=127.0.0.1,version=IPFIX src_tos="0x00",type_29305_58="0x0000",in_total_bytes=120u,src_port=43078u,flow_start_ms=1666345522279u,vlan_src=0u,flow_end_ms=1666345522291u,type_29305_5="0x00",type_6871_rev_40="0x0000",dst_port=53u,type_29305_85="0x000000c9",type_6871_21="0x00000000",in_total_packets=2u,type_29305_86="0x00000002",type_6871_40="0x0001",src="192.168.119.100",protocol="udp",flow_end_reason="forced end",dst="192.168.119.17" 1684917213507703742 +netflow,source=127.0.0.1,version=IPFIX type_29305_58="0x0000",type_29305_86="0x00000062",dst="185.199.111.133",type_6871_rev_40="0x0000",dst_port=443u,flow_start_ms=1666345521806u,vlan_src=0u,type_6871_40="0x0000",type_29305_5="0x00",type_29305_85="0x00004b0d",in_total_bytes=11855u,src_tos="0x00",type_6871_21="0x00000008",in_total_packets=80u,flow_end_ms=1666345525312u,src="192.168.119.100",src_port=49880u,flow_end_reason="forced end",protocol="tcp" 1684917213507860084 +netflow,source=127.0.0.1,version=IPFIX 
type_6871_21="0x00000066",type_29305_58="0x0000",type_29305_5="0x00",type_6871_rev_40="0x0000",type_29305_85="0x0000161c",src_tos="0x00",in_total_packets=16u,flow_end_reason="forced end",dst_port=443u,type_29305_86="0x0000000f",flow_end_ms=1666345525417u,src_port=43438u,protocol="tcp",type_6871_40="0x0000",src="192.168.119.100",flow_start_ms=1666345522240u,in_total_bytes=4552u,dst="140.82.113.21",vlan_src=0u 1684917213508012376 +netflow,source=127.0.0.1,version=IPFIX vlan_src=0u,protocol="tcp",src_tos="0x00",flow_start_ms=1666345522291u,flow_end_ms=1666345525576u,src="192.168.119.100",type_29305_86="0x00000032",in_total_packets=63u,src_port=59884u,dst_port=443u,type_29305_85="0x000025ce",type_29305_58="0x0000",type_29305_5="0x00",dst="140.82.121.6",type_6871_40="0x0000",type_6871_21="0x00000009",in_total_bytes=58028u,flow_end_reason="forced end",type_6871_rev_40="0x0000" 1684917213508167138 +netflow,source=127.0.0.1,version=IPFIX type_29305_86="0x00000009",flow_end_ms=1666345525645u,protocol="tcp",src_port=443u,type_29305_85="0x00000f38",type_29305_5="0x00",flow_end_reason="forced end",dst_port=49448u,dst="192.168.119.100",in_total_packets=7u,type_6871_rev_40="0x0000",src="140.82.113.25",src_tos="0x00",flow_start_ms=1666345518733u,vlan_src=0u,in_total_bytes=659u,type_6871_21="0x00000000",type_29305_58="0x0000",type_6871_40="0x0000" 1684917213508315850 +netflow,source=127.0.0.1,version=IPFIX vlan_src=0u,type_29305_85="0x00001590",src="192.168.119.100",protocol="udp",dst_port=443u,type_29305_58="0x0000",type_29305_86="0x00000015",flow_start_ms=1666345514168u,src_tos="0x00",type_6871_rev_40="0x0000",dst="142.250.186.170",in_total_packets=17u,src_port=58246u,type_6871_21="0x00000012",flow_end_ms=1666345525871u,flow_end_reason="forced end",type_29305_5="0x00",type_6871_40="0x0000",in_total_bytes=3248u 1684917213508463452 +netflow,source=127.0.0.1,version=IPFIX 
dst="140.82.121.3",flow_start_ms=1666345521019u,type_29305_86="0x000000d4",type_6871_40="0x0000",type_29305_85="0x0003e1d9",in_total_packets=125u,protocol="tcp",flow_end_reason="forced end",in_total_bytes=16640u,type_29305_58="0x0000",flow_end_ms=1666345525880u,type_6871_21="0x00000009",type_29305_5="0x00",dst_port=443u,src_tos="0x00",type_6871_rev_40="0x0000",vlan_src=0u,src="192.168.119.100",src_port=37792u 1684917213508608204 +netflow,source=127.0.0.1,version=IPFIX type_6871_40="0x0001",src="192.168.119.100",vlan_src=0u,type_6871_rev_40="0x0000",type_29305_58="0x0000",src_port=50077u,flow_end_ms=1666345527739u,type_29305_5="0x00",flow_start_ms=1666345527739u,in_total_packets=2u,src_tos="0x00",flow_end_reason="forced end",type_6871_21="0x00000000",type_29305_86="0x00000002",dst_port=53u,in_total_bytes=120u,type_29305_85="0x000000a4",protocol="udp",dst="192.168.119.17" 1684917213508754156 diff --git a/plugins/inputs/netflow/testcases/issue_13305/expected.out b/plugins/inputs/netflow/testcases/issue_13305/expected.out new file mode 100644 index 000000000..65045672d --- /dev/null +++ b/plugins/inputs/netflow/testcases/issue_13305/expected.out 
@@ -0,0 +1,2 @@ +netflow,source=127.0.0.1,version=IPFIX ip_version="IPv4",dst_port=44400u,dst_tos="0x00",flow_end_ms=1684767922502u,type_35632_127="0x00000000",flow_start=1684767922u,src="192.168.2.203",flow_end=1684767922u,type_35632_493="0x0000",first_switched=22474460u,type_35632_188="",protocol="udp",in_src_mac="00:50:56:b3:86:e7",type_35632_128="0x00000000",in_snmp=0u,src_mask=0u,out_snmp=0u,type_35632_124="0x00000000",type_35632_494="0x00",in_bytes=122u,type_35632_110="0x00000000",out_dst_mac="00:50:56:b3:a7:f8",type_35632_490="",dst_mask=0u,type_35632_495="0x0000",last_switched=22474460u,in_packets=1u,type_35632_123="0x00000000",dst="189.127.188.175",src_tos="0x00",type_35632_118="0x0025",type_35632_125="0x00000000",next_hop="0.0.0.0",src_port=51413u,tcp_flags="........",flow_start_ms=1684767922502u,type_35632_489="",type_35632_109="0x00000000" 1684848566299341667 +netflow,source=127.0.0.1,version=IPFIX src_mask=0u,out_snmp=0u,type_35632_188="",type_35632_118="0x0025",type_35632_109="0x00000000",type_35632_124="0x00000000",in_packets=1u,dst="177.234.165.79",dst_port=47707u,type_35632_125="0x00000000",tcp_flags="........",flow_end=1684767922u,type_35632_128="0x00000000",protocol="udp",type_35632_490="",dst_mask=0u,last_switched=22474460u,flow_end_ms=1684767922502u,type_35632_489="",in_bytes=86u,type_35632_123="0x00000000",next_hop="0.0.0.0",ip_version="IPv4",src_port=51413u,dst_tos="0x00",type_35632_494="0x00",src="192.168.2.203",type_35632_127="0x00000000",flow_start_ms=1684767922502u,type_35632_493="0x0000",in_src_mac="00:50:56:b3:86:e7",flow_start=1684767922u,first_switched=22474460u,out_dst_mac="00:50:56:b3:a7:f8",src_tos="0x00",type_35632_110="0x00000000",type_35632_495="0x0000",in_snmp=0u 1684848566299737019 
diff --git a/plugins/inputs/netflow/testcases/issue_13305/message-1.bin b/plugins/inputs/netflow/testcases/issue_13305/message-1.bin new file mode 100644 index 000000000..9b7dbd5e6 Binary files /dev/null and b/plugins/inputs/netflow/testcases/issue_13305/message-1.bin differ diff --git a/plugins/inputs/netflow/testcases/issue_13305/message-2.bin b/plugins/inputs/netflow/testcases/issue_13305/message-2.bin new file mode 100644 index 000000000..7683df39d Binary files /dev/null and b/plugins/inputs/netflow/testcases/issue_13305/message-2.bin differ diff --git a/plugins/inputs/netflow/testcases/issue_13305/message-3.bin b/plugins/inputs/netflow/testcases/issue_13305/message-3.bin new file mode 100644 index 000000000..42df8e129 Binary files /dev/null and b/plugins/inputs/netflow/testcases/issue_13305/message-3.bin differ diff --git a/plugins/inputs/netflow/testcases/issue_13305/message-4.bin b/plugins/inputs/netflow/testcases/issue_13305/message-4.bin new file mode 100644 index 000000000..dc5cdf211 Binary files /dev/null and b/plugins/inputs/netflow/testcases/issue_13305/message-4.bin differ diff --git a/plugins/inputs/netflow/testcases/issue_13305/telegraf.conf b/plugins/inputs/netflow/testcases/issue_13305/telegraf.conf new file mode 100644 index 000000000..cfd23d363 --- /dev/null +++ b/plugins/inputs/netflow/testcases/issue_13305/telegraf.conf @@ -0,0 +1,2 @@ +[[inputs.netflow]] + service_address = "udp://127.0.0.1:0" diff --git a/plugins/inputs/netflow/type_conversion.go b/plugins/inputs/netflow/type_conversion.go index 3b7095728..4a690b224 100644 --- a/plugins/inputs/netflow/type_conversion.go +++ b/plugins/inputs/netflow/type_conversion.go @@ -118,6 +118,9 @@ func decodeBool(b []byte) interface{} { } func decodeHex(b []byte) interface{} { + if len(b) == 0 { + return "" + } return "0x" + hex.EncodeToString(b) }