fluent-plugin-netflow 0.2.4 → 0.2.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f06418df4a7d69f282cb471bd2d22600f9dddcd0
-  data.tar.gz: 8415b306a91bcc75381d91d75abe71cd80cd8d7d
+  metadata.gz: a34d06ac33120af173b0714f9c31a41d64a7cd3e
+  data.tar.gz: 0352fe4cc2a9a46035b7ad979e59298aedba5e19
 SHA512:
-  metadata.gz: 55b678d070a64df3b05e69f1d69638e24f04838e20e39ae2a67d6ce7213ee2d4200cab55954d6a3609c430985720c140ad01f9b5bc4b72620e8eb5653b579cb7
-  data.tar.gz: 68241c08abffa8fa0f43a60010a465eb52fa938ebc2b32606ee1d9f2e180d632fd2fafa8f3d4a91e4e8db7a08f330fae25540a7ffbe42b7c54a239b97a79252d
+  metadata.gz: 16adee7943e249eca0669fe08631e1930d67b442edb752a8c8d095321bff41a158e914e868f26eac24857756d24821f03ee9970a6cac7ca73bf39502d6addd79
+  data.tar.gz: 56fc1e35b2ddcaaa7d92098e4818ce486a024dea4d956f437ee16c26c482f40761dd522fe14c5ab01b6e8e53b2a1ed86220ad33a2beeabff954aeb5c18b9f8df

data/VERSION

@@ -1 +1 @@
-0.2.4
+0.2.5

data/lib/fluent/plugin/netflow_fields.yaml

@@ -254,6 +254,30 @@ option:
   95:
   - 4
   - :app_id
+  150:
+  - :uint32
+  - :flowStartSeconds
+  151:
+  - :uint32
+  - :flowEndSeconds
+  152:
+  - :uint64
+  - :flowStartMilliseconds
+  153:
+  - :uint64
+  - :flowEndMilliseconds
+  154:
+  - :uint64
+  - :flowStartMicroseconds
+  155:
+  - :uint64
+  - :flowEndMicroseconds
+  156:
+  - :uint64
+  - :flowStartNanoseconds
+  157:
+  - :uint64
+  - :flowEndNanoseconds
   234:
   - :uint32
   - :ingress_vrf_id

data/lib/fluent/plugin/parser_netflow.rb

@@ -82,6 +82,22 @@ module Fluent
         time.utc.strftime("%Y-%m-%dT%H:%M:%S.%3NZ")
       end
 
+      def format_for_flowSeconds(time)
+        time.utc.strftime("%Y-%m-%dT%H:%M:%S")
+      end
+
+      def format_for_flowMilliSeconds(time)
+        time.utc.strftime("%Y-%m-%dT%H:%M:%S.%3NZ")
+      end
+
+      def format_for_flowMicroSeconds(time)
+        time.utc.strftime("%Y-%m-%dT%H:%M:%S.%6NZ")
+      end
+
+      def format_for_flowNanoSeconds(time)
+        time.utc.strftime("%Y-%m-%dT%H:%M:%S.%9NZ")
+      end
+
       NETFLOW_V5_HEADER_FORMAT = 'nnNNNNnn'
       NETFLOW_V5_HEADER_BYTES  = 24
       NETFLOW_V5_RECORD_FORMAT = 'NNNnnNNNNnnnnnnnxx'
@@ -283,10 +299,53 @@ module Fluent
 
           event['flowset_id'] = flowset.flowset_id
 
-          r.each_pair {|k,v| event[k.to_s] = v }
-          unless @switched_times_from_uptime
-            event['first_switched'] = format_for_switched(msec_from_boot_to_time(event['first_switched'], pdu.uptime, time, 0)) if event['first_switched']
-            event['last_switched']  = format_for_switched(msec_from_boot_to_time(event['last_switched'], pdu.uptime, time, 0)) if event['last_switched']
+          r.each_pair do |k, v|
+            case k
+            when :first_switched
+              unless @switched_times_from_uptime
+                event[k.to_s] = format_for_switched(msec_from_boot_to_time(v.snapshot, pdu.uptime, time, 0))
+              end
+            when :last_switched
+              unless @switched_times_from_uptime
+                event[k.to_s] = format_for_switched(msec_from_boot_to_time(v.snapshot, pdu.uptime, time, 0))
+              end
+            when :flowStartSeconds
+              event[k.to_s] = format_for_flowSeconds(Time.at(v.snapshot, 0))
+            when :flowEndSeconds
+              event[k.to_s] = format_for_flowSeconds(Time.at(v.snapshot, 0))
+            when :flowStartMilliseconds
+              divisor = 1_000
+              microseconds = (v.snapshot % 1_000) * 1_000
+              event[k.to_s] = format_for_flowMilliSeconds(Time.at(v.snapshot / divisor, microseconds))
+            when :flowEndMilliseconds
+              divisor = 1_000
+              microseconds = (v.snapshot % 1_000) * 1_000
+              event[k.to_s] = format_for_flowMilliSeconds(Time.at(v.snapshot / divisor, microseconds))
+            when :flowStartMicroseconds
+              divisor = 1_000_000
+              microseconds = (v.snapshot % 1_000_000)
+              event[k.to_s] = format_for_flowMicroSeconds(Time.at(v.snapshot / divisor, microseconds))
+            when :flowEndMicroseconds
+              divisor = 1_000_000
+              microseconds = (v.snapshot % 1_000_000)
+              event[k.to_s] = format_for_flowMicroSeconds(Time.at(v.snapshot / divisor, microseconds))
+            when :flowStartNanoseconds
+              divisor = 1_000_000_000
+              microseconds = (v.snapshot % 1_000_000_000) / 1_000
+              nanoseconds = v.snapshot % 1_000_000_000
+              time_with_nano = Time.at(v.snapshot / divisor, microseconds)
+              time_with_nano.nsec = nanoseconds
+              event[k.to_s]  = format_for_flowNanoSeconds(time_with_nano)
+            when :flowEndNanoseconds
+              divisor = 1_000_000_000
+              microseconds = (v.snapshot % 1_000_000_000) / 1_000
+              nanoseconds = v.snapshot % 1_000_000_000
+              time_with_nano = Time.at(v.snapshot / divisor, microseconds)
+              time_with_nano.nsec = nanoseconds
+              event[k.to_s]  = format_for_flowNanoSeconds(time_with_nano)
+            else
+              event[k.to_s] = v.snapshot
+            end
           end
 
           if sampler_id = r['flow_sampler_id']

data/test/test_parser_netflow9.rb

@@ -15,6 +15,10 @@ class Netflow9ParserTest < Test::Unit::TestCase
     @raw_template ||= File.read(File.expand_path('../dump/netflow.v9.template.dump', __FILE__))
   end
 
+  def raw_flowStartMilliseconds_template
+    @raw_flowStartMilliseconds_template ||= File.read(File.expand_path('../dump/netflow.v9.template.flowStartMilliseconds.dump', __FILE__))
+  end
+
   def raw_mpls_template
     @raw_mpls_template ||= File.read(File.expand_path('../dump/netflow.v9.mpls-template.dump', __FILE__))
   end
@@ -23,6 +27,10 @@ class Netflow9ParserTest < Test::Unit::TestCase
     @raw_data ||= File.read(File.expand_path('../dump/netflow.v9.dump', __FILE__))
   end
 
+  def raw_flowStartMilliseconds_data
+    @raw_flowStartMilliseconds_data ||= File.read(File.expand_path('../dump/netflow.v9.flowStartMilliseconds.dump', __FILE__))
+  end
+
   def raw_mpls_data
     @raw_mpls_data ||= File.read(File.expand_path('../dump/netflow.v9.mpls-data.dump', __FILE__))
   end
@@ -95,6 +103,51 @@ class Netflow9ParserTest < Test::Unit::TestCase
     assert_equal expected_record, parsed.first[1]
   end
 
+  test 'parse netflow v9 binary data (flowStartMilliseconds)' do
+    parser = create_parser
+
+    parsed = []
+    parser.call raw_flowStartMilliseconds_template, DEFAULT_HOST
+    parser.call(raw_flowStartMilliseconds_data, DEFAULT_HOST) do |time, record|
+      parsed << [time, record]
+    end
+
+    assert_equal 1, parsed.size
+    assert_equal Time.parse('2016-02-12T04:02:25Z').to_i, parsed.first[0]
+    expected_record = {
+      # header
+      'version'      => 9,
+      'flow_seq_num' => 4645895,
+      'flowset_id'   => 261,
+
+      # flowset
+      'in_pkts'               => 1,
+      'in_bytes'              => 60,
+      'ipv4_src_addr'         => '192.168.0.1',
+      'ipv4_dst_addr'         => '192.168.0.2',
+      'input_snmp'            => 54,
+      'output_snmp'           => 29,
+      'flowEndMilliseconds'   => '2016-02-12T04:02:09.053Z',
+      'flowStartMilliseconds' => '2016-02-12T04:02:09.053Z',
+      'l4_src_port'           => 80,
+      'l4_dst_port'           => 32822,
+      'src_as'                => 0,
+      'dst_as'                => 65000,
+      'bgp_ipv4_next_hop'     => '192.168.0.3',
+      'src_mask'              => 24,
+      'dst_mask'              => 24,
+      'protocol'              => 6,
+      'tcp_flags'             => 0x12,
+      'src_tos'               => 0x0,
+      'direction'             => 0,
+      'forwarding_status'     => 0b01000000,
+      'flow_sampler_id'       => 1,
+      'ingress_vrf_id'        => 1610612736,
+      'egress_vrf_id'         => 1610612736
+    }
+    assert_equal expected_record, parsed.first[1]
+  end
+
   test 'parse netflow v9 binary data after sampler data is cached' do
     parser = create_parser
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-netflow
 version: !ruby/object:Gem::Version
-  version: 0.2.4
+  version: 0.2.5
 platform: ruby
 authors:
 - Masahiro Nakagawa
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-08-23 00:00:00.000000000 Z
+date: 2016-11-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: fluentd
@@ -93,12 +93,14 @@ files:
 - lib/fluent/plugin/vash.rb
 - test/dump/netflow.v5.dump
 - test/dump/netflow.v9.dump
+- test/dump/netflow.v9.flowStartMilliseconds.dump
 - test/dump/netflow.v9.mpls-data.dump
 - test/dump/netflow.v9.mpls-template.dump
 - test/dump/netflow.v9.sampler.dump
 - test/dump/netflow.v9.sampler_template.dump
 - test/dump/netflow.v9.template.as2.dump
 - test/dump/netflow.v9.template.dump
+- test/dump/netflow.v9.template.flowStartMilliseconds.dump
 - test/helper.rb
 - test/test_in_netflow.rb
 - test/test_parser_netflow.rb
@@ -130,12 +132,14 @@ summary: Netflow plugin for Fluentd
 test_files:
 - test/dump/netflow.v5.dump
 - test/dump/netflow.v9.dump
+- test/dump/netflow.v9.flowStartMilliseconds.dump
 - test/dump/netflow.v9.mpls-data.dump
 - test/dump/netflow.v9.mpls-template.dump
 - test/dump/netflow.v9.sampler.dump
 - test/dump/netflow.v9.sampler_template.dump
 - test/dump/netflow.v9.template.as2.dump
 - test/dump/netflow.v9.template.dump
+- test/dump/netflow.v9.template.flowStartMilliseconds.dump
 - test/helper.rb
 - test/test_in_netflow.rb
 - test/test_parser_netflow.rb