RubyGems - logstash-codec-netflow - Versions diffs - 3.1.4 → 3.2.0 - Mend

logstash-codec-netflow 3.1.4 → 3.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +10 -0
data/CONTRIBUTORS +1 -0
data/lib/logstash/codecs/netflow.rb +112 -87
data/lib/logstash/codecs/netflow/ipfix.yaml +664 -0
data/lib/logstash/codecs/netflow/util.rb +44 -0
data/logstash-codec-netflow.gemspec +1 -1
data/spec/codecs/ipfix_test_netscaler_data.dat +0 -0
data/spec/codecs/ipfix_test_netscaler_tpl.dat +0 -0
data/spec/codecs/netflow_spec.rb +303 -0
metadata +42 -36

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 64fcf9c71a5f61b3d08657aa9330fe84c509130f
-  data.tar.gz: 7b3d28e45b1049e3164fc6e1bec4302aef0390c4
+  metadata.gz: 2c0a3f206c7fe1f106fda91bd4d6ae4859b431cc
+  data.tar.gz: fd0a8240b8b1ea48b5c3c6c200eed186ee9774ee
 SHA512:
-  metadata.gz: 721e9b3d27195d9fbcb97101fb710b4830544d9d7300e00e1fa69feca51eb0a45b3416370b94131ff38bd7edb2a751a33ea017e46d3ebe81d57f929d21d9edc1
-  data.tar.gz: 2596a72bf9fc4a8d738e51ffbdf0da7325207192390e1f21770808bd7e0c487ff333d735b89d559502b2b56c3d024f1ce5a95a24fdcdceaadd0feb50046e9d83
+  metadata.gz: 0d593484718168a9b28a07616eb1a13b8cf4e8911caec611113af342f4b926d184dc935dddc6bf62eab7ec91f14d2957f7ece359000f45247766eb0894ea71a2
+  data.tar.gz: 290c29bd48ac4248575a8cdcbfec95e11f6a19c10264b4939bcda4cc02f147982dbf5ec82b9d3d92ae3aa235dfe88e4316707f8dbc4731dd41ad2f2981f27ed7

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,13 @@
+## 3.2.0
+  - Add Netflow v9/v10 template caching, configurable TTL
+  - Add option for including flowset_id for Netflow v10
+  - Refactor/simplify Netflow v9/v10 templates processing
+  - Add variable length field support
+  - Add OctetArray support
+  - Add Citrix Netscaler (IPFIX) support
+  - Add spec tests and anonymized test data for all of the above
 ## 3.1.4
   - Added support for MPLS labels

data/CONTRIBUTORS CHANGED Viewed

@@ -7,6 +7,7 @@ Contributors:
 * Colin Surprenant (colinsurprenant)
 * Daniel Nägele (analogbyte)
 * Evgeniy Sudyr (ejectck)
+* G.J. Moed (gjmoed)
 * Jordan Sissel (jordansissel)
 * Jorrit Folmer (jorritfolmer)
 * Matt Dainty (bodgit)

data/lib/logstash/codecs/netflow.rb CHANGED Viewed

@@ -2,6 +2,7 @@
 require "logstash/codecs/base"
 require "logstash/namespace"
 require "logstash/timestamp"
+require "logstash/json"
 # The "netflow" codec is used for decoding Netflow v5/v9/v10 (IPFIX) flows.
 #
@@ -22,6 +23,7 @@ require "logstash/timestamp"
 # |OpenBSD pflow         |  y | n  |   y   | http://man.openbsd.org/OpenBSD-current/man4/pflow.4
 # |Mikrotik 6.35.4       |  y |    |   n   | http://wiki.mikrotik.com/wiki/Manual:IP/Traffic_Flow
 # |Ubiquiti Edgerouter X |    | y  |       | With MPLS labels
+# |Citrix Netscaler      |    |    |   y   | Still some unknown fields, labeled netscalerUnknown<id>
 # |===========================================================================================
 #
 # ==== Usage
@@ -63,12 +65,23 @@ require "logstash/timestamp"
 class LogStash::Codecs::Netflow < LogStash::Codecs::Base
   config_name "netflow"
-  # Netflow v9 template cache TTL (minutes)
+  # Netflow v9/v10 template cache TTL (minutes)
   config :cache_ttl, :validate => :number, :default => 4000
+  # Where to save the template cache
+  # This helps speed up processing when restarting logstash
+  # (So you don't have to await the arrival of templates)
+  # cache will save as path/netflow_templates.cache and/or path/ipfix_templates.cache
+  config :cache_save_path, :validate => :path
   # Specify into what field you want the Netflow data.
   config :target, :validate => :string, :default => "netflow"
+  # Only makes sense for ipfix, v9 already includes this
+  # Setting to true will include the flowset_id in events
+  # Allows you to work with sequences, for instance with the aggregate filter
+  config :include_flowset_id, :validate => :boolean, :default => false
   # Specify which Netflow versions you will accept.
   config :versions, :validate => :array, :default => [5, 9, 10]
@@ -137,6 +150,26 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
     # Path to default IPFIX field definitions
     filename = ::File.expand_path('netflow/ipfix.yaml', ::File.dirname(__FILE__))
     @ipfix_fields = load_definitions(filename, @ipfix_definitions)
+    if @cache_save_path
+      if @versions.include?(9)
+        if File.exists?("#{@cache_save_path}/netflow_templates.cache")
+          @netflow_templates_cache = load_templates_cache("#{@cache_save_path}/netflow_templates.cache")
+          @netflow_templates_cache.each{ |key, fields| @netflow_templates[key, @cache_ttl] = BinData::Struct.new(:endian => :big, :fields => fields) }
+        else
+          @netflow_templates_cache = {}
+        end
+      end
+      if @versions.include?(10)
+        if File.exists?("#{@cache_save_path}/ipfix_templates.cache")
+          @ipfix_templates_cache = load_templates_cache("#{@cache_save_path}/ipfix_templates.cache")
+          @ipfix_templates_cache.each{ |key, fields| @ipfix_templates[key, @cache_ttl] = BinData::Struct.new(:endian => :big, :fields => fields) }
+        else
+          @ipfix_templates_cache = {}
+        end
+      end
+    end
   end # def register
   def decode(payload, metadata = nil, &block)
@@ -216,40 +249,27 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
     events = []
     case record.flowset_id
-    when 0
+    when 0..1
       # Template flowset
       record.flowset_data.templates.each do |template|
         catch (:field) do
           fields = []
-          template.record_fields.each do |field|
-            entry = netflow_field_for(field.field_type, field.field_length)
-            throw :field unless entry
-            fields += entry
-          end
-          # We get this far, we have a list of fields
-          #key = "#{flowset.source_id}|#{event["source"]}|#{template.template_id}"
-          if metadata != nil
-            key = "#{flowset.source_id}|#{template.template_id}|#{metadata["host"]}|#{metadata["port"]}"
+          # Template flowset (0) or Options template flowset (1) ?
+          if record.flowset_id == 0
+            template.record_fields.each do |field|
+              entry = netflow_field_for(field.field_type, field.field_length)
+              throw :field unless entry
+              fields += entry
+            end
           else
-            key = "#{flowset.source_id}|#{template.template_id}"
-          end
-          @netflow_templates[key, @cache_ttl] = BinData::Struct.new(:endian => :big, :fields => fields)
-          # Purge any expired templates
-          @netflow_templates.cleanup!
-        end
-      end
-    when 1
-      # Options template flowset
-      record.flowset_data.templates.each do |template|
-        catch (:field) do
-          fields = []
-          template.scope_fields.each do |field|
-            fields << [uint_field(0, field.field_length), NETFLOW9_SCOPES[field.field_type]]
-          end
-          template.option_fields.each do |field|
-            entry = netflow_field_for(field.field_type, field.field_length)
-            throw :field unless entry
-            fields += entry
+            template.scope_fields.each do |field|
+              fields << [uint_field(0, field.field_length), NETFLOW9_SCOPES[field.field_type]]
+            end
+            template.option_fields.each do |field|
+              entry = netflow_field_for(field.field_type, field.field_length)
+              throw :field unless entry
+              fields += entry
+            end
           end
           # We get this far, we have a list of fields
           #key = "#{flowset.source_id}|#{event["source"]}|#{template.template_id}"
@@ -261,6 +281,10 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
           @netflow_templates[key, @cache_ttl] = BinData::Struct.new(:endian => :big, :fields => fields)
           # Purge any expired templates
           @netflow_templates.cleanup!
+          if @cache_save_path
+            @netflow_templates_cache[key] = fields
+            save_templates_cache(@netflow_templates_cache, "#{@cache_save_path}/netflow_templates.cache")
+          end
         end
       end
     when 256..65535
@@ -332,31 +356,17 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
     events = []
     case record.flowset_id
-    when 2
-      # Template flowset
+    when 2..3
       record.flowset_data.templates.each do |template|
         catch (:field) do
           fields = []
-          template.record_fields.each do |field|
+          # Template flowset (2) or Options template flowset (3) ?
+          template_fields = (record.flowset_id == 2) ? template.record_fields : (template.scope_fields.to_ary + template.option_fields.to_ary)
+          template_fields.each do |field|
             field_type = field.field_type
             field_length = field.field_length
             enterprise_id = field.enterprise ? field.enterprise_id : 0
-            if field.field_length == 0xffff
-              # FIXME
-              @logger.warn("Cowardly refusing to deal with variable length encoded field", :type => field_type, :enterprise => enterprise_id)
-              throw :field
-            end
-            if enterprise_id == 0
-              case field_type
-              when 291, 292, 293
-                # FIXME
-                @logger.warn("Cowardly refusing to deal with complex data types", :type => field_type, :enterprise => enterprise_id)
-                throw :field
-              end
-            end
             entry = ipfix_field_for(field_type, enterprise_id, field.field_length)
             throw :field unless entry
             fields += entry
@@ -366,42 +376,10 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
           @ipfix_templates[key, @cache_ttl] = BinData::Struct.new(:endian => :big, :fields => fields)
           # Purge any expired templates
           @ipfix_templates.cleanup!
-        end
-      end
-    when 3
-      # Options template flowset
-      record.flowset_data.templates.each do |template|
-        catch (:field) do
-          fields = []
-          (template.scope_fields.to_ary + template.option_fields.to_ary).each do |field|
-            field_type = field.field_type
-            field_length = field.field_length
-            enterprise_id = field.enterprise ? field.enterprise_id : 0
-            if field.field_length == 0xffff
-              # FIXME
-              @logger.warn("Cowardly refusing to deal with variable length encoded field", :type => field_type, :enterprise => enterprise_id)
-              throw :field
-            end
-            if enterprise_id == 0
-              case field_type
-              when 291, 292, 293
-                # FIXME
-                @logger.warn("Cowardly refusing to deal with complex data types", :type => field_type, :enterprise => enterprise_id)
-                throw :field
-              end
-            end
-            entry = ipfix_field_for(field_type, enterprise_id, field.field_length)
-            throw :field unless entry
-            fields += entry
+          if @cache_save_path
+            @ipfix_templates_cache[key] = fields
+            save_templates_cache(@ipfix_templates_cache, "#{@cache_save_path}/ipfix_templates.cache")
           end
-          # FIXME Source IP address required in key
-          key = "#{flowset.observation_domain_id}|#{template.template_id}"
-          @ipfix_templates[key, @cache_ttl] = BinData::Struct.new(:endian => :big, :fields => fields)
-          # Purge any expired templates
-          @ipfix_templates.cleanup!
         end
       end
     when 256..65535
@@ -427,6 +405,10 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
           event[@target][f] = flowset[f].snapshot
         end
+        if @include_flowset_id
+          event[@target][FLOWSET_ID] = record.flowset_id.snapshot
+        end
         r.each_pair do |k, v|
           case k.to_s
           when /^flow(?:Start|End)Seconds$/
@@ -478,11 +460,51 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
     fields
   end
+  def load_templates_cache(file_path)
+    templates_cache = {}
+    begin
+      templates_cache = JSON.parse(File.read(file_path))
+    rescue Exception => e
+      raise "#{self.class.name}: templates cache file corrupt (#{file_path})"
+    end
+    templates_cache
+  end
+  def save_templates_cache(templates_cache, file_path)
+    begin
+      File.open(file_path, 'w') {|file| file.write templates_cache.to_json }
+    rescue Exception => e
+      raise "#{self.class.name}: saving templates cache file failed (#{file_path}) with error #{e}"
+    end
+  end
   def uint_field(length, default)
     # If length is 4, return :uint32, etc. and use default if length is 0
     ("uint" + (((length > 0) ? length : default) * 8).to_s).to_sym
   end # def uint_field
+  def skip_field(field, type, length)
+    if length == 65535
+      field[0] = :VarSkip
+    else
+      field += [nil, {:length => length.to_i}]
+    end
+    field
+  end # def skip_field
+  def string_field(field, type, length)
+    if length == 65535
+      field[0] = :VarString
+    else
+      field[0] = :string
+      field += [{ :length => length.to_i, :trim_padding => true }]
+    end
+    field
+  end # def string_field
   def netflow_field_for(type, length)
     if @netflow_fields.include?(type)
       field = @netflow_fields[type].clone
@@ -494,9 +516,9 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
         # is dynamic
         case field[0]
         when :skip
-          field += [nil, {:length => length}]
+          field += [nil, {:length => length.to_i}]
         when :string
-          field += [{:length => length, :trim_padding => true}]
+          field += [{:length => length.to_i, :trim_padding => true}]
         end
         @logger.debug? and @logger.debug("Definition complete", :field => field)
@@ -528,9 +550,12 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
     if field.is_a?(Array)
       case field[0]
       when :skip
-        field += [nil, {:length => length}]
+        field = skip_field(field, type, length.to_i)
       when :string
-        field += [{:length => length, :trim_padding => true}]
+        field = string_field(field, type, length.to_i)
+      when :octetarray
+        field[0] = :OctetArray
+        field += [{:initial_length => length.to_i}]
       when :uint64
         field[0] = uint_field(length, 8)
       when :uint32

data/lib/logstash/codecs/netflow/ipfix.yaml CHANGED Viewed

@@ -1202,6 +1202,670 @@
   433:
   - :uint64
   - :ignoredLayer2FrameTotalCount
+5951:
+  128:
+  - :uint32
+  - :netscalerRoundTripTime
+  129:
+  - :uint32
+  - :netscalerTransactionId
+  130:
+  - :string
+  - :netscalerHttpReqUrl
+  131:
+  - :string
+  - :netscalerHttpReqCookie
+  132:
+  - :uint64
+  - :netscalerFlowFlags
+  133:
+  - :uint32
+  - :netscalerConnectionId
+  134:
+  - :uint8
+  - :netscalerSyslogPriority
+  135:
+  - :string
+  - :netscalerSyslogMessage
+  136:
+  - :uint64
+  - :netscalerSyslogTimestamp
+  140:
+  - :string
+  - :netscalerHttpReqReferer
+  141:
+  - :string
+  - :netscalerHttpReqMethod
+  142:
+  - :string
+  - :netscalerHttpReqHost
+  143:
+  - :string
+  - :netscalerHttpReqUserAgent
+  144:
+  - :uint16
+  - :netscalerHttpRspStatus
+  145:
+  - :uint64
+  - :netscalerHttpRspLen
+  146:
+  - :uint64
+  - :netscalerServerTTFB
+  147:
+  - :uint64
+  - :netscalerServerTTLB
+  150:
+  - :uint32
+  - :netscalerAppNameIncarnationNumber
+  151:
+  - :uint32
+  - :netscalerAppNameAppId
+  152:
+  - :string
+  - :netscalerAppName
+  153:
+  - :uint64
+  - :netscalerHttpReqRcvFB
+  156:
+  - :uint64
+  - :netscalerHttpReqForwFB
+  157:
+  - :uint64
+  - :netscalerHttpResRcvFB
+  158:
+  - :uint64
+  - :netscalerHttpResForwFB
+  159:
+  - :uint64
+  - :netscalerHttpReqRcvLB
+  160:
+  - :uint64
+  - :netscalerHttpReqForwLB
+  161:
+  - :uint32
+  - :netscalerMainPageId
+  162:
+  - :uint32
+  - :netscalerMainPageCoreId
+  163:
+  - :string
+  - :netscalerHttpClientInteractionStartTime
+  164:
+  - :string
+  - :netscalerHttpClientRenderEndTime
+  165:
+  - :string
+  - :netscalerHttpClientRenderStartTime
+  167:
+  - :string
+  - :netscalerAppTemplateName
+  168:
+  - :string
+  - :netscalerHttpClientInteractionEndTime
+  169:
+  - :uint64
+  - :netscalerHttpResRcvLB
+  170:
+  - :uint64
+  - :netscalerHttpResForwLB
+  171:
+  - :uint32
+  - :netscalerAppUnitNameAppId
+  172:
+  - :uint32
+  - :netscalerDbLoginFlags
+  173:
+  - :uint8
+  - :netscalerDbReqType
+  174:
+  - :uint8
+  - :netscalerDbProtocolName
+  175:
+  - :string
+  - :netscalerDbUserName
+  176:
+  - :string
+  - :netscalerDbDatabaseName
+  177:
+  - :string
+  - :netscalerDbCltHostName
+  178:
+  - :string
+  - :netscalerDbReqString
+  179:
+  - :string
+  - :netscalerDbRespStatusString
+  180:
+  - :uint64
+  - :netscalerDbRespStatus
+  181:
+  - :uint64
+  - :netscalerDbRespLength
+  182:
+  - :uint32
+  - :netscalerClientRTT
+  183:
+  - :string
+  - :netscalerHttpContentType
+  185:
+  - :string
+  - :netscalerHttpReqAuthorization
+  186:
+  - :string
+  - :netscalerHttpReqVia
+  187:
+  - :string
+  - :netscalerHttpResLocation
+  188:
+  - :string
+  - :netscalerHttpResSetCookie
+  189:
+  - :string
+  - :netscalerHttpResSetCookie2
+  190:
+  - :string
+  - :netscalerHttpReqXForwardedFor
+  192:
+  - :octetarray
+  - :netscalerConnectionChainID
+  193:
+  - :uint8
+  - :netscalerConnectionChainHopCount
+  200:
+  - :octetarray
+  - :netscalerICASessionGuid
+  201:
+  - :string
+  - :netscaleIcaClientVersion
+  202:
+  - :uint16
+  - :netscalerIcaClientType
+  203:
+  - :ip4_addr
+  - :netscalerIcaClientIP
+  204:
+  - :string
+  - :netscalerIcaClientHostName
+  205:
+  - :string
+  - :netscalerAaaUsername
+  207:
+  - :string
+  - :netscalerIcaDomainName
+  208:
+  - :uint16
+  - :netscalerIcaClientLauncher
+  209:
+  - :uint32
+  - :netscalerIcaSessionSetupTime
+  210:
+  - :string
+  - :netscalerIcaServerName
+  214:
+  - :uint8
+  - :netscalerIcaSessionReconnects
+  215:
+  - :uint32
+  - :netscalerIcaRTT
+  216:
+  - :uint32
+  - :netscalerIcaClientsideRXBytes
+  217:
+  - :uint32
+  - :netscalerIcaClientsideTXBytes
+  219:
+  - :uint16
+  - :netscalerIcaClientsidePacketsRetransmit
+  220:
+  - :uint16
+  - :netscalerIcaServersidePacketsRetransmit
+  221:
+  - :uint32
+  - :netscalerIcaClientsideRTT
+  222:
+  - :uint32
+  - :netscalerIcaServersideRTT
+  223:
+  - :uint32
+  - :netscalerIcaSessionUpdateBeginSec
+  224:
+  - :uint32
+  - :netscalerIcaSessionUpdateEndSec
+  225:
+  - :uint32
+  - :netscalerIcaChannelId1
+  226:
+  - :uint32
+  - :netscalerIcaChannelId1Bytes
+  227:
+  - :uint32
+  - :netscalerIcaChannelId2
+  228:
+  - :uint32
+  - :netscalerIcaChannelId2Bytes
+  229:
+  - :uint32
+  - :netscalerIcaChannelId3
+  230:
+  - :uint32
+  - :netscalerIcaChannelId3Bytes
+  231:
+  - :uint32
+  - :netscalerIcaChannelId4
+  232:
+  - :uint32
+  - :netscalerIcaChannelId4Bytes
+  233:
+  - :uint32
+  - :netscalerIcaChannelId5
+  234:
+  - :uint32
+  - :netscalerIcaChannelId5Bytes
+  235:
+  - :uint16
+  - :netscalerIcaConnectionPriority
+  236:
+  - :uint32
+  - :netscalerApplicationStartupDuration
+  237:
+  - :uint16
+  - :netscalerIcaLaunchMechanism
+  238:
+  - :string
+  - :netscalerIcaApplicationName
+  239:
+  - :uint32
+  - :netscalerApplicationStartupTime
+  240:
+  - :uint16
+  - :netscalerIcaApplicationTerminationType
+  241:
+  - :uint32
+  - :netscalerIcaApplicationTerminationTime
+  242:
+  - :uint32
+  - :netscalerIcaSessionEndTime
+  243:
+  - :uint32
+  - :netscalerIcaClientsideJitter
+  244:
+  - :uint32
+  - :netscalerIcaServersideJitter
+  245:
+  - :uint32
+  - :netscalerIcaAppProcessID
+  246:
+  - :string
+  - :netscalerIcaAppModulePath
+  247:
+  - :uint32
+  - :netscalerIcaDeviceSerialNo
+  248:
+  - :octetarray
+  - :netscalerMsiClientCookie
+  249:
+  - :uint64
+  - :netscalerIcaFlags
+  250:
+  - :string
+  - :netscalerIcaUsername
+  251:
+  - :uint8
+  - :netscalerLicenseType
+  252:
+  - :uint64
+  - :netscalerMaxLicenseCount
+  253:
+  - :uint64
+  - :netscalerCurrentLicenseConsumed
+  254:
+  - :uint32
+  - :netscalerIcaNetworkUpdateStartTime
+  255:
+  - :uint32
+  - :netscalerIcaNetworkUpdateEndTime
+  256:
+  - :uint32
+  - :netscalerIcaClientsideSRTT
+  257:
+  - :uint32
+  - :netscalerIcaServersideSRTT
+  258:
+  - :uint32
+  - :netscalerIcaClientsideDelay
+  259:
+  - :uint32
+  - :netscalerIcaServersideDelay
+  260:
+  - :uint32
+  - :netscalerIcaHostDelay
+  261:
+  - :uint16
+  - :netscalerIcaClientSideWindowSize
+  262:
+  - :uint16
+  - :netscalerIcaServerSideWindowSize
+  263:
+  - :uint16
+  - :netscalerIcaClientSideRTOCount
+  264:
+  - :uint16
+  - :netscalerIcaServerSideRTOCount
+  265:
+  - :uint32
+  - :netscalerIcaL7ClientLatency
+  266:
+  - :uint32
+  - :netscalerIcaL7ServerLatency
+  267:
+  - :string
+  - :netscalerHttpDomainName
+  268:
+  - :uint32
+  - :netscalerCacheRedirClientConnectionCoreID
+  269:
+  - :uint32
+  - :netscalerCacheRedirClientConnectionTransactionID
+  270:
+  - :uint32
+  - :netscalerUnknown270
+  271:
+  - :uint32
+  - :netscalerUnknown271
+  272:
+  - :uint32
+  - :netscalerUnknown272
+  273:
+  - :uint32
+  - :netscalerUnknown273
+  274:
+  - :uint32
+  - :netscalerUnknown274
+  275:
+  - :uint32
+  - :netscalerUnknown275
+  276:
+  - :uint32
+  - :netscalerUnknown276
+  277:
+  - :uint32
+  - :netscalerUnknown277
+  278:
+  - :uint32
+  - :netscalerUnknown278
+  279:
+  - :uint32
+  - :netscalerUnknown279
+  280:
+  - :uint32
+  - :netscalerUnknown280
+  281:
+  - :uint32
+  - :netscalerUnknown281
+  282:
+  - :uint32
+  - :netscalerUnknown282
+  283:
+  - :uint32
+  - :netscalerUnknown283
+  284:
+  - :uint32
+  - :netscalerUnknown284
+  285:
+  - :uint32
+  - :netscalerUnknown285
+  286:
+  - :uint32
+  - :netscalerUnknown286
+  287:
+  - :uint32
+  - :netscalerUnknown287
+  288:
+  - :uint32
+  - :netscalerUnknown288
+  289:
+  - :uint32
+  - :netscalerUnknown289
+  290:
+  - :uint32
+  - :netscalerUnknown290
+  291:
+  - :uint32
+  - :netscalerUnknown291
+  292:
+  - :uint32
+  - :netscalerUnknown292
+  293:
+  - :uint32
+  - :netscalerUnknown293
+  294:
+  - :uint32
+  - :netscalerUnknown294
+  295:
+  - :uint32
+  - :netscalerUnknown295
+  296:
+  - :uint32
+  - :netscalerUnknown296
+  297:
+  - :uint32
+  - :netscalerUnknown297
+  298:
+  - :uint32
+  - :netscalerUnknown298
+  299:
+  - :uint32
+  - :netscalerUnknown299
+  300:
+  - :uint32
+  - :netscalerUnknown300
+  301:
+  - :uint32
+  - :netscalerUnknown301
+  302:
+  - :uint32
+  - :netscalerUnknown302
+  303:
+  - :uint32
+  - :netscalerUnknown303
+  304:
+  - :uint32
+  - :netscalerUnknown304
+  305:
+  - :uint32
+  - :netscalerUnknown305
+  306:
+  - :uint32
+  - :netscalerUnknown306
+  307:
+  - :uint32
+  - :netscalerUnknown307
+  308:
+  - :uint32
+  - :netscalerUnknown308
+  309:
+  - :uint32
+  - :netscalerUnknown309
+  310:
+  - :uint32
+  - :netscalerUnknown310
+  311:
+  - :uint32
+  - :netscalerUnknown311
+  312:
+  - :uint32
+  - :netscalerUnknown312
+  313:
+  - :uint32
+  - :netscalerUnknown313
+  314:
+  - :uint32
+  - :netscalerUnknown314
+  315:
+  - :uint32
+  - :netscalerUnknown315
+  316:
+  - :string
+  - :netscalerUnknown316
+  317:
+  - :uint32
+  - :netscalerUnknown317
+  318:
+  - :uint32
+  - :netscalerUnknown318
+  319:
+  - :string
+  - :netscalerUnknown319
+  320:
+  - :uint16
+  - :netscalerUnknown320
+  321:
+  - :uint32
+  - :netscalerUnknown321
+  322:
+  - :uint32
+  - :netscalerUnknown322
+  323:
+  - :uint16
+  - :netscalerUnknown323
+  324:
+  - :uint16
+  - :netscalerUnknown324
+  325:
+  - :uint16
+  - :netscalerUnknown325
+  326:
+  - :uint16
+  - :netscalerUnknown326
+  327:
+  - :uint32
+  - :netscalerUnknown327
+  328:
+  - :uint16
+  - :netscalerUnknown328
+  329:
+  - :uint16
+  - :netscalerUnknown329
+  330:
+  - :uint16
+  - :netscalerUnknown330
+  331:
+  - :uint16
+  - :netscalerUnknown331
+  332:
+  - :uint32
+  - :netscalerUnknown332
+  333:
+  - :string
+  - :netscalerUnknown333
+  334:
+  - :string
+  - :netscalerUnknown334
+  335:
+  - :uint32
+  - :netscalerUnknown335
+  336:
+  - :uint32
+  - :netscalerUnknown336
+  337:
+  - :uint32
+  - :netscalerUnknown337
+  338:
+  - :uint32
+  - :netscalerUnknown338
+  339:
+  - :uint32
+  - :netscalerUnknown339
+  340:
+  - :uint32
+  - :netscalerUnknown340
+  341:
+  - :uint32
+  - :netscalerUnknown341
+  342:
+  - :uint32
+  - :netscalerUnknown342
+  343:
+  - :uint32
+  - :netscalerUnknown343
+  344:
+  - :uint32
+  - :netscalerUnknown344
+  345:
+  - :uint32
+  - :netscalerUnknown345
+  346:
+  - :uint32
+  - :netscalerUnknown346
+  347:
+  - :uint32
+  - :netscalerUnknown347
+  348:
+  - :uint16
+  - :netscalerUnknown348
+  349:
+  - :string
+  - :netscalerUnknown349
+  350:
+  - :string
+  - :netscalerUnknown350
+  351:
+  - :string
+  - :netscalerUnknown351
+  352:
+  - :uint16
+  - :netscalerUnknown352
+  353:
+  - :uint32
+  - :netscalerUnknown353
+  354:
+  - :uint32
+  - :netscalerUnknown354
+  355:
+  - :uint32
+  - :netscalerUnknown355
+  356:
+  - :uint32
+  - :netscalerUnknown356
+  357:
+  - :uint32
+  - :netscalerUnknown357
+  363:
+  - :octetarray
+  - :netscalerUnknown363
+  383:
+  - :octetarray
+  - :netscalerUnknown383
+  391:
+  - :uint32
+  - :netscalerUnknown391
+  398:
+  - :uint32
+  - :netscalerUnknown398
+  404:
+  - :uint32
+  - :netscalerUnknown404
+  405:
+  - :uint32
+  - :netscalerUnknown405
+  427:
+  - :uint64
+  - :netscalerUnknown427
+  429:
+  - :uint8
+  - :netscalerUnknown429
+  432:
+  - :uint8
+  - :netscalerUnknown432
+  433:
+  - :uint8
+  - :netscalerUnknown433
+  453:
+  - :uint64
+  - :netscalerUnknown453
+  465:
+  - :uint32
+  - :netscalerUnknown465
 29305:
   1:
   - :uint64