logstash-codec-netflow 3.2.2 → 3.3.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +18 -0
- data/CONTRIBUTORS +2 -0
- data/lib/logstash/codecs/netflow.rb +68 -39
- data/lib/logstash/codecs/netflow/netflow.yaml +122 -28
- data/lib/logstash/codecs/netflow/util.rb +3 -3
- data/logstash-codec-netflow.gemspec +1 -1
- data/spec/codecs/netflow9_test_0length_fields_tpl_data.dat +0 -0
- data/spec/codecs/netflow9_test_cisco_asr9k_data256.dat +0 -0
- data/spec/codecs/netflow9_test_cisco_asr9k_data260.dat +0 -0
- data/spec/codecs/netflow9_test_cisco_asr9k_opttpl256.dat +0 -0
- data/spec/codecs/netflow9_test_cisco_asr9k_opttpl257.dat +0 -0
- data/spec/codecs/netflow9_test_cisco_asr9k_opttpl334.dat +0 -0
- data/spec/codecs/netflow9_test_cisco_asr9k_tpl260.dat +0 -0
- data/spec/codecs/netflow9_test_cisco_asr9k_tpl266.dat +0 -0
- data/spec/codecs/netflow9_test_juniper_srx_tplopt.dat +0 -0
- data/spec/codecs/netflow9_test_streamcore_tpl_data256.dat +0 -0
- data/spec/codecs/netflow9_test_streamcore_tpl_data260.dat +0 -0
- data/spec/codecs/netflow_spec.rb +362 -4
- metadata +24 -2
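--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: c13bc81edc56109e3a9c795d38d565d68b40ae44
+data.tar.gz: 30620977b21b47ce7b77c2d54427b34e060ed5c9
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 88656d03bee9bcae65cfe6b0a25830cd5f2d0831c369d38e7e8f24b1dea976bf391d8197d3c355670ac012244a78c958ed6472d9c31514c00b7decf0fcad7559
+data.tar.gz: c269177cae5252f6bb7fc7d475b36c9c956fa71b5a21468c1ad5d0a537b80f7c89ed7a6ea244191f0af77fa85e65ec801a9d4c1b03aaa32f6bbaac3ee49d3cb3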
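--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,21 @@
+## 3.3.0
+
+- Added support for Cisco ASR 9000 (Netflow v9)
+
+## 3.2.5
+
+- Added support for Streamcore StreamGroomer (Netflow v9)
+- Fixed docs so they can generate
+
+## 3.2.4
+
+- Fixed 0-length template field length (Netflow 9)
+
+## 3.2.3
+
+- Fixed 0-length scope field length (Netflow 9, Juniper SRX)
+- Fixed JRuby 9K compatibility
+
 ## 3.2.2
 
 - Added support for VMware VDS IPFIX although field definitions are unknown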
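--- a/data/CONTRIBUTORS
+++ b/data/CONTRIBUTORS
@@ -10,10 +10,12 @@ Contributors:
 * G.J. Moed (gjmoed)
 * Jordan Sissel (jordansissel)
 * Jorrit Folmer (jorritfolmer)
+* Keenan Tims (ktims)
 * Matt Dainty (bodgit)
 * Paul Warren (pwarren)
 * Pier-Hugues Pellerin (ph)
 * Pulkit Agrawal (propulkit)
+* Raju Nair (rajutech76)
 * Richard Pijnenburg (electrical)
 * Salvador Ferrer (salva-ferrer)
 * Will Rigby (wrigby)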
@@ -30,8 +30,8 @@ require "logstash/json"
|
|
30
30
|
#
|
31
31
|
# Example Logstash configuration:
|
32
32
|
#
|
33
|
-
# [source]
|
34
|
-
#
|
33
|
+
# [source, ruby]
|
34
|
+
# --------------------------
|
35
35
|
# input {
|
36
36
|
# udp {
|
37
37
|
# host => localhost
|
@@ -43,24 +43,24 @@ require "logstash/json"
|
|
43
43
|
# }
|
44
44
|
# udp {
|
45
45
|
# host => localhost
|
46
|
-
#
|
47
|
-
#
|
46
|
+
# port => 4739
|
47
|
+
# codec => netflow {
|
48
48
|
# versions => [10]
|
49
49
|
# target => ipfix
|
50
|
-
#
|
51
|
-
#
|
50
|
+
# }
|
51
|
+
# type => ipfix
|
52
52
|
# }
|
53
53
|
# tcp {
|
54
54
|
# host => localhost
|
55
55
|
# port => 4739
|
56
56
|
# codec => netflow {
|
57
57
|
# versions => [10]
|
58
|
-
#
|
58
|
+
# target => ipfix
|
59
59
|
# }
|
60
60
|
# type => ipfix
|
61
61
|
# }
|
62
62
|
# }
|
63
|
-
#
|
63
|
+
# --------------------------
|
64
64
|
|
65
65
|
class LogStash::Codecs::Netflow < LogStash::Codecs::Base
|
66
66
|
config_name "netflow"
|
@@ -89,15 +89,17 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
|
|
89
89
|
#
|
90
90
|
# Each Netflow field is defined like so:
|
91
91
|
#
|
92
|
-
#
|
93
|
-
#
|
94
|
-
#
|
95
|
-
#
|
96
|
-
#
|
97
|
-
#
|
98
|
-
#
|
99
|
-
#
|
100
|
-
#
|
92
|
+
# [source,yaml]
|
93
|
+
# --------------------------
|
94
|
+
# id:
|
95
|
+
# - default length in bytes
|
96
|
+
# - :name
|
97
|
+
# id:
|
98
|
+
# - :uintN or :ip4_addr or :ip6_addr or :mac_addr or :string
|
99
|
+
# - :name
|
100
|
+
# id:
|
101
|
+
# - :skip
|
102
|
+
# --------------------------
|
101
103
|
#
|
102
104
|
# See <https://github.com/logstash-plugins/logstash-codec-netflow/blob/master/lib/logstash/codecs/netflow/netflow.yaml> for the base set.
|
103
105
|
config :netflow_definitions, :validate => :path
|
@@ -107,13 +109,15 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
|
|
107
109
|
# Very similar to the Netflow version except there is a top level Private
|
108
110
|
# Enterprise Number (PEN) key added:
|
109
111
|
#
|
110
|
-
#
|
111
|
-
#
|
112
|
-
#
|
113
|
-
#
|
114
|
-
#
|
115
|
-
#
|
116
|
-
#
|
112
|
+
# [source,yaml]
|
113
|
+
# --------------------------
|
114
|
+
# pen:
|
115
|
+
# id:
|
116
|
+
# - :uintN or :ip4_addr or :ip6_addr or :mac_addr or :string
|
117
|
+
# - :name
|
118
|
+
# id:
|
119
|
+
# - :skip
|
120
|
+
# --------------------------
|
117
121
|
#
|
118
122
|
# There is an implicit PEN 0 for the standard fields.
|
119
123
|
#
|
@@ -186,6 +190,7 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
|
|
186
190
|
yield(decode_netflow5(flowset, record))
|
187
191
|
end
|
188
192
|
elsif header.version == 9
|
193
|
+
# BinData::trace_reading do
|
189
194
|
flowset = Netflow9PDU.read(payload)
|
190
195
|
flowset.records.each do |record|
|
191
196
|
if metadata != nil
|
@@ -193,7 +198,8 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
|
|
193
198
|
else
|
194
199
|
decode_netflow9(flowset, record).each{|event| yield(event)}
|
195
200
|
end
|
196
|
-
end
|
201
|
+
# end
|
202
|
+
end
|
197
203
|
elsif header.version == 10
|
198
204
|
flowset = IpfixPDU.read(payload)
|
199
205
|
flowset.records.each do |record|
|
@@ -254,21 +260,28 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
|
|
254
260
|
record.flowset_data.templates.each do |template|
|
255
261
|
catch (:field) do
|
256
262
|
fields = []
|
263
|
+
template_length = 0
|
257
264
|
# Template flowset (0) or Options template flowset (1) ?
|
258
265
|
if record.flowset_id == 0
|
259
266
|
template.record_fields.each do |field|
|
260
|
-
|
261
|
-
|
262
|
-
|
267
|
+
if field.field_length > 0
|
268
|
+
entry = netflow_field_for(field.field_type, field.field_length, template.template_id)
|
269
|
+
throw :field unless entry
|
270
|
+
fields += entry
|
271
|
+
template_length += field.field_length
|
272
|
+
end
|
263
273
|
end
|
264
274
|
else
|
265
275
|
template.scope_fields.each do |field|
|
266
|
-
|
276
|
+
if field.field_length > 0
|
277
|
+
fields << [uint_field(0, field.field_length), NETFLOW9_SCOPES[field.field_type]]
|
278
|
+
end
|
267
279
|
end
|
268
280
|
template.option_fields.each do |field|
|
269
|
-
entry = netflow_field_for(field.field_type, field.field_length)
|
281
|
+
entry = netflow_field_for(field.field_type, field.field_length, template.template_id)
|
270
282
|
throw :field unless entry
|
271
283
|
fields += entry
|
284
|
+
template_length += field.field_length
|
272
285
|
end
|
273
286
|
end
|
274
287
|
# We get this far, we have a list of fields
|
@@ -279,6 +292,11 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
|
|
279
292
|
key = "#{flowset.source_id}|#{template.template_id}"
|
280
293
|
end
|
281
294
|
@netflow_templates[key, @cache_ttl] = BinData::Struct.new(:endian => :big, :fields => fields)
|
295
|
+
@logger.debug("Received template #{template.template_id} with fields #{fields.inspect}")
|
296
|
+
@logger.debug("Received template #{template.template_id} of size #{template_length} bytes. Representing in #{@netflow_templates[key].num_bytes} BinData bytes")
|
297
|
+
if template_length != @netflow_templates[key].num_bytes
|
298
|
+
@logger.warn("Received template #{template.template_id} of size (#{template_length} bytes) doesn't match BinData representation we built (#{@netflow_templates[key].num_bytes} bytes)")
|
299
|
+
end
|
282
300
|
# Purge any expired templates
|
283
301
|
@netflow_templates.cleanup!
|
284
302
|
if @cache_save_path
|
@@ -300,7 +318,7 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
|
|
300
318
|
unless template
|
301
319
|
#@logger.warn("No matching template for flow id #{record.flowset_id} from #{event["source"]}")
|
302
320
|
@logger.warn("No matching template for flow id #{record.flowset_id}")
|
303
|
-
|
321
|
+
return events
|
304
322
|
end
|
305
323
|
|
306
324
|
length = record.flowset_length - 4
|
@@ -309,7 +327,7 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
|
|
309
327
|
# be at most 3 padding bytes
|
310
328
|
if template.num_bytes > length or ! (length % template.num_bytes).between?(0, 3)
|
311
329
|
@logger.warn("Template length doesn't fit cleanly into flowset", :template_id => record.flowset_id, :template_length => template.num_bytes, :record_length => length)
|
312
|
-
|
330
|
+
return events
|
313
331
|
end
|
314
332
|
|
315
333
|
array = BinData::Array.new(:type => template, :initial_length => length / template.num_bytes)
|
@@ -389,7 +407,7 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
|
|
389
407
|
|
390
408
|
unless template
|
391
409
|
@logger.warn("No matching template for flow id #{record.flowset_id}")
|
392
|
-
|
410
|
+
return events
|
393
411
|
end
|
394
412
|
|
395
413
|
array = BinData::Array.new(:type => template, :read_until => :eof)
|
@@ -507,23 +525,34 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
|
|
507
525
|
field
|
508
526
|
end # def string_field
|
509
527
|
|
510
|
-
def netflow_field_for(type, length)
|
528
|
+
def netflow_field_for(type, length, template_id)
|
511
529
|
if @netflow_fields.include?(type)
|
512
530
|
field = @netflow_fields[type].clone
|
513
531
|
if field.is_a?(Array)
|
514
532
|
|
515
533
|
field[0] = uint_field(length, field[0]) if field[0].is_a?(Integer)
|
516
534
|
|
517
|
-
# Small bit of fixup for
|
518
|
-
# is dynamic
|
519
|
-
|
535
|
+
# Small bit of fixup for:
|
536
|
+
# - skip or string field types where the length is dynamic
|
537
|
+
# - for uint(8|16|24|32} where we use the length as specified by the
|
538
|
+
# template instead of the YAML (e.g. ipv6_flow_label is 3 bytes in
|
539
|
+
# the YAML and Cisco doc, but Cisco ASR9k sends 4 bytes)
|
540
|
+
case field[0]
|
541
|
+
when :uint8
|
542
|
+
field[0] = uint_field(length, field[0])
|
543
|
+
when :uint16
|
544
|
+
field[0] = uint_field(length, field[0])
|
545
|
+
when :uint24
|
546
|
+
field[0] = uint_field(length, field[0])
|
547
|
+
when :uint32
|
548
|
+
field[0] = uint_field(length, field[0])
|
520
549
|
when :skip
|
521
550
|
field += [nil, {:length => length.to_i}]
|
522
551
|
when :string
|
523
552
|
field += [{:length => length.to_i, :trim_padding => true}]
|
524
553
|
end
|
525
554
|
|
526
|
-
@logger.debug? and @logger.debug("
|
555
|
+
@logger.debug? and @logger.debug("Field definition complete for template #{template_id}", :field => field)
|
527
556
|
|
528
557
|
[field]
|
529
558
|
else
|
@@ -531,7 +560,7 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
|
|
531
560
|
nil
|
532
561
|
end
|
533
562
|
else
|
534
|
-
@logger.warn("Unsupported field", :type => type, :length => length)
|
563
|
+
@logger.warn("Unsupported field in template #{template_id}", :type => type, :length => length)
|
535
564
|
nil
|
536
565
|
end
|
537
566
|
end # def netflow_field_for
|
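Review bot: In the template-decoding hunk (new lines 260-299), `template_length` is incremented in the record-field and option-field loops but never in the `template.scope_fields.each` loop, so for an options template with non-zero scope fields the new `template_length != @netflow_templates[key].num_bytes` comparison will be off by the scope bytes and the `@logger.warn` will fire on every such template (assuming `uint_field(0, field.field_length)` yields a field of that many bytes, which is not visible here). A warning that triggers on well-formed input buries the genuinely malformed templates it is meant to surface; adding `template_length += field.field_length` inside the `if field.field_length > 0` guard of the scope loop keeps the two totals comparable. The two added `@logger.debug` calls also interpolate `fields.inspect` unconditionally, and guarding them with `@logger.debug? and`, as `netflow_field_for` already does, would avoid that work for each template packet received. The enclosing method starts and ends outside the hunk.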
@@ -189,8 +189,6 @@
|
|
189
189
|
64:
|
190
190
|
- :uint32
|
191
191
|
- :ipv6_option_headers
|
192
|
-
64:
|
193
|
-
- :skip
|
194
192
|
65:
|
195
193
|
- :skip
|
196
194
|
66:
|
@@ -234,6 +232,9 @@
|
|
234
232
|
148:
|
235
233
|
- :uint32
|
236
234
|
- :conn_id
|
235
|
+
152:
|
236
|
+
- 8
|
237
|
+
- :flow_start_msec
|
237
238
|
176:
|
238
239
|
- :uint8
|
239
240
|
- :icmp_type
|
@@ -246,6 +247,18 @@
|
|
246
247
|
179:
|
247
248
|
- :uint8
|
248
249
|
- :icmp_code_ipv6
|
250
|
+
180:
|
251
|
+
- :uint16
|
252
|
+
- :udp_src_port
|
253
|
+
181:
|
254
|
+
- :uint16
|
255
|
+
- :udp_dst_port
|
256
|
+
182:
|
257
|
+
- :uint16
|
258
|
+
- :tcp_src_port
|
259
|
+
183:
|
260
|
+
- :uint16
|
261
|
+
- :tcp_dst_port
|
249
262
|
201:
|
250
263
|
- mpls_label_stack_octets
|
251
264
|
- mpls_label_stack_octets
|
@@ -261,36 +274,132 @@
|
|
261
274
|
228:
|
262
275
|
- :uint16
|
263
276
|
- :xlate_dst_port
|
277
|
+
231:
|
278
|
+
- :uint32
|
279
|
+
- :fwd_flow_delta_bytes
|
280
|
+
232:
|
281
|
+
- :uint32
|
282
|
+
- :rev_flow_delta_bytes
|
264
283
|
233:
|
265
284
|
- :uint8
|
266
285
|
- :fw_event
|
286
|
+
234:
|
287
|
+
- :uint32
|
288
|
+
- :ingressVRFID
|
289
|
+
235:
|
290
|
+
- :uint32
|
291
|
+
- :egressVRFID
|
292
|
+
236:
|
293
|
+
- :string
|
294
|
+
- :VRFname
|
267
295
|
281:
|
268
296
|
- :ip6_addr
|
269
297
|
- :xlate_src_addr_ipv6
|
270
298
|
282:
|
271
299
|
- :ip6_addr
|
272
300
|
- :xlate_dst_addr_ipv6
|
273
|
-
33002:
|
274
|
-
- :uint16
|
275
|
-
- :fw_ext_event
|
276
301
|
323:
|
277
302
|
- 8
|
278
303
|
- :event_time_msec
|
279
|
-
|
280
|
-
-
|
281
|
-
- :
|
282
|
-
|
283
|
-
- :
|
284
|
-
- :
|
285
|
-
|
304
|
+
361:
|
305
|
+
- :uint16
|
306
|
+
- :postNATPortBlockStart
|
307
|
+
362:
|
308
|
+
- :uint16
|
309
|
+
- :postNATPortBlockEnd
|
310
|
+
8192:
|
286
311
|
- :uint32
|
287
|
-
- :
|
312
|
+
- :streamcore_wan_rtt
|
313
|
+
8193:
|
314
|
+
- :uint32
|
315
|
+
- :streamcore_net_app_resp_time
|
316
|
+
8194:
|
317
|
+
- :uint32
|
318
|
+
- :streamcore_total_app_resp_time
|
319
|
+
8195:
|
320
|
+
- :uint16
|
321
|
+
- :streamcore_tcp_retrans_rate
|
322
|
+
8196:
|
323
|
+
- :uint8
|
324
|
+
- :streamcore_call_direction
|
325
|
+
8256:
|
326
|
+
- :string
|
327
|
+
- :streamcore_hostname
|
328
|
+
8257:
|
329
|
+
- :string
|
330
|
+
- :streamcore_url
|
331
|
+
8258:
|
332
|
+
- :string
|
333
|
+
- :streamcore_ssl_cn
|
334
|
+
8259:
|
335
|
+
- :string
|
336
|
+
- :streamcore_ssl_org
|
337
|
+
8320:
|
338
|
+
- :uint16
|
339
|
+
- :streamcore_mos_lq
|
340
|
+
8321:
|
341
|
+
- :uint16
|
342
|
+
- :streamcore_net_delay
|
343
|
+
8322:
|
344
|
+
- :uint16
|
345
|
+
- :streamcore_net_loss
|
346
|
+
8323:
|
347
|
+
- :uint16
|
348
|
+
- :streamcore_net_jitter
|
349
|
+
8324:
|
350
|
+
- :uint16
|
351
|
+
- :streamcore_net_discard
|
352
|
+
8325:
|
353
|
+
- :uint8
|
354
|
+
- :streamcore_rtp_clockrate_in
|
355
|
+
8326:
|
356
|
+
- :uint8
|
357
|
+
- :streamcore_rtp_clockrate_out
|
358
|
+
8327:
|
359
|
+
- :uint8
|
360
|
+
- :streamcore_codec_in
|
361
|
+
8328:
|
362
|
+
- :uint8
|
363
|
+
- :streamcore_codec_out
|
364
|
+
8384:
|
365
|
+
- :uint32
|
366
|
+
- :streamcore_id_rule_1
|
367
|
+
8385:
|
368
|
+
- :uint32
|
369
|
+
- :streamcore_id_rule_2
|
370
|
+
8386:
|
371
|
+
- :uint32
|
372
|
+
- :streamcore_id_rule_3
|
373
|
+
8387:
|
374
|
+
- :uint32
|
375
|
+
- :streamcore_id_rule_4
|
376
|
+
8388:
|
377
|
+
- :uint32
|
378
|
+
- :streamcore_id_rule_5
|
379
|
+
8389:
|
380
|
+
- :uint32
|
381
|
+
- :streamcore_id_rule_6
|
382
|
+
8390:
|
383
|
+
- :uint32
|
384
|
+
- :streamcore_id_rule_7
|
385
|
+
8391:
|
386
|
+
- :uint32
|
387
|
+
- :streamcore_id_rule_8
|
388
|
+
8392:
|
389
|
+
- :uint32
|
390
|
+
- :streamcore_id_rule_9
|
391
|
+
8393:
|
392
|
+
- :uint32
|
393
|
+
- :streamcore_id_rule_10
|
288
394
|
33000:
|
289
395
|
- :acl_id_asa
|
290
396
|
- :ingress_acl_id
|
291
397
|
33001:
|
292
398
|
- :acl_id_asa
|
293
399
|
- egress_acl_id
|
400
|
+
33002:
|
401
|
+
- :uint16
|
402
|
+
- :fw_ext_event
|
294
403
|
40000:
|
295
404
|
- :string
|
296
405
|
- :username
|
@@ -309,18 +418,3 @@
|
|
309
418
|
40005:
|
310
419
|
- :uint8
|
311
420
|
- :fw_event
|
312
|
-
95:
|
313
|
-
- :uint32
|
314
|
-
- :application_id
|
315
|
-
180:
|
316
|
-
- :uint16
|
317
|
-
- :udp_src_port
|
318
|
-
181:
|
319
|
-
- :uint16
|
320
|
-
- :udp_dst_port
|
321
|
-
182:
|
322
|
-
- :uint16
|
323
|
-
- :tcp_src_port
|
324
|
-
183:
|
325
|
-
- :uint16
|
326
|
-
- :tcp_dst_port
|
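Review bot: The last hunk deletes the trailing `95:` / `:application_id` entry, and unlike fields 180-183, which are re-added in numeric order further up, no visible hunk adds 95 back. If the file has no earlier definition of 95 (not visible here), templates carrying that field would reach the `Unsupported field` warning in `netflow_field_for` and, given the `throw :field unless entry` in the decoder, would not be stored, so flows from those exporters would stop being decoded; please confirm an earlier `95:` entry exists. The first hunk similarly removes the second `64:` entry, so the surviving `:uint32` / `:ipv6_option_headers` definition now applies where `:skip` presumably won before if the YAML loader keeps the later duplicate, which deserves a changelog line.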
@@ -179,15 +179,15 @@ class NetflowOptionFlowset < BinData::Record
|
|
179
179
|
endian :big
|
180
180
|
array :templates, :read_until => lambda { flowset_length - 4 - array.num_bytes <= 2 } do
|
181
181
|
uint16 :template_id
|
182
|
-
uint16 :scope_length
|
183
|
-
uint16 :option_length
|
182
|
+
uint16 :scope_length, :assert => lambda { scope_length > 0 }
|
183
|
+
uint16 :option_length, :assert => lambda { option_length > 0 }
|
184
184
|
array :scope_fields, :initial_length => lambda { scope_length / 4 } do
|
185
185
|
uint16 :field_type
|
186
186
|
uint16 :field_length
|
187
187
|
end
|
188
188
|
array :option_fields, :initial_length => lambda { option_length / 4 } do
|
189
189
|
uint16 :field_type
|
190
|
-
uint16 :field_length
|
190
|
+
uint16 :field_length, :assert => lambda { field_length > 0 }
|
191
191
|
end
|
192
192
|
end
|
193
193
|
skip :length => lambda { templates.length.odd? ? 2 : 0 }
|
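Review bot: The new `:assert` lambdas on `scope_length` and `option_length` only reject zero, while the unchanged `:initial_length` lambdas still compute `scope_length / 4` and `option_length / 4`, so a length that is not a multiple of 4 is accepted and silently truncated, leaving the reader misaligned for the rest of the flowset. Since these values come straight from the packet, consider tightening the checks to `:assert => lambda { scope_length > 0 && scope_length % 4 == 0 }` and the equivalent for `option_length`. A short comment would also help to record why `field_length` inside `scope_fields` is left unasserted while `option_fields` now rejects zero; the changelog's 0-length scope field fix suggests this is deliberate. Whether the caller rescues a failed assertion per packet is not visible here, and the `NetflowOptionFlowset` record begins and ends outside the hunk.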
@@ -1,7 +1,7 @@
|
|
1
1
|
Gem::Specification.new do |s|
|
2
2
|
|
3
3
|
s.name = 'logstash-codec-netflow'
|
4
|
-
s.version = '3.
|
4
|
+
s.version = '3.3.0'
|
5
5
|
s.licenses = ['Apache License (2.0)']
|
6
6
|
s.summary = "The netflow codec is for decoding Netflow v5/v9/v10 (IPFIX) flows."
|
7
7
|
s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
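--- a/data/spec/codecs/netflow_spec.rb
+++ b/data/spec/codecs/netflow_spec.rb
@@ -966,6 +966,186 @@ describe LogStash::Codecs::Netflow do
 
 end
 
+context "Netflow 9 Streamcore" do
+let(:data) do
+packets = []
+packets << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_streamcore_tpl_data256.dat"), :mode => "rb")
+packets << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_streamcore_tpl_data260.dat"), :mode => "rb")
+end
+
+let(:json_events) do
+events = []
+events << <<-END
+{
+"netflow": {
+"in_pkts": 3,
+"first_switched": "2017-01-11T11:47:23.999Z",
+"flowset_id": 256,
+"l4_src_port": 8080,
+"streamcore_id_rule_1": 1171,
+"streamcore_id_rule_2": 1179,
+"in_bytes": 128,
+"protocol": 6,
+"streamcore_id_rule_5": 0,
+"tcp_flags": 19,
+"streamcore_id_rule_3": 1192,
+"streamcore_id_rule_4": 1435,
+"streamcore_net_app_resp_time": 0,
+"l4_dst_port": 50073,
+"output_snmp": 1148,
+"streamcore_call_direction": 1,
+"src_tos": 40,
+"ipv4_dst_addr": "10.231.128.150",
+"version": 9,
+"streamcore_tcp_retrans_rate": 0,
+"flow_seq_num": 2143054578,
+"ipv4_src_addr": "100.78.40.201",
+"input_snmp": 1152,
+"last_switched": "2017-01-11T11:47:29.999Z",
+"streamcore_wan_rtt": 0,
+"streamcore_total_app_resp_time": 0
+},
+"@timestamp": "2017-01-11T11:48:15.000Z",
+"@version": "1"
+}
+END
+
+events << <<-END
+{
+"netflow": {
+"in_pkts": 4,
+"first_switched": "2017-01-11T11:47:23.999Z",
+"flowset_id": 256,
+"l4_src_port": 50073,
+"streamcore_id_rule_1": 1171,
+"streamcore_id_rule_2": 1179,
+"in_bytes": 172,
+"protocol": 6,
+"streamcore_id_rule_5": 0,
+"tcp_flags": 19,
+"streamcore_id_rule_3": 1192,
+"streamcore_id_rule_4": 1435,
+"streamcore_net_app_resp_time": 0,
+"l4_dst_port": 8080,
+"output_snmp": 1152,
+"streamcore_call_direction": 0,
+"src_tos": 40,
+"ipv4_dst_addr": "100.78.40.201",
+"version": 9,
+"streamcore_tcp_retrans_rate": 0,
+"flow_seq_num": 2143054578,
+"ipv4_src_addr": "10.231.128.150",
+"input_snmp": 1148,
+"last_switched": "2017-01-11T11:47:29.999Z",
+"streamcore_wan_rtt": 0,
+"streamcore_total_app_resp_time": 0
+},
+"@timestamp": "2017-01-11T11:48:15.000Z",
+"@version": "1"
+}
+END
+
+events << <<-END
+{
+"netflow": {
+"streamcore_id_rule_10": 0,
+"in_pkts": 10,
+"first_switched": "2017-01-11T11:22:44.999Z",
+"flowset_id": 260,
+"l4_src_port": 8080,
+"reamcore_id_rule_1": 1171,
+"streamcore_id_rule_2": 1179,
+"in_bytes": 3943,
+"protocol": 6,
+"streamcore_id_rule_5": 0,
+"tcp_flags": 26,
+"streamcore_id_rule_6": 0,
+"streamcore_id_rule_3": 1192,
+"streamcore_id_rule_4": 1435,
+"streamcore_id_rule_9": 0,
+"streamcore_id_rule_7": 0,
+"streamcore_id_rule_8": 0,
+"streamcore_net_app_resp_time": 17,
+"l4_dst_port": 53483,
+"output_snmp": 1148,
+"streamcore_hostname": "live.lemde.fr",
+"streamcore_call_direction": 1,
+"src_tos": 40,
+"ipv4_dst_addr": "10.27.8.20",
+"version": 9,
+"streamcore_tcp_retrans_rate": 0,
+"flow_seq_num": 2142545188,
+"ipv4_src_addr": "100.78.40.201",
+"input_snmp": 1152,
+"last_switched": "2017-01-11T11:23:35.999Z",
+"streamcore_url": "\/mux.json",
+"streamcore_wan_rtt": 0,
+"streamcore_total_app_resp_time": 19
+},
+"@timestamp": "2017-01-11T11:23:51.000Z",
+"@version": "1"
+}
+END
+
+events << <<-END
+{
+"netflow": {
+"streamcore_id_rule_10": 0,
+"in_pkts": 11,
+"first_switched": "2017-01-11T11:22:44.999Z",
+"flowset_id": 260,
+"l4_src_port": 53483,
+"streamcore_id_rule_1": 1171,
+"streamcore_id_rule_2": 1179,
+"in_bytes": 3052,
+"protocol": 6,
+"streamcore_id_rule_5": 0,
+"tcp_flags": 26,
+"streamcore_id_rule_6": 0,
+"streamcore_id_rule_3": 1192,
+"streamcore_id_rule_4": 1435,
+"streamcore_id_rule_9": 0,
+"streamcore_id_rule_7": 0,
+"streamcore_id_rule_8": 0,
+"streamcore_net_app_resp_time": 17,
+"l4_dst_port": 8080,
+"output_snmp": 1152,
+"streamcore_hostname": "live.lemde.fr",
+"streamcore_call_direction": 0,
+"src_tos": 40,
+"ipv4_dst_addr": "100.78.40.201",
+"version": 9,
+"streamcore_tcp_retrans_rate": 0,
+"flow_seq_num": 2142545188,
+"ipv4_src_addr": "10.27.8.20",
+"input_snmp": 1148,
+"last_switched": "2017-01-11T11:23:35.999Z",
+"streamcore_url": "\/mux.json",
+"streamcore_wan_rtt": 0,
+"streamcore_total_app_resp_time": 19
+},
+"@timestamp": "2017-01-11T11:23:51.000Z",
+"@version": "1"
+}
+END
+
+events.map{|event| event.gsub(/\s+/, "")}
+end
+
+it "should decode raw data" do
+expect(decode.size).to eq(4)
+expect(decode[0].get("[netflow][streamcore_id_rule_1]")).to eq(1171)
+expect(decode[3].get("[netflow][streamcore_hostname]")).to eq("live.lemde.fr")
+end
+
+it "should serialize to json" do
+expect(JSON.parse(decode[0].to_json)).to eq(JSON.parse(json_events[0]))
+expect(JSON.parse(decode[3].to_json)).to eq(JSON.parse(json_events[3]))
+end
+
+end
+
+
 context "IPFIX Netscaler with variable length fields" do
 let(:data) do
 # this ipfix raw data was produced by a Netscaler appliance and captured with wireshark
@@ -1236,14 +1416,192 @@ describe LogStash::Codecs::Netflow do
 
 it "should serialize to json" do
 expect(JSON.parse(decode[0].to_json)).to eq(JSON.parse(json_events[0]))
-expect(JSON.parse(decode[1].to_json)).to eq(JSON.parse(json_events[1]))
-expect(JSON.parse(decode[2].to_json)).to eq(JSON.parse(json_events[2]))
-expect(JSON.parse(decode[3].to_json)).to eq(JSON.parse(json_events[3]))
-expect(JSON.parse(decode[4].to_json)).to eq(JSON.parse(json_events[4]))
 end
 
 end
 
+context "Juniper SRX options template with 0 scope field length" do
+let(:data) do
+packets = []
+packets << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_juniper_srx_tplopt.dat"), :mode => "rb")
+end
+
+let(:json_events) do
+events = []
+events << <<-END
+{
+"netflow": {
+"flow_seq_num": 338,
+"flowset_id": 256,
+"version":9,
+"sampling_algorithm":2,
+"sampling_interval":1
+},
+"@timestamp":"2016-11-29T00:21:56.000Z",
+"@version":"1"
+}
+END
+events.map{|event| event.gsub(/\s+/, "")}
+end
+
+it "should decode raw data" do
+expect(decode.size).to eq(1)
+expect(decode[0].get("[netflow][sampling_algorithm]")).to eq(2)
+end
+
+it "should serialize to json" do
+expect(JSON.parse(decode[0].to_json)).to eq(JSON.parse(json_events[0]))
+end
+
+end
+
+context "Netflow 9 template with 0 length fields" do
+let(:data) do
+packets = []
+packets << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_0length_fields_tpl_data.dat"), :mode => "rb")
+end
+
+let(:json_events) do
+events = []
+events << <<-END
+{
+"netflow":{
+"output_snmp":3,
+"dst_mask":32,
+"in_pkts":0,
+"ipv4_dst_addr":"239.255.255.250",
+"first_switched":"2016-12-23T01:34:52.999Z",
+"flowset_id":256,
+"l4_src_port":0,
+"src_mask":32,
+"version":9,
+"flow_seq_num":100728833,
+"ipv4_src_addr":"192.168.1.33",
+"in_bytes":0,
+"protocol":2,
+"input_snmp":2,
+"last_switched":"2016-12-23T01:34:52.999Z",
+"tcp_flags":0,
+"engine_id":1,
+"out_pkts":1,
+"out_bytes":32,
+"l4_dst_port":0,
+"direction":1
+},
+"@timestamp":"2016-12-23T01:35:31.000Z",
+"@version":"1"
+}
+END
+events.map{|event| event.gsub(/\s+/, "")}
+end
+
+it "should decode raw data" do
+expect(decode.size).to eq(10)
+expect(decode[9].get("[netflow][ipv4_src_addr]")).to eq("192.168.1.33")
+end
+
+it "should serialize to json" do
+expect(JSON.parse(decode[9].to_json)).to eq(JSON.parse(json_events[0]))
+end
+
+end
+
+context "Netflow 9 Cisco ASR 9000 series options template 256" do
+let(:data) do
+packets = []
+packets << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_cisco_asr9k_opttpl256.dat"), :mode => "rb")
+packets << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_cisco_asr9k_data256.dat"), :mode => "rb")
+end
+
+let(:json_events) do
+events = []
+events << <<-END
+{
+"netflow": {
+"flow_seq_num": 24496783,
+"scope_system": 3250896451,
+"input_snmp": 104,
+"if_desc": "TenGigE0_6_0_2",
+"flowset_id": 256,
+"version": 9
+},
+"@timestamp": "2016-12-06T10:09:48.000Z",
+"@version": "1"
+}
+END
+events.map{|event| event.gsub(/\s+/, "")}
+end
+
+it "should decode raw data" do
+expect(decode.size).to eq(19)
+expect(decode[18].get("[netflow][if_desc]")).to eq("TenGigE0_6_0_2")
+end
+
+it "should serialize to json" do
+expect(JSON.parse(decode[18].to_json)).to eq(JSON.parse(json_events[0]))
+end
+
+end
+
+context "Netflow 9 Cisco ASR 9000 series template 260" do
+let(:data) do
+packets = []
+packets << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_cisco_asr9k_tpl260.dat"), :mode => "rb")
+packets << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_cisco_asr9k_data260.dat"), :mode => "rb")
+end
+
+let(:json_events) do
+events = []
+events << <<-END
+{
+"netflow": {
+"dst_as": 64498,
+"forwarding_status": {
+"reason": 0,
+"status": 1
+},
+"in_pkts": 2,
+"first_switched": "2016-12-06T10:08:53.999Z",
+"flowset_id": 260,
+"l4_src_port": 443,
+"in_bytes": 112,
+"protocol": 6,
+"tcp_flags": 18,
+"ingressVRFID": 1610612736,
+"l4_dst_port": 52364,
+"src_as": 15169,
+"direction": 1,
+"output_snmp": 158,
+"dst_mask": 24,
+"ipv4_dst_addr": "10.0.15.38",
+"src_tos": 0,
+"src_mask": 24,
+"version": 9,
+"flow_seq_num": 24495777,
+"ipv4_src_addr": "10.0.29.46",
+"egressVRFID": 1610612736,
+"input_snmp": 75,
+"last_switched": "2016-12-06T10:08:54.999Z",
+"flow_sampler_id": 1,
+"bgp_ipv4_next_hop": "10.0.14.27"
+},
+"@timestamp": "2016-12-06T10:09:24.000Z",
+"@version": "1"
+}
+END
+events.map{|event| event.gsub(/\s+/, "")}
+end
+
+it "should decode raw data" do
+expect(decode.size).to eq(21)
+expect(decode[20].get("[netflow][egressVRFID]")).to eq(1610612736)
+end
+
+it "should serialize to json" do
+expect(JSON.parse(decode[20].to_json)).to eq(JSON.parse(json_events[0]))
+end
+end
+
 end
 
 describe LogStash::Codecs::Netflow, 'missing templates, no template caching configured' do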
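Review bot: In the Streamcore context the third expected event spells a key as `"reamcore_id_rule_1"` rather than `"streamcore_id_rule_1"` (as rendered on this page), and the suite still passes only because the `should serialize to json` example compares `decode[0]` and `decode[3]` and never touches `json_events[1]` or `json_events[2]`. Correcting the key and comparing every event, for example `decode.each_with_index { |e, i| expect(JSON.parse(e.to_json)).to eq(JSON.parse(json_events[i])) }`, would make the fixtures do real work. The second hunk likewise drops the comparisons for `decode[1]` through `decode[4]` in the preceding context without explanation, which narrows coverage of a parser that handles network-supplied input. None of the new contexts feeds a template that violates the `:assert` checks added in util.rb, so the rejection path for malformed option templates is untested.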
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: logstash-codec-netflow
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 3.
|
4
|
+
version: 3.3.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Elastic
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2017-02-12 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|
@@ -90,17 +90,28 @@ files:
|
|
90
90
|
- spec/codecs/netflow5_test_invalid02.dat
|
91
91
|
- spec/codecs/netflow5_test_juniper_mx80.dat
|
92
92
|
- spec/codecs/netflow5_test_microtik.dat
|
93
|
+
- spec/codecs/netflow9_test_0length_fields_tpl_data.dat
|
93
94
|
- spec/codecs/netflow9_test_cisco_asa_1_data.dat
|
94
95
|
- spec/codecs/netflow9_test_cisco_asa_1_tpl.dat
|
95
96
|
- spec/codecs/netflow9_test_cisco_asa_2_data.dat
|
96
97
|
- spec/codecs/netflow9_test_cisco_asa_2_tpl_26x.dat
|
97
98
|
- spec/codecs/netflow9_test_cisco_asa_2_tpl_27x.dat
|
99
|
+
- spec/codecs/netflow9_test_cisco_asr9k_data256.dat
|
100
|
+
- spec/codecs/netflow9_test_cisco_asr9k_data260.dat
|
101
|
+
- spec/codecs/netflow9_test_cisco_asr9k_opttpl256.dat
|
102
|
+
- spec/codecs/netflow9_test_cisco_asr9k_opttpl257.dat
|
103
|
+
- spec/codecs/netflow9_test_cisco_asr9k_opttpl334.dat
|
104
|
+
- spec/codecs/netflow9_test_cisco_asr9k_tpl260.dat
|
105
|
+
- spec/codecs/netflow9_test_cisco_asr9k_tpl266.dat
|
98
106
|
- spec/codecs/netflow9_test_invalid01.dat
|
107
|
+
- spec/codecs/netflow9_test_juniper_srx_tplopt.dat
|
99
108
|
- spec/codecs/netflow9_test_macaddr_data.dat
|
100
109
|
- spec/codecs/netflow9_test_macaddr_tpl.dat
|
101
110
|
- spec/codecs/netflow9_test_nprobe_data.dat
|
102
111
|
- spec/codecs/netflow9_test_nprobe_tpl.dat
|
103
112
|
- spec/codecs/netflow9_test_softflowd_tpl_data.dat
|
113
|
+
- spec/codecs/netflow9_test_streamcore_tpl_data256.dat
|
114
|
+
- spec/codecs/netflow9_test_streamcore_tpl_data260.dat
|
104
115
|
- spec/codecs/netflow9_test_ubnt_edgerouter_data1024.dat
|
105
116
|
- spec/codecs/netflow9_test_ubnt_edgerouter_data1025.dat
|
106
117
|
- spec/codecs/netflow9_test_ubnt_edgerouter_tpl.dat
|
@@ -147,17 +158,28 @@ test_files:
|
|
147
158
|
- spec/codecs/netflow5_test_invalid02.dat
|
148
159
|
- spec/codecs/netflow5_test_juniper_mx80.dat
|
149
160
|
- spec/codecs/netflow5_test_microtik.dat
|
161
|
+
- spec/codecs/netflow9_test_0length_fields_tpl_data.dat
|
150
162
|
- spec/codecs/netflow9_test_cisco_asa_1_data.dat
|
151
163
|
- spec/codecs/netflow9_test_cisco_asa_1_tpl.dat
|
152
164
|
- spec/codecs/netflow9_test_cisco_asa_2_data.dat
|
153
165
|
- spec/codecs/netflow9_test_cisco_asa_2_tpl_26x.dat
|
154
166
|
- spec/codecs/netflow9_test_cisco_asa_2_tpl_27x.dat
|
167
|
+
- spec/codecs/netflow9_test_cisco_asr9k_data256.dat
|
168
|
+
- spec/codecs/netflow9_test_cisco_asr9k_data260.dat
|
169
|
+
- spec/codecs/netflow9_test_cisco_asr9k_opttpl256.dat
|
170
|
+
- spec/codecs/netflow9_test_cisco_asr9k_opttpl257.dat
|
171
|
+
- spec/codecs/netflow9_test_cisco_asr9k_opttpl334.dat
|
172
|
+
- spec/codecs/netflow9_test_cisco_asr9k_tpl260.dat
|
173
|
+
- spec/codecs/netflow9_test_cisco_asr9k_tpl266.dat
|
155
174
|
- spec/codecs/netflow9_test_invalid01.dat
|
175
|
+
- spec/codecs/netflow9_test_juniper_srx_tplopt.dat
|
156
176
|
- spec/codecs/netflow9_test_macaddr_data.dat
|
157
177
|
- spec/codecs/netflow9_test_macaddr_tpl.dat
|
158
178
|
- spec/codecs/netflow9_test_nprobe_data.dat
|
159
179
|
- spec/codecs/netflow9_test_nprobe_tpl.dat
|
160
180
|
- spec/codecs/netflow9_test_softflowd_tpl_data.dat
|
181
|
+
- spec/codecs/netflow9_test_streamcore_tpl_data256.dat
|
182
|
+
- spec/codecs/netflow9_test_streamcore_tpl_data260.dat
|
161
183
|
- spec/codecs/netflow9_test_ubnt_edgerouter_data1024.dat
|
162
184
|
- spec/codecs/netflow9_test_ubnt_edgerouter_data1025.dat
|
163
185
|
- spec/codecs/netflow9_test_ubnt_edgerouter_tpl.dat
|