logstash-codec-netflow 3.3.0 → 3.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: c13bc81edc56109e3a9c795d38d565d68b40ae44
-  data.tar.gz: 30620977b21b47ce7b77c2d54427b34e060ed5c9
+  metadata.gz: ffbcfb5f7060a15a914f28a8dc4060d3c4bb0249
+  data.tar.gz: 64d0ef8ea3727572035c681d8278c0fe7c4cdb85
 SHA512:
-  metadata.gz: 88656d03bee9bcae65cfe6b0a25830cd5f2d0831c369d38e7e8f24b1dea976bf391d8197d3c355670ac012244a78c958ed6472d9c31514c00b7decf0fcad7559
-  data.tar.gz: c269177cae5252f6bb7fc7d475b36c9c956fa71b5a21468c1ad5d0a537b80f7c89ed7a6ea244191f0af77fa85e65ec801a9d4c1b03aaa32f6bbaac3ee49d3cb3
+  metadata.gz: b167a1d6300bf833673be39852d55895fee81994098a174ef5def894a183d0554c41bef7c89ae21755a052c20053c35a2b93ab44cd35b888c5a68c71c33bdb0e
+  data.tar.gz: 7f12d909b7c1fc92586b488e3501d4f315d9460f5184b68d72aa883353af4153e2e6523e8f546fa55f273ae0078cd5bb2374329ef5a5a8053cbfc6b8af081bc2

data/CONTRIBUTORS

@@ -6,6 +6,7 @@ Contributors:
 * Adam Kaminski (thimslugga)
 * Colin Surprenant (colinsurprenant)
 * Daniel Nägele (analogbyte)
+* Diyaldine Maoulida
 * Evgeniy Sudyr (ejectck)
 * G.J. Moed (gjmoed)
 * Jordan Sissel (jordansissel)

data/lib/logstash/codecs/netflow.rb

@@ -2,7 +2,8 @@
 require "logstash/codecs/base"
 require "logstash/namespace"
 require "logstash/timestamp"
-require "logstash/json"
+#require "logstash/json"
+require "json"
 
 # The "netflow" codec is used for decoding Netflow v5/v9/v10 (IPFIX) flows.
 #
@@ -263,6 +264,7 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
           template_length = 0
           # Template flowset (0) or Options template flowset (1) ?
           if record.flowset_id == 0
+            @logger.debug? and @logger.debug("Start processing template")
             template.record_fields.each do |field|
               if field.field_length > 0
                 entry = netflow_field_for(field.field_type, field.field_length, template.template_id)
@@ -272,10 +274,12 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
               end
             end
           else
+            @logger.debug? and @logger.debug("Start processing options template")
             template.scope_fields.each do |field|
               if field.field_length > 0
                 fields << [uint_field(0, field.field_length), NETFLOW9_SCOPES[field.field_type]]
               end
+              template_length += field.field_length
             end
             template.option_fields.each do |field|
               entry = netflow_field_for(field.field_type, field.field_length, template.template_id)
@@ -295,7 +299,7 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
           @logger.debug("Received template #{template.template_id} with fields #{fields.inspect}")
           @logger.debug("Received template #{template.template_id} of size #{template_length} bytes. Representing in #{@netflow_templates[key].num_bytes} BinData bytes")
           if template_length != @netflow_templates[key].num_bytes
-            @logger.warn("Received template #{template.template_id} of size (#{template_length} bytes) doesn't match BinData representation we built (#{@netflow_templates[key].num_bytes} bytes)")
+            @logger.warn("Received template #{template.template_id} of size #{template_length} bytes doesn't match BinData representation we built (#{@netflow_templates[key].num_bytes} bytes)")
           end
           # Purge any expired templates
           @netflow_templates.cleanup!
@@ -308,6 +312,7 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
     when 256..65535
       # Data flowset
       #key = "#{flowset.source_id}|#{event["source"]}|#{record.flowset_id}"
+      @logger.debug? and @logger.debug("Start processing data flowset #{record.flowset_id}")
       if metadata != nil
         key = "#{flowset.source_id}|#{record.flowset_id}|#{metadata["host"]}|#{metadata["port"]}"
       else
@@ -333,7 +338,9 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
       array = BinData::Array.new(:type => template, :initial_length => length / template.num_bytes)
       records = array.read(record.flowset_data)
 
+      flowcounter = 1
       records.each do |r|
+        @logger.debug? and @logger.debug("Start processing flow #{flowcounter} from data flowset id #{record.flowset_id}")
         event = {
           LogStash::Event::TIMESTAMP => LogStash::Timestamp.at(flowset.unix_sec),
           @target => {}
@@ -360,6 +367,7 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
         end
 
         events << LogStash::Event.new(event)
+        flowcounter += 1
       end
     else
       @logger.warn("Unsupported flowset id #{record.flowset_id}")

data/lib/logstash/codecs/netflow/netflow.yaml

@@ -223,9 +223,15 @@
 89:
 - :forwarding_status
 - :forwarding_status
+94:
+- :string
+- :application_description
 95:
-- :uint32
 - :application_id
+- :application_id
+96:
+- :string
+- :application_name
 136:
 - :uint8
 - :flow_end_reason
@@ -259,6 +265,12 @@
 183:
 - :uint16
 - :tcp_dst_port
+194:
+- :uint8
+- :ip_tos
+195:
+- :uint8
+- :ip_dscp
 201:
 - mpls_label_stack_octets
 - mpls_label_stack_octets

data/lib/logstash/codecs/netflow/util.rb

@@ -108,6 +108,22 @@ class Forwarding_Status < BinData::Record
   bit6   :reason
 end
 
+class Application_Id < BinData::Primitive
+  endian :big
+  uint8  :classification_id
+  uint24 :selector_id
+
+  def set(val)
+    self.classification_id=val.to_i<<24
+    self.selector_id = val.to_i-((val.to_i>>24)<<24)
+  end
+
+  def get
+    self.classification_id.to_s + ":" + self.selector_id.to_s
+  end
+
+end
+
 class OctetArray < BinData::Primitive
   # arg_processor :octetarray
   mandatory_parameter :initial_length
@@ -177,7 +193,7 @@ end
 
 class NetflowOptionFlowset < BinData::Record
   endian :big
-  array  :templates, :read_until => lambda { flowset_length - 4 - array.num_bytes <= 2 } do
+  array  :templates, :read_until => lambda { array.num_bytes == flowset_length - 4 } do
     uint16 :template_id
     uint16 :scope_length, :assert => lambda { scope_length > 0 }
     uint16 :option_length, :assert => lambda { option_length > 0 }
@@ -189,8 +205,8 @@ class NetflowOptionFlowset < BinData::Record
       uint16 :field_type
       uint16 :field_length, :assert => lambda { field_length > 0 }
     end
+    string  :padding, :read_length => lambda { flowset_length - 4 - scope_length - option_length - 2 - 2 -2}
   end
-  skip   :length => lambda { templates.length.odd? ? 2 : 0 }
 end
 
 class Netflow9PDU < BinData::Record

data/logstash-codec-netflow.gemspec

@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 
   s.name            = 'logstash-codec-netflow'
-  s.version         = '3.3.0'
+  s.version         = '3.4.0'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "The netflow codec is for decoding Netflow v5/v9/v10 (IPFIX) flows."
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"

data/spec/codecs/netflow_spec.rb

@@ -300,7 +300,7 @@ describe LogStash::Codecs::Netflow do
     end
   end
 
-  context "Netflow 9 multple netflow exporters" do
+  context "Netflow 9 multiple netflow exporters" do
     let(:data) do
       # This tests whether a template from a 2nd netflow exporter overwrites the template sent from the first.
       # In this test the 3rd packet (from nprobe) should still decode succesfully.
@@ -1602,6 +1602,102 @@ describe LogStash::Codecs::Netflow do
     end
   end
 
+  context "Netflow 9 Cisco NBAR options template 260" do
+    let(:data) do
+      packets = []
+      packets << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_cisco_nbar_opttpl260.dat"), :mode => "rb")
+    end
+
+    let(:json_events) do
+      events = []
+      events << <<-END
+        {
+          "netflow": {
+            "flow_seq_num": 655860,
+            "scope_system": 168755571,
+            "application_name": "argus",
+            "application_description": "ARGUS",
+            "flowset_id": 260,
+            "version": 9,
+            "application_id": "1:13"
+          },
+          "@timestamp": "2017-02-14T11:09:59.000Z",
+          "@version": "1"
+        }
+        END
+      events.map{|event| event.gsub(/\s+/, "")}
+    end
+
+    it "should decode raw data" do
+      expect(decode.size).to eq(15)
+      expect(decode[14].get("[netflow][application_id]")).to eq("1:13")
+      expect(decode[14].get("[netflow][application_description]")).to eq("ARGUS")
+    end
+
+    it "should serialize to json" do
+      expect(JSON.parse(decode[14].to_json)).to eq(JSON.parse(json_events[0]))
+    end
+  end
+
+  context "Netflow 9 Cisco NBAR flowset 262" do
+    let(:data) do
+      packets = []
+      packets << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_cisco_nbar_tpl262.dat"), :mode => "rb")
+      packets << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_cisco_nbar_data262.dat"), :mode => "rb")
+    end
+
+    let(:json_events) do
+      events = []
+      events << <<-END
+        {
+          "netflow": {
+            "dst_as": 0,
+            "in_pkts": 36,
+            "ipv4_src_prefix": "0.0.0.0",
+            "first_switched": "2017-02-14T11:10:20.999Z",
+            "flowset_id": 262,
+            "l4_src_port": 45269,
+            "ipv4_next_hop": "0.0.0.0",
+            "protocol": 17,
+            "in_bytes": 2794,
+            "tcp_src_port": 0,
+            "l4_dst_port": 161,
+            "direction": 0,
+            "src_as": 0,
+            "output_snmp": 0,
+            "ip_dscp": 0,
+            "ipv4_ident": 0,
+            "ipv4_dst_addr": "10.30.19.180",
+            "src_tos": 0,
+            "in_dst_mac": "1c:df:0f:7e:c3:58",
+            "udp_dst_port": 161,
+            "src_mask": 0,
+            "version": 9,
+            "application_id": "5:38",
+            "flow_seq_num": 1509134,
+            "ipv4_src_addr": "10.10.172.60",
+            "in_src_mac": "00:18:19:9e:6c:01",
+            "input_snmp": 1,
+            "last_switched": "2017-02-14T11:10:21.999Z",
+            "flow_sampler_id": 0
+          },
+          "@timestamp": "2017-02-14T11:10:36.000Z",
+          "@version": "1"
+        }
+        END
+      events.map{|event| event.gsub(/\s+/, "")}
+    end
+
+    it "should decode raw data" do
+      expect(decode.size).to eq(5)
+      expect(decode[4].get("[netflow][application_id]")).to eq("5:38")
+    end
+
+    it "should serialize to json" do
+      expect(JSON.parse(decode[4].to_json)).to eq(JSON.parse(json_events[0]))
+    end
+  end
+
 end
 
 describe LogStash::Codecs::Netflow, 'missing templates, no template caching configured' do

metadata

@@ -1,16 +1,17 @@
 --- !ruby/object:Gem::Specification
 name: logstash-codec-netflow
 version: !ruby/object:Gem::Version
-  version: 3.3.0
+  version: 3.4.0
 platform: ruby
 authors:
 - Elastic
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-02-12 00:00:00.000000000 Z
+date: 2017-03-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
+  name: logstash-core-plugin-api
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
@@ -19,9 +20,8 @@ dependencies:
     - - <=
       - !ruby/object:Gem::Version
         version: '2.99'
-  name: logstash-core-plugin-api
-  prerelease: false
   type: :runtime
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
@@ -31,99 +31,104 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '2.99'
 - !ruby/object:Gem::Dependency
+  name: bindata
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
         version: 1.5.0
-  name: bindata
-  prerelease: false
   type: :runtime
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
         version: 1.5.0
 - !ruby/object:Gem::Dependency
+  name: logstash-devutils
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
         version: 1.0.0
-  name: logstash-devutils
-  prerelease: false
   type: :development
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
         version: 1.0.0
-description: This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program
+description: This gem is a Logstash plugin required to be installed on top of the
+  Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This
+  gem is not a stand-alone program
 email: info@elastic.co
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- CHANGELOG.md
-- CONTRIBUTORS
-- Gemfile
-- LICENSE
-- NOTICE.TXT
-- README.md
-- lib/logstash/codecs/netflow.rb
 - lib/logstash/codecs/netflow/iana2yaml.rb
 - lib/logstash/codecs/netflow/ipfix.yaml
 - lib/logstash/codecs/netflow/netflow.yaml
 - lib/logstash/codecs/netflow/util.rb
-- logstash-codec-netflow.gemspec
+- lib/logstash/codecs/netflow.rb
 - spec/codecs/ipfix.dat
-- spec/codecs/ipfix_test_netscaler_data.dat
-- spec/codecs/ipfix_test_netscaler_tpl.dat
 - spec/codecs/ipfix_test_openbsd_pflow_data.dat
 - spec/codecs/ipfix_test_openbsd_pflow_tpl.dat
-- spec/codecs/ipfix_test_vmware_vds_data264.dat
-- spec/codecs/ipfix_test_vmware_vds_data266.dat
-- spec/codecs/ipfix_test_vmware_vds_data266_267.dat
-- spec/codecs/ipfix_test_vmware_vds_tpl.dat
 - spec/codecs/netflow5.dat
 - spec/codecs/netflow5_test_invalid01.dat
 - spec/codecs/netflow5_test_invalid02.dat
 - spec/codecs/netflow5_test_juniper_mx80.dat
 - spec/codecs/netflow5_test_microtik.dat
-- spec/codecs/netflow9_test_0length_fields_tpl_data.dat
 - spec/codecs/netflow9_test_cisco_asa_1_data.dat
 - spec/codecs/netflow9_test_cisco_asa_1_tpl.dat
 - spec/codecs/netflow9_test_cisco_asa_2_data.dat
 - spec/codecs/netflow9_test_cisco_asa_2_tpl_26x.dat
 - spec/codecs/netflow9_test_cisco_asa_2_tpl_27x.dat
-- spec/codecs/netflow9_test_cisco_asr9k_data256.dat
-- spec/codecs/netflow9_test_cisco_asr9k_data260.dat
-- spec/codecs/netflow9_test_cisco_asr9k_opttpl256.dat
-- spec/codecs/netflow9_test_cisco_asr9k_opttpl257.dat
-- spec/codecs/netflow9_test_cisco_asr9k_opttpl334.dat
-- spec/codecs/netflow9_test_cisco_asr9k_tpl260.dat
-- spec/codecs/netflow9_test_cisco_asr9k_tpl266.dat
 - spec/codecs/netflow9_test_invalid01.dat
-- spec/codecs/netflow9_test_juniper_srx_tplopt.dat
 - spec/codecs/netflow9_test_macaddr_data.dat
 - spec/codecs/netflow9_test_macaddr_tpl.dat
 - spec/codecs/netflow9_test_nprobe_data.dat
 - spec/codecs/netflow9_test_nprobe_tpl.dat
 - spec/codecs/netflow9_test_softflowd_tpl_data.dat
-- spec/codecs/netflow9_test_streamcore_tpl_data256.dat
-- spec/codecs/netflow9_test_streamcore_tpl_data260.dat
+- spec/codecs/netflow9_test_valid01.dat
+- spec/codecs/netflow9_test_ubnt_edgerouter_tpl.dat
 - spec/codecs/netflow9_test_ubnt_edgerouter_data1024.dat
 - spec/codecs/netflow9_test_ubnt_edgerouter_data1025.dat
-- spec/codecs/netflow9_test_ubnt_edgerouter_tpl.dat
-- spec/codecs/netflow9_test_valid01.dat
+- spec/codecs/ipfix_test_netscaler_data.dat
+- spec/codecs/ipfix_test_netscaler_tpl.dat
+- spec/codecs/ipfix_test_vmware_vds_data264.dat
+- spec/codecs/ipfix_test_vmware_vds_data266.dat
+- spec/codecs/ipfix_test_vmware_vds_data266_267.dat
+- spec/codecs/ipfix_test_vmware_vds_tpl.dat
+- spec/codecs/netflow9_test_0length_fields_tpl_data.dat
+- spec/codecs/netflow9_test_juniper_srx_tplopt.dat
+- spec/codecs/netflow9_test_streamcore_tpl_data256.dat
+- spec/codecs/netflow9_test_streamcore_tpl_data260.dat
+- spec/codecs/netflow9_test_cisco_asr9k_data256.dat
+- spec/codecs/netflow9_test_cisco_asr9k_data260.dat
+- spec/codecs/netflow9_test_cisco_asr9k_opttpl256.dat
+- spec/codecs/netflow9_test_cisco_asr9k_opttpl257.dat
+- spec/codecs/netflow9_test_cisco_asr9k_opttpl334.dat
+- spec/codecs/netflow9_test_cisco_asr9k_tpl260.dat
+- spec/codecs/netflow9_test_cisco_asr9k_tpl266.dat
+- spec/codecs/netflow9_test_cisco_nbar_data262.dat
+- spec/codecs/netflow9_test_cisco_nbar_opttpl260.dat
+- spec/codecs/netflow9_test_cisco_nbar_tpl262.dat
 - spec/codecs/netflow_spec.rb
+- logstash-codec-netflow.gemspec
+- README.md
+- CHANGELOG.md
+- CONTRIBUTORS
+- Gemfile
+- LICENSE
+- NOTICE.TXT
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
 licenses:
 - Apache License (2.0)
 metadata:
   logstash_plugin: 'true'
   logstash_group: codec
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -138,50 +143,53 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.4.8
-signing_key:
+rubyforge_project: 
+rubygems_version: 2.0.14
+signing_key: 
 specification_version: 4
 summary: The netflow codec is for decoding Netflow v5/v9/v10 (IPFIX) flows.
 test_files:
 - spec/codecs/ipfix.dat
-- spec/codecs/ipfix_test_netscaler_data.dat
-- spec/codecs/ipfix_test_netscaler_tpl.dat
 - spec/codecs/ipfix_test_openbsd_pflow_data.dat
 - spec/codecs/ipfix_test_openbsd_pflow_tpl.dat
-- spec/codecs/ipfix_test_vmware_vds_data264.dat
-- spec/codecs/ipfix_test_vmware_vds_data266.dat
-- spec/codecs/ipfix_test_vmware_vds_data266_267.dat
-- spec/codecs/ipfix_test_vmware_vds_tpl.dat
 - spec/codecs/netflow5.dat
 - spec/codecs/netflow5_test_invalid01.dat
 - spec/codecs/netflow5_test_invalid02.dat
 - spec/codecs/netflow5_test_juniper_mx80.dat
 - spec/codecs/netflow5_test_microtik.dat
-- spec/codecs/netflow9_test_0length_fields_tpl_data.dat
 - spec/codecs/netflow9_test_cisco_asa_1_data.dat
 - spec/codecs/netflow9_test_cisco_asa_1_tpl.dat
 - spec/codecs/netflow9_test_cisco_asa_2_data.dat
 - spec/codecs/netflow9_test_cisco_asa_2_tpl_26x.dat
 - spec/codecs/netflow9_test_cisco_asa_2_tpl_27x.dat
-- spec/codecs/netflow9_test_cisco_asr9k_data256.dat
-- spec/codecs/netflow9_test_cisco_asr9k_data260.dat
-- spec/codecs/netflow9_test_cisco_asr9k_opttpl256.dat
-- spec/codecs/netflow9_test_cisco_asr9k_opttpl257.dat
-- spec/codecs/netflow9_test_cisco_asr9k_opttpl334.dat
-- spec/codecs/netflow9_test_cisco_asr9k_tpl260.dat
-- spec/codecs/netflow9_test_cisco_asr9k_tpl266.dat
 - spec/codecs/netflow9_test_invalid01.dat
-- spec/codecs/netflow9_test_juniper_srx_tplopt.dat
 - spec/codecs/netflow9_test_macaddr_data.dat
 - spec/codecs/netflow9_test_macaddr_tpl.dat
 - spec/codecs/netflow9_test_nprobe_data.dat
 - spec/codecs/netflow9_test_nprobe_tpl.dat
 - spec/codecs/netflow9_test_softflowd_tpl_data.dat
-- spec/codecs/netflow9_test_streamcore_tpl_data256.dat
-- spec/codecs/netflow9_test_streamcore_tpl_data260.dat
+- spec/codecs/netflow9_test_valid01.dat
+- spec/codecs/netflow9_test_ubnt_edgerouter_tpl.dat
 - spec/codecs/netflow9_test_ubnt_edgerouter_data1024.dat
 - spec/codecs/netflow9_test_ubnt_edgerouter_data1025.dat
-- spec/codecs/netflow9_test_ubnt_edgerouter_tpl.dat
-- spec/codecs/netflow9_test_valid01.dat
+- spec/codecs/ipfix_test_netscaler_data.dat
+- spec/codecs/ipfix_test_netscaler_tpl.dat
+- spec/codecs/ipfix_test_vmware_vds_data264.dat
+- spec/codecs/ipfix_test_vmware_vds_data266.dat
+- spec/codecs/ipfix_test_vmware_vds_data266_267.dat
+- spec/codecs/ipfix_test_vmware_vds_tpl.dat
+- spec/codecs/netflow9_test_0length_fields_tpl_data.dat
+- spec/codecs/netflow9_test_juniper_srx_tplopt.dat
+- spec/codecs/netflow9_test_streamcore_tpl_data256.dat
+- spec/codecs/netflow9_test_streamcore_tpl_data260.dat
+- spec/codecs/netflow9_test_cisco_asr9k_data256.dat
+- spec/codecs/netflow9_test_cisco_asr9k_data260.dat
+- spec/codecs/netflow9_test_cisco_asr9k_opttpl256.dat
+- spec/codecs/netflow9_test_cisco_asr9k_opttpl257.dat
+- spec/codecs/netflow9_test_cisco_asr9k_opttpl334.dat
+- spec/codecs/netflow9_test_cisco_asr9k_tpl260.dat
+- spec/codecs/netflow9_test_cisco_asr9k_tpl266.dat
+- spec/codecs/netflow9_test_cisco_nbar_data262.dat
+- spec/codecs/netflow9_test_cisco_nbar_opttpl260.dat
+- spec/codecs/netflow9_test_cisco_nbar_tpl262.dat
 - spec/codecs/netflow_spec.rb