RubyGems - logstash-codec-netflow - Versions diffs - 3.1.4 → 3.2.0 - Mend

logstash-codec-netflow 3.1.4 → 3.2.0

Files changed (11) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +10 -0
data/CONTRIBUTORS +1 -0
data/lib/logstash/codecs/netflow.rb +112 -87
data/lib/logstash/codecs/netflow/ipfix.yaml +664 -0
data/lib/logstash/codecs/netflow/util.rb +44 -0
data/logstash-codec-netflow.gemspec +1 -1
data/spec/codecs/ipfix_test_netscaler_data.dat +0 -0
data/spec/codecs/ipfix_test_netscaler_tpl.dat +0 -0
data/spec/codecs/netflow_spec.rb +303 -0
metadata +42 -36

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 64fcf9c71a5f61b3d08657aa9330fe84c509130f
-  data.tar.gz: 7b3d28e45b1049e3164fc6e1bec4302aef0390c4
+  metadata.gz: 2c0a3f206c7fe1f106fda91bd4d6ae4859b431cc
+  data.tar.gz: fd0a8240b8b1ea48b5c3c6c200eed186ee9774ee
 SHA512:
-  metadata.gz: 721e9b3d27195d9fbcb97101fb710b4830544d9d7300e00e1fa69feca51eb0a45b3416370b94131ff38bd7edb2a751a33ea017e46d3ebe81d57f929d21d9edc1
-  data.tar.gz: 2596a72bf9fc4a8d738e51ffbdf0da7325207192390e1f21770808bd7e0c487ff333d735b89d559502b2b56c3d024f1ce5a95a24fdcdceaadd0feb50046e9d83
+  metadata.gz: 0d593484718168a9b28a07616eb1a13b8cf4e8911caec611113af342f4b926d184dc935dddc6bf62eab7ec91f14d2957f7ece359000f45247766eb0894ea71a2
+  data.tar.gz: 290c29bd48ac4248575a8cdcbfec95e11f6a19c10264b4939bcda4cc02f147982dbf5ec82b9d3d92ae3aa235dfe88e4316707f8dbc4731dd41ad2f2981f27ed7

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,13 @@
+## 3.2.0
+  - Add Netflow v9/v10 template caching, configurable TTL
+  - Add option for including flowset_id for Netflow v10
+  - Refactor/simplify Netflow v9/v10 templates processing
+  - Add variable length field support
+  - Add OctetArray support
+  - Add Citrix Netscaler (IPFIX) support
+  - Add spec tests and anonymized test data for all of the above
 ## 3.1.4
   - Added support for MPLS labels

data/CONTRIBUTORS CHANGED Viewed

@@ -7,6 +7,7 @@ Contributors:
 * Colin Surprenant (colinsurprenant)
 * Daniel Nägele (analogbyte)
 * Evgeniy Sudyr (ejectck)
+* G.J. Moed (gjmoed)
 * Jordan Sissel (jordansissel)
 * Jorrit Folmer (jorritfolmer)
 * Matt Dainty (bodgit)

data/lib/logstash/codecs/netflow.rb CHANGED Viewed

@@ -2,6 +2,7 @@
 require "logstash/codecs/base"
 require "logstash/namespace"
 require "logstash/timestamp"
+require "logstash/json"
 # The "netflow" codec is used for decoding Netflow v5/v9/v10 (IPFIX) flows.
 #
@@ -22,6 +23,7 @@ require "logstash/timestamp"
 # |OpenBSD pflow         |  y | n  |   y   | http://man.openbsd.org/OpenBSD-current/man4/pflow.4
 # |Mikrotik 6.35.4       |  y |    |   n   | http://wiki.mikrotik.com/wiki/Manual:IP/Traffic_Flow
 # |Ubiquiti Edgerouter X |    | y  |       | With MPLS labels
+# |Citrix Netscaler      |    |    |   y   | Still some unknown fields, labeled netscalerUnknown<id>
 # |===========================================================================================
 #
 # ==== Usage
@@ -63,12 +65,23 @@ require "logstash/timestamp"
 class LogStash::Codecs::Netflow < LogStash::Codecs::Base
   config_name "netflow"
-  # Netflow v9 template cache TTL (minutes)
+  # Netflow v9/v10 template cache TTL (minutes)
   config :cache_ttl, :validate => :number, :default => 4000
+  # Where to save the template cache
+  # This helps speed up processing when restarting logstash
+  # (So you don't have to await the arrival of templates)
+  # cache will save as path/netflow_templates.cache and/or path/ipfix_templates.cache
+  config :cache_save_path, :validate => :path
   # Specify into what field you want the Netflow data.
   config :target, :validate => :string, :default => "netflow"
+  # Only makes sense for ipfix, v9 already includes this
+  # Setting to true will include the flowset_id in events
+  # Allows you to work with sequences, for instance with the aggregate filter
+  config :include_flowset_id, :validate => :boolean, :default => false
   # Specify which Netflow versions you will accept.
   config :versions, :validate => :array, :default => [5, 9, 10]
@@ -137,6 +150,26 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
     # Path to default IPFIX field definitions
     filename = ::File.expand_path('netflow/ipfix.yaml', ::File.dirname(__FILE__))
     @ipfix_fields = load_definitions(filename, @ipfix_definitions)
+    if @cache_save_path
+      if @versions.include?(9)
+        if File.exists?("#{@cache_save_path}/netflow_templates.cache")
+          @netflow_templates_cache = load_templates_cache("#{@cache_save_path}/netflow_templates.cache")
+          @netflow_templates_cache.each{ |key, fields| @netflow_templates[key, @cache_ttl] = BinData::Struct.new(:endian => :big, :fields => fields) }
+        else
+          @netflow_templates_cache = {}
+        end
+      end
+      if @versions.include?(10)
+        if File.exists?("#{@cache_save_path}/ipfix_templates.cache")
+          @ipfix_templates_cache = load_templates_cache("#{@cache_save_path}/ipfix_templates.cache")
+          @ipfix_templates_cache.each{ |key, fields| @ipfix_templates[key, @cache_ttl] = BinData::Struct.new(:endian => :big, :fields => fields) }
+        else
+          @ipfix_templates_cache = {}
+        end
+      end
+    end
   end # def register
   def decode(payload, metadata = nil, &block)
@@ -216,40 +249,27 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
     events = []
     case record.flowset_id
-    when 0
+    when 0..1
       # Template flowset
       record.flowset_data.templates.each do |template|
         catch (:field) do
           fields = []
-          template.record_fields.each do |field|
-            entry = netflow_field_for(field.field_type, field.field_length)
-            throw :field unless entry
-            fields += entry
-          end
-          # We get this far, we have a list of fields
-          #key = "#{flowset.source_id}|#{event["source"]}|#{template.template_id}"
-          if metadata != nil
-            key = "#{flowset.source_id}|#{template.template_id}|#{metadata["host"]}|#{metadata["port"]}"
+          # Template flowset (0) or Options template flowset (1) ?
+          if record.flowset_id == 0
+            template.record_fields.each do |field|
+              entry = netflow_field_for(field.field_type, field.field_length)
+              throw :field unless entry
+              fields += entry
+            end
           else
-            key = "#{flowset.source_id}|#{template.template_id}"
-          end
-          @netflow_templates[key, @cache_ttl] = BinData::Struct.new(:endian => :big, :fields => fields)
-          # Purge any expired templates
-          @netflow_templates.cleanup!
-        end
-      end
-    when 1
-      # Options template flowset
-      record.flowset_data.templates.each do |template|
-        catch (:field) do
-          fields = []
-          template.scope_fields.each do |field|
-            fields << [uint_field(0, field.field_length), NETFLOW9_SCOPES[field.field_type]]
-          end
-          template.option_fields.each do |field|
-            entry = netflow_field_for(field.field_type, field.field_length)
-            throw :field unless entry
-            fields += entry
+            template.scope_fields.each do |field|
+              fields << [uint_field(0, field.field_length), NETFLOW9_SCOPES[field.field_type]]
+            end
+            template.option_fields.each do |field|
+              entry = netflow_field_for(field.field_type, field.field_length)
+              throw :field unless entry
+              fields += entry
+            end
           end
           # We get this far, we have a list of fields
           #key = "#{flowset.source_id}|#{event["source"]}|#{template.template_id}"
@@ -261,6 +281,10 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
           @netflow_templates[key, @cache_ttl] = BinData::Struct.new(:endian => :big, :fields => fields)
           # Purge any expired templates
           @netflow_templates.cleanup!
+          if @cache_save_path
+            @netflow_templates_cache[key] = fields
+            save_templates_cache(@netflow_templates_cache, "#{@cache_save_path}/netflow_templates.cache")
+          end
         end
       end
     when 256..65535
@@ -332,31 +356,17 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
     events = []
     case record.flowset_id
-    when 2
-      # Template flowset
+    when 2..3
       record.flowset_data.templates.each do |template|
         catch (:field) do
           fields = []
-          template.record_fields.each do |field|
+          # Template flowset (2) or Options template flowset (3) ?
+          template_fields = (record.flowset_id == 2) ? template.record_fields : (template.scope_fields.to_ary + template.option_fields.to_ary)
+          template_fields.each do |field|
             field_type = field.field_type
             field_length = field.field_length
             enterprise_id = field.enterprise ? field.enterprise_id : 0
-            if field.field_length == 0xffff
-              # FIXME
-              @logger.warn("Cowardly refusing to deal with variable length encoded field", :type => field_type, :enterprise => enterprise_id)
-              throw :field
-            end
-            if enterprise_id == 0
-              case field_type
-              when 291, 292, 293
-                # FIXME
-                @logger.warn("Cowardly refusing to deal with complex data types", :type => field_type, :enterprise => enterprise_id)
-                throw :field
-              end
-            end
             entry = ipfix_field_for(field_type, enterprise_id, field.field_length)
             throw :field unless entry
             fields += entry
@@ -366,42 +376,10 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
           @ipfix_templates[key, @cache_ttl] = BinData::Struct.new(:endian => :big, :fields => fields)
           # Purge any expired templates
           @ipfix_templates.cleanup!
-        end
-      end
-    when 3
-      # Options template flowset
-      record.flowset_data.templates.each do |template|
-        catch (:field) do
-          fields = []
-          (template.scope_fields.to_ary + template.option_fields.to_ary).each do |field|
-            field_type = field.field_type
-            field_length = field.field_length
-            enterprise_id = field.enterprise ? field.enterprise_id : 0
-            if field.field_length == 0xffff
-              # FIXME
-              @logger.warn("Cowardly refusing to deal with variable length encoded field", :type => field_type, :enterprise => enterprise_id)
-              throw :field
-            end
-            if enterprise_id == 0
-              case field_type
-              when 291, 292, 293
-                # FIXME
-                @logger.warn("Cowardly refusing to deal with complex data types", :type => field_type, :enterprise => enterprise_id)
-                throw :field
-              end
-            end
-            entry = ipfix_field_for(field_type, enterprise_id, field.field_length)
-            throw :field unless entry
-            fields += entry
+          if @cache_save_path
+            @ipfix_templates_cache[key] = fields
+            save_templates_cache(@ipfix_templates_cache, "#{@cache_save_path}/ipfix_templates.cache")
           end
-          # FIXME Source IP address required in key
-          key = "#{flowset.observation_domain_id}|#{template.template_id}"
-          @ipfix_templates[key, @cache_ttl] = BinData::Struct.new(:endian => :big, :fields => fields)
-          # Purge any expired templates
-          @ipfix_templates.cleanup!
         end
       end
     when 256..65535
@@ -427,6 +405,10 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
           event[@target][f] = flowset[f].snapshot
         end
+        if @include_flowset_id
+          event[@target][FLOWSET_ID] = record.flowset_id.snapshot
+        end
         r.each_pair do |k, v|
           case k.to_s
           when /^flow(?:Start|End)Seconds$/
@@ -478,11 +460,51 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
     fields
   end
+  def load_templates_cache(file_path)
+    templates_cache = {}
+    begin
+      templates_cache = JSON.parse(File.read(file_path))
+    rescue Exception => e
+      raise "#{self.class.name}: templates cache file corrupt (#{file_path})"
+    end
+    templates_cache
+  end
+  def save_templates_cache(templates_cache, file_path)
+    begin
+      File.open(file_path, 'w') {|file| file.write templates_cache.to_json }
+    rescue Exception => e
+      raise "#{self.class.name}: saving templates cache file failed (#{file_path}) with error #{e}"
+    end
+  end
   def uint_field(length, default)
     # If length is 4, return :uint32, etc. and use default if length is 0
     ("uint" + (((length > 0) ? length : default) * 8).to_s).to_sym
   end # def uint_field
+  def skip_field(field, type, length)
+    if length == 65535
+      field[0] = :VarSkip
+    else
+      field += [nil, {:length => length.to_i}]
+    end
+    field
+  end # def skip_field
+  def string_field(field, type, length)
+    if length == 65535
+      field[0] = :VarString
+    else
+      field[0] = :string
+      field += [{ :length => length.to_i, :trim_padding => true }]
+    end
+    field
+  end # def string_field
   def netflow_field_for(type, length)
     if @netflow_fields.include?(type)
       field = @netflow_fields[type].clone
@@ -494,9 +516,9 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
         # is dynamic
         case field[0]
         when :skip
-          field += [nil, {:length => length}]
+          field += [nil, {:length => length.to_i}]
         when :string
-          field += [{:length => length, :trim_padding => true}]
+          field += [{:length => length.to_i, :trim_padding => true}]
         end
         @logger.debug? and @logger.debug("Definition complete", :field => field)
@@ -528,9 +550,12 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
     if field.is_a?(Array)
       case field[0]
       when :skip
-        field += [nil, {:length => length}]
+        field = skip_field(field, type, length.to_i)
       when :string
-        field += [{:length => length, :trim_padding => true}]
+        field = string_field(field, type, length.to_i)
+      when :octetarray
+        field[0] = :OctetArray
+        field += [{:initial_length => length.to_i}]
       when :uint64
         field[0] = uint_field(length, 8)
       when :uint32

data/lib/logstash/codecs/netflow/ipfix.yaml CHANGED Viewed

@@ -1202,6 +1202,670 @@
   433:
   - :uint64
   - :ignoredLayer2FrameTotalCount
+5951:
+  128:
+  - :uint32
+  - :netscalerRoundTripTime
+  129:
+  - :uint32
+  - :netscalerTransactionId
+  130:
+  - :string
+  - :netscalerHttpReqUrl
+  131:
+  - :string
+  - :netscalerHttpReqCookie
+  132:
+  - :uint64
+  - :netscalerFlowFlags
+  133:
+  - :uint32
+  - :netscalerConnectionId
+  134:
+  - :uint8
+  - :netscalerSyslogPriority
+  135:
+  - :string
+  - :netscalerSyslogMessage
+  136:
+  - :uint64
+  - :netscalerSyslogTimestamp
+  140:
+  - :string
+  - :netscalerHttpReqReferer
+  141:
+  - :string
+  - :netscalerHttpReqMethod
+  142:
+  - :string
+  - :netscalerHttpReqHost
+  143:
+  - :string
+  - :netscalerHttpReqUserAgent
+  144:
+  - :uint16
+  - :netscalerHttpRspStatus
+  145:
+  - :uint64
+  - :netscalerHttpRspLen
+  146:
+  - :uint64
+  - :netscalerServerTTFB
+  147:
+  - :uint64
+  - :netscalerServerTTLB
+  150:
+  - :uint32
+  - :netscalerAppNameIncarnationNumber
+  151:
+  - :uint32
+  - :netscalerAppNameAppId
+  152:
+  - :string
+  - :netscalerAppName
+  153:
+  - :uint64
+  - :netscalerHttpReqRcvFB
+  156:
+  - :uint64
+  - :netscalerHttpReqForwFB
+  157:
+  - :uint64
+  - :netscalerHttpResRcvFB
+  158:
+  - :uint64
+  - :netscalerHttpResForwFB
+  159:
+  - :uint64
+  - :netscalerHttpReqRcvLB
+  160:
+  - :uint64
+  - :netscalerHttpReqForwLB
+  161:
+  - :uint32
+  - :netscalerMainPageId
+  162:
+  - :uint32
+  - :netscalerMainPageCoreId
+  163:
+  - :string
+  - :netscalerHttpClientInteractionStartTime
+  164:
+  - :string
+  - :netscalerHttpClientRenderEndTime
+  165:
+  - :string
+  - :netscalerHttpClientRenderStartTime
+  167:
+  - :string
+  - :netscalerAppTemplateName
+  168:
+  - :string
+  - :netscalerHttpClientInteractionEndTime
+  169:
+  - :uint64
+  - :netscalerHttpResRcvLB
+  170:
+  - :uint64
+  - :netscalerHttpResForwLB
+  171:
+  - :uint32
+  - :netscalerAppUnitNameAppId
+  172:
+  - :uint32
+  - :netscalerDbLoginFlags
+  173:
+  - :uint8
+  - :netscalerDbReqType
+  174:
+  - :uint8
+  - :netscalerDbProtocolName
+  175:
+  - :string
+  - :netscalerDbUserName
+  176:
+  - :string
+  - :netscalerDbDatabaseName
+  177:
+  - :string
+  - :netscalerDbCltHostName
+  178:
+  - :string
+  - :netscalerDbReqString
+  179:
+  - :string
+  - :netscalerDbRespStatusString
+  180:
+  - :uint64
+  - :netscalerDbRespStatus
+  181:
+  - :uint64
+  - :netscalerDbRespLength
+  182:
+  - :uint32
+  - :netscalerClientRTT
+  183:
+  - :string
+  - :netscalerHttpContentType
+  185:
+  - :string
+  - :netscalerHttpReqAuthorization
+  186:
+  - :string
+  - :netscalerHttpReqVia
+  187:
+  - :string
+  - :netscalerHttpResLocation
+  188:
+  - :string
+  - :netscalerHttpResSetCookie
+  189:
+  - :string
+  - :netscalerHttpResSetCookie2
+  190:
+  - :string
+  - :netscalerHttpReqXForwardedFor
+  192:
+  - :octetarray
+  - :netscalerConnectionChainID
+  193:
+  - :uint8
+  - :netscalerConnectionChainHopCount
+  200:
+  - :octetarray
+  - :netscalerICASessionGuid
+  201:
+  - :string
+  - :netscaleIcaClientVersion
+  202:
+  - :uint16
+  - :netscalerIcaClientType
+  203:
+  - :ip4_addr
+  - :netscalerIcaClientIP
+  204:
+  - :string
+  - :netscalerIcaClientHostName
+  205:
+  - :string
+  - :netscalerAaaUsername
+  207:
+  - :string
+  - :netscalerIcaDomainName
+  208:
+  - :uint16
+  - :netscalerIcaClientLauncher
+  209:
+  - :uint32
+  - :netscalerIcaSessionSetupTime
+  210:
+  - :string
+  - :netscalerIcaServerName
+  214:
+  - :uint8
+  - :netscalerIcaSessionReconnects
+  215:
+  - :uint32
+  - :netscalerIcaRTT
+  216:
+  - :uint32
+  - :netscalerIcaClientsideRXBytes
+  217:
+  - :uint32
+  - :netscalerIcaClientsideTXBytes
+  219:
+  - :uint16
+  - :netscalerIcaClientsidePacketsRetransmit
+  220:
+  - :uint16
+  - :netscalerIcaServersidePacketsRetransmit
+  221:
+  - :uint32
+  - :netscalerIcaClientsideRTT
+  222:
+  - :uint32
+  - :netscalerIcaServersideRTT
+  223:
+  - :uint32
+  - :netscalerIcaSessionUpdateBeginSec
+  224:
+  - :uint32
+  - :netscalerIcaSessionUpdateEndSec
+  225:
+  - :uint32
+  - :netscalerIcaChannelId1
+  226:
+  - :uint32
+  - :netscalerIcaChannelId1Bytes
+  227:
+  - :uint32
+  - :netscalerIcaChannelId2
+  228:
+  - :uint32
+  - :netscalerIcaChannelId2Bytes
+  229:
+  - :uint32
+  - :netscalerIcaChannelId3
+  230:
+  - :uint32
+  - :netscalerIcaChannelId3Bytes
+  231:
+  - :uint32
+  - :netscalerIcaChannelId4
+  232:
+  - :uint32
+  - :netscalerIcaChannelId4Bytes
+  233:
+  - :uint32
+  - :netscalerIcaChannelId5
+  234:
+  - :uint32
+  - :netscalerIcaChannelId5Bytes
+  235:
+  - :uint16
+  - :netscalerIcaConnectionPriority
+  236:
+  - :uint32
+  - :netscalerApplicationStartupDuration
+  237:
+  - :uint16
+  - :netscalerIcaLaunchMechanism
+  238:
+  - :string
+  - :netscalerIcaApplicationName
+  239:
+  - :uint32
+  - :netscalerApplicationStartupTime
+  240:
+  - :uint16
+  - :netscalerIcaApplicationTerminationType
+  241:
+  - :uint32
+  - :netscalerIcaApplicationTerminationTime
+  242:
+  - :uint32
+  - :netscalerIcaSessionEndTime
+  243:
+  - :uint32
+  - :netscalerIcaClientsideJitter
+  244:
+  - :uint32
+  - :netscalerIcaServersideJitter
+  245:
+  - :uint32
+  - :netscalerIcaAppProcessID
+  246:
+  - :string
+  - :netscalerIcaAppModulePath
+  247:
+  - :uint32
+  - :netscalerIcaDeviceSerialNo
+  248:
+  - :octetarray
+  - :netscalerMsiClientCookie
+  249:
+  - :uint64
+  - :netscalerIcaFlags
+  250:
+  - :string
+  - :netscalerIcaUsername
+  251:
+  - :uint8
+  - :netscalerLicenseType
+  252:
+  - :uint64
+  - :netscalerMaxLicenseCount
+  253:
+  - :uint64
+  - :netscalerCurrentLicenseConsumed
+  254:
+  - :uint32
+  - :netscalerIcaNetworkUpdateStartTime
+  255:
+  - :uint32
+  - :netscalerIcaNetworkUpdateEndTime
+  256:
+  - :uint32
+  - :netscalerIcaClientsideSRTT
+  257:
+  - :uint32
+  - :netscalerIcaServersideSRTT
+  258:
+  - :uint32
+  - :netscalerIcaClientsideDelay
+  259:
+  - :uint32
+  - :netscalerIcaServersideDelay
+  260:
+  - :uint32
+  - :netscalerIcaHostDelay
+  261:
+  - :uint16
+  - :netscalerIcaClientSideWindowSize
+  262:
+  - :uint16
+  - :netscalerIcaServerSideWindowSize
+  263:
+  - :uint16
+  - :netscalerIcaClientSideRTOCount
+  264:
+  - :uint16
+  - :netscalerIcaServerSideRTOCount
+  265:
+  - :uint32
+  - :netscalerIcaL7ClientLatency
+  266:
+  - :uint32
+  - :netscalerIcaL7ServerLatency
+  267:
+  - :string
+  - :netscalerHttpDomainName
+  268:
+  - :uint32
+  - :netscalerCacheRedirClientConnectionCoreID
+  269:
+  - :uint32
+  - :netscalerCacheRedirClientConnectionTransactionID
+  270:
+  - :uint32
+  - :netscalerUnknown270
+  271:
+  - :uint32
+  - :netscalerUnknown271
+  272:
+  - :uint32
+  - :netscalerUnknown272
+  273:
+  - :uint32
+  - :netscalerUnknown273
+  274:
+  - :uint32
+  - :netscalerUnknown274
+  275:
+  - :uint32
+  - :netscalerUnknown275
+  276:
+  - :uint32
+  - :netscalerUnknown276
+  277:
+  - :uint32
+  - :netscalerUnknown277
+  278:
+  - :uint32
+  - :netscalerUnknown278
+  279:
+  - :uint32
+  - :netscalerUnknown279
+  280:
+  - :uint32
+  - :netscalerUnknown280
+  281:
+  - :uint32
+  - :netscalerUnknown281
+  282:
+  - :uint32
+  - :netscalerUnknown282
+  283:
+  - :uint32
+  - :netscalerUnknown283
+  284:
+  - :uint32
+  - :netscalerUnknown284
+  285:
+  - :uint32
+  - :netscalerUnknown285
+  286:
+  - :uint32
+  - :netscalerUnknown286
+  287:
+  - :uint32
+  - :netscalerUnknown287
+  288:
+  - :uint32
+  - :netscalerUnknown288
+  289:
+  - :uint32
+  - :netscalerUnknown289
+  290:
+  - :uint32
+  - :netscalerUnknown290
+  291:
+  - :uint32
+  - :netscalerUnknown291
+  292:
+  - :uint32
+  - :netscalerUnknown292
+  293:
+  - :uint32
+  - :netscalerUnknown293
+  294:
+  - :uint32
+  - :netscalerUnknown294
+  295:
+  - :uint32
+  - :netscalerUnknown295
+  296:
+  - :uint32
+  - :netscalerUnknown296
+  297:
+  - :uint32
+  - :netscalerUnknown297
+  298:
+  - :uint32
+  - :netscalerUnknown298
+  299:
+  - :uint32
+  - :netscalerUnknown299
+  300:
+  - :uint32
+  - :netscalerUnknown300
+  301:
+  - :uint32
+  - :netscalerUnknown301
+  302:
+  - :uint32
+  - :netscalerUnknown302
+  303:
+  - :uint32
+  - :netscalerUnknown303
+  304:
+  - :uint32
+  - :netscalerUnknown304
+  305:
+  - :uint32
+  - :netscalerUnknown305
+  306:
+  - :uint32
+  - :netscalerUnknown306
+  307:
+  - :uint32
+  - :netscalerUnknown307
+  308:
+  - :uint32
+  - :netscalerUnknown308
+  309:
+  - :uint32
+  - :netscalerUnknown309
+  310:
+  - :uint32
+  - :netscalerUnknown310
+  311:
+  - :uint32
+  - :netscalerUnknown311
+  312:
+  - :uint32
+  - :netscalerUnknown312
+  313:
+  - :uint32
+  - :netscalerUnknown313
+  314:
+  - :uint32
+  - :netscalerUnknown314
+  315:
+  - :uint32
+  - :netscalerUnknown315
+  316:
+  - :string
+  - :netscalerUnknown316
+  317:
+  - :uint32
+  - :netscalerUnknown317
+  318:
+  - :uint32
+  - :netscalerUnknown318
+  319:
+  - :string
+  - :netscalerUnknown319
+  320:
+  - :uint16
+  - :netscalerUnknown320
+  321:
+  - :uint32
+  - :netscalerUnknown321
+  322:
+  - :uint32
+  - :netscalerUnknown322
+  323:
+  - :uint16
+  - :netscalerUnknown323
+  324:
+  - :uint16
+  - :netscalerUnknown324
+  325:
+  - :uint16
+  - :netscalerUnknown325
+  326:
+  - :uint16
+  - :netscalerUnknown326
+  327:
+  - :uint32
+  - :netscalerUnknown327
+  328:
+  - :uint16
+  - :netscalerUnknown328
+  329:
+  - :uint16
+  - :netscalerUnknown329
+  330:
+  - :uint16
+  - :netscalerUnknown330
+  331:
+  - :uint16
+  - :netscalerUnknown331
+  332:
+  - :uint32
+  - :netscalerUnknown332
+  333:
+  - :string
+  - :netscalerUnknown333
+  334:
+  - :string
+  - :netscalerUnknown334
+  335:
+  - :uint32
+  - :netscalerUnknown335
+  336:
+  - :uint32
+  - :netscalerUnknown336
+  337:
+  - :uint32
+  - :netscalerUnknown337
+  338:
+  - :uint32
+  - :netscalerUnknown338
+  339:
+  - :uint32
+  - :netscalerUnknown339
+  340:
+  - :uint32
+  - :netscalerUnknown340
+  341:
+  - :uint32
+  - :netscalerUnknown341
+  342:
+  - :uint32
+  - :netscalerUnknown342
+  343:
+  - :uint32
+  - :netscalerUnknown343
+  344:
+  - :uint32
+  - :netscalerUnknown344
+  345:
+  - :uint32
+  - :netscalerUnknown345
+  346:
+  - :uint32
+  - :netscalerUnknown346
+  347:
+  - :uint32
+  - :netscalerUnknown347
+  348:
+  - :uint16
+  - :netscalerUnknown348
+  349:
+  - :string
+  - :netscalerUnknown349
+  350:
+  - :string
+  - :netscalerUnknown350
+  351:
+  - :string
+  - :netscalerUnknown351
+  352:
+  - :uint16
+  - :netscalerUnknown352
+  353:
+  - :uint32
+  - :netscalerUnknown353
+  354:
+  - :uint32
+  - :netscalerUnknown354
+  355:
+  - :uint32
+  - :netscalerUnknown355
+  356:
+  - :uint32
+  - :netscalerUnknown356
+  357:
+  - :uint32
+  - :netscalerUnknown357
+  363:
+  - :octetarray
+  - :netscalerUnknown363
+  383:
+  - :octetarray
+  - :netscalerUnknown383
+  391:
+  - :uint32
+  - :netscalerUnknown391
+  398:
+  - :uint32
+  - :netscalerUnknown398
+  404:
+  - :uint32
+  - :netscalerUnknown404
+  405:
+  - :uint32
+  - :netscalerUnknown405
+  427:
+  - :uint64
+  - :netscalerUnknown427
+  429:
+  - :uint8
+  - :netscalerUnknown429
+  432:
+  - :uint8
+  - :netscalerUnknown432
+  433:
+  - :uint8
+  - :netscalerUnknown433
+  453:
+  - :uint64
+  - :netscalerUnknown453
+  465:
+  - :uint32
+  - :netscalerUnknown465
 29305:
   1:
   - :uint64