logstash-codec-netflow 3.2.0 → 3.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 2c0a3f206c7fe1f106fda91bd4d6ae4859b431cc
-  data.tar.gz: fd0a8240b8b1ea48b5c3c6c200eed186ee9774ee
+  metadata.gz: 8eed13d17d78bcdbbb2788a458fb2d6109e3dfce
+  data.tar.gz: 3886e83de50aded411f7d5ee26832f56998fbd8b
 SHA512:
-  metadata.gz: 0d593484718168a9b28a07616eb1a13b8cf4e8911caec611113af342f4b926d184dc935dddc6bf62eab7ec91f14d2957f7ece359000f45247766eb0894ea71a2
-  data.tar.gz: 290c29bd48ac4248575a8cdcbfec95e11f6a19c10264b4939bcda4cc02f147982dbf5ec82b9d3d92ae3aa235dfe88e4316707f8dbc4731dd41ad2f2981f27ed7
+  metadata.gz: 15b4bacc7bb1d6263cb9ec4f67ea360b5c0686503ace7442a75b8da99090865cf2e6753cf43a465132b5b42b010afede5607e67ae19f7a78e07c67fd62735d07
+  data.tar.gz: 7442867f8718b82330cb1a7c8592ea3c1367e14f1f12966a4db788a751d5a802638706a5c20ce7ccb8cd5e937cf65b210b90fae2c4dde0a5a089430608e17f83

data/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 3.2.1
+
+  - Fix/Refactor IPFIX microsecond/nanosecond interpretation (NTP Timestamp based)
+  - Note a possible bug in Netscaler implementation where the fraction is proabably output as microseconds
+  - Correct rspec testing for new/correct implementation of microseconds, never noticed the insane values before, mea culpa
+
 ## 3.2.0
 
   - Add Netflow v9/v10 template caching, configurable TTL

data/lib/logstash/codecs/netflow.rb

@@ -414,16 +414,18 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
           when /^flow(?:Start|End)Seconds$/
             event[@target][k.to_s] = LogStash::Timestamp.at(v.snapshot).to_iso8601
           when /^flow(?:Start|End)(Milli|Micro|Nano)seconds$/
-            divisor =
-              case $1
-              when 'Milli'
-                1_000
-              when 'Micro'
-                1_000_000
-              when 'Nano'
-                1_000_000_000
-              end
-            event[@target][k.to_s] = LogStash::Timestamp.at(v.snapshot.to_f / divisor).to_iso8601
+            case $1
+            when 'Milli'
+              event[@target][k.to_s] = LogStash::Timestamp.at(v.snapshot.to_f / 1_000).to_iso8601
+            when 'Micro', 'Nano'
+              # For now we'll stick to assuming ntp timestamps,
+              # Netscaler implementation may be buggy though:
+              # https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11047
+              # This only affects the fraction though
+              ntp_seconds = (v.snapshot >> 32) & 0xFFFFFFFF
+              ntp_fraction = (v.snapshot & 0xFFFFFFFF).to_f / 2**32
+              event[@target][k.to_s] = LogStash::Timestamp.at(Time.utc(1900,1,1).to_i + ntp_seconds, ntp_fraction * 1000000).to_iso8601
+            end
           else
             event[@target][k.to_s] = v.snapshot
           end

data/logstash-codec-netflow.gemspec

@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 
   s.name            = 'logstash-codec-netflow'
-  s.version         = '3.2.0'
+  s.version         = '3.2.1'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "The netflow codec is for decoding Netflow v5/v9/v10 (IPFIX) flows."
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"

data/spec/codecs/netflow_spec.rb

@@ -984,7 +984,7 @@ describe LogStash::Codecs::Netflow do
             "netscalerHttpReqUserAgent": "Mozilla/5.0 (Commodore 64;  kobo.com) Gecko/20100101 Firefox/75.0",
             "destinationTransportPort": 443,
             "netscalerHttpReqCookie": "beer=123456789abcdefghijklmnopqrstuvw; AnotherCookie=1234567890abcdefghijklmnopqr; Shameless.Plug=Thankyou.Rakuten.Kobo.Inc.For.Allowing.me.time.to.work.on.this.and.contribute.back.to.the.community; Padding=aaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbccccccccccccccddddddddddddddddddddddeeeeeeeeeeeeeeeeeeeeeffffffffffffffffffffffgggggggggggggggggggggggghhhhhhhhhhhhhhhhhiiiiiiiiiiiiiiiiiiiiiijjjjjjjjjjjjjjjjjjjjjjjjkkkkkkkkkkkkkkkkkklllllllllllllllmmmmmmmmmm; more=less; GJquote=There.is.no.spoon; GarrySays=Nice!!; LastPadding=aaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbcccccccccccccccccccdddddddddddeeeeeeee",
-            "flowEndMicroseconds": "503894-10-15T08:48:16.972Z",
+            "flowEndMicroseconds": "2016-11-11T12:09:19.000Z",
             "netscalerHttpReqUrl": "/aa/bb/ccccc/ddddddddddddddddddddddddd",
             "sourceIPv4Address": "192.168.0.1",
             "netscalerHttpReqMethod": "GET",
@@ -1003,7 +1003,7 @@ describe LogStash::Codecs::Netflow do
             "netscalerHttpReqVia": "1.1 akamai.net(ghost) (AkamaiGHost)",
             "netscalerConnectionId": 14460661,
             "tcpControlBits": 24,
-            "flowStartMicroseconds": "503894-10-15T08:48:16.972Z",
+            "flowStartMicroseconds": "2016-11-11T12:09:19.000Z",
             "ingressInterface": 8,
             "version": 10,
             "packetDeltaCount": 2,
@@ -1031,7 +1031,7 @@ describe LogStash::Codecs::Netflow do
       expect(decode[0].get("[netflow][version]")).to eq(10)
       expect(decode[0].get("[netflow][sourceIPv4Address]")).to eq('192.168.0.1')
       expect(decode[0].get("[netflow][destinationIPv4Address]")).to eq('10.0.0.1')
-      expect(decode[0].get("[netflow][flowEndMicroseconds]")).to eq('503894-10-15T08:48:16.970Z')
+      expect(decode[0].get("[netflow][flowEndMicroseconds]")).to eq('2016-11-11T12:09:19.000Z')
       expect(decode[0].get("[netflow][netscalerConnectionId]")).to eq(14460661)
       expect(decode[1].get("[netflow][version]")).to eq(10)
       expect(decode[1].get("[netflow][flowId]")).to eq(14460662)
@@ -1215,7 +1215,7 @@ describe LogStash::Codecs::Netflow, 'configured with template caching', :order =
     it "should decode raw data based on cached templates" do
       expect(decode.size).to eq(3)
       expect(decode[0].get("[netflow][version]")).to eq(10)
-      expect(decode[0].get("[netflow][flowEndMicroseconds]")).to eq('503894-10-15T08:48:16.970Z')
+      expect(decode[0].get("[netflow][flowEndMicroseconds]")).to eq('2016-11-11T12:09:19.000Z')
       expect(decode[0].get("[netflow][netscalerConnectionId]")).to eq(14460661)
       expect(decode[1].get("[netflow][version]")).to eq(10)
       expect(decode[1].get("[netflow][observationPointId]")).to eq(167954698)
@@ -1256,7 +1256,7 @@ describe LogStash::Codecs::Netflow, 'configured with include_flowset_id for ipfi
   it "should decode raw data" do
     expect(decode.size).to eq(3)
     expect(decode[0].get("[netflow][version]")).to eq(10)
-    expect(decode[0].get("[netflow][flowEndMicroseconds]")).to eq('503894-10-15T08:48:16.970Z')
+    expect(decode[0].get("[netflow][flowEndMicroseconds]")).to eq('2016-11-11T12:09:19.000Z')
     expect(decode[0].get("[netflow][netscalerConnectionId]")).to eq(14460661)
     expect(decode[1].get("[netflow][version]")).to eq(10)
     expect(decode[1].get("[netflow][observationPointId]")).to eq(167954698)

metadata

@@ -1,17 +1,16 @@
 --- !ruby/object:Gem::Specification
 name: logstash-codec-netflow
 version: !ruby/object:Gem::Version
-  version: 3.2.0
+  version: 3.2.1
 platform: ruby
 authors:
 - Elastic
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-12-19 00:00:00.000000000 Z
+date: 2016-12-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: logstash-core-plugin-api
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
@@ -20,8 +19,9 @@ dependencies:
     - - <=
       - !ruby/object:Gem::Version
         version: '2.99'
-  type: :runtime
+  name: logstash-core-plugin-api
   prerelease: false
+  type: :runtime
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
@@ -31,47 +31,54 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '2.99'
 - !ruby/object:Gem::Dependency
-  name: bindata
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
         version: 1.5.0
-  type: :runtime
+  name: bindata
   prerelease: false
+  type: :runtime
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
         version: 1.5.0
 - !ruby/object:Gem::Dependency
-  name: logstash-devutils
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
         version: 1.0.0
-  type: :development
+  name: logstash-devutils
   prerelease: false
+  type: :development
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
         version: 1.0.0
-description: This gem is a Logstash plugin required to be installed on top of the
-  Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This
-  gem is not a stand-alone program
+description: This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program
 email: info@elastic.co
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- CHANGELOG.md
+- CONTRIBUTORS
+- Gemfile
+- LICENSE
+- NOTICE.TXT
+- README.md
+- lib/logstash/codecs/netflow.rb
 - lib/logstash/codecs/netflow/iana2yaml.rb
-- lib/logstash/codecs/netflow/netflow.yaml
 - lib/logstash/codecs/netflow/ipfix.yaml
+- lib/logstash/codecs/netflow/netflow.yaml
 - lib/logstash/codecs/netflow/util.rb
-- lib/logstash/codecs/netflow.rb
+- logstash-codec-netflow.gemspec
 - spec/codecs/ipfix.dat
+- spec/codecs/ipfix_test_netscaler_data.dat
+- spec/codecs/ipfix_test_netscaler_tpl.dat
 - spec/codecs/ipfix_test_openbsd_pflow_data.dat
 - spec/codecs/ipfix_test_openbsd_pflow_tpl.dat
 - spec/codecs/netflow5.dat
@@ -90,27 +97,18 @@ files:
 - spec/codecs/netflow9_test_nprobe_data.dat
 - spec/codecs/netflow9_test_nprobe_tpl.dat
 - spec/codecs/netflow9_test_softflowd_tpl_data.dat
-- spec/codecs/netflow9_test_valid01.dat
-- spec/codecs/netflow9_test_ubnt_edgerouter_tpl.dat
 - spec/codecs/netflow9_test_ubnt_edgerouter_data1024.dat
 - spec/codecs/netflow9_test_ubnt_edgerouter_data1025.dat
-- spec/codecs/ipfix_test_netscaler_data.dat
-- spec/codecs/ipfix_test_netscaler_tpl.dat
+- spec/codecs/netflow9_test_ubnt_edgerouter_tpl.dat
+- spec/codecs/netflow9_test_valid01.dat
 - spec/codecs/netflow_spec.rb
-- logstash-codec-netflow.gemspec
-- README.md
-- CHANGELOG.md
-- CONTRIBUTORS
-- Gemfile
-- LICENSE
-- NOTICE.TXT
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
 licenses:
 - Apache License (2.0)
 metadata:
   logstash_plugin: 'true'
   logstash_group: codec
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -125,13 +123,15 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.0.14
-signing_key: 
+rubyforge_project:
+rubygems_version: 2.4.8
+signing_key:
 specification_version: 4
 summary: The netflow codec is for decoding Netflow v5/v9/v10 (IPFIX) flows.
 test_files:
 - spec/codecs/ipfix.dat
+- spec/codecs/ipfix_test_netscaler_data.dat
+- spec/codecs/ipfix_test_netscaler_tpl.dat
 - spec/codecs/ipfix_test_openbsd_pflow_data.dat
 - spec/codecs/ipfix_test_openbsd_pflow_tpl.dat
 - spec/codecs/netflow5.dat
@@ -150,10 +150,8 @@ test_files:
 - spec/codecs/netflow9_test_nprobe_data.dat
 - spec/codecs/netflow9_test_nprobe_tpl.dat
 - spec/codecs/netflow9_test_softflowd_tpl_data.dat
-- spec/codecs/netflow9_test_valid01.dat
-- spec/codecs/netflow9_test_ubnt_edgerouter_tpl.dat
 - spec/codecs/netflow9_test_ubnt_edgerouter_data1024.dat
 - spec/codecs/netflow9_test_ubnt_edgerouter_data1025.dat
-- spec/codecs/ipfix_test_netscaler_data.dat
-- spec/codecs/ipfix_test_netscaler_tpl.dat
+- spec/codecs/netflow9_test_ubnt_edgerouter_tpl.dat
+- spec/codecs/netflow9_test_valid01.dat
 - spec/codecs/netflow_spec.rb