logstash-codec-netflow 3.8.0 → 3.8.1
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/RFC_COMPLIANCE_IPFIX.md +48 -47
- data/RFC_COMPLIANCE_NETFLOW_v9.md +41 -41
- data/docs/index.asciidoc +2 -0
- data/lib/logstash/codecs/netflow/netflow.yaml +3 -0
- data/lib/logstash/codecs/netflow.rb +26 -18
- data/logstash-codec-netflow.gemspec +1 -1
- data/spec/codecs/netflow9_test_paloalto_panos_data.dat +0 -0
- data/spec/codecs/netflow9_test_paloalto_panos_tpl.dat +0 -0
- data/spec/codecs/netflow_spec.rb +54 -0
- data/spec/codecs/netflow_stress.py +30 -0
- metadata +93 -85
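--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 5b85cd8c1849c1914c49727e17a1775257aee259
+data.tar.gz: fb97641f2b79c06cc380c27eba5933f40dfc8c87
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 2ee8918200546ef2e9d454eadf84bce73abab9fc24c268ce2c90808ddc1c4dba70d8503bad0213b774e71385df5a00a986c738e0abea1105afa9f842e5ed66ce
+data.tar.gz: 578e1d35533e5053a4b43189bc2581a3e511ae0d152974fa4f3d8bb7aa80c35bc2f6dad837b433b905a7de8c7d644bfb9d81e6efd39b760713bcb82683aaf882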
data/CHANGELOG.md
CHANGED
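--- a/data/RFC_COMPLIANCE_IPFIX.md
+++ b/data/RFC_COMPLIANCE_IPFIX.md
@@ -71,53 +71,6 @@ Summary of collector-relevant requirements implemented versus the total collecto
 | subTemplateList | No | |
 | subTemplateMultiList | No | |
 
-## RFC7012 Information Elements support details
-
-IE 1-433 are supported
-
-These are not yet supported:
-
-|id | name | data type
-|---|---------------------|-------------------------
-|434|mibObjectValueInteger|signed32
-|435|mibObjectValueOctetString|octetArray
-|436|mibObjectValueOID|octetArray
-|437|mibObjectValueBits|octetArray
-|438|mibObjectValueIPAddress|ipv4Address
-|439|mibObjectValueCounter|unsigned64
-|440|mibObjectValueGauge|unsigned32
-|441|mibObjectValueTimeTicks|unsigned32
-|442|mibObjectValueUnsigned|unsigned32
-|443|mibObjectValueTable|subTemplateList
-|444|mibObjectValueRow|subTemplateList
-|445|mibObjectIdentifier|octetArray
-|446|mibSubIdentifier|unsigned32
-|447|mibIndexIndicator|unsigned64
-|448|mibCaptureTimeSemantics|unsigned8
-|449|mibContextEngineID|octetArray
-|450|mibContextName|string
-|451|mibObjectName|string
-|452|mibObjectDescription|string
-|453|mibObjectSyntax|string
-|454|mibModuleName|string
-|455|mobileIMSI|string
-|456|mobileMSISDN|string
-|457|httpStatusCode|unsigned16
-|458|sourceTransportPortsLimit|unsigned16
-|459|httpRequestMethod|string
-|460|httpRequestHost|string
-|461|httpRequestTarget|string
-|462|httpMessageVersion|string
-|463|natInstanceID|unsigned32
-|464|internalAddressRealm|octetArray
-|465|externalAddressRealm|octetArray
-|466|natQuotaExceededEvent|unsigned32
-|467|natThresholdEvent|unsigned32
-|468|httpUserAgent|string
-|469|httpContentType|string
-|470|httpReasonPhrase|string
-
-
 ## RFC 7011 collector compliance details
 
 The tables below detail the collector-relevant requirements, and whether or not they are implemented:
@@ -228,3 +181,51 @@ The tables below detail the collector-relevant requirements, and whether or not
 | 11.7 As IPFIX uses length-prefix encodings, Collector implementors should take care to ensure the detection of inconsistent values that could impact IPFIX Message decoding, and proper operation in the presence of such inconsistent values. | | | YES |
 | 11.7 Specifically, IPFIX Message, Set, and variable-length Information Element lengths must be checked for consistency to avoid buffer-sizing vulnerabilities. | | | YES |
 
+
+## RFC7012 Information Elements support details
+
+IE 1-433 are supported
+
+These are not yet supported:
+
+|id | name | data type
+|---|---------------------|-------------------------
+|434|mibObjectValueInteger|signed32
+|435|mibObjectValueOctetString|octetArray
+|436|mibObjectValueOID|octetArray
+|437|mibObjectValueBits|octetArray
+|438|mibObjectValueIPAddress|ipv4Address
+|439|mibObjectValueCounter|unsigned64
+|440|mibObjectValueGauge|unsigned32
+|441|mibObjectValueTimeTicks|unsigned32
+|442|mibObjectValueUnsigned|unsigned32
+|443|mibObjectValueTable|subTemplateList
+|444|mibObjectValueRow|subTemplateList
+|445|mibObjectIdentifier|octetArray
+|446|mibSubIdentifier|unsigned32
+|447|mibIndexIndicator|unsigned64
+|448|mibCaptureTimeSemantics|unsigned8
+|449|mibContextEngineID|octetArray
+|450|mibContextName|string
+|451|mibObjectName|string
+|452|mibObjectDescription|string
+|453|mibObjectSyntax|string
+|454|mibModuleName|string
+|455|mobileIMSI|string
+|456|mobileMSISDN|string
+|457|httpStatusCode|unsigned16
+|458|sourceTransportPortsLimit|unsigned16
+|459|httpRequestMethod|string
+|460|httpRequestHost|string
+|461|httpRequestTarget|string
+|462|httpMessageVersion|string
+|463|natInstanceID|unsigned32
+|464|internalAddressRealm|octetArray
+|465|externalAddressRealm|octetArray
+|466|natQuotaExceededEvent|unsigned32
+|467|natThresholdEvent|unsigned32
+|468|httpUserAgent|string
+|469|httpContentType|string
+|470|httpReasonPhrase|string
+
+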
@@ -26,6 +26,47 @@ Summary of collector-relevant requirements implemented versus the total collecto
|
|
26
26
|
| 9. The collector side | 5/5 | 0/3 | |
|
27
27
|
| 10. Security considerations | | | |
|
28
28
|
|
29
|
+
## RFC 3954 collector compliance details
|
30
|
+
|
31
|
+
The tables below detail the collector-relevant requirements, and whether or not they are implemented:
|
32
|
+
|
33
|
+
### 5. Export packet format
|
34
|
+
|
35
|
+
| Requirement |MUST |SHOULD| MAY|
|
36
|
+
|---------------------------------------|-----|-----|-----|
|
37
|
+
| 5.1 Incremental sequence counter of all Export Packets sent from the current Observation Domain by the Exporter. This value MUST be cumulative, and SHOULD be used by the Collector to identify whether any Export Packets have been missed. | | NO | |
|
38
|
+
| 5.1 NetFlow Collectors SHOULD use the combination of the source IP address and the Source ID field to separate different export streams originating from the same Exporter. | | NO | |
|
39
|
+
| 5.3 The Collector MUST use the FlowSet ID to find the corresponding Template Record and decode the Flow Records from the FlowSet. | YES | | |
|
40
|
+
|
41
|
+
### 6. Options
|
42
|
+
|
43
|
+
| Requirement |MUST |SHOULD| MAY|
|
44
|
+
|---------------------------------------|-----|-----|-----|
|
45
|
+
| 6.2 The Collector MUST use the FlowSet ID to map the appropriate type and length to any field values that follow. | YES | | |
|
46
|
+
|
47
|
+
### 7. Template management
|
48
|
+
|
49
|
+
| Requirement |MUST |SHOULD| MAY|
|
50
|
+
|---------------------------------------|-----|-----|-----|
|
51
|
+
| 7. the NetFlow Collector MUST store the Template Record to interpret the corresponding Flow Data Records that are received in subsequent data packets. | YES | | |
|
52
|
+
| 7. A NetFlow Collector that receives Export Packets from several Observation Domains from the same Exporter MUST be aware that the uniqueness of the Template ID is not guaranteed across Observation Domains. | YES | | |
|
53
|
+
| 7. If a Collector should receive a new definition for an already existing Template ID, it MUST discard the previous template definition and use the new one. | YES | | |
|
54
|
+
|
55
|
+
### 9. The collector side
|
56
|
+
|
57
|
+
| Requirement |MUST |SHOULD| MAY|
|
58
|
+
|---------------------------------------|-----|-----|-----|
|
59
|
+
| 9. If the Template Records have not been received at the time Flow Data Records (or Options Data Records) are received, the Collector SHOULD store the Flow Data Records (or Options Data Records) and decode them after the Template Records are received. | | NO | |
|
60
|
+
| 9. A Collector device MUST NOT assume that the Data FlowSet and the associated Template FlowSet (or Options Template FlowSet) are exported in the same Export Packet. | YES | | |
|
61
|
+
| 9. The Collector MUST NOT assume that one and only one Template FlowSet is present in an Export Packet. | YES | | |
|
62
|
+
| 9. The Collector MUST NOT attempt to decode the Flow or Options Data Records with an expired Template. | YES | | |
|
63
|
+
| 9. At any given time the Collector SHOULD maintain the following for all the current Template Records and Options Template Records: Exporter, Observation Domain, Template ID, Template Definition, Last Received. | | NO | |
|
64
|
+
| 9. In the event of a clock configuration change on the Exporter, the Collector SHOULD discard all Template Records and Options Template Records associated with that Exporter, in order for Collector to learn the new set of fields: Exporter, Observation Domain, Template ID, Template Definition, Last Received. | | NO | |
|
65
|
+
| 9. If the Collector receives a new Template Record (for example, in the case of an Exporter restart) it MUST immediately override the existing Template Record. | YES | | |
|
66
|
+
| 9. Finally, note that the Collector MUST accept padding in the Data FlowSet and Options Template FlowSet, which means for the Flow Data Records, the Options Data Records and the Template Records. | YES | | |
|
67
|
+
|
68
|
+
|
69
|
+
|
29
70
|
## RFC 3954 Information Elements support details
|
30
71
|
|
31
72
|
From the IEs 1-127, these are not yet supported:
|
@@ -244,7 +285,6 @@ From the IEs 128-, these are not yet supported:
|
|
244
285
|
|343|informationElementRangeEnd|unsigned64
|
245
286
|
|344|informationElementSemantics|unsigned8
|
246
287
|
|345|informationElementUnits|unsigned16
|
247
|
-
|346|privateEnterpriseNumber|unsigned32
|
248
288
|
|347|virtualStationInterfaceId|octetArray
|
249
289
|
|348|virtualStationInterfaceName|string
|
250
290
|
|349|virtualStationUUID|octetArray
|
@@ -365,43 +405,3 @@ From the IEs 128-, these are not yet supported:
|
|
365
405
|
|469|httpContentType|string
|
366
406
|
|470|httpReasonPhrase|string
|
367
407
|
|
368
|
-
## RFC 3954 collector compliance details
|
369
|
-
|
370
|
-
The tables below detail the collector-relevant requirements, and whether or not they are implemented:
|
371
|
-
|
372
|
-
### 5. Export packet format
|
373
|
-
|
374
|
-
| Requirement |MUST |SHOULD| MAY|
|
375
|
-
|---------------------------------------|-----|-----|-----|
|
376
|
-
| 5.1 Incremental sequence counter of all Export Packets sent from the current Observation Domain by the Exporter. This value MUST be cumulative, and SHOULD be used by the Collector to identify whether any Export Packets have been missed. | | NO | |
|
377
|
-
| 5.1 NetFlow Collectors SHOULD use the combination of the source IP address and the Source ID field to separate different export streams originating from the same Exporter. | | NO | |
|
378
|
-
| 5.3 The Collector MUST use the FlowSet ID to find the corresponding Template Record and decode the Flow Records from the FlowSet. | YES | | |
|
379
|
-
|
380
|
-
### 6. Options
|
381
|
-
|
382
|
-
| Requirement |MUST |SHOULD| MAY|
|
383
|
-
|---------------------------------------|-----|-----|-----|
|
384
|
-
| 6.2 The Collector MUST use the FlowSet ID to map the appropriate type and length to any field values that follow. | YES | | |
|
385
|
-
|
386
|
-
### 7. Template management
|
387
|
-
|
388
|
-
| Requirement |MUST |SHOULD| MAY|
|
389
|
-
|---------------------------------------|-----|-----|-----|
|
390
|
-
| 7. the NetFlow Collector MUST store the Template Record to interpret the corresponding Flow Data Records that are received in subsequent data packets. | YES | | |
|
391
|
-
| 7. A NetFlow Collector that receives Export Packets from several Observation Domains from the same Exporter MUST be aware that the uniqueness of the Template ID is not guaranteed across Observation Domains. | YES | | |
|
392
|
-
| 7. If a Collector should receive a new definition for an already existing Template ID, it MUST discard the previous template definition and use the new one. | YES | | |
|
393
|
-
|
394
|
-
### 9. The collector side
|
395
|
-
|
396
|
-
| Requirement |MUST |SHOULD| MAY|
|
397
|
-
|---------------------------------------|-----|-----|-----|
|
398
|
-
| 9. If the Template Records have not been received at the time Flow Data Records (or Options Data Records) are received, the Collector SHOULD store the Flow Data Records (or Options Data Records) and decode them after the Template Records are received. | | NO | |
|
399
|
-
| 9. A Collector device MUST NOT assume that the Data FlowSet and the associated Template FlowSet (or Options Template FlowSet) are exported in the same Export Packet. | YES | | |
|
400
|
-
| 9. The Collector MUST NOT assume that one and only one Template FlowSet is present in an Export Packet. | YES | | |
|
401
|
-
| 9. The Collector MUST NOT attempt to decode the Flow or Options Data Records with an expired Template. | YES | | |
|
402
|
-
| 9. At any given time the Collector SHOULD maintain the following for all the current Template Records and Options Template Records: Exporter, Observation Domain, Template ID, Template Definition, Last Received. | | NO | |
|
403
|
-
| 9. In the event of a clock configuration change on the Exporter, the Collector SHOULD discard all Template Records and Options Template Records associated with that Exporter, in order for Collector to learn the new set of fields: Exporter, Observation Domain, Template ID, Template Definition, Last Received. | | NO | |
|
404
|
-
| 9. If the Collector receives a new Template Record (for example, in the case of an Exporter restart) it MUST immediately override the existing Template Record. | YES | | |
|
405
|
-
| 9. Finally, note that the Collector MUST accept padding in the Data FlowSet and Options Template FlowSet, which means for the Flow Data Records, the Options Data Records and the Template Records. | YES | | |
|
406
|
-
|
407
|
-
|
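--- a/data/docs/index.asciidoc
+++ b/data/docs/index.asciidoc
@@ -51,8 +51,10 @@ The following Netflow/IPFIX exporters are known to work with the most recent ver
 |OpenBSD pflow | y | n | y | http://man.openbsd.org/OpenBSD-current/man4/pflow.4
 |Softflowd | y | y | y | IPFIX supported in https://github.com/djmdjm/softflowd
 |Streamcore Streamgroomer | | y | |
+|Palo Alto PAN-OS | | y | |
 |Ubiquiti Edgerouter X | | y | | With MPLS labels
 |VMware VDS | | | y | Still some unknown fields
+|YAF | | | y | With silk and applabel, but no DPI plugin support
 |===========================================================================================
 
 ==== Usage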
@@ -51,7 +51,9 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
|
|
51
51
|
|
52
52
|
def initialize(params = {})
|
53
53
|
super(params)
|
54
|
-
@threadsafe =
|
54
|
+
@threadsafe = true
|
55
|
+
@decode_mutex_netflow = Mutex.new
|
56
|
+
@decode_mutex_ipfix = Mutex.new
|
55
57
|
end
|
56
58
|
|
57
59
|
def register
|
@@ -212,17 +214,20 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
|
|
212
214
|
else
|
213
215
|
key = "#{flowset.source_id}|#{template.template_id}"
|
214
216
|
end
|
215
|
-
|
216
|
-
@
|
217
|
-
|
218
|
-
|
219
|
-
@logger.
|
220
|
-
|
221
|
-
|
222
|
-
|
223
|
-
|
224
|
-
@
|
225
|
-
|
217
|
+
# Prevent netflow_templates array from being concurrently modified
|
218
|
+
@decode_mutex_netflow.synchronize do
|
219
|
+
@netflow_templates[key, @cache_ttl] = BinData::Struct.new(:endian => :big, :fields => fields)
|
220
|
+
@logger.debug("Received template #{template.template_id} with fields #{fields.inspect}")
|
221
|
+
@logger.debug("Received template #{template.template_id} of size #{template_length} bytes. Representing in #{@netflow_templates[key].num_bytes} BinData bytes")
|
222
|
+
if template_length != @netflow_templates[key].num_bytes
|
223
|
+
@logger.warn("Received template #{template.template_id} of size #{template_length} bytes doesn't match BinData representation we built (#{@netflow_templates[key].num_bytes} bytes)")
|
224
|
+
end
|
225
|
+
# Purge any expired templates
|
226
|
+
@netflow_templates.cleanup!
|
227
|
+
if @cache_save_path
|
228
|
+
@netflow_templates_cache[key] = fields
|
229
|
+
save_templates_cache(@netflow_templates_cache, "#{@cache_save_path}/netflow_templates.cache")
|
230
|
+
end
|
226
231
|
end
|
227
232
|
end
|
228
233
|
end
|
@@ -316,12 +321,15 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
|
|
316
321
|
end
|
317
322
|
# FIXME Source IP address required in key
|
318
323
|
key = "#{flowset.observation_domain_id}|#{template.template_id}"
|
319
|
-
|
320
|
-
|
321
|
-
|
322
|
-
|
323
|
-
@
|
324
|
-
|
324
|
+
# Prevent ipfix_templates array from being concurrently modified
|
325
|
+
@decode_mutex_ipfix.synchronize do
|
326
|
+
@ipfix_templates[key, @cache_ttl] = BinData::Struct.new(:endian => :big, :fields => fields)
|
327
|
+
# Purge any expired templates
|
328
|
+
@ipfix_templates.cleanup!
|
329
|
+
if @cache_save_path
|
330
|
+
@ipfix_templates_cache[key] = fields
|
331
|
+
save_templates_cache(@ipfix_templates_cache, "#{@cache_save_path}/ipfix_templates.cache")
|
332
|
+
end
|
325
333
|
end
|
326
334
|
end
|
327
335
|
end
|
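Review bot: `save_templates_cache` runs inside `@decode_mutex_netflow.synchronize` (new lines 227-229), so every received template holds the decode lock for the length of a disk write; the IPFIX hunk does the same under `@decode_mutex_ipfix` (new lines 329-331). Templates come from whoever can reach the listener and exporters resend them periodically, so a steady template stream serialises the decode threads behind file I/O. Persisting only when the definition actually changed would avoid that, e.g. `if @cache_save_path && @netflow_templates_cache[key] != fields`, with the same guard on `@ipfix_templates_cache`. The readers of `@netflow_templates[key]` and `@ipfix_templates[key]` in the data-flowset path are outside these hunks; if they do not take the same mutex, `cleanup!` can still run underneath them, which is worth confirming. The enclosing methods start and end outside the hunks.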
@@ -1,7 +1,7 @@
|
|
1
1
|
Gem::Specification.new do |s|
|
2
2
|
|
3
3
|
s.name = 'logstash-codec-netflow'
|
4
|
-
s.version = '3.8.
|
4
|
+
s.version = '3.8.1'
|
5
5
|
s.licenses = ['Apache License (2.0)']
|
6
6
|
s.summary = "Reads Netflow v5 and Netflow v9 data"
|
7
7
|
s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
|
Binary file
|
Binary file
|
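--- a/data/spec/codecs/netflow_spec.rb
+++ b/data/spec/codecs/netflow_spec.rb
@@ -1967,6 +1967,60 @@ describe LogStash::Codecs::Netflow do
 end
 end
 
+context "Netflow 9 Palo Alto PAN-OS with app-id" do
+let(:data) do
+packets = []
+packets << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_paloalto_panos_tpl.dat"), :mode => "rb")
+packets << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_paloalto_panos_data.dat"), :mode => "rb")
+end
+
+let(:json_events) do
+events = []
+events << <<-END
+{
+"netflow": {
+"output_snmp": 23,
+"icmp_type": 0,
+"in_pkts": 1,
+"src_tos": 0,
+"ipv4_dst_addr": "162.115.24.30",
+"first_switched": "2017-11-13T14:33:53.000Z",
+"flowset_id": 257,
+"l4_src_port": 39702,
+"fw_event": 5,
+"version": 9,
+"flow_seq_num": 207392627,
+"ipv4_src_addr": "10.32.105.103",
+"in_bytes": 111,
+"protocol": 6,
+"tcp_flags": 26,
+"input_snmp": 24,
+"last_switched": "2017-11-13T14:39:32.000Z",
+"user_id": "",
+"conn_id": 415347,
+"privateEnterpriseNumber": 25461,
+"l4_dst_port": 443,
+"app_id": "ssl",
+"direction": 0
+},
+"@version": "1",
+"@timestamp": "2017-11-13T14:39:31.000Z"
+}
+END
+events.map{|event| event.gsub(/\s+/, "")}
+end
+
+it "should decode raw data" do
+expect(decode.size).to eq(8)
+expect(decode[7].get("[netflow][app_id]")).to eq("incomplete")
+end
+
+it "should serialize to json" do
+expect(JSON.parse(decode[1].to_json)).to eq(JSON.parse(json_events[0]))
+end
+end
+
+
 context "IPFIX Barracuda firewall" do
 let(:data) do
 packets = []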
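Review bot: Nothing in the added `context "Netflow 9 Palo Alto PAN-OS with app-id"` decodes from more than one thread, so the mutex-guarded template path this release adds to netflow.rb is exercised only by the manual netflow_stress.py script. An example that feeds `netflow9_test_paloalto_panos_tpl.dat` and the data packet to one codec instance from several threads and expects no exception would keep that fix from regressing. Separately, `"should decode raw data"` pins only `decode.size` and the `app_id` of `decode[7]`, and the JSON comparison covers `decode[1]` alone. The rest of netflow_spec.rb is outside the hunk, so a concurrency example may already exist there.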
@@ -0,0 +1,30 @@
|
|
1
|
+
import socket
|
2
|
+
import sys
|
3
|
+
import time
|
4
|
+
import random
|
5
|
+
|
6
|
+
## Standalone Netflow v9 stressor
|
7
|
+
## Used to reproduce issue 91 https://github.com/logstash-plugins/logstash-codec-netflow/issues/91
|
8
|
+
|
9
|
+
host = 'host02'
|
10
|
+
port = 2055
|
11
|
+
|
12
|
+
tpl = '\x00\t\x00\x01e\x9c\xc0_XF\x8eU\x01u\xc7\x03\x00\x00\x08\x81\x00\x00\x00d\x01\x04\x00\x17\x00\x02\x00\x04\x00\x01\x00\x04\x00\x08\x00\x04\x00\x0c\x00\x04\x00\n\x00\x04\x00\x0e\x00\x04\x00\x15\x00\x04\x00\x16\x00\x04\x00\x07\x00\x02\x00\x0b\x00\x02\x00\x10\x00\x04\x00\x11\x00\x04\x00\x12\x00\x04\x00\t\x00\x01\x00\r\x00\x01\x00\x04\x00\x01\x00\x06\x00\x01\x00\x05\x00\x01\x00=\x00\x01\x00Y\x00\x01\x000\x00\x02\x00\xea\x00\x04\x00\xeb\x00\x04'
|
13
|
+
|
14
|
+
# 21 flows:
|
15
|
+
data = '\x00\t\x00\x15e\x9c\xbcqXF\x8eT\x01u\xc6\xa1\x00\x00\x08\x81\x01\x04\x05\\\x00\x00\x00\x01\x00\x00\x00(\n\x00\t\x92\n\x00\x1fQ\x00\x00\x00n\x00\x00\x00\x9ee\x9cG\x05e\x9cG\x05\xd3\x01\x01\xbb\x00\x00\x00\x00\x00\x00\xfb\xf0\n\x00\x0e!\x10\x14\x06\x10\x00\x01@\x00\x01`\x00\x00\x00`\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00h\n\x00\x11*\n\x00#\x04\x00\x00\x00W\x00\x00\x00\x9ee\x9cI\x88e\x9cG\x07\x8e\x84\x01\xbb\x00\x00\x00\x00\x00\x00\xfb\xf0\n\x00\x0e!\x15\x10\x06\x10\x00\x01@\x00\x01`\x00\x00\x00`\x00\x00\x00\x00\x00\x00\x01\x00\x00\x004\n\x00\x16o\n\x00"\x8d\x00\x00\x00h\x00\x00\x00\x9ee\x9cG\ne\x9cG\nA\xae\x01\xbb\x00\x00\x00\x00\x00\x00\xfb\xf0\n\x00\x0e!\x18\x10\x06\x11\x00\x01@\x00\x01`\x00\x00\x00`\x00\x00\x00\x00\x00\x00\x01\x00\x00\x01\xb3\n\x00\x17;\n\x00$\xaa\x00\x00\x00V\x00\x00\x00\x9ee\x9cG\x0ce\x9cG\x0c\x005\xfd,\x00\x00\x00\x00\x00\x00\xfb\xf1\n\x00\x0e\x1f\x19\x13\x11\x00\x00\x01@\x00\x01`\x00\x00\x00`\x00\x00\x00\x00\x00\x00\x01\x00\x00\x03\xc9\n\x00"G\n\x00\x14\xf2\x00\x00\x00\x9e\x00\x00\x00je\x9cG\re\x9cG\r\x01\xbb\x07\xdd\x00\x00\xfb\xf0\x00\x00\xff\xa2\n\x00\x12\x05\x10\x15\x06\x18\x00\x00@\x00\x01`\x00\x00\x00`\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00h\n\x00\n\x85\n\x00\x1ef\x00\x00\x00n\x00\x00\x00\x9ee\x9cG\re\x9cF\xba\x89\xc9\x00P\x00\x00\x00\x00\x00\x00\xfb\xf0\n\x00\x0e!\x10\x10\x06\x10\x00\x01@\x00\x01`\x00\x00\x00`\x00\x00\x00\x00\x00\x00\x01\x00\x00\x004\n\x00%\x1d\n\x00\x06\x18\x00\x00\x00f\x00\x00\x00\xa2e\x9cG\x10e\x9cG\x10\x00P\xdd\xc3\x00\x00;\x1d\x00\x00\xff\x97\n\x00\x00\xf2\x18\x10\x06\x10 \x00@\x00\x01`\x00\x00\x00`\x00\x00\x00\x00\x00\x00\x01\x00\x00\x02f\n\x00 
\xb0\n\x00\x0bq\x00\x00\x00\x9e\x00\x00\x00.e\x9cG\x10e\x9cG\x10\x01\xbb\xdd\xfe\x00\x00\xfb\xf0\x00\x00\xff\x98\n\x00\x12i\x14\x10\x06\x18\x00\x00@\x00\x01`\x00\x00\x00`\x00\x00\x00\x00\x00\x00\x03\x00\x00\x10\xfe\n\x00\x0c\x15\n\x00\x0f&\x00\x00\x00W\x00\x00\x00\x9ee\x9cG\x11e\x9c1\xe7\x01\xbb\x9c\x8e\x00\x00\x80\xa6\x00\x00\xfb\xf2\n\x00\x0e\x1b\x18\x18\x06\x10\x00\x01@\x00\x01`\x00\x00\x00`\x00\x00\x00\x00\x00\x00\x02\x00\x00\x02\x15\n\x00\x04\xd4\n\x00\x03n\x00\x00\x00\xa2\x00\x00\x00fe\x9cT\x07e\x9cG\x12\xc6\x03\x01\xbb\x00\x00\xff\x97\x00\x00\x00F\n\x00\x10e\x10\x11\x06\x18\x00\x01@\x00\x01`\x00\x00\x00`\x00\x00\x00\x00\x00\x01E\x00\x005\\\n\x00!z\n\x00\x01\x88\x00\x00\x00\x9e\x00\x00\x00he\x9co\xd0e\x9c"\x1a\xe5\xbe\x00P\x00\x00\xfb\xf1\x00\x00\x00\x00\x00\x00\x00\x00\x15\x1b\x06\x10\x00\x00@\x00\x01`\x00\x00\x00`\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00Y\n\x00\x14\xf2\n\x00"G\x00\x00\x00j\x00\x00\x00\x9ee\x9cG\x14e\x9cG\x14\x07\xdd\x01\xbb\x00\x00\xff\xa2\x00\x00\xfb\xf0\n\x00\x0e!\x15\x10\x06\x18`\x01@\x00\x01`\x00\x00\x00`\x00\x00\x00\x00\x00\x00\x01\x00\x00\x03A\n\x00\r\x19\n\x00\x0f&\x00\x00\x00W\x00\x00\x00\x9ee\x9cG\x16e\x9cG\x16\x01\xbb\xc9\xa5\x00\x00\x80\xa6\x00\x00\xfb\xf2\n\x00\x0e\x1b\x18\x18\x06\x18\x00\x01@\x00\x01`\x00\x00\x00`\x00\x00\x00\x00\x00\x00\x02\x00\x00\x06Y\n\x00\x19;\n\x00\x02\x12\x00\x00\x00\x9e\x00\x00\x00ne\x9cG\x18e\x9cF\xbf\x01\xbb\xf4\x00\x00\x00\xfb\xf0\x00\x00\xff\x9d\n\x00\x12~\x10\x10\x06\x18\x00\x00@\x00\x01`\x00\x00\x00`\x00\x00\x00\x00\x00\x00a\x00\x02+h\n\x00\x07I\n\x00\x1b\xa8\x00\x00\x00V\x00\x00\x00\x9ee\x9cu\xabe\x9c1\xfe\xeb\x98\x01\xd1\x00\x00\xff\x9c\x00\x00\xfb\xf0\n\x00\x0e!\x10\x10\x06\x18\x00\x01@\x00\x01`\x00\x00\x00`\x00\x00\x00\x00\x00\x00:\x00\x00\x0b\xc8\n\x00\x132\n\x00\x1b\xa9\x00\x00\x00j\x00\x00\x00\x9ee\x9cO\xcbe\x9cE:\x86\x94\x03\xe3\x00\x00\xff\xb7\x00\x00\xfb\xf0\n\x00\x0e!\x12\x10\x06\x10\x00\x01@\x00\x01`\x00\x00\x00`\x00\x00\x00\x00\x00\x00\x15\x00\x00{\x0c\n\x00\x1c\x96\n\x00\x18\r\x00\x00\
x00\x9e\x00\x00\x00he\x9cHYe\x9cF\xf0\x01\xbb\xc2\xfd\x00\x00\xfb\xf0\x00\x00\x00\x00\x00\x00\x00\x00\x10\x19\x06\x10\x00\x00@\x00\x01`\x00\x00\x00`\x00\x00\x00\x00\x00\x00\x03\x00\x00\x0bg\n\x00\x1a\xbc\n\x00\x15\xc8\x00\x00\x00\x9e\x00\x00\x00We\x9cGfe\x9cE\xec\x03\xe1\xc4N\x00\x00\xfb\xf0\x00\x00\x00\x00\x00\x00\x00\x00\x10\x19\x06\x18\x00\x00@\x00\x01`\x00\x00\x00`\x00\x00\x00\x00\x00\x00\x05\x00\x00\x11\xa2\n\x00\x1d"\n\x00\x0f&\x00\x00\x00K\x00\x00\x00\x9ee\x9cm`e\x9cA\xfe\x01\xbb\x8c\x8f\x00\x00;A\x00\x00\xfb\xf2\n\x00\x0e\x1b\x18\x18\x06\x18\x00\x01@\x00\x01`\x00\x00\x00`\x00\x00\x00\x00\x00\x00\x01\x00\x00\x01F\n\x00\x08\xc8\n\x00\x05\xe0\x00\x00\x00f\x00\x00\x00\xa2e\x9cG\x1de\x9cG\x1dZX\xc9\xd7\x00\x00\x03\x15\x00\x00\xff\x97\n\x00\x00\xf2\x10\x10\x06\x18\x00\x00@\x00\x01`\x00\x00\x00`\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00p\n\x00\x1d.\n\x00\x0f&\x00\x00\x00K\x00\x00\x00\x9ee\x9cG\x1de\x9c@\xea\x01\xbb\xcc\x8c\x00\x00;A\x00\x00\xfb\xf2\n\x00\x0e\x1b\x18\x18\x06\x12\x00\x01@\x00\x01`\x00\x00\x00`\x00\x00\x00\x00\x00\x00'
|
16
|
+
|
17
|
+
|
18
|
+
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
|
19
|
+
|
20
|
+
print("NETFLOW v9: sending 1 template 1 data packet in an infinite loop")
|
21
|
+
|
22
|
+
duration = 0.0
|
23
|
+
while True:
|
24
|
+
for i in range(0,400):
|
25
|
+
sock.sendto(tpl, (host, port))
|
26
|
+
sock.sendto(data, (host, port))
|
27
|
+
sys.stdout.write('.')
|
28
|
+
sys.stdout.flush()
|
29
|
+
time.sleep(random.random())
|
30
|
+
print
|
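Review bot: `tpl` and `data` are `str` literals passed straight to `sock.sendto`, which raises `TypeError` on Python 3 because a bytes-like object is required; writing them as `tpl = b'...'` and `data = b'...'` works on both Python 2 and 3. The target is fixed at `host = 'host02'` and the outer `while True:` has no exit, so the script sends until it is killed; taking the collector from the command line (`host = sys.argv[1]`) and bounding the number of rounds would make it harder to leave it pointed at a shared collector by accident. `duration` is assigned but never read, and the final bare `print` is a no-op expression on Python 3.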
metadata
CHANGED
@@ -1,16 +1,17 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: logstash-codec-netflow
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 3.8.
|
4
|
+
version: 3.8.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Elastic
|
8
|
-
autorequire:
|
8
|
+
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2017-11-
|
11
|
+
date: 2017-11-19 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
|
+
name: logstash-core-plugin-api
|
14
15
|
requirement: !ruby/object:Gem::Requirement
|
15
16
|
requirements:
|
16
17
|
- - '>='
|
@@ -19,9 +20,8 @@ dependencies:
|
|
19
20
|
- - <=
|
20
21
|
- !ruby/object:Gem::Version
|
21
22
|
version: '2.99'
|
22
|
-
name: logstash-core-plugin-api
|
23
|
-
prerelease: false
|
24
23
|
type: :runtime
|
24
|
+
prerelease: false
|
25
25
|
version_requirements: !ruby/object:Gem::Requirement
|
26
26
|
requirements:
|
27
27
|
- - '>='
|
@@ -31,86 +31,81 @@ dependencies:
|
|
31
31
|
- !ruby/object:Gem::Version
|
32
32
|
version: '2.99'
|
33
33
|
- !ruby/object:Gem::Dependency
|
34
|
+
name: bindata
|
34
35
|
requirement: !ruby/object:Gem::Requirement
|
35
36
|
requirements:
|
36
37
|
- - '>='
|
37
38
|
- !ruby/object:Gem::Version
|
38
39
|
version: 1.5.0
|
39
|
-
name: bindata
|
40
|
-
prerelease: false
|
41
40
|
type: :runtime
|
41
|
+
prerelease: false
|
42
42
|
version_requirements: !ruby/object:Gem::Requirement
|
43
43
|
requirements:
|
44
44
|
- - '>='
|
45
45
|
- !ruby/object:Gem::Version
|
46
46
|
version: 1.5.0
|
47
47
|
- !ruby/object:Gem::Dependency
|
48
|
+
name: logstash-devutils
|
48
49
|
requirement: !ruby/object:Gem::Requirement
|
49
50
|
requirements:
|
50
51
|
- - '>='
|
51
52
|
- !ruby/object:Gem::Version
|
52
53
|
version: 1.0.0
|
53
|
-
name: logstash-devutils
|
54
|
-
prerelease: false
|
55
54
|
type: :development
|
55
|
+
prerelease: false
|
56
56
|
version_requirements: !ruby/object:Gem::Requirement
|
57
57
|
requirements:
|
58
58
|
- - '>='
|
59
59
|
- !ruby/object:Gem::Version
|
60
60
|
version: 1.0.0
|
61
|
-
description: This gem is a Logstash plugin required to be installed on top of the
|
61
|
+
description: This gem is a Logstash plugin required to be installed on top of the
|
62
|
+
Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This
|
63
|
+
gem is not a stand-alone program
|
62
64
|
email: info@elastic.co
|
63
65
|
executables: []
|
64
66
|
extensions: []
|
65
67
|
extra_rdoc_files: []
|
66
68
|
files:
|
67
|
-
- CHANGELOG.md
|
68
|
-
- CONTRIBUTORS
|
69
|
-
- Gemfile
|
70
|
-
- LICENSE
|
71
|
-
- NOTICE.TXT
|
72
|
-
- README.md
|
73
|
-
- RFC_COMPLIANCE_IPFIX.md
|
74
|
-
- RFC_COMPLIANCE_NETFLOW_v9.md
|
75
|
-
- docs/index.asciidoc
|
76
|
-
- lib/logstash/codecs/netflow.rb
|
77
69
|
- lib/logstash/codecs/netflow/iana2yaml.rb
|
78
70
|
- lib/logstash/codecs/netflow/ipfix.yaml
|
79
71
|
- lib/logstash/codecs/netflow/netflow.yaml
|
80
72
|
- lib/logstash/codecs/netflow/util.rb
|
81
|
-
- logstash
|
73
|
+
- lib/logstash/codecs/netflow.rb
|
82
74
|
- spec/codecs/ipfix.dat
|
83
|
-
- spec/codecs/ipfix_test_barracuda_data256.dat
|
84
|
-
- spec/codecs/ipfix_test_barracuda_tpl.dat
|
85
|
-
- spec/codecs/ipfix_test_mikrotik_data258.dat
|
86
|
-
- spec/codecs/ipfix_test_mikrotik_data259.dat
|
87
|
-
- spec/codecs/ipfix_test_mikrotik_tpl.dat
|
88
|
-
- spec/codecs/ipfix_test_netscaler_data.dat
|
89
|
-
- spec/codecs/ipfix_test_netscaler_tpl.dat
|
90
75
|
- spec/codecs/ipfix_test_openbsd_pflow_data.dat
|
91
76
|
- spec/codecs/ipfix_test_openbsd_pflow_tpl.dat
|
92
|
-
- spec/codecs/ipfix_test_vmware_vds_data264.dat
|
93
|
-
- spec/codecs/ipfix_test_vmware_vds_data266.dat
|
94
|
-
- spec/codecs/ipfix_test_vmware_vds_data266_267.dat
|
95
|
-
- spec/codecs/ipfix_test_vmware_vds_tpl.dat
|
96
|
-
- spec/codecs/ipfix_test_yaf_data45841.dat
|
97
|
-
- spec/codecs/ipfix_test_yaf_data45873.dat
|
98
|
-
- spec/codecs/ipfix_test_yaf_data53248.dat
|
99
|
-
- spec/codecs/ipfix_test_yaf_tpl45841.dat
|
100
|
-
- spec/codecs/ipfix_test_yaf_tpls_option_tpl.dat
|
101
77
|
- spec/codecs/netflow5.dat
|
102
78
|
- spec/codecs/netflow5_test_invalid01.dat
|
103
79
|
- spec/codecs/netflow5_test_invalid02.dat
|
104
80
|
- spec/codecs/netflow5_test_juniper_mx80.dat
|
105
81
|
- spec/codecs/netflow5_test_microtik.dat
|
106
|
-
- spec/codecs/netflow9_cisco_asr1001x_tpl259.dat
|
107
|
-
- spec/codecs/netflow9_test_0length_fields_tpl_data.dat
|
108
|
-
- spec/codecs/netflow9_test_cisco_1941K9.dat
|
109
82
|
- spec/codecs/netflow9_test_cisco_asa_1_data.dat
|
110
83
|
- spec/codecs/netflow9_test_cisco_asa_1_tpl.dat
|
111
84
|
- spec/codecs/netflow9_test_cisco_asa_2_data.dat
|
112
85
|
- spec/codecs/netflow9_test_cisco_asa_2_tpl_26x.dat
|
113
86
|
- spec/codecs/netflow9_test_cisco_asa_2_tpl_27x.dat
|
87
|
+
- spec/codecs/netflow9_test_invalid01.dat
|
88
|
+
- spec/codecs/netflow9_test_macaddr_data.dat
|
89
|
+
- spec/codecs/netflow9_test_macaddr_tpl.dat
|
90
|
+
- spec/codecs/netflow9_test_nprobe_data.dat
|
91
|
+
- spec/codecs/netflow9_test_nprobe_tpl.dat
|
92
|
+
- spec/codecs/netflow9_test_softflowd_tpl_data.dat
|
93
|
+
- spec/codecs/netflow9_test_valid01.dat
|
94
|
+
- spec/codecs/netflow9_test_ubnt_edgerouter_tpl.dat
|
95
|
+
- spec/codecs/netflow9_test_ubnt_edgerouter_data1024.dat
|
96
|
+
- spec/codecs/netflow9_test_ubnt_edgerouter_data1025.dat
|
97
|
+
- spec/codecs/ipfix_test_netscaler_data.dat
|
98
|
+
- spec/codecs/ipfix_test_netscaler_tpl.dat
|
99
|
+
- spec/codecs/ipfix_test_vmware_vds_data264.dat
|
100
|
+
- spec/codecs/ipfix_test_vmware_vds_data266.dat
|
101
|
+
- spec/codecs/ipfix_test_vmware_vds_data266_267.dat
|
102
|
+
- spec/codecs/ipfix_test_vmware_vds_tpl.dat
|
103
|
+
- spec/codecs/ipfix_test_barracuda_data256.dat
|
104
|
+
- spec/codecs/ipfix_test_barracuda_tpl.dat
|
105
|
+
- spec/codecs/ipfix_test_mikrotik_data258.dat
|
106
|
+
- spec/codecs/ipfix_test_mikrotik_data259.dat
|
107
|
+
- spec/codecs/ipfix_test_mikrotik_tpl.dat
|
108
|
+
- spec/codecs/netflow9_test_0length_fields_tpl_data.dat
|
114
109
|
- spec/codecs/netflow9_test_cisco_asr9k_data256.dat
|
115
110
|
- spec/codecs/netflow9_test_cisco_asr9k_data260.dat
|
116
111
|
- spec/codecs/netflow9_test_cisco_asr9k_opttpl256.dat
|
@@ -121,34 +116,44 @@ files:
|
|
121
116
|
- spec/codecs/netflow9_test_cisco_nbar_data262.dat
|
122
117
|
- spec/codecs/netflow9_test_cisco_nbar_opttpl260.dat
|
123
118
|
- spec/codecs/netflow9_test_cisco_nbar_tpl262.dat
|
124
|
-
- spec/codecs/netflow9_test_cisco_wlc_8510_tpl_262.dat
|
125
119
|
- spec/codecs/netflow9_test_cisco_wlc_data261.dat
|
126
120
|
- spec/codecs/netflow9_test_cisco_wlc_tpl.dat
|
127
121
|
- spec/codecs/netflow9_test_fortigate_fortios_521_data256.dat
|
128
122
|
- spec/codecs/netflow9_test_fortigate_fortios_521_data257.dat
|
129
123
|
- spec/codecs/netflow9_test_fortigate_fortios_521_tpl.dat
|
130
|
-
- spec/codecs/netflow9_test_invalid01.dat
|
131
124
|
- spec/codecs/netflow9_test_juniper_srx_tplopt.dat
|
132
|
-
- spec/codecs/netflow9_test_macaddr_data.dat
|
133
|
-
- spec/codecs/netflow9_test_macaddr_tpl.dat
|
134
|
-
- spec/codecs/netflow9_test_nprobe_data.dat
|
135
125
|
- spec/codecs/netflow9_test_nprobe_dpi.dat
|
136
|
-
- spec/codecs/netflow9_test_nprobe_tpl.dat
|
137
|
-
- spec/codecs/netflow9_test_softflowd_tpl_data.dat
|
138
126
|
- spec/codecs/netflow9_test_streamcore_tpl_data256.dat
|
139
127
|
- spec/codecs/netflow9_test_streamcore_tpl_data260.dat
|
140
|
-
- spec/codecs/
|
141
|
-
- spec/codecs/
|
142
|
-
- spec/codecs/
|
143
|
-
- spec/codecs/
|
128
|
+
- spec/codecs/ipfix_test_yaf_data45841.dat
|
129
|
+
- spec/codecs/ipfix_test_yaf_data45873.dat
|
130
|
+
- spec/codecs/ipfix_test_yaf_data53248.dat
|
131
|
+
- spec/codecs/ipfix_test_yaf_tpl45841.dat
|
132
|
+
- spec/codecs/ipfix_test_yaf_tpls_option_tpl.dat
|
133
|
+
- spec/codecs/netflow9_cisco_asr1001x_tpl259.dat
|
134
|
+
- spec/codecs/netflow9_test_cisco_1941K9.dat
|
135
|
+
- spec/codecs/netflow9_test_cisco_wlc_8510_tpl_262.dat
|
136
|
+
- spec/codecs/netflow9_test_paloalto_panos_data.dat
|
137
|
+
- spec/codecs/netflow9_test_paloalto_panos_tpl.dat
|
144
138
|
- spec/codecs/netflow_spec.rb
|
139
|
+
- spec/codecs/netflow_stress.py
|
140
|
+
- logstash-codec-netflow.gemspec
|
141
|
+
- RFC_COMPLIANCE_NETFLOW_v9.md
|
142
|
+
- README.md
|
143
|
+
- RFC_COMPLIANCE_IPFIX.md
|
144
|
+
- CHANGELOG.md
|
145
|
+
- CONTRIBUTORS
|
146
|
+
- Gemfile
|
147
|
+
- LICENSE
|
148
|
+
- NOTICE.TXT
|
149
|
+
- docs/index.asciidoc
|
145
150
|
homepage: http://www.elastic.co/guide/en/logstash/current/index.html
|
146
151
|
licenses:
|
147
152
|
- Apache License (2.0)
|
148
153
|
metadata:
|
149
154
|
logstash_plugin: 'true'
|
150
155
|
logstash_group: codec
|
151
|
-
post_install_message:
|
156
|
+
post_install_message:
|
152
157
|
rdoc_options: []
|
153
158
|
require_paths:
|
154
159
|
- lib
|
@@ -163,44 +168,47 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
163
168
|
- !ruby/object:Gem::Version
|
164
169
|
version: '0'
|
165
170
|
requirements: []
|
166
|
-
rubyforge_project:
|
167
|
-
rubygems_version: 2.
|
168
|
-
signing_key:
|
171
|
+
rubyforge_project:
|
172
|
+
rubygems_version: 2.0.14.1
|
173
|
+
signing_key:
|
169
174
|
specification_version: 4
|
170
175
|
summary: Reads Netflow v5 and Netflow v9 data
|
171
176
|
test_files:
|
172
177
|
- spec/codecs/ipfix.dat
|
173
|
-
- spec/codecs/ipfix_test_barracuda_data256.dat
|
174
|
-
- spec/codecs/ipfix_test_barracuda_tpl.dat
|
175
|
-
- spec/codecs/ipfix_test_mikrotik_data258.dat
|
176
|
-
- spec/codecs/ipfix_test_mikrotik_data259.dat
|
177
|
-
- spec/codecs/ipfix_test_mikrotik_tpl.dat
|
178
|
-
- spec/codecs/ipfix_test_netscaler_data.dat
|
179
|
-
- spec/codecs/ipfix_test_netscaler_tpl.dat
|
180
178
|
- spec/codecs/ipfix_test_openbsd_pflow_data.dat
|
181
179
|
- spec/codecs/ipfix_test_openbsd_pflow_tpl.dat
|
182
|
-
- spec/codecs/ipfix_test_vmware_vds_data264.dat
|
183
|
-
- spec/codecs/ipfix_test_vmware_vds_data266.dat
|
184
|
-
- spec/codecs/ipfix_test_vmware_vds_data266_267.dat
|
185
|
-
- spec/codecs/ipfix_test_vmware_vds_tpl.dat
|
186
|
-
- spec/codecs/ipfix_test_yaf_data45841.dat
|
187
|
-
- spec/codecs/ipfix_test_yaf_data45873.dat
|
188
|
-
- spec/codecs/ipfix_test_yaf_data53248.dat
|
189
|
-
- spec/codecs/ipfix_test_yaf_tpl45841.dat
|
190
|
-
- spec/codecs/ipfix_test_yaf_tpls_option_tpl.dat
|
191
180
|
- spec/codecs/netflow5.dat
|
192
181
|
- spec/codecs/netflow5_test_invalid01.dat
|
193
182
|
- spec/codecs/netflow5_test_invalid02.dat
|
194
183
|
- spec/codecs/netflow5_test_juniper_mx80.dat
|
195
184
|
- spec/codecs/netflow5_test_microtik.dat
|
196
|
-
- spec/codecs/netflow9_cisco_asr1001x_tpl259.dat
|
197
|
-
- spec/codecs/netflow9_test_0length_fields_tpl_data.dat
|
198
|
-
- spec/codecs/netflow9_test_cisco_1941K9.dat
|
199
185
|
- spec/codecs/netflow9_test_cisco_asa_1_data.dat
|
200
186
|
- spec/codecs/netflow9_test_cisco_asa_1_tpl.dat
|
201
187
|
- spec/codecs/netflow9_test_cisco_asa_2_data.dat
|
202
188
|
- spec/codecs/netflow9_test_cisco_asa_2_tpl_26x.dat
|
203
189
|
- spec/codecs/netflow9_test_cisco_asa_2_tpl_27x.dat
|
190
|
+
- spec/codecs/netflow9_test_invalid01.dat
|
191
|
+
- spec/codecs/netflow9_test_macaddr_data.dat
|
192
|
+
- spec/codecs/netflow9_test_macaddr_tpl.dat
|
193
|
+
- spec/codecs/netflow9_test_nprobe_data.dat
|
194
|
+
- spec/codecs/netflow9_test_nprobe_tpl.dat
|
195
|
+
- spec/codecs/netflow9_test_softflowd_tpl_data.dat
|
196
|
+
- spec/codecs/netflow9_test_valid01.dat
|
197
|
+
- spec/codecs/netflow9_test_ubnt_edgerouter_tpl.dat
|
198
|
+
- spec/codecs/netflow9_test_ubnt_edgerouter_data1024.dat
|
199
|
+
- spec/codecs/netflow9_test_ubnt_edgerouter_data1025.dat
|
200
|
+
- spec/codecs/ipfix_test_netscaler_data.dat
|
201
|
+
- spec/codecs/ipfix_test_netscaler_tpl.dat
|
202
|
+
- spec/codecs/ipfix_test_vmware_vds_data264.dat
|
203
|
+
- spec/codecs/ipfix_test_vmware_vds_data266.dat
|
204
|
+
- spec/codecs/ipfix_test_vmware_vds_data266_267.dat
|
205
|
+
- spec/codecs/ipfix_test_vmware_vds_tpl.dat
|
206
|
+
- spec/codecs/ipfix_test_barracuda_data256.dat
|
207
|
+
- spec/codecs/ipfix_test_barracuda_tpl.dat
|
208
|
+
- spec/codecs/ipfix_test_mikrotik_data258.dat
|
209
|
+
- spec/codecs/ipfix_test_mikrotik_data259.dat
|
210
|
+
- spec/codecs/ipfix_test_mikrotik_tpl.dat
|
211
|
+
- spec/codecs/netflow9_test_0length_fields_tpl_data.dat
|
204
212
|
- spec/codecs/netflow9_test_cisco_asr9k_data256.dat
|
205
213
|
- spec/codecs/netflow9_test_cisco_asr9k_data260.dat
|
206
214
|
- spec/codecs/netflow9_test_cisco_asr9k_opttpl256.dat
|
@@ -211,24 +219,24 @@ test_files:
|
|
211
219
|
- spec/codecs/netflow9_test_cisco_nbar_data262.dat
|
212
220
|
- spec/codecs/netflow9_test_cisco_nbar_opttpl260.dat
|
213
221
|
- spec/codecs/netflow9_test_cisco_nbar_tpl262.dat
|
214
|
-
- spec/codecs/netflow9_test_cisco_wlc_8510_tpl_262.dat
|
215
222
|
- spec/codecs/netflow9_test_cisco_wlc_data261.dat
|
216
223
|
- spec/codecs/netflow9_test_cisco_wlc_tpl.dat
|
217
224
|
- spec/codecs/netflow9_test_fortigate_fortios_521_data256.dat
|
218
225
|
- spec/codecs/netflow9_test_fortigate_fortios_521_data257.dat
|
219
226
|
- spec/codecs/netflow9_test_fortigate_fortios_521_tpl.dat
|
220
|
-
- spec/codecs/netflow9_test_invalid01.dat
|
221
227
|
- spec/codecs/netflow9_test_juniper_srx_tplopt.dat
|
222
|
-
- spec/codecs/netflow9_test_macaddr_data.dat
|
223
|
-
- spec/codecs/netflow9_test_macaddr_tpl.dat
|
224
|
-
- spec/codecs/netflow9_test_nprobe_data.dat
|
225
228
|
- spec/codecs/netflow9_test_nprobe_dpi.dat
|
226
|
-
- spec/codecs/netflow9_test_nprobe_tpl.dat
|
227
|
-
- spec/codecs/netflow9_test_softflowd_tpl_data.dat
|
228
229
|
- spec/codecs/netflow9_test_streamcore_tpl_data256.dat
|
229
230
|
- spec/codecs/netflow9_test_streamcore_tpl_data260.dat
|
230
|
-
- spec/codecs/
|
231
|
-
- spec/codecs/
|
232
|
-
- spec/codecs/
|
233
|
-
- spec/codecs/
|
231
|
+
- spec/codecs/ipfix_test_yaf_data45841.dat
|
232
|
+
- spec/codecs/ipfix_test_yaf_data45873.dat
|
233
|
+
- spec/codecs/ipfix_test_yaf_data53248.dat
|
234
|
+
- spec/codecs/ipfix_test_yaf_tpl45841.dat
|
235
|
+
- spec/codecs/ipfix_test_yaf_tpls_option_tpl.dat
|
236
|
+
- spec/codecs/netflow9_cisco_asr1001x_tpl259.dat
|
237
|
+
- spec/codecs/netflow9_test_cisco_1941K9.dat
|
238
|
+
- spec/codecs/netflow9_test_cisco_wlc_8510_tpl_262.dat
|
239
|
+
- spec/codecs/netflow9_test_paloalto_panos_data.dat
|
240
|
+
- spec/codecs/netflow9_test_paloalto_panos_tpl.dat
|
234
241
|
- spec/codecs/netflow_spec.rb
|
242
|
+
- spec/codecs/netflow_stress.py
|