logstash-codec-netflow 4.1.0 → 4.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 07fee1cda04c3df1a3d1d2cb41fe75d6d4e10846
-  data.tar.gz: 2dffcb11a2b8655606f14ffdd1994fb743f9e6de
+  metadata.gz: 05072723b2f9f9f78b2fb55268ddca4e189e641f
+  data.tar.gz: 0316e6c3a82fd2ac4355ef1cd7ede8a73b2b2e28
 SHA512:
-  metadata.gz: f8aa23631113354571dd439f42fa626199a965c4b87d92a98dd7cb2c0e82c7bc86ea379bd5eaab1c1f4adecb6df53dcd2aa3c951d8499abd6b418354acbf0791
-  data.tar.gz: 7b2dcdd89fd40653fc543c12f0b40bf6119b3a219cbb650f879a0dcda8abac5096b6d3f24192e2b2ceb9836b7b6056562eae4a02e10becd5b3d5f320e5d78bc2
+  metadata.gz: 145c03e3407507b71affae3b337b0afe489e474816c33836d6d0df632ac7b840418257aa20d18df31621c2d9bd73b02bc7aa7d032191115bcf4a20e128754045
+  data.tar.gz: d8b4cb2f0305d9a5d0f07132c466125480a41518ba5925f29bf2401117abb27d58f51e7e49698da283db8c11c0667c4630eaece7fd01d1db37ce5d776b3ffb98

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 4.1.1
+
+  - Reduced complexity of creating, persisting, loading an retrieving template caches.
+
 ## 4.1.0
 
   - Added support for Netflow v9 devices with VarString fields (H3C Netstream)

data/CONTRIBUTORS

@@ -32,6 +32,7 @@ Contributors:
 * Raju Nair (rajutech76)
 * Richard Pijnenburg (electrical)
 * Rob Cowart (robcowart)
+* Ry Biesemeyer (yaauie)
 * Salvador Ferrer (salva-ferrer)
 * Vishal Solanki
 * Will Rigby (wrigby)

data/docs/index.asciidoc

@@ -30,30 +30,32 @@ This codec supports:
 * Netflow v9
 * IPFIX
 
-The following Netflow/IPFIX exporters are known to work with the most recent version of the netflow codec:
+The following Netflow/IPFIX exporters have been seen and tested with the most recent version of the Netflow Codec:
 
 [cols="6,^2,^2,^2,12",options="header"]
 |===========================================================================================
 |Netflow exporter         | v5 | v9 | IPFIX | Remarks
-|Barracuda Firewall       |    |    |   y   |
+|Barracuda Firewall       |    |    |   y   | With support for Extended Uniflow
 |Cisco ASA                |    | y  |       |  
-|Cisco ASR 1k             |    |    |   n   | Fails because of duplicate fields
+|Cisco ASR 1k             |    |    |   N   | Fails because of duplicate fields
 |Cisco ASR 9k             |    | y  |       |  
 |Cisco IOS 12.x           |    | y  |       |  
-|Cisco ISR w/ HSL         |    | n  |       | Fails because of duplicate fields, see: https://github.com/logstash-plugins/logstash-codec-netflow/issues/93
+|Cisco ISR w/ HSL         |    | N  |       | Fails because of duplicate fields, see: https://github.com/logstash-plugins/logstash-codec-netflow/issues/93
 |Cisco WLC                |    | y  |       |
 |Citrix Netscaler         |    |    |   y   | Still some unknown fields, labeled netscalerUnknown<id>
 |fprobe                   |  y |    |       |
 |Fortigate FortiOS        |    | y  |       |
 |Huawei Netstream         |    | y  |       |
 |ipt_NETFLOW              |  y | y  |   y   |
-|Juniper MX80             |  y |    |       | SW > 12.3R8
+|Juniper MX               |  y |    |   y   | SW > 12.3R8. Fails to decode IPFIX from Junos 16.1 due to duplicate field names which we currently don't support.
 |Mikrotik                 |  y |    |   y   | http://wiki.mikrotik.com/wiki/Manual:IP/Traffic_Flow
 |nProbe                   |  y | y  |   y   | L7 DPI fields now also supported
 |Nokia BRAS               |    |    |   y   |
-|OpenBSD pflow            |  y | n  |   y   | http://man.openbsd.org/OpenBSD-current/man4/pflow.4
+|OpenBSD pflow            |  y | N  |   y   | http://man.openbsd.org/OpenBSD-current/man4/pflow.4
+|Riverbed                 |    | N  |       | Not supported due to field ID conflicts. Workaround available in the definitions directory over at Elastiflow <https://github.com/robcowart/elastiflow>
 |Sandvine Procera PacketLogic| |    |   y   | v15.1
 |Softflowd                |  y | y  |   y   | IPFIX supported in https://github.com/djmdjm/softflowd
+|Sophos UTM               |    |    |   y   |
 |Streamcore Streamgroomer |    | y  |       |
 |Palo Alto PAN-OS         |    | y  |       |
 |Ubiquiti Edgerouter X    |    | y  |       | With MPLS labels

data/lib/logstash/codecs/netflow.rb

@@ -50,11 +50,8 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
   FLOWSET_ID = "flowset_id"
 
   def initialize(params = {})
-    @file_cache_mutex = Mutex.new
     super(params)
     @threadsafe = true
-    @decode_mutex_netflow = Mutex.new
-    @decode_mutex_ipfix = Mutex.new
   end
 
   def clone
@@ -63,8 +60,9 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
 
   def register
     require "logstash/codecs/netflow/util"
-    @netflow_templates = Vash.new()
-    @ipfix_templates = Vash.new()
+
+    @netflow_templates = TemplateRegistry.new(logger, @cache_ttl, @cache_save_path && "#{@cache_save_path}/netflow_templates.cache")
+    @ipfix_templates = TemplateRegistry.new(logger, @cache_ttl, @cache_save_path && "#{@cache_save_path}/ipfix_templates.cache")
 
     # Path to default Netflow v9 field definitions
     filename = ::File.expand_path('netflow/netflow.yaml', ::File.dirname(__FILE__))
@@ -73,32 +71,6 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
     # Path to default IPFIX field definitions
     filename = ::File.expand_path('netflow/ipfix.yaml', ::File.dirname(__FILE__))
     @ipfix_fields = load_definitions(filename, @ipfix_definitions)
-
-    if @cache_save_path
-      if @versions.include?(9)
-        cache_save_file_netflow = "#{@cache_save_path}/netflow_templates.cache"
-        if File.exists?(cache_save_file_netflow)
-          raise "#{self.class.name}: Template cache file #{cache_save_file_netflow} not writable" unless File.writable?(cache_save_file_netflow)
-          @netflow_templates_cache = load_templates_cache("#{@cache_save_path}/netflow_templates.cache")
-          @netflow_templates_cache.each{ |key, fields| @netflow_templates[key, @cache_ttl] = BinData::Struct.new(:endian => :big, :fields => fields) }
-        else
-          raise "#{self.class.name}: Template cache directory #{cache_save_path} not writable" unless File.writable?(cache_save_path)
-          @netflow_templates_cache = {}
-        end
-      end
-
-      if @versions.include?(10)
-        cache_save_file_ipfix = "#{@cache_save_path}/ipfix_templates.cache"
-        if File.exists?(cache_save_file_ipfix)
-          raise "#{self.class.name}: Template cache file #{cache_save_file_ipfix} not writable" unless File.writable?(cache_save_file_ipfix)
-          @ipfix_templates_cache = load_templates_cache("#{@cache_save_path}/ipfix_templates.cache")
-          @ipfix_templates_cache.each{ |key, fields| @ipfix_templates[key, @cache_ttl] = BinData::Struct.new(:endian => :big, :fields => fields) }
-        else
-          raise "#{self.class.name}: Template cache directory #{cache_save_path} not writable" unless File.writable?(cache_save_path)
-          @ipfix_templates_cache = {}
-        end
-      end
-    end
   end # def register
 
   def decode(payload, metadata = nil, &block)
@@ -228,19 +200,11 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
           else
             key = "#{flowset.source_id}|#{template.template_id}"
           end
-          # Prevent netflow_templates array from being concurrently modified
-          @decode_mutex_netflow.synchronize do
-            @netflow_templates[key, @cache_ttl] = BinData::Struct.new(:endian => :big, :fields => fields)
+          @netflow_templates.register(key, fields) do |bindata|
             @logger.debug("Received template #{template.template_id} with fields #{fields.inspect}")
-            @logger.debug("Received template #{template.template_id} of size #{template_length} bytes. Representing in #{@netflow_templates[key].num_bytes} BinData bytes")
-            if template_length != @netflow_templates[key].num_bytes
-              @logger.warn("Received template #{template.template_id} of size #{template_length} bytes doesn't match BinData representation we built (#{@netflow_templates[key].num_bytes} bytes)")
-            end
-            # Purge any expired templates
-            @netflow_templates.cleanup!
-            if @cache_save_path
-              @netflow_templates_cache[key] = fields
-              save_templates_cache(@netflow_templates_cache, "#{@cache_save_path}/netflow_templates.cache")
+            @logger.debug("Received template #{template.template_id} of size #{template_length} bytes. Representing in #{bindata.num_bytes} BinData bytes")
+            if template_length != bindata.num_bytes
+              @logger.warn("Received template #{template.template_id} of size #{template_length} bytes doesn't match BinData representation we built (#{bindata.num_bytes} bytes)")
             end
           end
         end
@@ -255,7 +219,7 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
         key = "#{flowset.source_id}|#{record.flowset_id}"
       end
 
-      template = @decode_mutex_netflow.synchronize { @netflow_templates[key] }
+      template = @netflow_templates.fetch(key)
 
       if !template
         @logger.warn("Can't (yet) decode flowset id #{record.flowset_id} from source id #{flowset.source_id}, because no template to decode it with has been received. This message will usually go away after 1 minute.")
@@ -338,23 +302,14 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
           end
           # FIXME Source IP address required in key
           key = "#{flowset.observation_domain_id}|#{template.template_id}"
-          # Prevent ipfix_templates array from being concurrently modified
-          @decode_mutex_ipfix.synchronize do
-            @ipfix_templates[key, @cache_ttl] = BinData::Struct.new(:endian => :big, :fields => fields)
-            # Purge any expired templates
-            @ipfix_templates.cleanup!
-            if @cache_save_path
-              @ipfix_templates_cache[key] = fields
-              save_templates_cache(@ipfix_templates_cache, "#{@cache_save_path}/ipfix_templates.cache")
-            end
-          end
+
+          @ipfix_templates.register(key, fields)
         end
       end
     when 256..65535
       # Data flowset
       key = "#{flowset.observation_domain_id}|#{record.flowset_id}"
-      
-      template = @decode_mutex_ipfix.synchronize { @ipfix_templates[key] }
+      template = @ipfix_templates.fetch(key)
 
       if !template
         @logger.warn("Can't (yet) decode flowset id #{record.flowset_id} from observation domain id #{flowset.observation_domain_id}, because no template to decode it with has been received. This message will usually go away after 1 minute.")
@@ -431,30 +386,6 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
     fields
   end
 
-  def load_templates_cache(file_path)
-    templates_cache = {}
-    begin
-      @logger.debug? and @logger.debug("Loading templates from template cache #{file_path}")
-      file_data = @file_cache_mutex.synchronize { File.read(file_path)}
-      templates_cache = JSON.parse(file_data)
-    rescue Exception => e
-      raise "#{self.class.name}: templates cache file could not be read @ (#{file_path}: #{e.class.name} #{e.message})"
-    end
-
-    templates_cache
-  end
-
-  def save_templates_cache(templates_cache, file_path)
-    begin
-      @logger.debug? and @logger.debug("Writing templates to template cache #{file_path}")
-      @file_cache_mutex.synchronize do
-        File.open(file_path, 'w') {|file| file.write templates_cache.to_json }
-      end
-    rescue Exception => e
-      raise "#{self.class.name}: saving templates cache file failed (#{file_path}) with error #{e}"
-    end
-  end
-
   def uint_field(length, default)
     # If length is 4, return :uint32, etc. and use default if length is 0
     ("uint" + (((length > 0) ? length : default) * 8).to_s).to_sym
@@ -599,4 +530,144 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
       @logger.warn("Definition should be an array", :field => field)
     end
   end
+
+  class TemplateRegistry
+    ##
+    # @param logger [Logger]
+    # @param ttl [Integer]
+    # @param file_path [String] (optional)
+    def initialize(logger, ttl, file_path=nil)
+      @logger = logger
+      @ttl = Integer(ttl)
+      @file_path = file_path
+
+      @mutex = Mutex.new
+
+      @bindata_struct_cache = Vash.new
+      @bindata_spec_cache = Vash.new
+
+      do_load unless file_path.nil?
+    end
+
+    ##
+    # Register a Template by name using an array of type/name tuples.
+    #
+    # @param key [String]: the key under which to save this template
+    # @param field_tuples [Array<Array<String>>]: an array of [type,name] tuples, e.g., ["uint32","fieldName"]
+    # @return [BinData::Struct]
+    #
+    # If a block is given, the template is yielded to the block _before_ being saved in the cache.
+    #
+    # @yieldparam [BinData::Struct]
+    # @yieldreturn [void]
+    # @yieldthrow :invalid_template : if the template is deemed invalid within the block, throwing this symbol causes
+    #                                the template to not be cached.
+    #
+    # @threadsafe
+    def register(key, field_tuples, &block)
+      @mutex.synchronize do
+        do_register(key, field_tuples, &block)
+      end
+    end
+
+    ##
+    # Fetch a Template by name
+    #
+    # @param key [String]
+    # @return [BinData::Struct]
+    #
+    # @threadsafe
+    def fetch(key)
+      @mutex.synchronize do
+        do_fetch(key)
+      end
+    end
+
+    ##
+    # Force persist, potentially cleaning up elements from the file-based cache that have already been evicted from
+    # the memory-based cache
+    def persist()
+      @mutex.synchronize do
+        do_persist
+      end
+    end
+
+    private
+    attr_reader :logger
+    attr_reader :file_path
+
+    ##
+    # @see `TemplateRegistry#register(String,Array<>)`
+    # @api private
+    def do_register(key, field_tuples)
+      template = BinData::Struct.new(:fields => field_tuples, :endian => :big)
+
+      catch(:invalid_template) do
+        yield(template) if block_given?
+
+        @bindata_spec_cache[key] = field_tuples
+        @bindata_struct_cache[key] = template
+
+        do_persist
+
+        template
+      end
+    end
+
+    ##
+    # @api private
+    def do_load
+      unless File.exists?(file_path)
+        logger.warn('Template Cache does not exist', :file_path => file_path)
+        return
+      end
+
+      logger.debug? and logger.debug('Loading templates from template cache', :file_path => file_path)
+      file_data = File.read(file_path)
+      templates_cache = JSON.parse(file_data)
+      templates_cache.each do |key, fields|
+        do_register(key, fields)
+      end
+
+      logger.warn('Template Cache not writable', file_path: file_path) unless File.writable?(file_path)
+    rescue => e
+      logger.error('Template Cache could not be loaded', :file_path => file_path, :exception => e.message)
+    end
+
+    ##
+    # @see `TemplateRegistry#persist`
+    # @api private
+    def do_persist
+      return if file_path.nil?
+
+      logger.debug? and logger.debug('Writing templates to template cache', :file_path => file_path)
+
+      fail('Template Cache not writable') if File.exists?(file_path) && !File.writable?(file_path)
+
+      do_cleanup!
+
+      templates_cache = @bindata_spec_cache
+
+      File.open(file_path, 'w') do |file|
+        file.write(templates_cache.to_json)
+      end
+    rescue Exception => e
+      logger.error('Template Cache could not be saved', :file_path => file_path, :exception => e.message)
+    end
+
+    ##
+    # @see `TemplateRegistry#cleanup`
+    # @api private
+    def do_cleanup!
+      @bindata_spec_cache.cleanup!
+      @bindata_struct_cache.cleanup!
+    end
+
+    ##
+    # @see `TemplateRegistry#fetch(String)`
+    # @api private
+    def do_fetch(key)
+      @bindata_struct_cache[key]
+    end
+  end
 end # class LogStash::Filters::Netflow

data/logstash-codec-netflow.gemspec

@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 
   s.name            = 'logstash-codec-netflow'
-  s.version         = '4.1.0'
+  s.version         = '4.1.1'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "Reads Netflow v5, Netflow v9 and IPFIX data"
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"

data/spec/codecs/benchmarks/flowStartMilliseconds.rb

@@ -0,0 +1,73 @@
+# encoding: utf-8
+require 'benchmark'
+require 'bindata'
+
+
+Benchmark.bm do |x|
+  x.report {
+    # Original IPFIX version, simplified
+    k = 'flowStartMilliseconds'
+    data = '1000'
+    v = BinData::String.new(:read_length => 4)
+    v.read(data)
+    2000000.times do
+       case k.to_s 
+       when /^flow(?:Start|End)Seconds$/ 
+         event = 'blah'
+       when /^flow(?:Start|End)(Milli|Micro|Nano)seconds$/ 
+         case $1 
+         when 'Milli' 
+           event = v.snapshot.to_f / 1_000
+         end 
+       end
+    end }
+
+  x.report {
+    # Verion that omits v.snapshot, simplified
+    k = 'flowStartMilliseconds'
+    data = '1000'
+    v = BinData::String.new(:read_length => 4)
+    v.read(data)
+    2000000.times do
+       case k.to_s 
+       when /^flow(?:Start|End)Seconds$/ 
+         event = 'blah'
+       when /^flow(?:Start|End)(Milli|Micro|Nano)seconds$/ 
+         case $1 
+         when 'Milli' 
+           event = data.to_f / 1_000
+         end 
+       end
+    end }
+
+  x.report {
+    # Original Netflow9 version, simplified
+    class MockFlowset < BinData::Record
+      endian :little
+      uint8 :uptime
+      uint8 :unix_sec
+    end
+    SWITCHED = /_switched$/
+    data1 = 'AB'
+    flowset = MockFlowset.read(data1)
+    k = 'first_switched'
+    v = 20
+    2000000.times do
+      case k.to_s
+      when SWITCHED
+        millis = flowset.uptime - v
+        seconds = flowset.unix_sec - (millis / 1000)
+        # v9 did away with the nanosecs field
+        micros = 1000000 - (millis % 1000)
+        event = v
+      else
+        event = 'blah'
+      end
+    end }
+
+end
+
+#       user     system      total        real
+#   4.730000   0.000000   4.730000 (  4.731333)
+#   2.400000   0.000000   2.400000 (  2.401072)
+#   2.750000   0.000000   2.750000 (  2.747525)

data/spec/codecs/benchmarks/ipfix_bench_sonicwall.py

@@ -0,0 +1,209 @@
+#!/usr/bin/env python2
+import socket
+import sys
+import time
+
+
+# IPFIX template
+tpl = "000a00585b6b5242000010bda07e8c0000020048010000100001000400020004000400010008000400070002000a0004000b0002000c0004000e0004000f0004001500040016000400e1000400e2000400e3000200e40002".decode("hex")
+'''
+Cisco NetFlow/IPFIX
+    Version: 10
+    Length: 88
+    Timestamp: Aug  8, 2018 14:27:46.000000000 MDT
+        ExportTime: 1533760066
+    FlowSequence: 4285
+    Observation Domain Id: 2692647936
+    Set 1 [id=2] (Data Template): 256
+        FlowSet Id: Data Template (V10 [IPFIX]) (2)
+        FlowSet Length: 72
+        Template (Id = 256, Count = 16)
+            Template Id: 256
+            Field Count: 16
+            Field (1/16): BYTES
+                0... .... .... .... = Pen provided: No
+                .000 0000 0000 0001 = Type: BYTES (1)
+                Length: 4
+            Field (2/16): PKTS
+                0... .... .... .... = Pen provided: No
+                .000 0000 0000 0010 = Type: PKTS (2)
+                Length: 4
+            Field (3/16): PROTOCOL
+                0... .... .... .... = Pen provided: No
+                .000 0000 0000 0100 = Type: PROTOCOL (4)
+                Length: 1
+            Field (4/16): IP_SRC_ADDR
+                0... .... .... .... = Pen provided: No
+                .000 0000 0000 1000 = Type: IP_SRC_ADDR (8)
+                Length: 4
+            Field (5/16): L4_SRC_PORT
+                0... .... .... .... = Pen provided: No
+                .000 0000 0000 0111 = Type: L4_SRC_PORT (7)
+                Length: 2
+            Field (6/16): INPUT_SNMP
+                0... .... .... .... = Pen provided: No
+                .000 0000 0000 1010 = Type: INPUT_SNMP (10)
+                Length: 4
+            Field (7/16): L4_DST_PORT
+                0... .... .... .... = Pen provided: No
+                .000 0000 0000 1011 = Type: L4_DST_PORT (11)
+                Length: 2
+            Field (8/16): IP_DST_ADDR
+                0... .... .... .... = Pen provided: No
+                .000 0000 0000 1100 = Type: IP_DST_ADDR (12)
+                Length: 4
+            Field (9/16): OUTPUT_SNMP
+                0... .... .... .... = Pen provided: No
+                .000 0000 0000 1110 = Type: OUTPUT_SNMP (14)
+                Length: 4
+            Field (10/16): IP_NEXT_HOP
+                0... .... .... .... = Pen provided: No
+                .000 0000 0000 1111 = Type: IP_NEXT_HOP (15)
+                Length: 4
+            Field (11/16): LAST_SWITCHED
+                0... .... .... .... = Pen provided: No
+                .000 0000 0001 0101 = Type: LAST_SWITCHED (21)
+                Length: 4
+            Field (12/16): FIRST_SWITCHED
+                0... .... .... .... = Pen provided: No
+                .000 0000 0001 0110 = Type: FIRST_SWITCHED (22)
+                Length: 4
+            Field (13/16): postNATSourceIPv4Address
+                0... .... .... .... = Pen provided: No
+                .000 0000 1110 0001 = Type: postNATSourceIPv4Address (225)
+                Length: 4
+            Field (14/16): postNATDestinationIPv4Address
+                0... .... .... .... = Pen provided: No
+                .000 0000 1110 0010 = Type: postNATDestinationIPv4Address (226)
+                Length: 4
+            Field (15/16): postNAPTSourceTransportPort
+                0... .... .... .... = Pen provided: No
+                .000 0000 1110 0011 = Type: postNAPTSourceTransportPort (227)
+                Length: 2
+            Field (16/16): postNAPTDestinationTransportPort
+                0... .... .... .... = Pen provided: No
+                .000 0000 1110 0100 = Type: postNAPTDestinationTransportPort (228)
+                Length: 2
+'''
+
+data = "000a011d5b6b86c50000acf0a07e8c000100010d0010d49a000002fa06acd9022501bb00000002a3290a0000ed000000010a00000100dedac800debb88acd90225c0a8a84101bbdd690000009d00000001114b4b4b4b003500000002222c0a0000ed000000010a00000100de715000de71504b4b4b4bc0a8a8410035398f0000024600000005114a7d8a7101bb00000002d3d10a0000ed000000010a00000100de715000de71504a7d8a71c0a8a84101bb9ca40000038300000004114a7d8a7101bb0000000268920a0000ed000000010a00000100de715000de71504a7d8a71c0a8a84101bba46b000001c6000000040623a8ede501bb000000023d1b0a0000ed000000010a00000100de753800023a5023a8ede5c0a8a84101bbeb10".decode("hex")
+
+'''
+Cisco NetFlow/IPFIX
+    Version: 10
+    Length: 285
+    Timestamp: Aug  8, 2018 18:11:49.000000000 MDT
+        ExportTime: 1533773509
+    FlowSequence: 44272
+    Observation Domain Id: 2692647936
+    Set 1 [id=256] (5 flows)
+        FlowSet Id: (Data) (256)
+        FlowSet Length: 269
+        [Template Frame: 54]
+        Flow 1
+            Octets: 1103002
+            Packets: 762
+            Protocol: TCP (6)
+            SrcAddr: 172.217.2.37
+            SrcPort: 443 (443)
+            InputInt: 2
+            DstPort: 41769 (41769)
+            DstAddr: 10.0.0.237
+            OutputInt: 1
+            NextHop: 10.0.0.1
+            [Duration: 8.000000000 seconds (switched)]
+                StartTime: 14597.000000000 seconds
+                EndTime: 14605.000000000 seconds
+            Post NAT Source IPv4 Address: 172.217.2.37
+            Post NAT Destination IPv4 Address: 192.168.168.65
+            Post NAPT Source Transport Port: 443
+            Post NAPT Destination Transport Port: 56681
+        Flow 2
+            Octets: 157
+            Packets: 1
+            Protocol: UDP (17)
+            SrcAddr: 75.75.75.75
+            SrcPort: 53 (53)
+            InputInt: 2
+            DstPort: 8748 (8748)
+            DstAddr: 10.0.0.237
+            OutputInt: 1
+            NextHop: 10.0.0.1
+            [Duration: 0.000000000 seconds (switched)]
+                StartTime: 14578.000000000 seconds
+                EndTime: 14578.000000000 seconds
+            Post NAT Source IPv4 Address: 75.75.75.75
+            Post NAT Destination IPv4 Address: 192.168.168.65
+            Post NAPT Source Transport Port: 53
+            Post NAPT Destination Transport Port: 14735
+        Flow 3
+            Octets: 582
+            Packets: 5
+            Protocol: UDP (17)
+            SrcAddr: 74.125.138.113
+            SrcPort: 443 (443)
+            InputInt: 2
+            DstPort: 54225 (54225)
+            DstAddr: 10.0.0.237
+            OutputInt: 1
+            NextHop: 10.0.0.1
+            [Duration: 0.000000000 seconds (switched)]
+                StartTime: 14578.000000000 seconds
+                EndTime: 14578.000000000 seconds
+            Post NAT Source IPv4 Address: 74.125.138.113
+            Post NAT Destination IPv4 Address: 192.168.168.65
+            Post NAPT Source Transport Port: 443
+            Post NAPT Destination Transport Port: 40100
+        Flow 4
+            Octets: 899
+            Packets: 4
+            Protocol: UDP (17)
+            SrcAddr: 74.125.138.113
+            SrcPort: 443 (443)
+            InputInt: 2
+            DstPort: 26770 (26770)
+            DstAddr: 10.0.0.237
+            OutputInt: 1
+            NextHop: 10.0.0.1
+            [Duration: 0.000000000 seconds (switched)]
+                StartTime: 14578.000000000 seconds
+                EndTime: 14578.000000000 seconds
+            Post NAT Source IPv4 Address: 74.125.138.113
+            Post NAT Destination IPv4 Address: 192.168.168.65
+            Post NAPT Source Transport Port: 443
+            Post NAPT Destination Transport Port: 42091
+        Flow 5
+            Octets: 454
+            Packets: 4
+            Protocol: TCP (6)
+            SrcAddr: 35.168.237.229
+            SrcPort: 443 (443)
+            InputInt: 2
+            DstPort: 15643 (15643)
+            DstAddr: 10.0.0.237
+            OutputInt: 1
+            NextHop: 10.0.0.1
+            [Duration: 14433.000000000 seconds (switched)]
+                StartTime: 146.000000000 seconds
+                EndTime: 14579.000000000 seconds
+            Post NAT Source IPv4 Address: 35.168.237.229
+            Post NAT Destination IPv4 Address: 192.168.168.65
+            Post NAPT Source Transport Port: 443
+            Post NAPT Destination Transport Port: 60176
+'''
+
+host = sys.argv[1]
+port = 2055
+N = 150000
+flowsPerPacket = 5
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+sock.sendto(tpl, (host, port))
+time.sleep(0.2)
+
+ts = time.time()
+print("%d: started sending %d SonicWALL IPFIX flows in %d packets totaling %d bytes" % (ts,N*flowsPerPacket, N, N*len(data)))
+print("%d: flow size %d, packet size %d" % (ts, len(data) / flowsPerPacket, len(data)))
+
+for i in range(0, N):
+    sock.sendto(data, (host, port))