logstash-codec-sflow 0.9.0 → 0.10.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 0dd6c6453a6f16c8f7526f8e210f9c7e6a9de5b3
-  data.tar.gz: 51951483cfd88c3c7a3a310e2c1a4fd064259656
+  metadata.gz: ee69bffd79c2302c265793141d26e6ae3c326632
+  data.tar.gz: 9eacb61fc2d49846dd66157d429fef84389346d4
 SHA512:
-  metadata.gz: f3b2675a5d8f30c131c94751e294723939cacba36b30f008b4a6cc5328f285043076e13298475ceb2e26b4ff7919f66ae3448ed62a877bcf081d517cd4028418
-  data.tar.gz: 3e6510c59a4939d7079f50960657dba71629833ab4f12b37247c9f2af32095ca896fc3db4429b09f0bd295bb142a255e2b0b2b2f6e8c8acb9c68e656f6c245e9
+  metadata.gz: 542aab3cbbd1c11b87914b4533fd38c2451cbfd236b341df4d93aaef680ee253fb1ab57b4144c9be2c8aa13dd1c45b147ef0121d9e11e43728ce9a8ce5d99578
+  data.tar.gz: 7403d549f59c9bedf7a911efd7590e508d1f29531d48680c4bbfb37084b322a1443663e28cd3ebd3016144866709da65816e14b9ea4148966f1a7e3bd493ea25

data/README.md

@@ -1,16 +1,18 @@
 # Logstash Codec SFlow Plugin
 ## Description
-Logstash codec plugin to decode sflow codec
+Logstash codec plugin to decode sflow codec.
+
 This codec manage flow sample and counter flow.
 
-For the flow sample it is able to decode Ethernet, IPv4, UDP and TCP header
+For the flow sample it is able to decode Ethernet, 802.1Q VLAN, IPv4, UDP and TCP header
 
 For the counter flow it is able to decode some records of type:
-    - Generic Interface
-    - Ethernet Interface
-    - VLAN
-    - Processor Information
-    - HTTP
+
+- Generic Interface
+- Ethernet Interface
+- VLAN
+- Processor Information
+- HTTP
 
 
 [![Build

data/lib/logstash/codecs/sflow.rb

@@ -9,23 +9,42 @@ class LogStash::Codecs::Sflow < LogStash::Codecs::Base
   # Specify which Sflow versions you will accept.
   config :versions, :validate => :array, :default => [5]
 
-  # Specify which sflow must not be send in the event
-  config :optional_removed_field, :validate => :array, :default => %w(sflow_version ip_version header_size ip_header_length ip_dscp ip_ecn ip_total_length ip_identification ip_flags ip_fragment_offset ip_ttl ip_checksum ip_options tcp_seq_number tcp_ack_number tcp_header_length tcp_reserved tcp_is_nonce tcp_is_cwr tcp_is_ecn_echo tcp_is_urgent tcp_is_ack tcp_is_push tcp_is_reset tcp_is_syn tcp_is_fin tcp_window_size tcp_checksum tcp_urgent_pointer tcp_options)
+  # Specify which sflow fields must not be send in the event
+  config :optional_removed_field, :validate => :array, :default => %w(sflow_version ip_version header_size
+ ip_header_length ip_dscp ip_ecn ip_total_length ip_identification ip_flags ip_fragment_offset ip_ttl ip_checksum
+ ip_options tcp_seq_number tcp_ack_number tcp_header_length tcp_reserved tcp_is_nonce tcp_is_cwr tcp_is_ecn_echo
+ tcp_is_urgent tcp_is_ack tcp_is_push tcp_is_reset tcp_is_syn tcp_is_fin tcp_window_size tcp_checksum
+ tcp_urgent_pointer tcp_options vlan_cfi sequence_number flow_sequence_number vlan_type udp_length udp_checksum)
 
+  # Specify if codec must perform SNMP call so agent_ip for interface resolution.
+  config :snmp_interface, :validate => :boolean, :default => true
+
+  # Specify if codec must perform SNMP call so agent_ip for interface resolution.
+  config :snmp_community, :validate => :string, :default => 'public'
+
+  # Specify the max number of element in the interface resolution local cache (only if snmp_interface true)
+  config :interface_cache_size, :validate => :number, :default => 1000
+
+  # Specify the duration for each element in the interface resolution local cache (only if snmp_interface true)
+  config :interface_cache_ttl, :validate => :number, :default => 3600
 
   def initialize(params = {})
     super(params)
     @threadsafe = false
-    # noinspection RubyResolve
-    @removed_field = %w(records record_data record_length record_count record_entreprise record_format samples sample_data sample_entreprise sample_format sample_length sample_count sample_header layer3 layer4 layer4_data header udata) | @optional_removed_field
   end
 
   # def initialize
 
   def assign_key_value(event, bindata_kv)
-    bindata_kv.each_pair do |k, v|
-      unless @removed_field.include? k.to_s
-        event["#{k.to_s}"] = v.to_s
+    unless bindata_kv.nil? or bindata_kv.to_s.eql? ''
+      bindata_kv.each_pair do |k, v|
+        if v.is_a?(BinData::Choice)
+          assign_key_value(event, bindata_kv[k])
+        else
+          unless @removed_field.include? k.to_s or v.is_a?(BinData::Array)
+            event["#{k.to_s}"] = v.to_s
+          end
+        end
       end
     end
   end
@@ -34,17 +53,41 @@ class LogStash::Codecs::Sflow < LogStash::Codecs::Base
   # @param [Object] decoded
   # @param [Object] sample
   # @param [Object] record
-  def common_sflow(event, decoded, sample, record)
+  def common_sflow(event, decoded, sample)
+    event['agent_ip'] = decoded['agent_ip'].to_s
     assign_key_value(event, decoded)
     assign_key_value(event, sample)
-    assign_key_value(event, sample['sample_data'])
-    assign_key_value(event, record)
-    assign_key_value(event, record['record_data'])
+  end
+
+  def snmp_call(event)
+    if @snmp_interface
+      if event.include?('source_id_index')
+        event["source_id_index"] = @snmp.get_interface(event["agent_ip"], event["source_id_index"])
+      end
+      if event.include?('input_interface')
+        event["input_interface"] = @snmp.get_interface(event["agent_ip"], event["input_interface"])
+      end
+      if event.include?('output_interface')
+        event["output_interface"] = @snmp.get_interface(event["agent_ip"], event["output_interface"])
+      end
+      if event.include?('interface_index')
+        event["interface_index"] = @snmp.get_interface(event["agent_ip"], event["interface_index"])
+      end
+    end
   end
 
   public
   def register
     require 'logstash/codecs/sflow/datagram'
+    require 'logstash/codecs/snmp/interface_resolver'
+
+    # noinspection RubyResolve
+    @removed_field = %w(record_length record_count record_entreprise record_format sample_entreprise sample_format
+ sample_length sample_count sample_header data storage) | @optional_removed_field
+
+    if @snmp_interface
+      @snmp = SNMPInterfaceResolver.new(@snmp_community, @interface_cache_size, @interface_cache_ttl)
+    end
   end
 
   # def register
@@ -71,7 +114,9 @@ class LogStash::Codecs::Sflow < LogStash::Codecs::Base
       #treat sample flow
       if sample['sample_entreprise'] == 0 && sample['sample_format'] == 1
         # Create the logstash event
-        event = LogStash::Event.new
+        event = LogStash::Event.new({})
+        common_sflow(event, decoded, sample)
+
         sample['sample_data']['records'].each do |record|
           # Ensure that some data exist for the record
           if record['record_data'].to_s.eql? ''
@@ -79,16 +124,7 @@ class LogStash::Codecs::Sflow < LogStash::Codecs::Base
             next
           end
 
-          common_sflow(event, decoded, sample, record)
-
-          unless record['record_data']['sample_header'].to_s.eql? ''
-            assign_key_value(event, record['record_data']['sample_header'])
-
-            if record['record_data']['sample_header'].has_key?('layer3')
-              assign_key_value(event, record['record_data']['sample_header']['layer3']['header'])
-              assign_key_value(event, record['record_data']['sample_header']['layer3']['header']['layer4'])
-            end
-          end
+          assign_key_value(event, record)
 
         end
         #compute frame_length_times_sampling_rate
@@ -97,6 +133,10 @@ class LogStash::Codecs::Sflow < LogStash::Codecs::Base
         end
 
         event["sflow_type"] = 'sample'
+
+        #Get interface dfescr if snmp_interface true
+        snmp_call(event)
+
         events.push(event)
 
         #treat counter flow
@@ -109,11 +149,16 @@ class LogStash::Codecs::Sflow < LogStash::Codecs::Base
           end
 
           # Create the logstash event
-          event = LogStash::Event.new
+          event = LogStash::Event.new({})
+          common_sflow(event, decoded, sample)
 
-          common_sflow(event, decoded, sample, record)
+          assign_key_value(event, record)
 
           event["sflow_type"] = 'counter'
+
+          #Get interface dfescr if snmp_interface true
+          snmp_call(event)
+
           events.push(event)
         end
       end

data/lib/logstash/codecs/sflow/packet_header.rb

@@ -9,7 +9,7 @@ class UnknownHeader < BinData::Record
   mandatory_parameter :size_header
 
   endian :big
-  bit :udata, :nbits => :size_header
+  bit :data, :nbits => :size_header
 end
 
 
@@ -39,7 +39,7 @@ class TcpHeader < BinData::Record
   array :tcp_options, :initial_length => lambda { (((tcp_header_length * 4) - 20)/4).ceil }, :onlyif => :is_options? do
     string :tcp_option, :length => 4, :pad_byte => "\0"
   end
-  bit :layer4_data, :nbits => lambda { size_header - (tcp_header_length * 4 * 8) }
+  bit :data, :nbits => lambda { size_header - (tcp_header_length * 4 * 8) }
 
   def is_options?
     tcp_header_length.to_i > 5
@@ -56,7 +56,7 @@ class UdpHeader < BinData::Record
   uint16 :udp_length
   uint16 :udp_checksum
   #skip :length => lambda { udp_length - 64 } #skip udp data
-  bit :layer4_data, :nbits => lambda { size_header - 64 } #skip udp data
+  bit :data, :nbits => lambda { size_header - 64 } #skip udp data
 end
 
 # noinspection RubyResolve,RubyResolve
@@ -79,7 +79,7 @@ class IPV4Header < BinData::Record
   array :ip_options, :initial_length => lambda { (((ip_header_length * 4) - 20)/4).ceil }, :onlyif => :is_options? do
     string :ip_option, :length => 4, :pad_byte => "\0"
   end
-  choice :layer4, :selection => :ip_protocol do
+  choice :ip_data, :selection => :ip_protocol do
     tcp_header 6, :size_header => lambda { size_header - (ip_header_length * 4 * 8) }
     udp_header 17, :size_header => lambda { size_header - (ip_header_length * 4 * 8) }
     unknown_header :default, :size_header => lambda { size_header - (ip_header_length * 4 * 8) }
@@ -90,19 +90,33 @@ class IPV4Header < BinData::Record
   end
 end
 
-
 # noinspection RubyResolve
 class IPHeader < BinData::Record
   mandatory_parameter :size_header
 
   endian :big
   bit4 :ip_version
-  choice :header, :selection => :ip_version do
+  choice :ip_header, :selection => :ip_version do
     ipv4_header 4, :size_header => :size_header
     unknown_header :default, :size_header => lambda { size_header - 4 }
   end
 end
 
+# noinspection RubyResolve
+class VLANHeader < BinData::Record
+  mandatory_parameter :size_header
+
+  endian :big
+  bit3 :vlan_priority
+  bit1 :vlan_cfi
+  bit12 :vlan_id
+  uint16 :vlan_type
+  choice :vlan_data, :selection => :vlan_type do
+    ip_header 2048, :size_header => lambda { size_header - (4 * 8) }
+    unknown_header :default, :size_header => lambda { size_header - (4 * 8) }
+  end
+end
+
 # noinspection RubyResolve
 class EthernetHeader < BinData::Record
   mandatory_parameter :size_header
@@ -111,8 +125,9 @@ class EthernetHeader < BinData::Record
   sflow_mac_address :eth_dst
   sflow_mac_address :eth_src
   uint16 :eth_type
-  choice :layer3, :selection => :eth_type do
+  choice :eth_data, :selection => :eth_type do
     ip_header 2048, :size_header => lambda { size_header - (14 * 8) }
+    vlan_header 33024, :size_header => lambda { size_header - (14 * 8) }
     unknown_header :default, :size_header => lambda { size_header - (14 * 8) }
   end
 end

data/lib/logstash/codecs/snmp/interface_resolver.rb

@@ -0,0 +1,21 @@
+require 'snmp'
+require 'lru_redux'
+
+class SNMPInterfaceResolver
+  def initialize(community, cache_size, cache_ttl)
+    @community = community
+    @cacheSnmpInterface = LruRedux::TTL::Cache.new(cache_size, cache_ttl)
+  end
+
+  def get_interface(host, ifIndex)
+    unless @cacheSnmpInterface.key?("#{host}-#{ifIndex}")
+      SNMP::Manager.open(:host => host, :community => @community, :version => :SNMPv2c) do |manager|
+        response = manager.get("ifDescr.#{ifIndex}")
+        response.each_varbind do |vb|
+          @cacheSnmpInterface["#{host}-#{ifIndex}"] = vb.value.to_s
+        end
+      end
+    end
+    return @cacheSnmpInterface["#{host}-#{ifIndex}"]
+  end
+end

data/logstash-codec-sflow.gemspec

@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 
   s.name = 'logstash-codec-sflow'
-  s.version = '0.9.0'
+  s.version = '0.10.0'
   s.licenses = ['Apache License (2.0)']
   s.summary = "The sflow codec is for decoding SFlow v5 flows."
   s.description = "This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program"
@@ -22,6 +22,8 @@ Gem::Specification.new do |s|
   # Gem dependencies
   s.add_runtime_dependency "logstash-core", ">= 1.4.0", "< 3.0.0"
   s.add_runtime_dependency 'bindata', ['>= 2.1.0']
+  s.add_runtime_dependency 'lru_redux', ['>= 1.1.0']
+  s.add_runtime_dependency 'snmp', ['>= 1.2.0']
   s.add_development_dependency 'logstash-devutils'
 end
 

data/spec/codecs/sflow/packet_header_spec.rb

@@ -42,53 +42,67 @@ end
 
 
 describe IPHeader do
-  it "should decode ipv4 over tcp header" do
-    payload = IO.read(File.join(File.dirname(__FILE__), "ipv4_over_tcp_header.dat"), :mode => "rb")
+  it "should decode ipv4 tcp header" do
+    payload = IO.read(File.join(File.dirname(__FILE__), "ipv4_tcp_header.dat"), :mode => "rb")
     decoded = IPHeader.new(:size_header => payload.bytesize * 8).read(payload)
 
     decoded["ip_version"].to_s.should eq("4")
-    decoded["header"]["ip_header_length"].to_s.should eq("5")
-    decoded["header"]["ip_dscp"].to_s.should eq("0")
-    decoded["header"]["ip_ecn"].to_s.should eq("0")
-    decoded["header"]["ip_total_length"].to_s.should eq("476")
-    decoded["header"]["ip_identification"].to_s.should eq("30529")
-    decoded["header"]["ip_flags"].to_s.should eq("2")
-    decoded["header"]["ip_fragment_offset"].to_s.should eq("0")
-    decoded["header"]["ip_ttl"].to_s.should eq("62")
-    decoded["header"]["ip_protocol"].to_s.should eq("6")
-    decoded["header"]["ip_checksum"].to_s.should eq("37559")
-    decoded["header"]["src_ip"].to_s.should eq("10.243.27.17")
-    decoded["header"]["dst_ip"].to_s.should eq("10.243.0.45")
-    decoded["header"]["layer4"]["src_port"].to_s.should eq("5672")
-    decoded["header"]["layer4"]["dst_port"].to_s.should eq("59451")
-    decoded["header"]["layer4"]["tcp_seq_number"].to_s.should eq("2671357038")
-    decoded["header"]["layer4"]["tcp_ack_number"].to_s.should eq("2651945969")
-    (decoded["header"]["layer4"]["tcp_header_length"].to_i*4).to_s.should eq("32")
-    decoded["header"]["layer4"]["tcp_is_nonce"].to_s.should eq("0")
-    decoded["header"]["layer4"]["tcp_is_cwr"].to_s.should eq("0")
-    decoded["header"]["layer4"]["tcp_is_ecn_echo"].to_s.should eq("0")
-    decoded["header"]["layer4"]["tcp_is_urgent"].to_s.should eq("0")
-    decoded["header"]["layer4"]["tcp_is_ack"].to_s.should eq("1")
-    decoded["header"]["layer4"]["tcp_is_push"].to_s.should eq("1")
-    decoded["header"]["layer4"]["tcp_is_reset"].to_s.should eq("0")
-    decoded["header"]["layer4"]["tcp_is_syn"].to_s.should eq("0")
-    decoded["header"]["layer4"]["tcp_is_fin"].to_s.should eq("0")
-    decoded["header"]["layer4"]["tcp_window_size"].to_s.should eq("147")
-    decoded["header"]["layer4"]["tcp_checksum"].to_s.should eq("13042")
-    decoded["header"]["layer4"]["tcp_urgent_pointer"].to_s.should eq("0")
+    decoded["ip_header"]["ip_header_length"].to_s.should eq("5")
+    decoded["ip_header"]["ip_dscp"].to_s.should eq("0")
+    decoded["ip_header"]["ip_ecn"].to_s.should eq("0")
+    decoded["ip_header"]["ip_total_length"].to_s.should eq("476")
+    decoded["ip_header"]["ip_identification"].to_s.should eq("30529")
+    decoded["ip_header"]["ip_flags"].to_s.should eq("2")
+    decoded["ip_header"]["ip_fragment_offset"].to_s.should eq("0")
+    decoded["ip_header"]["ip_ttl"].to_s.should eq("62")
+    decoded["ip_header"]["ip_protocol"].to_s.should eq("6")
+    decoded["ip_header"]["ip_checksum"].to_s.should eq("37559")
+    decoded["ip_header"]["src_ip"].to_s.should eq("10.243.27.17")
+    decoded["ip_header"]["dst_ip"].to_s.should eq("10.243.0.45")
+    decoded["ip_header"]["ip_data"]["src_port"].to_s.should eq("5672")
+    decoded["ip_header"]["ip_data"]["dst_port"].to_s.should eq("59451")
+    decoded["ip_header"]["ip_data"]["tcp_seq_number"].to_s.should eq("2671357038")
+    decoded["ip_header"]["ip_data"]["tcp_ack_number"].to_s.should eq("2651945969")
+    (decoded["ip_header"]["ip_data"]["tcp_header_length"].to_i*4).to_s.should eq("32")
+    decoded["ip_header"]["ip_data"]["tcp_is_nonce"].to_s.should eq("0")
+    decoded["ip_header"]["ip_data"]["tcp_is_cwr"].to_s.should eq("0")
+    decoded["ip_header"]["ip_data"]["tcp_is_ecn_echo"].to_s.should eq("0")
+    decoded["ip_header"]["ip_data"]["tcp_is_urgent"].to_s.should eq("0")
+    decoded["ip_header"]["ip_data"]["tcp_is_ack"].to_s.should eq("1")
+    decoded["ip_header"]["ip_data"]["tcp_is_push"].to_s.should eq("1")
+    decoded["ip_header"]["ip_data"]["tcp_is_reset"].to_s.should eq("0")
+    decoded["ip_header"]["ip_data"]["tcp_is_syn"].to_s.should eq("0")
+    decoded["ip_header"]["ip_data"]["tcp_is_fin"].to_s.should eq("0")
+    decoded["ip_header"]["ip_data"]["tcp_window_size"].to_s.should eq("147")
+    decoded["ip_header"]["ip_data"]["tcp_checksum"].to_s.should eq("13042")
+    decoded["ip_header"]["ip_data"]["tcp_urgent_pointer"].to_s.should eq("0")
   end
 end
 
 
 describe EthernetHeader do
-  it "should decode ipv4 over udp header" do
-    payload = IO.read(File.join(File.dirname(__FILE__), "ethernet_ipv4_over_udp_header.dat"), :mode => "rb")
+  it "should decode ethernet ipv4 udp header" do
+    payload = IO.read(File.join(File.dirname(__FILE__), "ethernet_ipv4_udp_header.dat"), :mode => "rb")
     decoded = EthernetHeader.new(:size_header => payload.bytesize * 8).read(payload)
 
     decoded["eth_dst"].to_s.should eq("00:23:e9:78:16:c6")
     decoded["eth_src"].to_s.should eq("58:f3:9c:81:4b:81")
     decoded["eth_type"].to_s.should eq("2048")
-    decoded["layer3"]["header"]["dst_ip"].to_s.should eq("10.243.27.9")
-    decoded["layer3"]["header"]["layer4"]["dst_port"].to_s.should eq("514")
+    decoded["eth_data"]["ip_header"]["dst_ip"].to_s.should eq("10.243.27.9")
+    decoded["eth_data"]["ip_header"]["ip_data"]["dst_port"].to_s.should eq("514")
+  end
+end
+
+
+describe EthernetHeader do
+  it "should decode ethernet vlan ipv4 tcp header" do
+    payload = IO.read(File.join(File.dirname(__FILE__), "ethernet_vlan_ipv4_tcp_header.dat"), :mode => "rb")
+    decoded = EthernetHeader.new(:size_header => payload.bytesize * 8).read(payload)
+
+    decoded["eth_dst"].to_s.should eq("a0:36:9f:71:d2:e0")
+    decoded["eth_src"].to_s.should eq("00:09:0f:09:37:1c")
+    decoded["eth_type"].to_s.should eq("33024")
+    decoded["eth_data"]["vlan_id"].to_s.should eq("2422")
+    decoded["eth_data"]["vlan_type"].to_s.should eq("2048")
   end
 end

data/spec/codecs/sflow_spec.rb

@@ -15,9 +15,13 @@ describe SFlow do
     decoded = SFlow.read(payload)
   end
 
-
   it "should decode sflow sample" do
     payload = IO.read(File.join(File.dirname(__FILE__), "sflow_flow_sample.dat"), :mode => "rb")
     decoded = SFlow.read(payload)
   end
+
+  it "should decode sflow sample eth vlan" do
+    payload = IO.read(File.join(File.dirname(__FILE__), "sflow_flow_sample_eth_vlan.dat"), :mode => "rb")
+    decoded = SFlow.read(payload)
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-codec-sflow
 version: !ruby/object:Gem::Version
-  version: 0.9.0
+  version: 0.10.0
 platform: ruby
 authors:
 - Nicolas Fraison
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-12-22 00:00:00.000000000 Z
+date: 2015-12-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -44,6 +44,34 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 2.1.0
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.1.0
+  name: lru_redux
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.1.0
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.2.0
+  name: snmp
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.2.0
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
@@ -77,15 +105,18 @@ files:
 - lib/logstash/codecs/sflow/packet_header.rb
 - lib/logstash/codecs/sflow/sample.rb
 - lib/logstash/codecs/sflow/util.rb
+- lib/logstash/codecs/snmp/interface_resolver.rb
 - logstash-codec-sflow.gemspec
-- spec/codecs/sflow/ethernet_ipv4_over_udp_header.dat
-- spec/codecs/sflow/ipv4_over_tcp_header.dat
+- spec/codecs/sflow/ethernet_ipv4_udp_header.dat
+- spec/codecs/sflow/ethernet_vlan_ipv4_tcp_header.dat
+- spec/codecs/sflow/ipv4_tcp_header.dat
 - spec/codecs/sflow/packet_header_spec.rb
 - spec/codecs/sflow/tcp.dat
 - spec/codecs/sflow/udp.dat
 - spec/codecs/sflow_1_counters_sample.dat
 - spec/codecs/sflow_counters_sample.dat
 - spec/codecs/sflow_flow_sample.dat
+- spec/codecs/sflow_flow_sample_eth_vlan.dat
 - spec/codecs/sflow_spec.rb
 homepage: ''
 licenses:
@@ -114,12 +145,14 @@ signing_key:
 specification_version: 4
 summary: The sflow codec is for decoding SFlow v5 flows.
 test_files:
-- spec/codecs/sflow/ethernet_ipv4_over_udp_header.dat
-- spec/codecs/sflow/ipv4_over_tcp_header.dat
+- spec/codecs/sflow/ethernet_ipv4_udp_header.dat
+- spec/codecs/sflow/ethernet_vlan_ipv4_tcp_header.dat
+- spec/codecs/sflow/ipv4_tcp_header.dat
 - spec/codecs/sflow/packet_header_spec.rb
 - spec/codecs/sflow/tcp.dat
 - spec/codecs/sflow/udp.dat
 - spec/codecs/sflow_1_counters_sample.dat
 - spec/codecs/sflow_counters_sample.dat
 - spec/codecs/sflow_flow_sample.dat
+- spec/codecs/sflow_flow_sample_eth_vlan.dat
 - spec/codecs/sflow_spec.rb