Fix NetFlow 9 type parsing

Jochen Schalanda · Jochen Schalanda · commit 167d0919b4b6 · 2017-07-31T18:16:32.000+02:00
The NetFlowV9Parser ignored unknown/invalid type definitions which lead
to wrong byte offsets when processing NetFlowV9 flows.
Additionally, custom length specifications were ignored when converting the
field types to unsigned integers so that too many or too few bytes would be
read.
diff --git a/src/main/java/org/graylog/plugins/netflow/flows/NetFlowFormatter.java b/src/main/java/org/graylog/plugins/netflow/flows/NetFlowFormatter.java
@@ -55,9 +55,9 @@ private static String toMessageString(NetFlowV9BaseRecord record) {
         final long octetCount = (long) fields.get("in_bytes");
         final String srcAddr = (String) fields.get("ipv4_src_addr");
         final String dstAddr = (String) fields.get("ipv4_dst_addr");
-        final int srcPort = (int) fields.get("l4_src_port");
-        final int dstPort = (int) fields.get("l4_dst_port");
-        final short protocol = (short) fields.get("protocol");
+        final Integer srcPort = (Integer) fields.get("l4_src_port");
+        final Integer dstPort = (Integer) fields.get("l4_dst_port");
+        final Short protocol = (Short) fields.get("protocol");
 
         return String.format("NetFlowV9 [%s]:%d <> [%s]:%d proto:%d pkts:%d bytes:%d",
                 srcAddr, srcPort,
@@ -125,11 +125,11 @@ public static Message toMessage(NetFlowV9Header header,
 
         final String srcAddr = (String) fields.get("ipv4_src_addr");
         final String dstAddr = (String) fields.get("ipv4_dst_addr");
-        final int srcPort = (int) fields.get("l4_src_port");
-        final int dstPort = (int) fields.get("l4_dst_port");
+        final Object srcPort = fields.get("l4_src_port");
+        final Object dstPort = fields.get("l4_dst_port");
         final String ipv4NextHop = (String) fields.get("ipv4_next_hop");
-        final long first = (long) fields.get("first_switched");
-        final long last = (long) fields.get("last_switched");
+        final Long first = (Long) fields.get("first_switched");
+        final Long last = (Long) fields.get("last_switched");
 
         message.addField(MF_FLOW_PACKET_ID, header.sequence());
         message.addField(MF_TOS, fields.get("ip_tos"));
@@ -148,18 +148,22 @@ public static Message toMessage(NetFlowV9Header header,
         message.addField(MF_DST_MASK, fields.get("dst_mask"));
         message.addField(MF_SRC_AS, fields.get("src_as"));
         message.addField(MF_DST_AS, fields.get("dst_as"));
-        message.addField(MF_PROTO, fields.get("protocol"));
-        final Protocol protocolInfo = Protocol.getByNumber((short) fields.get("protocol"));
-        if (protocolInfo != null) {
-            message.addField(MF_PROTO_NAME, protocolInfo.getAlias());
+        final Object protocol = fields.get("protocol");
+        if (protocol != null) {
+            message.addField(MF_PROTO, protocol);
+            short protocolNumber = ((Number) protocol).shortValue();
+            final Protocol protocolInfo = Protocol.getByNumber(protocolNumber);
+            if (protocolInfo != null) {
+                message.addField(MF_PROTO_NAME, protocolInfo.getAlias());
+            }
         }
         message.addField(MF_TCP_FLAGS, fields.get("tcp_flags"));
 
-        if (first > 0) {
+        if (first != null && first > 0) {
             long start = timestamp - (header.sysUptime() - first);
             message.addField(MF_START, new DateTime(start, DateTimeZone.UTC));
         }
-        if (last > 0) {
+        if (last != null && last > 0) {
             long stop = timestamp - (header.sysUptime() - last);
             message.addField(MF_STOP, new DateTime(stop, DateTimeZone.UTC));
         }
diff --git a/src/main/java/org/graylog/plugins/netflow/v9/NetFlowV9FieldDef.java b/src/main/java/org/graylog/plugins/netflow/v9/NetFlowV9FieldDef.java
@@ -46,29 +46,21 @@ public Optional<Object> parse(ByteBuf bb) {
         int len = length() != 0 ? length() : type().valueType().getDefaultLength();
         switch (type().valueType()) {
             case UINT8:
-                return Optional.of(bb.readUnsignedByte());
+            case UINT16:
+            case UINT24:
+            case UINT32:
+            case UINT64:
+                return parseUnsignedNumber(bb, len);
             case INT8:
                 return Optional.of(bb.readByte());
-            case UINT16:
-                return Optional.of(bb.readUnsignedShort());
             case INT16:
                 return Optional.of(bb.readShort());
-            case UINT24:
-                return Optional.of(bb.readUnsignedMedium());
             case INT24:
                 return Optional.of(bb.readMedium());
-            case UINT32:
-                return Optional.of(bb.readUnsignedInt());
             case INT32:
                 return Optional.of(bb.readInt());
-            case UINT64:
-                byte[] uint64Bytes = new byte[8];
-                bb.readBytes(uint64Bytes);
-                return Optional.of(new BigInteger(uint64Bytes));
             case INT64:
                 return Optional.of(bb.readLong());
-            case VARINT:
-                return Optional.of(parseLong(bb, len));
             case IPV4:
                 byte[] b = new byte[4];
                 bb.readBytes(b);
@@ -98,12 +90,23 @@ public Optional<Object> parse(ByteBuf bb) {
         }
     }
 
-    private long parseLong(ByteBuf bb, int length) {
-        long l = 0;
-        for (int i = 0; i < length; i++) {
-            l <<= 8;
-            l |= bb.readUnsignedByte();
+    private Optional<Object> parseUnsignedNumber(ByteBuf bb, int length) {
+        switch (length) {
+            case 1:
+                return Optional.of(bb.readUnsignedByte());
+            case 2:
+                return Optional.of(bb.readUnsignedShort());
+            case 3:
+                return Optional.of(bb.readUnsignedMedium());
+            case 4:
+                return Optional.of(bb.readUnsignedInt());
+            case 8:
+                return Optional.of(bb.readLong());
+            default:
+                byte[] uint64Bytes = new byte[length];
+                bb.readBytes(uint64Bytes);
+                return Optional.of(new BigInteger(uint64Bytes));
         }
-        return l;
+
     }
 }
diff --git a/src/main/java/org/graylog/plugins/netflow/v9/NetFlowV9FieldType.java b/src/main/java/org/graylog/plugins/netflow/v9/NetFlowV9FieldType.java
@@ -53,5 +53,18 @@ public enum ValueType {
         public int getDefaultLength() {
             return defaultLength;
         }
+
+        public static ValueType byLength(int length) {
+            switch (length) {
+                case 1: return UINT8;
+                case 2: return UINT16;
+                case 3: return UINT24;
+                case 4: return UINT32;
+                case 6: return MAC;
+                case 8: return UINT64;
+                case 16: return IPV6;
+                default: return VARINT;
+            }
+        }
     }
 }
diff --git a/src/main/java/org/graylog/plugins/netflow/v9/NetFlowV9Parser.java b/src/main/java/org/graylog/plugins/netflow/v9/NetFlowV9Parser.java
@@ -34,14 +34,15 @@ public static NetFlowV9Packet parsePacket(ByteBuf bb, NetFlowV9TemplateCache cac
         final int dataLength = bb.readableBytes();
         final NetFlowV9Header header = parseHeader(bb);
 
-        List<NetFlowV9Template> templates = Collections.emptyList();
+        final ImmutableList.Builder<NetFlowV9Template> allTemplates = ImmutableList.builder();
         NetFlowV9OptionTemplate optTemplate = null;
         List<NetFlowV9BaseRecord> records = Collections.emptyList();
         while (bb.isReadable()) {
             bb.markReaderIndex();
             int flowSetId = bb.readUnsignedShort();
             if (flowSetId == 0) {
-                templates = parseTemplates(bb, typeRegistry);
+                final List<NetFlowV9Template> templates = parseTemplates(bb, typeRegistry);
+                allTemplates.addAll(templates);
                 for (NetFlowV9Template t : templates) {
                     cache.put(t);
                 }
@@ -56,7 +57,7 @@ public static NetFlowV9Packet parsePacket(ByteBuf bb, NetFlowV9TemplateCache cac
 
         return NetFlowV9Packet.create(
                 header,
-                templates,
+                allTemplates.build(),
                 optTemplate,
                 records,
                 dataLength);
@@ -116,10 +117,13 @@ public static List<NetFlowV9Template> parseTemplates(ByteBuf bb, NetFlowV9FieldT
             for (int i = 0; i < fieldCount; i++) {
                 int fieldType = bb.readUnsignedShort();
                 int fieldLength = bb.readUnsignedShort();
-                final NetFlowV9FieldType type = typeRegistry.get(fieldType);
-                if (type == null) {
-                    // Skip unknown/invalid field type
-                    continue;
+                final NetFlowV9FieldType registeredType = typeRegistry.get(fieldType);
+                final NetFlowV9FieldType type;
+                if (registeredType == null) {
+                    // Unknown/invalid field type
+                    type = NetFlowV9FieldType.create(fieldType, NetFlowV9FieldType.ValueType.byLength(fieldLength), "nf_field_" + fieldType);
+                } else {
+                    type = registeredType;
                 }
                 final NetFlowV9FieldDef fieldDef = NetFlowV9FieldDef.create(type, fieldLength);
                 fieldDefs.add(fieldDef);
diff --git a/src/test/java/org/graylog/plugins/netflow/codecs/NetFlowCodecTest.java b/src/test/java/org/graylog/plugins/netflow/codecs/NetFlowCodecTest.java
@@ -197,8 +197,8 @@ public void decodeMessagesSuccessfullyDecodesNetFlowV9() throws Exception {
                 .containsEntry("nf_src_address", "192.168.124.1")
                 .containsEntry("nf_dst_address", "239.255.255.250")
                 .containsEntry("nf_proto_name", "UDP")
-                .containsEntry("nf_src_as", 0)
-                .containsEntry("nf_dst_as", 0)
+                .containsEntry("nf_src_as", 0L)
+                .containsEntry("nf_dst_as", 0L)
                 .containsEntry("nf_snmp_input", 0)
                 .containsEntry("nf_snmp_output", 0);
 
@@ -215,14 +215,14 @@ public void decodeMessagesSuccessfullyDecodesNetFlowV9() throws Exception {
                 .containsEntry("nf_src_address", "192.168.124.20")
                 .containsEntry("nf_dst_address", "121.161.231.32")
                 .containsEntry("nf_proto_name", "UDP")
-                .containsEntry("nf_src_as", 0)
-                .containsEntry("nf_dst_as", 0)
+                .containsEntry("nf_src_as", 0L)
+                .containsEntry("nf_dst_as", 0L)
                 .containsEntry("nf_snmp_input", 0)
                 .containsEntry("nf_snmp_output", 0);
     }
 
     @Test
-    public void pcapNetFlowV5() throws Exception {
+    public void pcap_softflowd_NetFlowV5() throws Exception {
         final List<Message> allMessages = new ArrayList<>();
         try (InputStream inputStream = Resources.getResource("netflow-data/netflow5.pcap").openStream()) {
             final Pcap pcap = Pcap.openStream(inputStream);
@@ -244,7 +244,29 @@ public void pcapNetFlowV5() throws Exception {
     }
 
     @Test
-    public void pcapNetFlowV9() throws Exception {
+    public void pcap_pmacctd_NetFlowV5() throws Exception {
+        final List<Message> allMessages = new ArrayList<>();
+        try (InputStream inputStream = Resources.getResource("netflow-data/pmacctd-netflow5.pcap").openStream()) {
+            final Pcap pcap = Pcap.openStream(inputStream);
+            pcap.loop(packet -> {
+                        if (packet.hasProtocol(Protocol.UDP)) {
+                            final UDPPacket udp = (UDPPacket) packet.getPacket(Protocol.UDP);
+                            final InetSocketAddress source = new InetSocketAddress(udp.getSourceIP(), udp.getSourcePort());
+                            final Collection<Message> messages = codec.decodeMessages(new RawMessage(udp.getPayload().getArray(), source));
+                            assertThat(messages)
+                                    .isNotNull()
+                                    .isNotEmpty();
+                            allMessages.addAll(messages);
+                        }
+                        return true;
+                    }
+            );
+            assertThat(allMessages).hasSize(42);
+        }
+    }
+
+    @Test
+    public void pcap_softflowd_NetFlowV9() throws Exception {
         final List<Message> allMessages = new ArrayList<>();
         try (InputStream inputStream = Resources.getResource("netflow-data/netflow9.pcap").openStream()) {
             final Pcap pcap = Pcap.openStream(inputStream);
@@ -264,4 +286,26 @@ public void pcapNetFlowV9() throws Exception {
         }
         assertThat(allMessages).hasSize(19);
     }
+
+    @Test
+    public void pcap_pmacctd_NetFlowV9() throws Exception {
+        final List<Message> allMessages = new ArrayList<>();
+        try (InputStream inputStream = Resources.getResource("netflow-data/pmacctd-netflow9.pcap").openStream()) {
+            final Pcap pcap = Pcap.openStream(inputStream);
+            pcap.loop(packet -> {
+                        if (packet.hasProtocol(Protocol.UDP)) {
+                            final UDPPacket udp = (UDPPacket) packet.getPacket(Protocol.UDP);
+                            final InetSocketAddress source = new InetSocketAddress(udp.getSourceIP(), udp.getSourcePort());
+                            final Collection<Message> messages = codec.decodeMessages(new RawMessage(udp.getPayload().getArray(), source));
+                            assertThat(messages)
+                                    .isNotNull()
+                                    .isNotEmpty();
+                            allMessages.addAll(messages);
+                        }
+                        return true;
+                    }
+            );
+        }
+        assertThat(allMessages).hasSize(6);
+    }
 }
diff --git a/src/test/java/org/graylog/plugins/netflow/v5/NetFlowV5ParserTest.java b/src/test/java/org/graylog/plugins/netflow/v5/NetFlowV5ParserTest.java
@@ -17,12 +17,19 @@
 
 import com.google.common.io.Resources;
 import com.google.common.net.InetAddresses;
+import io.netty.buffer.ByteBuf;
 import io.netty.buffer.Unpooled;
+import io.pkts.Pcap;
+import io.pkts.packet.UDPPacket;
+import io.pkts.protocol.Protocol;
 import org.junit.Test;
 
 import java.io.IOException;
+import java.io.InputStream;
+import java.util.ArrayList;
 import java.util.List;
 
+import static org.assertj.core.api.Assertions.assertThat;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 
@@ -119,4 +126,44 @@ public void testParse2() throws IOException {
         assertEquals(0, r.dstMask());
         assertEquals(110L, r.packetCount());
     }
+
+    @Test
+    public void pcap_softflowd_NetFlowV5() throws Exception {
+        final List<NetFlowV5Record> allRecords = new ArrayList<>();
+        try (InputStream inputStream = Resources.getResource("netflow-data/netflow5.pcap").openStream()) {
+            final Pcap pcap = Pcap.openStream(inputStream);
+            pcap.loop(packet -> {
+                        if (packet.hasProtocol(Protocol.UDP)) {
+                            final UDPPacket udp = (UDPPacket) packet.getPacket(Protocol.UDP);
+                            final ByteBuf byteBuf = Unpooled.wrappedBuffer(udp.getPayload().getArray());
+                            final NetFlowV5Packet netFlowV5Packet = NetFlowV5Parser.parsePacket(byteBuf);
+                            assertThat(netFlowV5Packet).isNotNull();
+                            allRecords.addAll(netFlowV5Packet.records());
+                        }
+                        return true;
+                    }
+            );
+        }
+        assertThat(allRecords).hasSize(4);
+    }
+
+    @Test
+    public void pcap_pmacctd_NetFlowV5() throws Exception {
+        final List<NetFlowV5Record> allRecords = new ArrayList<>();
+        try (InputStream inputStream = Resources.getResource("netflow-data/pmacctd-netflow5.pcap").openStream()) {
+            final Pcap pcap = Pcap.openStream(inputStream);
+            pcap.loop(packet -> {
+                        if (packet.hasProtocol(Protocol.UDP)) {
+                            final UDPPacket udp = (UDPPacket) packet.getPacket(Protocol.UDP);
+                            final ByteBuf byteBuf = Unpooled.wrappedBuffer(udp.getPayload().getArray());
+                            final NetFlowV5Packet netFlowV5Packet = NetFlowV5Parser.parsePacket(byteBuf);
+                            assertThat(netFlowV5Packet).isNotNull();
+                            allRecords.addAll(netFlowV5Packet.records());
+                        }
+                        return true;
+                    }
+            );
+        }
+        assertThat(allRecords).hasSize(42);
+    }
 }
diff --git a/src/test/java/org/graylog/plugins/netflow/v9/NetFlowV9ParserTest.java b/src/test/java/org/graylog/plugins/netflow/v9/NetFlowV9ParserTest.java
diff --git a/src/test/resources/netflow-data/pmacctd-netflow5.pcap b/src/test/resources/netflow-data/pmacctd-netflow5.pcap
diff --git a/src/test/resources/netflow-data/pmacctd-netflow9.pcap b/src/test/resources/netflow-data/pmacctd-netflow9.pcap

Original file line number	Diff line number	Diff line change
`@@ -53,5 +53,18 @@ public enum ValueType {`
`53`	`53`	`public int getDefaultLength() {`
`54`	`54`	`return defaultLength;`
`55`	`55`	`}`
	`56`	`+`
	`57`	`+ public static ValueType byLength(int length) {`
	`58`	`+ switch (length) {`
	`59`	`+ case 1: return UINT8;`
	`60`	`+ case 2: return UINT16;`
	`61`	`+ case 3: return UINT24;`
	`62`	`+ case 4: return UINT32;`
	`63`	`+ case 6: return MAC;`
	`64`	`+ case 8: return UINT64;`
	`65`	`+ case 16: return IPV6;`
	`66`	`+ default: return VARINT;`
	`67`	`+ }`
	`68`	`+ }`
`56`	`69`	`}`
`57`	`70`	`}`