
Commit 353a785

dennisoelkers authored and Jochen Schalanda committed
Add nprobe Netflow 5/9 pcap and tests
1 parent 3cdb4f1 commit 353a785

4 files changed

+177
-0
lines changed


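--- a/src/test/java/org/graylog/plugins/netflow/codecs/NetFlowCodecTest.java
+++ b/src/test/java/org/graylog/plugins/netflow/codecs/NetFlowCodecTest.java
@@ -340,4 +340,47 @@ public void pcap_netgraph_NetFlowV5() throws Exception {
 .hasSize(120)
 .allSatisfy(message -> assertThat(message.getField("nf_version")).isEqualTo(5));
 }
+
+@Test
+public void pcap_nprobe_NetFlowV9_mixed() throws Exception {
+final List<Message> allMessages = new ArrayList<>();
+try (InputStream inputStream = Resources.getResource("netflow-data/nprobe-netflow9.pcap").openStream()) {
+final Pcap pcap = Pcap.openStream(inputStream);
+pcap.loop(packet -> {
+if (packet.hasProtocol(Protocol.UDP)) {
+final UDPPacket udp = (UDPPacket) packet.getPacket(Protocol.UDP);
+final InetSocketAddress source = new InetSocketAddress(udp.getSourceIP(), udp.getSourcePort());
+final Collection<Message> messages = codec.decodeMessages(new RawMessage(udp.getPayload().getArray(), source));
+assertThat(messages).isNotNull();
+allMessages.addAll(messages);
+}
+return true;
+}
+);
+}
+assertThat(allMessages)
+.hasSize(152);
+}
+
+@Test
+public void pcap_nprobe_NetFlowV9_2() throws Exception {
+final List<Message> allMessages = new ArrayList<>();
+try (InputStream inputStream = Resources.getResource("netflow-data/nprobe-netflow9-2.pcap").openStream()) {
+final Pcap pcap = Pcap.openStream(inputStream);
+pcap.loop(packet -> {
+if (packet.hasProtocol(Protocol.UDP)) {
+final UDPPacket udp = (UDPPacket) packet.getPacket(Protocol.UDP);
+final InetSocketAddress source = new InetSocketAddress(udp.getSourceIP(), udp.getSourcePort());
+final Collection<Message> messages = codec.decodeMessages(new RawMessage(udp.getPayload().getArray(), source));
+assertThat(messages).isNotNull();
+allMessages.addAll(messages);
+}
+return true;
+}
+);
+}
+assertThat(allMessages)
+.hasSize(6)
+.allSatisfy(message -> assertThat(message.getField("nf_version")).isEqualTo(9));
+}
 }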
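Review bot: pcap_nprobe_NetFlowV9_mixed asserts only `.hasSize(152)` on the decoded messages, so a regression that decoded every datagram as the wrong NetFlow version would still pass, while the test name and the commit title suggest the capture mixes v5 and v9 flows. A version check next to the count, e.g. `.extracting(message -> message.getField("nf_version")).containsOnly(5, 9)`, would pin that; the expected version split is not visible here and should be confirmed against the pcap before it is asserted. The pcap replay loop, including the per-packet `assertThat(messages).isNotNull()`, is duplicated verbatim between the two new methods; a private helper taking the resource name and returning the collected messages would reduce each body to its assertions. The enclosing test class starts outside the hunk.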

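--- a/src/test/java/org/graylog/plugins/netflow/v9/NetFlowV9ParserTest.java
+++ b/src/test/java/org/graylog/plugins/netflow/v9/NetFlowV9ParserTest.java
@@ -238,6 +238,140 @@ public void pcap_pmacctd_NetFlowV9() throws Exception {
 );
 }
 
+@Test
+public void pcap_nprobe_NetFlowV9_2() throws Exception {
+final List<NetFlowV9BaseRecord> allRecords = new ArrayList<>();
+final List<NetFlowV9Template> allTemplates = new ArrayList<>();
+try (InputStream inputStream = Resources.getResource("netflow-data/nprobe-netflow9-2.pcap").openStream()) {
+final Pcap pcap = Pcap.openStream(inputStream);
+pcap.loop(packet -> {
+if (packet.hasProtocol(Protocol.UDP)) {
+final UDPPacket udp = (UDPPacket) packet.getPacket(Protocol.UDP);
+final ByteBuf byteBuf = Unpooled.wrappedBuffer(udp.getPayload().getArray());
+final NetFlowV9Packet netFlowV9Packet = NetFlowV9Parser.parsePacket(byteBuf, cache, typeRegistry);
+assertThat(netFlowV9Packet).isNotNull();
+allTemplates.addAll(netFlowV9Packet.templates());
+allRecords.addAll(netFlowV9Packet.records());
+}
+return true;
+}
+);
+}
+assertThat(allTemplates).contains(
+NetFlowV9Template.create(257, 18,
+ImmutableList.<NetFlowV9FieldDef>builder().add(
+NetFlowV9FieldDef.create(NetFlowV9FieldType.create(1, NetFlowV9FieldType.ValueType.UINT32, "in_bytes"), 4),
+NetFlowV9FieldDef.create(NetFlowV9FieldType.create(2, NetFlowV9FieldType.ValueType.UINT32, "in_pkts"), 4),
+NetFlowV9FieldDef.create(NetFlowV9FieldType.create(4, NetFlowV9FieldType.ValueType.UINT8, "protocol"), 1),
+NetFlowV9FieldDef.create(NetFlowV9FieldType.create(5, NetFlowV9FieldType.ValueType.UINT8, "src_tos"), 1),
+NetFlowV9FieldDef.create(NetFlowV9FieldType.create(6, NetFlowV9FieldType.ValueType.UINT8, "tcp_flags"), 1),
+NetFlowV9FieldDef.create(NetFlowV9FieldType.create(7, NetFlowV9FieldType.ValueType.UINT16, "l4_src_port"), 2),
+NetFlowV9FieldDef.create(NetFlowV9FieldType.create(8, NetFlowV9FieldType.ValueType.IPV4, "ipv4_src_addr"), 4),
+NetFlowV9FieldDef.create(NetFlowV9FieldType.create(9, NetFlowV9FieldType.ValueType.UINT8, "src_mask"), 1),
+NetFlowV9FieldDef.create(NetFlowV9FieldType.create(10, NetFlowV9FieldType.ValueType.UINT16, "input_snmp"), 4),
+NetFlowV9FieldDef.create(NetFlowV9FieldType.create(11, NetFlowV9FieldType.ValueType.UINT16, "l4_dst_port"), 2),
+NetFlowV9FieldDef.create(NetFlowV9FieldType.create(12, NetFlowV9FieldType.ValueType.IPV4, "ipv4_dst_addr"), 4),
+NetFlowV9FieldDef.create(NetFlowV9FieldType.create(13, NetFlowV9FieldType.ValueType.UINT8, "dst_mask"), 1),
+NetFlowV9FieldDef.create(NetFlowV9FieldType.create(14, NetFlowV9FieldType.ValueType.UINT16, "output_snmp"), 4),
+NetFlowV9FieldDef.create(NetFlowV9FieldType.create(15, NetFlowV9FieldType.ValueType.IPV4, "ipv4_next_hop"), 4),
+NetFlowV9FieldDef.create(NetFlowV9FieldType.create(16, NetFlowV9FieldType.ValueType.UINT16, "src_as"), 4),
+NetFlowV9FieldDef.create(NetFlowV9FieldType.create(17, NetFlowV9FieldType.ValueType.UINT16, "dst_as"), 4),
+NetFlowV9FieldDef.create(NetFlowV9FieldType.create(21, NetFlowV9FieldType.ValueType.UINT32, "last_switched"), 4),
+NetFlowV9FieldDef.create(NetFlowV9FieldType.create(22, NetFlowV9FieldType.ValueType.UINT32, "first_switched"), 4)
+).build()
+)
+);
+assertThat(allRecords)
+.hasSize(7)
+.contains(
+NetFlowV9Record.create(
+ImmutableMap.<String, Object>builder()
+.put("in_bytes", 375L)
+.put("in_pkts", 7L)
+.put("ipv4_src_addr", "172.17.0.2")
+.put("ipv4_dst_addr", "93.184.216.34")
+.put("ipv4_next_hop", "0.0.0.0")
+.put("l4_src_port", 43296)
+.put("l4_dst_port", 80)
+.put("protocol", (short) 6)
+.put("src_tos", (short) 0)
+.put("tcp_flags", (short) 27)
+.put("src_mask", (short) 0)
+.put("dst_mask", (short) 0)
+.put("input_snmp", 0L)
+.put("output_snmp", 0L)
+.put("src_as", 0L)
+.put("dst_as", 15133L)
+.put("first_switched", 3L)
+.put("last_switched", 413L)
+.build())
+,
+NetFlowV9Record.create(
+ImmutableMap.<String, Object>builder()
+.put("in_bytes", 1829L)
+.put("in_pkts", 6L)
+.put("ipv4_src_addr", "93.184.216.34")
+.put("ipv4_dst_addr", "172.17.0.2")
+.put("ipv4_next_hop", "0.0.0.0")
+.put("l4_src_port", 80)
+.put("l4_dst_port", 43296)
+.put("protocol", (short) 6)
+.put("src_tos", (short) 0)
+.put("tcp_flags", (short) 27)
+.put("src_mask", (short) 0)
+.put("dst_mask", (short) 0)
+.put("input_snmp", 0L)
+.put("output_snmp", 0L)
+.put("src_as", 15133L)
+.put("dst_as", 0L)
+.put("first_switched", 138L)
+.put("last_switched", 413L)
+.build()),
+NetFlowV9Record.create(
+ImmutableMap.<String, Object>builder()
+.put("in_bytes", 68L)
+.put("in_pkts", 1L)
+.put("ipv4_src_addr", "172.17.0.2")
+.put("ipv4_dst_addr", "8.8.4.4")
+.put("ipv4_next_hop", "0.0.0.0")
+.put("l4_src_port", 60546)
+.put("l4_dst_port", 53)
+.put("protocol", (short) 17)
+.put("src_tos", (short) 0)
+.put("tcp_flags", (short) 0)
+.put("src_mask", (short) 0)
+.put("dst_mask", (short) 0)
+.put("input_snmp", 0L)
+.put("output_snmp", 0L)
+.put("src_as", 0L)
+.put("dst_as", 15169L)
+.put("first_switched", 284L)
+.put("last_switched", 284L)
+.build()),
+NetFlowV9Record.create(
+ImmutableMap.<String, Object>builder()
+.put("in_bytes", 84L)
+.put("in_pkts", 1L)
+.put("ipv4_src_addr", "8.8.4.4")
+.put("ipv4_dst_addr", "172.17.0.2")
+.put("ipv4_next_hop", "0.0.0.0")
+.put("l4_src_port", 53)
+.put("l4_dst_port", 60546)
+.put("protocol", (short) 17)
+.put("src_tos", (short) 0)
+.put("tcp_flags", (short) 0)
+.put("src_mask", (short) 0)
+.put("dst_mask", (short) 0)
+.put("input_snmp", 0L)
+.put("output_snmp", 0L)
+.put("src_as", 15169L)
+.put("dst_as", 0L)
+.put("first_switched", 321L)
+.put("last_switched", 321L)
+.build())
+);
+}
+
 private String name(NetFlowV9FieldDef def) {
 return def.type().name().toLowerCase();
 }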
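Review bot: In the expected template `NetFlowV9Template.create(257, 18, ...)`, the defs for input_snmp, output_snmp, src_as and dst_as pair a `UINT16` field type with a length of 4, while every other def's length matches its type's width; nothing in the hunk says why, so a reader will take it for a typo. Presumably this encodes the exporter emitting these fields 4 bytes wide (the matching record values are written as `0L`/`15133L` longs), but that should be confirmed and stated next to the first such def, e.g. `// nprobe exports this field 4 bytes wide although the registry types it UINT16`. Separately, the comma after the first expected record sits on a line of its own (`.build())` followed by `,`), unlike the other records; writing it as `.build()),` matches them. `cache` and `typeRegistry` are fields of the enclosing class, which starts outside the hunk.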
786 Bytes
Binary file not shown.
8.26 KB
Binary file not shown.
