search

Edgio / vflow

Enterprise Network Flow Collector (IPFIX, sFlow, Netflow)
http://www.verizonmedia.com
Apache License 2.0
1.07k stars 226 forks source link

Failed decoding short IPFix sets #128

Open bdollma opened 3 years ago

bdollma commented 3 years ago

Hi, I am using your tool to verify an implementation of IPFix by decoding IPFix payloads. It successfully decodes in most of the cases but I came upon the following case which failed. I have a simple set, with 1 template, with 1 field, protocol field as you can see in the following picture:

Screen Shot 2020-10-06 at 20 01 44

Now, when we look at the data, it has 1 set, with 2 flows:

Screen Shot 2020-10-06 at 20 04 42

From what I know, according to RFC 7011, this is a valid IPFix packet. No padding is mandatory, we have only 1 set.

When I decode the data, I get the following JSON:

{"AgentID":"127.0.0.1","Header": {"Version":10,"Length":22,"ExportTime":0,"SequenceNo":305419896,"DomainID":7777},"DataSets":[]}

I looked a bit in the code, and the problem seems to be in the following line:

https://github.com/VerizonDigital/vflow/blob/b7cc5a3b5454b09ff915e07d36a225cf7588689a/ipfix/decoder.go#L183

This line demands that the length of the records (flows) be at least 4 (without the set header), hence the data set is not treated by the decoder. Why is this so? I printed the values of the variables in this case for your convenience:

Set Header ID = 261
Set Header Length = 6
d.reader.ReadCount() = 20
d.reader.Len() = 2
startCount = 16

Let me know what you think, in case there is some point from the RFC that I am missing please point me to it.

bdollma commented 3 years ago

Hi, Please, let me know what you think about this. Thanks