search

Edgio / vflow

Enterprise Network Flow Collector (IPFIX, sFlow, Netflow)
http://www.verizonmedia.com
Apache License 2.0
1.07k stars 224 forks source link

Netflow element key (X) not exist #74

Open alexeigr opened 5 years ago

alexeigr commented 5 years ago

Hello,

Following issue #71 - any flow with a private element is not handled at all and logs the error (which also inflates eventually). Instead, @avimas and I suggest to append the field using the size from the template record and some default type ("octetArray"). The fix was tested on several devices and showed great results:

in ipfix/decoder.go, line 495: Replace:

return nil, nonfatalError(fmt.Errorf("IPFIX element key (%d) not exist", tr.FieldSpecifiers[i].ElementID))

With:

fields = append(fields, DecodedField{
       ID:    tr.FieldSpecifiers[i].ElementID,
       Value: Interpret(&b, FieldTypes["octetArray"]),
})
continue

and the same in netflow/v9/decoder.go, line 339: Replace:

return nil, nonfatalError(fmt.Errorf("Netflow element key (%d) not exist", tr.FieldSpecifiers[i].ElementID))

With:

fields = append(fields, DecodedField{
     ID:    tr.FieldSpecifiers[i].ElementID,
     Value: ipfix.Interpret(&b, ipfix.FieldTypes["octetArray"]),
})
continue
mikets-gc commented 2 years ago

continue used in the fix suggested skips reading the element bytes and thus makes the subsequent stream inconsistent. Instead the suggested 

if !ok {
        fields = append(fields, DecodedField{
        ID:    tr.FieldSpecifiers[i].ElementID,
        Value: Interpret(&b, FieldTypes["octetArray"]),
})
continue

I've added

if !ok {
        m = InfoElementEntry{
                FieldID: tr.FieldSpecifiers[i].ElementID,
                Name:    "customField",
                Type:    FieldTypes["octetArray"],
        }
}