Graylog2 / graylog-plugin-netflow

[DEPRECATED] Graylog NetFlow plugin
https://www.graylog.org/
Apache License 2.0

IndexOutOfBoundsException when parsing Netflow v9 #16

Closed dennisoelkers closed 6 years ago

dennisoelkers commented 6 years ago

When parsing Netflow v9 packets generated by nprobe or netgraph, the following exception is thrown:

2017-08-08 12:00:43,624 ERROR: org.graylog2.shared.buffers.processors.DecodingProcessor - Unable to decode raw message RawMessage{id=349f0d10-7c31-11e7-a394-0242ac110004, journalOffset=1296, codec=netflow, payloadSize=1408, timestamp=2017-08-08T12:00:43.617Z, remoteAddress=/192.168.1.3:32087} on input <596cc5f34cedfd0001ba5b18>.
2017-08-08 12:00:43,625 ERROR: org.graylog2.shared.buffers.processors.DecodingProcessor - Error processing message RawMessage{id=349f0d10-7c31-11e7-a394-0242ac110004, journalOffset=1296, codec=netflow, payloadSize=1408, timestamp=2017-08-08T12:00:43.617Z, remoteAddress=/192.168.1.3:32087}
java.lang.IndexOutOfBoundsException: readerIndex(1408) + length(1) exceeds writerIndex(1408): UnpooledHeapByteBuf(ridx: 1408, widx: 1408, cap: 1408/1408)
    at io.netty.buffer.AbstractByteBuf.checkReadableBytes0(AbstractByteBuf.java:1395) ~[graylog.jar:?]
    at io.netty.buffer.AbstractByteBuf.readByte(AbstractByteBuf.java:687) ~[graylog.jar:?]
    at io.netty.buffer.AbstractByteBuf.readUnsignedByte(AbstractByteBuf.java:701) ~[graylog.jar:?]
    at org.graylog.plugins.netflow.v9.NetFlowV9Parser.parseRecords(NetFlowV9Parser.java:257) ~[?:?]
    at org.graylog.plugins.netflow.v9.NetFlowV9Parser.parsePacket(NetFlowV9Parser.java:54) ~[?:?]
    at org.graylog.plugins.netflow.flows.NetFlowParser.parse(NetFlowParser.java:63) ~[?:?]
    at org.graylog.plugins.netflow.codecs.NetFlowCodec.decodeMessages(NetFlowCodec.java:107) ~[?:?]
    at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:144) ~[graylog.jar:?]
    at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:87) [graylog.jar:?]
    at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:74) [graylog.jar:?]
    at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:42) [graylog.jar:?]
    at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
    at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
    at java.lang.Thread.run(Thread.java:745) [?:1.8.0_111]
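
The trace shows `parseRecords` reading one byte past the end of a 1408-byte datagram. As an added example (not part of the issue and not the plugin's code), the Java below walks a NetFlow v9 data FlowSet with explicit bounds checks: it validates the declared FlowSet length against the bytes actually received and treats a tail shorter than one record as padding. It uses `java.nio.ByteBuffer` rather than Netty's `ByteBuf`; the class name, method name and sample bytes are constructed for illustration, and the issue does not state the actual cause of the exception.

```java
import java.nio.ByteBuffer;
import java.util.ArrayList;
import java.util.List;
class V9DataFlowSetExample {
    /** Parses one data FlowSet at buf.position(); fieldLengths come from the matching template. */
    static List<byte[][]> parseDataFlowSet(ByteBuffer buf, int[] fieldLengths) {
        if (buf.remaining() < 4) throw new IllegalArgumentException("truncated FlowSet header");
        int flowSetId = buf.getShort() & 0xFFFF;
        int length = buf.getShort() & 0xFFFF;       // covers the 4-byte header, records and padding
        if (flowSetId < 256) throw new IllegalArgumentException("not a data FlowSet: " + flowSetId);
        if (length < 4 || length - 4 > buf.remaining()) throw new IllegalArgumentException("FlowSet length " + length + " exceeds datagram");
        int recordLen = 0;
        for (int len : fieldLengths) {
            if (len <= 0) throw new IllegalArgumentException("bad template field length");
            recordLen += len;
        }
        if (recordLen == 0) throw new IllegalArgumentException("empty template");
        ByteBuffer body = buf.slice();              // view limited to this FlowSet only
        body.limit(length - 4);
        buf.position(buf.position() + length - 4);  // the next FlowSet starts here
        List<byte[][]> records = new ArrayList<>();
        while (body.remaining() >= recordLen) {     // a shorter tail is padding, not a record
            byte[][] fields = new byte[fieldLengths.length][];
            for (int i = 0; i < fieldLengths.length; i++) {
                fields[i] = new byte[fieldLengths[i]];
                body.get(fields[i]);
            }
            records.add(fields);
        }
        return records;
    }
    public static void main(String[] args) {
        // Constructed sample: FlowSet id 256, two 9-byte records (src IPv4, dst IPv4, protocol), 2 padding bytes.
        ByteBuffer ok = ByteBuffer.allocate(24);
        ok.putShort((short) 256).putShort((short) 24);
        ok.put(new byte[] {10, 0, 0, 1, 10, 0, 0, 2, 6}).put(new byte[] {10, 0, 0, 3, 10, 0, 0, 4, 17});
        ok.put(new byte[2]).flip();
        int[] template = {4, 4, 1};
        List<byte[][]> records = parseDataFlowSet(ok, template);
        System.out.println(records.size() + " records, " + ok.remaining() + " bytes left");
        // Same FlowSet cut short: the header still claims 24 bytes but only 20 arrived.
        ByteBuffer cut = ByteBuffer.wrap(ok.array(), 0, 20);
        try {
            parseDataFlowSet(cut, template);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because NetFlow arrives over UDP from whatever host can reach the input, every length field in the datagram is untrusted; rejecting the packet with a specific error keeps a malformed or truncated export from surfacing as an unchecked runtime exception in the decoder.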