lspgn
commented
4 years ago Thanks a lot for the bugfix! (also referencing #31 as it was mentioning Enterprise Templates). Do you have some samples I could test this with?
Open shyam334 opened 4 years ago
lspgn
commented
4 years ago Thanks a lot for the bugfix! (also referencing #31 as it was mentioning Enterprise Templates). Do you have some samples I could test this with?
shyam334
commented
4 years ago @lspgn Thanks for promptly looking into this. I just realised that I don't have a representative pcap that I can share publicly. Let me work that out and get back.
Separately, Is there a more ad-hoc channel to collaborate. (slack or such)
shyam334
commented
4 years ago lspgn
commented
4 years ago There is no slack for GoFlow but feel free to email me: louis at cloudflare.com
Thank you for the sample, will test it out.
raghurampai
commented
4 years ago @lspgn I guess merge is pending for this request. So, is this planned for next release?
Bug: Decoding of IPFIX templates with Enterprise Number field
The goflow IPFIX template decoder isn't aware of the Enterprise Number field, which results in malformed template(s) and processing, when decoding IPFIX templates with Enterprise Number field.
Following is the field specifier format from RFC7011#section-3.2, Figure G :
When goflow tries to decode an IPFIX template with Enterprise Number, It attempts to decode the Enterprise Number field as a regular
Fieldin the template.This results in a malformed template. As a result the corresponding IPFIX Datasets would not be processed. (i.e. goflow would not emit any records)
Patch
The patch adds a seperate path for IPFIX template parsing, where it checks for the
Enterprise bitcondition and skips theEnterprise Numberfield.This will enable the IPFIX Template(s) to be decoded correctly and the corresponding IPFIX Datasets to be processed.