infinite loop and OOM caused by malformed IPFIX template

[karel-un]

We have one server collecting about 10000 IPFIX flows per second from about 15 Mikrotik devices. Few times in a day (usually in the morning, don't know why) thread which receive and parse IPFIX packets starts eating 100% of CPU and memory usage for daemon goes up indefinitely. We temporary solved this by using cgroups to limit memory and detecting OOM by checking memory usage each minute by cron script and restarting daemon if OOM is detected. From the start I suspected some kind of bug in our code, but last two days I ended up with adding perf dump (for two seconds) and call stack dump (three times) for given thread before daemon restart if OOM is detected.

It looks like there is possible infinite loop in

https://github.com/mikemiles-dev/netflow_parser/blob/9e0235262bb7c4a93ab8a9a5195e3fc5a7d1d32c/src/variable_versions/ipfix.rs#L243

By looking at several stack backtraces when OOM occured infinite loop in program hits lines 221, 246, 248, 250 in ipfix.rs.

I would guess that in some conditions length of remaining after parse_field stays same and infinite loop is allocating and pushing data_field indefinitely.

I can provide stack backtraces if needed.

[mikemiles-dev]

I will look at this immediately. I suspect some issue with parse fields.

[mikemiles-dev]

Do you happen to have the cached template info handy?

[karel-un]

I have not, but I could probably insert some code inside the loop that will compare remaining length with previous value and dump some variables if length is the same. Can you point me to which values would you like to dump? Or better can you provide code snippet?

[mikemiles-dev]

If you could add println!("{:?} {:?}", remaining, fields); to lines 244 after the while clause it would help.

[mikemiles-dev]

Added branch ISSUE_56 for testing to see if this fixes the issue. https://github.com/mikemiles-dev/netflow_parser/pull/57

[mikemiles-dev]

let me know and I can merge and publish

[karel-un]

Testing now, can take some time because it happens only few times a day.

[karel-un]

Looks like patch is working, no OOM now. I have modified it a little bit:

• added dump of remaining and fields if last_remaining and remaining.len() have same value
• dropped modification to common.rs so from_field_type behaves the same as before patch

After about two hours dump appeared in a log.

    let mut error_detected = false;

    // While we have bytes remaining
    while !remaining.is_empty() && !error_detected {
        if last_remaining == remaining.len() {
            println!("remaining: {:?}, fields: {:?}", remaining, fields);
            error_detected = true;
        }

Dump here: remaining_dump.txt

Do you want more dumps or should I test unmodified patch?

[mikemiles-dev]

The remaining_dump.txt appears to be empty?

[karel-un]

The remaining_dump.txt appears to be empty?

No, I can download it without problem. Two more dumps appeared, I will upload it ASAP.

[karel-un]

All three again:

remaining_dump.txt

[karel-un]

And all three in text if there are problems with download:

remaining: [187, 17, 42, 14, 53, 0, 194, 7, 1, 3, 196, 8, 125, 194, 126, 97, 155, 27, 42, 0, 20, 80, 64, 20, 8, 15, 0, 0, 0, 0, 0, 0, 32, 10, 6, 149, 165, 182, 196, 149, 165, 182, 196, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 16, 0, 0, 32, 99, 1, 187, 202, 232, 6, 42, 0, 20, 80, 64, 20, 8, 15, 0, 0, 0, 0, 0, 0, 32, 2, 42, 14, 53, 0, 194, 7, 1, 3, 33, 90, 170, 173, 248, 225, 161, 30, 6, 149, 165, 182, 206, 149, 165, 182, 206, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 36, 6, 218, 18, 12, 76, 175, 3, 128, 47, 162, 100, 231, 52, 242, 92, 42, 14, 53, 0, 194, 7, 0, 0, 0, 0, 0, 2, 0, 0, 0, 2, 6, 149, 165, 182, 206, 149, 165, 182, 206, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 36, 6, 218, 18, 12, 76, 175, 3, 128, 47, 162, 100, 231, 52, 242, 92, 42, 14, 53, 0, 194, 7, 1, 0, 0, 0, 0, 0, 0, 0, 0, 1, 6, 149, 165, 182, 206, 149, 165, 182, 206, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 42, 14, 53, 0, 194, 7, 0, 0, 0, 0, 0, 2, 0, 0, 0, 2, 36, 6, 218, 18, 12, 76, 175, 3, 128, 47, 162, 100, 231, 52, 242, 92, 6, 149, 165, 182, 206, 149, 165, 182, 206, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 42, 14, 53, 0, 194, 7, 1, 0, 0, 0, 0, 0, 0, 0, 0, 1, 36, 6, 218, 18, 12, 76, 175, 3, 128, 47, 162, 100, 231, 52, 242, 92, 6, 149, 165, 182, 206, 149, 165, 182, 206, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 36, 6, 218, 18, 12, 76, 175, 3, 128, 47, 162, 100, 231, 52, 242, 92, 42, 14, 53, 0, 194, 7, 1, 0, 0, 0, 0, 0, 0, 0, 1, 37, 6, 149, 165, 182, 206, 149, 165, 182, 206, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 5, 0, 0, 1, 148, 1, 187, 192, 11, 17, 42, 0, 20, 80, 64, 20, 8, 15, 0, 0, 0, 0, 0, 0, 32, 10, 42, 14, 53, 0, 194, 7, 1, 3, 196, 8, 125, 194, 126, 97, 155, 27, 6, 149, 165, 182, 206, 149, 165, 182, 206, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 36, 4, 194, 192, 143, 65, 239, 2, 208, 9, 9, 43, 129, 56, 246, 25, 42, 14, 53, 0, 194, 7, 0, 0, 0, 0, 0, 2, 0, 0, 0, 2, 6, 149, 165, 182, 206, 149, 165, 182, 206, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 42, 14, 53, 0, 194, 7, 1, 0, 0, 0, 0, 0, 0, 0, 1, 37, 36, 6, 218, 18, 12, 76, 175, 3, 128, 47, 162, 100, 231, 52, 242, 92, 6, 149, 165, 182, 206, 149, 165, 182, 206, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 36, 4, 194, 192, 143, 65, 239, 2, 208, 9, 9, 43, 129, 56, 246, 25, 42, 14, 53, 0, 194, 7, 1, 0, 0, 0, 0, 0, 0, 0, 1, 37, 6, 149, 165, 182, 206, 149, 165, 182, 206, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 42, 14, 53, 0, 194, 7, 0, 0, 0, 0, 0, 2, 0, 0, 0, 2, 36, 4, 194, 192, 143, 65, 239, 2, 208, 9, 9, 43, 129, 56, 246, 25, 6, 149, 165, 182, 206, 149, 165, 182, 206, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 12, 0, 0, 30, 139, 1, 187, 202, 229, 6, 42, 0, 20, 80, 64, 37, 4, 1, 0, 0, 0, 0, 0, 0, 0, 154, 42, 14, 53, 0, 194, 7, 1, 3, 33, 90, 170, 173, 248, 225, 161, 30, 6, 149, 165, 182, 206, 149, 165, 182, 206, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 42, 14, 53, 0, 194, 7, 1, 0, 0, 0, 0, 0, 0, 0, 1, 37, 36, 4, 194, 192, 143, 65, 239, 2, 208, 9, 9, 43, 129, 56, 246, 25, 6, 149, 165, 182, 226, 149, 165, 182, 226, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 15, 0, 0, 13, 245, 202, 233, 1, 187, 6, 42, 14, 53, 0, 194, 7, 1, 3, 33, 90, 170, 173, 248, 225, 161, 30, 42, 0, 20, 80, 64, 20, 8, 15, 0, 0, 0, 0, 0, 0, 32, 10, 6, 149, 165, 182, 236, 149, 165, 182, 236, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 25, 0, 0, 43, 51, 1, 187, 202, 233, 6, 42, 0, 20, 80, 64, 20, 8, 15, 0, 0, 0, 0, 0, 0, 32, 10, 42, 14, 53, 0, 194, 7, 1, 3, 33, 90, 170, 173, 248, 225, 161, 30, 6, 149, 165, 183, 0, 149, 165, 183, 0, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 61, 196, 177, 1, 187, 6, 42, 14, 53, 0, 194, 7, 1, 3, 164, 193, 118, 19, 148, 58, 99, 151, 38, 3, 16, 32, 7, 5, 0, 8, 0, 0, 0, 0, 0, 0, 4, 2, 6, 149, 165, 183, 10, 149, 165, 183, 10, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 38, 0, 0, 18, 219, 202, 236, 1, 187, 6, 42, 14, 53, 0, 194, 7, 1, 3, 33, 90, 170, 173, 248, 225, 161, 30, 38, 0, 144, 0, 33, 39, 198, 0, 0, 17, 243, 158, 105, 64, 147, 161, 6, 149, 165, 183, 20, 149, 165, 183, 20, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 9, 0, 0, 9, 45, 202, 237, 1, 187, 6, 42, 14, 53, 0, 194, 7, 1, 3, 33, 90, 170, 173, 248, 225, 161, 30, 38, 0, 144, 0, 33, 39, 198, 0, 0, 17, 243, 158, 105, 64, 147, 161, 6, 149, 165, 183, 20, 149, 165, 183, 20, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 36, 6, 218, 18, 12, 76, 175, 2, 115, 36, 43, 179, 66, 42, 248, 248, 42, 14, 53, 0, 194, 7, 0, 0, 0, 0, 0, 2, 0, 0, 0, 2, 6, 149, 165, 183, 20, 149, 165, 183, 20, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 36, 6, 218, 18, 12, 76, 175, 2, 115, 36, 43, 179, 66, 42, 248, 248, 42, 14, 53, 0, 194, 7, 1, 0, 0, 0, 0, 0, 0, 0, 1, 37, 24, 253], fields: [{AssignedforNetFlowv9compatibility: Vec([])}]
remaining: [104, 192, 26, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 42, 14, 53, 0, 194, 7, 0, 0, 0, 0, 0, 2, 0, 0, 0, 2, 36, 6, 218, 18, 12, 76, 175, 2, 81, 237, 60, 212, 157, 46, 46, 7, 6, 150, 104, 192, 26, 150, 104, 192, 26, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 42, 14, 53, 0, 194, 7, 1, 0, 0, 0, 0, 0, 0, 0, 1, 37, 36, 6, 218, 18, 12, 76, 175, 2, 81, 237, 60, 212, 157, 46, 46, 7, 6, 150, 104, 192, 26, 150, 104, 192, 26, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 42, 5, 208, 18, 5, 75, 29, 2, 182, 196, 77, 221, 146, 131, 253, 132, 42, 14, 53, 0, 194, 7, 1, 0, 0, 0, 0, 0, 0, 0, 1, 37, 6, 150, 104, 192, 26, 150, 104, 192, 26, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 42, 5, 208, 18, 5, 75, 29, 2, 182, 196, 77, 221, 146, 131, 253, 132, 42, 14, 53, 0, 194, 7, 1, 0, 0, 0, 0, 0, 0, 0, 0, 1, 6, 150, 104, 192, 26, 150, 104, 192, 26, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 42, 5, 208, 18, 5, 75, 29, 2, 182, 196, 77, 221, 146, 131, 253, 132, 42, 14, 53, 0, 194, 7, 0, 0, 0, 0, 0, 2, 0, 0, 0, 2, 6, 150, 104, 192, 26, 150, 104, 192, 26, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 42, 14, 53, 0, 194, 7, 1, 0, 0, 0, 0, 0, 0, 0, 1, 37, 42, 5, 208, 18, 5, 75, 29, 2, 182, 196, 77, 221, 146, 131, 253, 132, 6, 150, 104, 192, 26, 150, 104, 192, 26, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 42, 14, 53, 0, 194, 7, 0, 0, 0, 0, 0, 2, 0, 0, 0, 2, 42, 5, 208, 18, 5, 75, 29, 2, 182, 196, 77, 221, 146, 131, 253, 132, 6, 150, 104, 192, 26, 150, 104, 192, 26, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 42, 14, 53, 0, 194, 7, 1, 0, 0, 0, 0, 0, 0, 0, 0, 1, 42, 5, 208, 18, 5, 75, 29, 2, 182, 196, 77, 221, 146, 131, 253, 132, 6, 150, 104, 192, 36, 150, 104, 192, 36, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 36, 0, 127, 192, 143, 13, 229, 1, 134, 62, 211, 131, 195, 173, 192, 45, 42, 14, 53, 0, 194, 7, 1, 0, 0, 0, 0, 0, 0, 0, 0, 1, 6, 150, 104, 192, 36, 150, 104, 192, 36, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 42, 14, 53, 0, 194, 7, 1, 0, 0, 0, 0, 0, 0, 0, 0, 1, 36, 0, 127, 192, 143, 13, 229, 1, 134, 62, 211, 131, 195, 173, 192, 45, 6, 150, 104, 192, 46, 150, 104, 192, 46, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 36, 0, 127, 192, 143, 13, 229, 1, 134, 62, 211, 131, 195, 173, 192, 45, 42, 14, 53, 0, 194, 7, 0, 0, 0, 0, 0, 2, 0, 0, 0, 2, 6, 150, 104, 192, 46, 150, 104, 192, 46, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 42, 14, 53, 0, 194, 7, 0, 0, 0, 0, 0, 2, 0, 0, 0, 2, 36, 0, 127, 192, 143, 13, 229, 1, 134, 62, 211, 131, 195, 173, 192, 45, 6, 150, 104, 192, 46, 150, 104, 192, 46, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 36, 0, 127, 192, 143, 13, 229, 1, 134, 62, 211, 131, 195, 173, 192, 45, 42, 14, 53, 0, 194, 7, 1, 0, 0, 0, 0, 0, 0, 0, 1, 37, 6, 150, 104, 192, 46, 150, 104, 192, 46, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 42, 14, 53, 0, 194, 7, 1, 0, 0, 0, 0, 0, 0, 0, 1, 37, 36, 0, 127, 192, 143, 13, 229, 1, 134, 62, 211, 131, 195, 173, 192, 45, 6, 150, 104, 192, 76, 150, 104, 192, 76, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 64, 0, 0, 0, 0, 58, 38, 0, 20, 8, 236, 0, 0, 27, 0, 0, 0, 0, 23, 213, 246, 11, 42, 14, 53, 0, 194, 7, 0, 0, 0, 0, 0, 2, 0, 0, 0, 2, 6, 150, 104, 192, 76, 150, 104, 192, 76, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 64, 0, 0, 0, 0, 58, 42, 14, 53, 0, 194, 7, 0, 0, 0, 0, 0, 2, 0, 0, 0, 2, 38, 0, 20, 8, 236, 0, 0, 27, 0, 0, 0, 0, 23, 213, 246, 11, 6, 150, 104, 192, 86, 150, 104, 192, 86, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 42, 5, 208, 18, 5, 75, 29, 0, 247, 234, 80, 224, 217, 14, 36, 89, 42, 14, 53, 0, 194, 7, 1, 0, 0, 0, 0, 0, 0, 0, 1, 37, 6, 150, 104, 192, 86, 150, 104, 192, 86, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 42, 5, 208, 18, 5, 75, 29, 0, 247, 234, 80, 224, 217, 14, 36, 89, 42, 14, 53, 0, 194, 7, 1, 0, 0, 0, 0, 0, 0, 0, 0, 1, 6, 150, 104, 192, 86, 150, 104, 192, 86, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 42, 5, 208, 18, 5, 75, 29, 0, 247, 234, 80, 224, 217, 14, 36, 89, 42, 14, 53, 0, 194, 7, 0, 0, 0, 0, 0, 2, 0, 0, 0, 2, 6, 150, 104, 192, 86, 150, 104, 192, 86, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 42, 14, 53, 0, 194, 7, 1, 0, 0, 0, 0, 0, 0, 0, 0, 1, 42, 5, 208, 18, 5, 75, 29, 0, 247, 234, 80, 224, 217, 14, 36, 89, 6, 150, 104, 192, 86, 150, 104, 192, 86, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 42, 14, 53, 0, 194, 7, 0, 0, 0, 0, 0, 2, 0, 0, 0, 2, 42, 5, 208, 18, 5, 75, 29, 0, 247, 234, 80, 224, 217, 14, 36, 89, 6, 150, 104, 192, 86, 150, 104, 192, 86, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 42, 14, 53, 0, 194, 7, 1, 0, 0, 0, 0, 0, 0, 0, 1, 37, 42, 5, 208, 18, 5, 75, 29, 0, 247, 234, 80, 224, 217, 14, 36, 89, 24, 253], fields: [{AssignedforNetFlowv9compatibility: Vec([])}]
remaining: [104, 192, 96, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 38, 0, 31, 24, 91, 117, 184, 3, 91, 213, 191, 193, 72, 51, 10, 218, 42, 14, 53, 0, 194, 7, 0, 0, 0, 0, 0, 2, 0, 0, 0, 2, 6, 150, 104, 192, 96, 150, 104, 192, 96, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 38, 0, 31, 24, 91, 117, 184, 3, 91, 213, 191, 193, 72, 51, 10, 218, 42, 14, 53, 0, 194, 7, 1, 0, 0, 0, 0, 0, 0, 0, 0, 1, 6, 150, 104, 192, 96, 150, 104, 192, 96, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 42, 14, 53, 0, 194, 7, 1, 0, 0, 0, 0, 0, 0, 0, 1, 37, 38, 0, 31, 24, 91, 117, 184, 3, 91, 213, 191, 193, 72, 51, 10, 218, 6, 150, 104, 192, 106, 150, 104, 192, 106, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 42, 14, 53, 0, 194, 7, 0, 0, 0, 0, 0, 2, 0, 0, 0, 2, 38, 0, 31, 24, 91, 117, 184, 3, 91, 213, 191, 193, 72, 51, 10, 218, 6, 150, 104, 192, 106, 150, 104, 192, 106, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 42, 14, 53, 0, 194, 7, 1, 0, 0, 0, 0, 0, 0, 0, 0, 1, 38, 0, 31, 24, 91, 117, 184, 3, 91, 213, 191, 193, 72, 51, 10, 218, 6, 150, 104, 192, 106, 150, 104, 192, 106, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 64, 0, 0, 0, 0, 58, 38, 0, 20, 6, 0, 63, 0, 0, 0, 0, 0, 0, 23, 206, 195, 235, 42, 14, 53, 0, 194, 7, 0, 0, 0, 0, 0, 2, 0, 0, 0, 2, 6, 150, 104, 192, 106, 150, 104, 192, 106, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 64, 0, 0, 0, 0, 58, 42, 14, 53, 0, 194, 7, 0, 0, 0, 0, 0, 2, 0, 0, 0, 2, 38, 0, 20, 6, 0, 63, 0, 0, 0, 0, 0, 0, 23, 206, 195, 235, 6, 150, 104, 192, 126, 150, 104, 192, 126, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 64, 0, 0, 0, 0, 58, 42, 2, 38, 240, 0, 119, 0, 9, 0, 0, 0, 0, 78, 152, 43, 229, 42, 14, 53, 0, 194, 7, 0, 0, 0, 0, 0, 2, 0, 0, 0, 2, 6, 150, 104, 192, 126, 150, 104, 192, 126, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 64, 0, 0, 0, 0, 58, 42, 14, 53, 0, 194, 7, 0, 0, 0, 0, 0, 2, 0, 0, 0, 2, 42, 2, 38, 240, 0, 119, 0, 9, 0, 0, 0, 0, 78, 152, 43, 229, 6, 150, 104, 192, 136, 150, 104, 192, 136, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 36, 6, 218, 18, 12, 76, 175, 3, 228, 7, 96, 15, 66, 104, 97, 95, 42, 14, 53, 0, 194, 7, 1, 0, 0, 0, 0, 0, 0, 0, 1, 37, 6, 150, 104, 192, 136, 150, 104, 192, 136, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 36, 6, 218, 18, 12, 76, 175, 3, 228, 7, 96, 15, 66, 104, 97, 95, 42, 14, 53, 0, 194, 7, 0, 0, 0, 0, 0, 2, 0, 0, 0, 2, 6, 150, 104, 192, 136, 150, 104, 192, 136, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 36, 6, 218, 18, 12, 76, 175, 3, 228, 7, 96, 15, 66, 104, 97, 95, 42, 14, 53, 0, 194, 7, 1, 0, 0, 0, 0, 0, 0, 0, 0, 1, 6, 150, 104, 192, 136, 150, 104, 192, 136, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 42, 14, 53, 0, 194, 7, 0, 0, 0, 0, 0, 2, 0, 0, 0, 2, 36, 6, 218, 18, 12, 76, 175, 3, 228, 7, 96, 15, 66, 104, 97, 95, 6, 150, 104, 192, 136, 150, 104, 192, 136, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 42, 14, 53, 0, 194, 7, 1, 0, 0, 0, 0, 0, 0, 0, 1, 37, 36, 6, 218, 18, 12, 76, 175, 3, 228, 7, 96, 15, 66, 104, 97, 95, 6, 150, 104, 192, 136, 150, 104, 192, 136, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 42, 14, 53, 0, 194, 7, 1, 0, 0, 0, 0, 0, 0, 0, 0, 1, 36, 6, 218, 18, 12, 76, 175, 3, 228, 7, 96, 15, 66, 104, 97, 95, 6, 150, 104, 192, 176, 150, 104, 192, 176, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 42, 5, 208, 18, 5, 75, 29, 1, 227, 250, 61, 30, 50, 131, 43, 238, 42, 14, 53, 0, 194, 7, 1, 0, 0, 0, 0, 0, 0, 0, 0, 1, 6, 150, 104, 192, 176, 150, 104, 192, 176, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 42, 5, 208, 18, 5, 75, 29, 1, 227, 250, 61, 30, 50, 131, 43, 238, 42, 14, 53, 0, 194, 7, 1, 0, 0, 0, 0, 0, 0, 0, 1, 37, 6, 150, 104, 192, 176, 150, 104, 192, 176, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 42, 14, 53, 0, 194, 7, 1, 0, 0, 0, 0, 0, 0, 0, 0, 1, 42, 5, 208, 18, 5, 75, 29, 1, 227, 250, 61, 30, 50, 131, 43, 238, 6, 150, 104, 192, 176, 150, 104, 192, 176, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 42, 5, 208, 18, 5, 75, 29, 1, 227, 250, 61, 30, 50, 131, 43, 238, 42, 14, 53, 0, 194, 7, 0, 0, 0, 0, 0, 2, 0, 0, 0, 2, 6, 150, 104, 192, 176, 150, 104, 192, 176, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 42, 14, 53, 0, 194, 7, 1, 0, 0, 0, 0, 0, 0, 0, 1, 37, 42, 5, 208, 18, 5, 75, 29, 1, 227, 250, 61, 30, 50, 131, 43, 238, 6, 150, 104, 192, 176, 150, 104, 192, 176, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 1, 0, 0, 0, 56, 0, 0, 0, 0, 58, 42, 14, 53, 0, 194, 7, 0, 0, 0, 0, 0, 2, 0, 0, 0, 2, 42, 5, 208, 18, 5, 75, 29, 1, 227, 250, 61, 30, 50, 131, 43, 238, 6, 150, 104, 192, 206, 150, 104, 192, 206, 0, 0, 1, 142, 255, 210, 166, 62, 0, 0, 0, 2, 0, 0, 0, 159, 243, 58, 1, 187, 6, 42, 14, 53, 0, 194, 7, 1, 3, 105, 3, 184, 209, 102, 7, 35, 184, 42, 2, 5, 152, 0, 12, 1, 137, 0, 0, 0, 0, 0, 0, 0, 81, 24, 253], fields: [{AssignedforNetFlowv9compatibility: Vec([])}]

[mikemiles-dev]

This is great info. However there is one more piece I need. Can you modify to be: println!("remaining: {:?}, fields: {:?}, template_fields: {:?}", remaining, fields, template_fields);. The code will take n length listed in that field so it would be critical to know and potential parse the data.

[karel-un]

Added template_fields dump. It may take few hours again before malformed packet will appear.

[mikemiles-dev]

Thank you for being understanding. I hope this let's us fix the issue to the level of being able to parse this flow.

[karel-un]

This morning around 400 dumps appeared, probably enough to solve this :) I am attaching last 30. Looks like the common pattern is template_fields with just one "Reserved" field with zero length.

template_fields:  [TemplateField { field_type_number: 0, field_type: Reserved, field_length: 0, enterprise_number: None }]

remaining_dump2.txt

Just in case of downloading problems again here are three dumps in text:

remaining: [253, 6, 42, 2, 38, 240, 124, 0, 0, 0, 0, 0, 0, 0, 92, 122, 48, 41, 42, 14, 53, 0, 194, 1, 2, 0, 224, 82, 65, 160, 127, 177, 158, 165, 6, 77, 231, 63, 248, 77, 231, 63, 248, 0, 0, 1, 143, 76, 15, 57, 244, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 61, 200, 170, 1, 187, 6, 42, 14, 53, 0, 194, 1, 2, 0, 185, 173, 103, 98, 167, 118, 104, 133, 38, 0, 25, 1, 0, 0, 71, 252, 0, 0, 0, 0, 0, 0, 0, 0, 6, 77, 231, 63, 248, 77, 231, 63, 248, 0, 0, 1, 143, 76, 15, 57, 244, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 72, 1, 187, 200, 170, 6, 38, 0, 25, 1, 0, 0, 71, 252, 0, 0, 0, 0, 0, 0, 0, 0, 42, 14, 53, 0, 194, 1, 2, 0, 185, 173, 103, 98, 167, 118, 104, 133, 6, 77, 231, 64, 92, 77, 231, 64, 92, 0, 0, 1, 143, 76, 15, 57, 244, 0, 0, 0, 0, 0, 0, 0, 15, 0, 0, 0, 0, 0, 0, 16, 78, 194, 134, 1, 187, 6, 42, 14, 53, 0, 194, 1, 2, 0, 104, 192, 183, 25, 213, 236, 195, 169, 38, 32, 1, 236, 12, 17, 0, 0, 0, 0, 0, 0, 0, 0, 2, 57, 6, 77, 231, 64, 92, 77, 231, 64, 92, 0, 0, 1, 143, 76, 15, 57, 244, 0, 0, 0, 0, 0, 0, 0, 6, 0, 0, 0, 0, 0, 0, 8, 84, 194, 135, 1, 187, 6, 42, 14, 53, 0, 194, 1, 2, 0, 104, 192, 183, 25, 213, 236, 195, 169, 38, 32, 1, 236, 12, 17, 0, 0, 0, 0, 0, 0, 0, 0, 2, 57, 6, 77, 231, 64, 92, 77, 231, 64, 92, 0, 0, 1, 143, 76, 15, 57, 244, 0, 0, 0, 0, 0, 0, 0, 13, 0, 0, 0, 0, 0, 0, 14, 236, 194, 136, 1, 187, 6, 42, 14, 53, 0, 194, 1, 2, 0, 104, 192, 183, 25, 213, 236, 195, 169, 38, 3, 16, 38, 48, 0, 1, 80, 0, 0, 0, 0, 0, 0, 0, 10, 6, 77, 231, 64, 92, 77, 231, 64, 92, 0, 0, 1, 143, 76, 15, 57, 244, 0, 0, 0, 0, 0, 0, 0, 14, 0, 0, 0, 0, 0, 0, 32, 170, 1, 187, 194, 134, 6, 38, 32, 1, 236, 12, 17, 0, 0, 0, 0, 0, 0, 0, 0, 2, 57, 42, 14, 53, 0, 194, 1, 2, 0, 104, 192, 183, 25, 213, 236, 195, 169, 6, 77, 231, 64, 92, 77, 231, 64, 92, 0, 0, 1, 143, 76, 15, 57, 244, 0, 0, 0, 0, 0, 0, 0, 6, 0, 0, 0, 0, 0, 0, 24, 124, 1, 187, 194, 135, 6, 38, 32, 1, 236, 12, 17, 0, 0, 0, 0, 0, 0, 0, 0, 2, 57, 42, 14, 53, 0, 194, 1, 2, 0, 104, 192, 183, 25, 213, 236, 195, 169, 6, 77, 231, 64, 112, 77, 231, 64, 112, 0, 0, 1, 143, 76, 15, 57, 244, 0, 0, 0, 0, 0, 0, 0, 11, 0, 0, 0, 0, 0, 0, 31, 147, 1, 187, 194, 136, 6, 38, 3, 16, 38, 48, 0, 1, 80, 0, 0, 0, 0, 0, 0, 0, 10, 42, 14, 53, 0, 194, 1, 2, 0, 104, 192, 183, 25, 213, 236, 195, 169, 6, 77, 231, 64, 122, 77, 231, 64, 122, 0, 0, 1, 143, 76, 15, 57, 244, 0, 0, 0, 0, 0, 0, 0, 16, 0, 0, 0, 0, 0, 0, 15, 168, 194, 139, 1, 187, 6, 42, 14, 53, 0, 194, 1, 2, 0, 104, 192, 183, 25, 213, 236, 195, 169, 38, 32, 1, 236, 11, 223, 0, 0, 0, 0, 0, 0, 0, 0, 0, 69, 6, 77, 231, 64, 132, 77, 231, 64, 132, 0, 0, 1, 143, 76, 15, 57, 244, 0, 0, 0, 0, 0, 0, 0, 13, 0, 0, 0, 0, 0, 0, 33, 12, 1, 187, 194, 139, 6, 38, 32, 1, 236, 11, 223, 0, 0, 0, 0, 0, 0, 0, 0, 0, 69, 42, 14, 53, 0, 194, 1, 2, 0, 104, 192, 183, 25, 213, 236, 195, 169, 6, 77, 231, 64, 162, 77, 231, 64, 162, 0, 0, 1, 143, 76, 15, 57, 244, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 61, 197, 30, 1, 187, 6, 42, 14, 53, 0, 194, 1, 2, 0, 176, 232, 6, 199, 178, 181, 158, 7, 38, 3, 16, 99, 0, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 7, 6, 77, 231, 64, 182, 77, 231, 64, 182, 0, 0, 1, 143, 76, 15, 57, 244, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 72, 1, 187, 197, 30, 6, 38, 3, 16, 99, 0, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 7, 42, 14, 53, 0, 194, 1, 2, 0, 176, 232, 6, 199, 178, 181, 158, 7, 6, 77, 231, 14, 2, 77, 231, 64, 182, 0, 0, 1, 143, 76, 15, 57, 244, 0, 0, 0, 0, 0, 0, 1, 92, 0, 0, 0, 0, 0, 0, 205, 32, 229, 32, 1, 187, 17, 42, 14, 53, 0, 194, 1, 2, 0, 153, 241, 12, 140, 72, 92, 176, 87, 42, 2, 38, 240, 71, 0, 0, 0, 0, 0, 0, 0, 23, 212, 110, 10, 6, 77, 231, 14, 12, 77, 231, 64, 192, 0, 0, 1, 143, 76, 15, 57, 244, 0, 0, 0, 0, 0, 0, 3, 254, 0, 0, 0, 0, 0, 15, 78, 182, 1, 187, 229, 32, 17, 42, 2, 38, 240, 71, 0, 0, 0, 0, 0, 0, 0, 23, 212, 110, 10, 42, 14, 53, 0, 194, 1, 2, 0, 153, 241, 12, 140, 72, 92, 176, 87, 6, 77, 231, 64, 232, 77, 231, 64, 232, 0, 0, 1, 143, 76, 15, 57, 244, 0, 0, 0, 0, 0, 0, 0, 11, 0, 0, 0, 0, 0, 0, 15, 45, 194, 140, 1, 187, 6, 42, 14, 53, 0, 194, 1, 2, 0, 104, 192, 183, 25, 213, 236, 195, 169, 42, 2, 38, 240, 227, 0, 0, 0, 0, 0, 0, 0, 95, 100, 146, 64, 6, 77, 231, 64, 242, 77, 231, 64, 242, 0, 0, 1, 143, 76, 15, 57, 244, 0, 0, 0, 0, 0, 0, 0, 14, 0, 0, 0, 0, 0, 0, 23, 216, 1, 187, 194, 140, 6, 42, 2, 38, 240, 227, 0, 0, 0, 0, 0, 0, 0, 95, 100, 146, 64, 42, 14, 53, 0, 194, 1, 2, 0, 104, 192, 183, 25, 213, 236, 195, 169, 6, 77, 231, 60, 216, 77, 231, 65, 6, 0, 0, 1, 143, 76, 15, 57, 244, 0, 0, 0, 0, 0, 0, 0, 16, 0, 0, 0, 0, 0, 0, 15, 85, 194, 132, 1, 187, 6, 42, 14, 53, 0, 194, 1, 2, 0, 104, 192, 183, 25, 213, 236, 195, 169, 38, 32, 1, 236, 0, 33, 0, 0, 0, 0, 0, 0, 0, 0, 0, 22, 6, 77, 231, 60, 226, 77, 231, 65, 16, 0, 0, 1, 143, 76, 15, 57, 244, 0, 0, 0, 0, 0, 0, 0, 16, 0, 0, 0, 0, 0, 0, 41, 168, 1, 187, 194, 132, 6, 38, 32, 1, 236, 0, 33, 0, 0, 0, 0, 0, 0, 0, 0, 0, 22, 42, 14, 53, 0, 194, 1, 2, 0, 104, 192, 183, 25, 213, 236, 195, 169, 6, 77, 231, 65, 36, 77, 231, 65, 36, 0, 0, 1, 143, 76, 15, 57, 244, 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 5, 148, 1, 187, 197, 137, 6, 38, 3, 16, 38, 3, 2, 0, 140, 0, 0, 0, 0, 0, 0, 0, 2, 42, 14, 53, 0, 194, 1, 2, 0, 224, 113, 11, 85, 215, 165, 66, 182], fields: [{Reserved: Vec([])}], template_fields:  [TemplateField { field_type_number: 0, field_type: Reserved, field_length: 0, enterprise_number: None }]
remaining: [0, 0, 0, 0, 23, 212, 110, 49, 42, 14, 53, 0, 194, 1, 2, 0, 240, 225, 86, 22, 60, 165, 28, 67, 6, 77, 231, 37, 54, 77, 231, 73, 178, 0, 0, 1, 143, 76, 15, 57, 244, 0, 0, 0, 0, 0, 0, 0, 6, 0, 0, 0, 0, 0, 0, 1, 104, 1, 187, 198, 144, 6, 38, 6, 40, 0, 1, 51, 32, 110, 19, 21, 34, 165, 32, 6, 36, 253, 42, 14, 53, 0, 194, 1, 2, 0, 240, 225, 86, 22, 60, 165, 28, 67, 6, 77, 231, 74, 22, 77, 231, 74, 22, 0, 0, 1, 143, 76, 15, 57, 244, 0, 0, 0, 0, 0, 0, 0, 14, 0, 0, 0, 0, 0, 0, 23, 242, 197, 104, 1, 187, 17, 42, 14, 53, 0, 194, 1, 2, 0, 104, 192, 183, 25, 213, 236, 195, 169, 42, 0, 20, 80, 64, 20, 8, 10, 0, 0, 0, 0, 0, 0, 32, 10, 6, 77, 231, 74, 32, 77, 231, 74, 32, 0, 0, 1, 143, 76, 15, 57, 244, 0, 0, 0, 0, 0, 0, 0, 15, 0, 0, 0, 0, 0, 0, 41, 119, 1, 187, 197, 104, 17, 42, 0, 20, 80, 64, 20, 8, 10, 0, 0, 0, 0, 0, 0, 32, 10, 42, 14, 53, 0, 194, 1, 2, 0, 104, 192, 183, 25, 213, 236, 195, 169, 6, 77, 231, 74, 42, 77, 231, 74, 42, 0, 0, 1, 143, 76, 15, 57, 244, 0, 0, 0, 0, 0, 0, 0, 7, 0, 0, 0, 0, 0, 0, 9, 11, 194, 147, 1, 187, 6, 42, 14, 53, 0, 194, 1, 2, 0, 104, 192, 183, 25, 213, 236, 195, 169, 42, 0, 20, 80, 64, 20, 8, 10, 0, 0, 0, 0, 0, 0, 32, 10, 6, 77, 231, 74, 52, 77, 231, 74, 52, 0, 0, 1, 143, 76, 15, 57, 244, 0, 0, 0, 0, 0, 0, 0, 6, 0, 0, 0, 0, 0, 0, 28, 159, 1, 187, 194, 147, 6, 42, 0, 20, 80, 64, 20, 8, 10, 0, 0, 0, 0, 0, 0, 32, 10, 42, 14, 53, 0, 194, 1, 2, 0, 104, 192, 183, 25, 213, 236, 195, 169, 6, 77, 231, 37, 204, 77, 231, 74, 72, 0, 0, 1, 143, 76, 15, 57, 244, 0, 0, 0, 0, 0, 0, 0, 6, 0, 0, 0, 0, 0, 0, 1, 104, 1, 187, 198, 133, 6, 32, 1, 72, 154, 54, 4, 0, 0, 0, 0, 0, 0, 0, 0, 7, 192, 42, 14, 53, 0, 194, 1, 2, 0, 240, 225, 86, 22, 60, 165, 28, 67, 6, 77, 231, 74, 242, 77, 231, 74, 242, 0, 0, 1, 143, 76, 15, 57, 244, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 61, 197, 252, 1, 187, 6, 42, 14, 53, 0, 194, 1, 2, 0, 240, 225, 86, 22, 60, 165, 28, 67, 38, 3, 16, 38, 36, 10, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 6, 77, 231, 75, 6, 77, 231, 75, 6, 0, 0, 1, 143, 76, 15, 57, 244, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 72, 1, 187, 197, 252, 6, 38, 3, 16, 38, 36, 10, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 42, 14, 53, 0, 194, 1, 2, 0, 240, 225, 86, 22, 60, 165, 28, 67, 6, 77, 231, 75, 156, 77, 231, 75, 156, 0, 0, 1, 143, 76, 15, 57, 244, 0, 0, 0, 0, 0, 0, 0, 16, 0, 0, 0, 0, 0, 0, 12, 148, 194, 149, 1, 187, 6, 42, 14, 53, 0, 194, 1, 2, 0, 104, 192, 183, 25, 213, 236, 195, 169, 38, 3, 16, 38, 36, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 6, 77, 231, 68, 8, 77, 231, 75, 156, 0, 0, 1, 143, 76, 15, 57, 244, 0, 0, 0, 0, 0, 0, 0, 8, 0, 0, 0, 0, 0, 0, 27, 255, 1, 187, 227, 244, 6, 38, 3, 16, 38, 36, 5, 0, 1, 0, 0, 0, 0, 0, 0, 0, 18, 42, 14, 53, 0, 194, 1, 2, 0, 73, 9, 59, 147, 40, 142, 211, 142, 6, 77, 231, 75, 176, 77, 231, 75, 176, 0, 0, 1, 143, 76, 15, 57, 244, 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 2, 54, 217, 66, 0, 80, 6, 42, 14, 53, 0, 194, 1, 2, 0, 224, 82, 65, 160, 127, 177, 158, 165, 42, 2, 3, 208, 6, 96, 160, 0, 0, 0, 0, 0, 0, 0, 0, 1, 6, 77, 231, 75, 186, 77, 231, 75, 186, 0, 0, 1, 143, 76, 15, 57, 244, 0, 0, 0, 0, 0, 0, 0, 10, 0, 0, 0, 0, 0, 0, 56, 167, 1, 187, 194, 149, 6, 38, 3, 16, 38, 36, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 42, 14, 53, 0, 194, 1, 2, 0, 104, 192, 183, 25, 213, 236, 195, 169, 6, 77, 231, 75, 196, 77, 231, 75, 196, 0, 0, 1, 143, 76, 15, 57, 244, 0, 0, 0, 0, 0, 0, 0, 3, 0, 0, 0, 0, 0, 0, 7, 175, 0, 80, 217, 66, 6, 42, 2, 3, 208, 6, 96, 160, 0, 0, 0, 0, 0, 0, 0, 0, 1, 42, 14, 53, 0, 194, 1, 2, 0, 224, 82, 65, 160, 127, 177, 158, 165, 6, 77, 231, 67, 234, 77, 231, 75, 216, 0, 0, 1, 143, 76, 15, 57, 244, 0, 0, 0, 0, 0, 0, 0, 12, 0, 0, 0, 0, 0, 0, 10, 84, 227, 244, 1, 187, 6, 42, 14, 53, 0, 194, 1, 2, 0, 73, 9, 59, 147, 40, 142, 211, 142, 38, 3, 16, 38, 36, 5, 0, 1, 0, 0, 0, 0, 0, 0, 0, 18], fields: [{Reserved: Vec([])}], template_fields:  [TemplateField { field_type_number: 0, field_type: Reserved, field_length: 0, enterprise_number: None }]
remaining: [0, 0, 0, 0, 23, 212, 110, 8, 42, 14, 53, 0, 194, 1, 2, 0, 109, 27, 34, 78, 0, 212, 202, 142, 6, 77, 231, 83, 28, 77, 231, 83, 28, 0, 0, 1, 143, 76, 15, 57, 245, 0, 0, 0, 0, 0, 0, 0, 12, 0, 0, 0, 0, 0, 0, 7, 129, 216, 125, 1, 187, 6, 42, 14, 53, 0, 194, 1, 2, 0, 104, 22, 84, 58, 201, 225, 161, 48, 38, 3, 16, 38, 36, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 6, 77, 231, 63, 138, 77, 231, 83, 48, 0, 0, 1, 143, 76, 15, 57, 244, 0, 0, 0, 0, 0, 0, 0, 3, 0, 0, 0, 0, 0, 0, 0, 228, 200, 4, 23, 50, 6, 42, 14, 53, 0, 194, 1, 2, 0, 217, 166, 232, 34, 62, 171, 135, 6, 42, 0, 17, 192, 0, 50, 3, 81, 2, 23, 1, 70, 0, 33, 1, 54, 6, 77, 231, 83, 68, 77, 231, 83, 68, 0, 0, 1, 143, 76, 15, 57, 244, 0, 0, 0, 0, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 178, 202, 235, 1, 187, 6, 42, 14, 53, 0, 194, 1, 2, 0, 208, 96, 209, 183, 163, 6, 10, 232, 42, 1, 1, 17, 241, 0, 160, 4, 0, 0, 0, 0, 191, 235, 138, 52, 6, 77, 231, 83, 68, 77, 231, 83, 68, 0, 0, 1, 143, 76, 15, 57, 244, 0, 0, 0, 0, 0, 0, 0, 8, 0, 0, 0, 0, 0, 0, 27, 178, 1, 187, 216, 125, 6, 38, 3, 16, 38, 36, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 42, 14, 53, 0, 194, 1, 2, 0, 104, 22, 84, 58, 201, 225, 161, 48, 6, 77, 231, 83, 98, 77, 231, 83, 98, 0, 0, 1, 143, 76, 15, 57, 244, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 107, 1, 187, 202, 235, 6, 42, 1, 1, 17, 241, 0, 160, 4, 0, 0, 0, 0, 191, 235, 138, 52, 42, 14, 53, 0, 194, 1, 2, 0, 208, 96, 209, 183, 163, 6, 10, 232, 6, 77, 231, 63, 158, 77, 231, 83, 98, 0, 0, 1, 143, 76, 15, 57, 244, 0, 0, 0, 0, 0, 0, 0, 3, 0, 0, 0, 0, 0, 0, 0, 204, 23, 50, 200, 4, 6, 42, 0, 17, 192, 0, 50, 3, 81, 2, 23, 1, 70, 0, 33, 1, 54, 42, 14, 53, 0, 194, 1, 2, 0, 217, 166, 232, 34, 62, 171, 135, 6, 6, 77, 230, 193, 194, 77, 231, 83, 178, 0, 0, 1, 143, 76, 15, 57, 244, 0, 0, 0, 0, 0, 0, 0, 137, 0, 0, 0, 0, 0, 1, 13, 94, 252, 60, 1, 187, 6, 42, 14, 53, 0, 194, 1, 2, 0, 217, 35, 130, 255, 57, 255, 127, 49, 42, 2, 5, 152, 0, 10, 0, 0, 0, 0, 0, 0, 0, 120, 0, 48, 6, 77, 230, 193, 204, 77, 231, 83, 178, 0, 0, 1, 143, 76, 15, 57, 244, 0, 0, 0, 0, 0, 0, 0, 148, 0, 0, 0, 0, 0, 0, 62, 76, 1, 187, 252, 60, 6, 42, 2, 5, 152, 0, 10, 0, 0, 0, 0, 0, 0, 0, 120, 0, 48, 42, 14, 53, 0, 194, 1, 2, 0, 217, 35, 130, 255, 57, 255, 127, 49], fields: [{Reserved: Vec([])}], template_fields:  [TemplateField { field_type_number: 0, field_type: Reserved, field_length: 0, enterprise_number: None }]

Most of remaining dumps starts with zeroes but for the three text samples here I deliberately selected the one which does not.

[karel-un]

Thinking about it template containing one "Reserved" field with zero length should not exist and parser should drop it with warning when encounter such template instead adding it into template cache.

[mikemiles-dev]

Fields not listed I try to parse as unknown if data does exist. I think a length of 0 points to the bigger clue as to not try to parse such data. I think I will add a check for this aside from the other changes.

[mikemiles-dev]

If the field isn’t know but provides a non zero length then it makes sense to me to try to attempt to parse it.

[mikemiles-dev]

However I can be sold either way

[karel-un]

Both ways have upsides and downsides:

a) parsing unknown fields with NON zero length

• future proof design, if new fields will be added to specification
• can miss opportunity to drop malformed packet early and maybe run into another kind of problems

b) dropping unknown fields regardless of their length

• possible dropping valid fields if new fields will be added to specification
• foolproof design, drop malformed packet early

I vote for b). Stability is more important and new field definitions can be added with update if required.

Or maybe let default behaviour is b) and introduce option to change it to a).

[mikemiles-dev]

So I omitted those fields as listed here for Netflow v9 compatibility: https://www.iana.org/assignments/ipfix/ipfix.xhtml.

My only concern is if the template tells you There is data available and we don’t parse it then we potentially lose other data in that flow. My original thought was to provide the bytes to the caller to do with what is needed if anything. However I did not think there would be a 0 length case. I am leaning on option a if fields are added you have the ability to do with what.

[mikemiles-dev]

If you strongly agree on b then I will start adding a feature flag to toggle behavior to support both.

[karel-un]

Ok, I vote for feature flag.

I would guess that rather than your code is missing some fields or formatting logic this is a case of malformed template packets from Mikrotik (they have pretty long history of various bugs in their firmware). I would expect that even if unknown field types would be parsed they (and the following fields) will have no meaning and introduce another hurdles and potential bugs to upper software layer. Even false positives are possible in such cases and you will have no chance to distinguish them from valid data ...

[mikemiles-dev]

I will have it default to option b I think

[mikemiles-dev]

And again thank you for your patience I have been a bit busy with work but I will have this done today

[karel-un]

Well I thank you for great piece of software !

[mikemiles-dev]

Added parse_unknown_fields to attemp to parse Unknown fields. Also did some modification to IPFIX. When we iter through fields we now skip ones that have a 0 length. Additionally added a check if we are stuck in a loop of not parsing to raise an error (Don't think this can happen anymore but it is a good guard. Finally, the library know aligns more with the spec as we only parse the number of bytes listed in the set header. Please test and let me know how this works.

[karel-un]

I assume this is intended and easy to fix in upper level, but I do report this anyway because introduction of body of set breaks API. But I am fine with it if it means cleaner code.

error[E0609]: no field `data` on type `&Set`
   --> src/probes/flow_capture.rs:142:51
    |
142 |                         if let Some(data) = &dset.data {
    |                                                   ^^^^ unknown field
    |
help: one of the expressions' fields has a field of the same name
    |
142 |                         if let Some(data) = &dset.body.data {
    |                                                   +++++

[karel-un]

Running updated ISSUE_56 branch version now. On the first sight there are missing error messages in log:

Thread c1-eth0:4739-IPFIX error parsing NetFlow data: Unsupported Version

Actual error message from netflow_parser is Unsupported Version. Before update there were around 10 such messages per second and now there are none.

[mikemiles-dev]

I don’t even try to parse 0 length fields so there should be no error. We will give you what we parsed this far. Unless you want me to make it error.

[mikemiles-dev]

Is this ok behavior?

[karel-un]

Some kind of error message should be there to be aware of a possible problem. But let it be special kind of error to easy filter out to keep logs from flooding.

[mikemiles-dev]

So instead of skipping 0 length fields you want an error message.

[mikemiles-dev]

The branch is broken I am working on some More fixes

[mikemiles-dev]

Ok you should now receive an error in those cases with 0 packet length on the flow. Additionally I have added a greedy_parsing feature in cases where we have errors but we want to return data we at least attempted to parse. Currently only supported in ipfix and set to false by default.

[mikemiles-dev]

Let me know if this works

[mikemiles-dev]

I reworked how the parsing counts are generated and how the length grabs the bytes to be parsed. Added several tests. Closing for now. Publishing 0.3.0. If still an issue we can re-open.

[karel-un]

Just let you know I am testing 0.3.1 now and so far it looks good.

[mikemiles-dev]

Great to hear! Thanks for your patience .