splunk / ipfix

Splunk TA for IPFIX

Port id and MAC addresses not interpreted #2

Open French7 opened 6 years ago

French7 commented 6 years ago

Splunk displays "--" instead of the portId and lineCardId, and "0", "16", "20", etc. instead of the MAC addresses (sourceMacAddress and destinationMacAddress). A Wireshark dump confirms that the data is correctly sent on the network, as it can interpret it.

The portId/lineCardId error comes from the unpack function that expects 8 bytes, but 4 are given.

The MAC address is never interpreted in the code, unlike ipv4 and ipv6. The script just takes the 1st byte of the decoded address.

I run Splunk on Windows.

Extract of the log:

2018-05-09 09:49:46,496 ERROR pid=2196 tid=MainThread file=IPFIXData.py:__init__:151 | Parsing lineCardId of type unsigned32 (2) [Id 0:141] for template 348. Data(!2L): Got an exception from the data (0001) 
 error: unpack requires a string argument of length 8: Traceback (most recent call last):
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_ipfix\bin\IPFIX\IPFIXData.py", line 121, in __init__
    output = unpack(code, data[start:start + field.length])[0]
error: unpack requires a string argument of length 8

2018-05-09 09:49:46,500 ERROR pid=2196 tid=MainThread file=IPFIXData.py:__init__:151 | Parsing portId of type unsigned32 (2) [Id 0:142] for template 348. Data(!2L): Got an exception from the data (001f) 
 error: unpack requires a string argument of length 8: Traceback (most recent call last):
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_ipfix\bin\IPFIX\IPFIXData.py", line 121, in __init__
    output = unpack(code, data[start:start + field.length])[0]
error: unpack requires a string argument of length 8

Cheers Emile

cy8aer commented 6 years ago

I can confirm this problem (edgerouterX -> Splunk/linux)

dixonl90 commented 6 years ago

The workaround for this issue is to add the following lines to the IPFIXData.py file located at: /opt/splunk/etc/apps/Splunk_TA_ipfix/bin/IPFIX/

# Added in code for macAddress field, takes data as array of decimal numbers,
# converts them to hex numbers (2 digits), then joins them together by ":"
elif field.type_name == 'macAddress':
    # Python 2: str.encode('hex') turns the raw octets into a hex string
    temp = data[start:start + field.length].encode('hex')
    output = ":".join(temp[i:i+2] for i in range(0, len(temp), 2))
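As an added example (not code from the Splunk TA or from anyone in this thread), here is a Python 3 decoder that sizes unsigned fields by the template length (IPFIX reduced-size encoding, RFC 7011 section 6.2) and decodes the 6-octet macAddress element; the field list and record bytes are constructed, loosely mirroring the 0001 and 001f values in the log above. The helper buggy_struct_length shows why a "!2L" format, as in the log's Data(!2L), demands 8 bytes.

```python
import struct

# Constructed template and data record (not captured from a real exporter):
# two unsigned32 elements exported in 2 octets each, then a 6-octet MAC.
FIELDS = [
    ("lineCardId", "unsigned32", 2),
    ("portId", "unsigned32", 2),
    ("sourceMacAddress", "macAddress", 6),
]
RECORD = bytes.fromhex("0001" "001f" "001122334455")

# Maximum octet length of each unsigned IPFIX abstract data type.
UNSIGNED_MAX_LEN = {"unsigned8": 1, "unsigned16": 2, "unsigned32": 4, "unsigned64": 8}


def buggy_struct_length(field_length):
    """Bytes demanded by a format built as '!%dL' from the template length.

    The length becomes a repeat count of 4-byte longs, so a 2-octet field
    produces '!2L' and struct asks for 8 bytes, matching the error in the log.
    """
    return struct.calcsize("!%dL" % field_length)


def decode_unsigned(raw, type_name):
    """Decode a big-endian unsigned value of 1..N octets (reduced-size aware)."""
    if not 1 <= len(raw) <= UNSIGNED_MAX_LEN[type_name]:
        raise ValueError("bad length %d for %s" % (len(raw), type_name))
    return int.from_bytes(raw, "big")


def decode_mac(raw):
    """Render a 6-octet macAddress element as colon-separated lowercase hex."""
    if len(raw) != 6:
        raise ValueError("macAddress must be 6 octets, got %d" % len(raw))
    return ":".join("%02x" % b for b in raw)


def decode_record(record, fields):
    """Walk one data record using (name, type, length) template fields."""
    out, start = {}, 0
    for name, type_name, length in fields:
        chunk = record[start:start + length]
        if len(chunk) != length:
            raise ValueError("record truncated in field %s" % name)
        if type_name in UNSIGNED_MAX_LEN:
            out[name] = decode_unsigned(chunk, type_name)
        elif type_name == "macAddress":
            out[name] = decode_mac(chunk)
        else:
            out[name] = chunk  # other abstract types left raw in this example
        start += length
    return out
```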