goflow
goflow copied to clipboard
cloudflare
Fix: Decoding of IPFIX templates with Enterprise Number field
Bug: Decoding of IPFIX templates with Enterprise Number field
The goflow IPFIX template decoder isn't aware of the Enterprise Number field, which results in malformed template(s) and processing, when decoding IPFIX templates with Enterprise Number field.
Following is the field specifier format from RFC7011#section-3.2, Figure G :
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|E| Information Element ident. | Field Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Enterprise Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
When goflow tries to decode an IPFIX template with Enterprise Number, It attempts to decode the Enterprise Number field as a regular Field in the template.
This results in a malformed template. As a result the corresponding IPFIX Datasets would not be processed. (i.e. goflow would not emit any records)
Patch
The patch adds a seperate path for IPFIX template parsing, where it checks for the Enterprise bit condition and skips the Enterprise Number field.
This will enable the IPFIX Template(s) to be decoded correctly and the corresponding IPFIX Datasets to be processed.
Thanks a lot for the bugfix! (also referencing #31 as it was mentioning Enterprise Templates). Do you have some samples I could test this with?
@lspgn Thanks for promptly looking into this. I just realised that I don't have a representative pcap that I can share publicly. Let me work that out and get back.
Separately, Is there a more ad-hoc channel to collaborate. (slack or such)
There is no slack for GoFlow but feel free to email me: louis at cloudflare.com
Thank you for the sample, will test it out.
@lspgn I guess merge is pending for this request. So, is this planned for next release?
