Added Netflow9 IE 150,151,154,155 and rspec test

CHANGELOG.md

@@ -1,3 +1,7 @@
+## 3.9.1
+
+  - Added Netflow v9 IE150 IE151, IE154, IE155
+
 ## 3.9.0
 
   - Added vIPtela support

CONTRIBUTORS

@@ -37,6 +37,7 @@ Contributors:
 * niempy
 * jstopinsek
 * sliddjur
+* szhong12
 
 Maintainer:
 * Jorrit Folmer (jorritfolmer)

lib/logstash/codecs/netflow/netflow.yaml

@@ -244,12 +244,24 @@
 148:
 - :uint32
 - :conn_id
+150:
+- :uint32
+- :flowStartSeconds
+151:
+- :uint32
+- :flowEndSeconds
 152:
 - 8
 - :flow_start_msec
 153:
 - 8
 - :flow_end_msec
+154:
+- :uint64
+- :flowStartMicroseconds
+155:
+- :uint64
+- :flowEndMicroseconds
 176:
 - :uint8
 - :icmp_type

logstash-codec-netflow.gemspec

@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 
   s.name            = 'logstash-codec-netflow'
-  s.version         = '3.9.0'
+  s.version         = '3.9.1'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "Reads Netflow v5 and Netflow v9 data"
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"

spec/codecs/netflow_spec.rb

@@ -905,6 +905,85 @@
 
   end
 
+  context "Netflow 9 IE150 IE151" do
+    let(:data) do
+      packets = []
+      packets << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_unknown_tpl266_292_data.dat"), :mode => "rb")
+    end
+
+    let(:json_events) do
+      events = []
+      events << <<-END
+      {
+        "@version": "1",
+        "netflow": {
+          "in_pkts": 1,
+          "ipv4_dst_addr": "192.168.0.2",
+          "src_tos": 0,
+          "flowset_id": 266,
+          "l4_src_port": 137,
+          "version": 9,
+          "flow_seq_num": 35088,
+          "ipv4_src_addr": "192.168.0.3",
+          "protocol": 17,
+          "in_bytes": 78,
+          "egressVRFID": 0,
+          "input_snmp": 13,
+          "flow_sampler_id": 1,
+          "ingressVRFID": 0,
+          "flowEndSeconds": 1512147866,
+          "l4_dst_port": 137,
+          "flowStartSeconds": 1512147866,
+          "direction": 0
+        },
+        "@timestamp": "2017-12-01T17:04:39.000Z"
+      }
+      END
+
+      events << <<-END
+      {
+        "@version": "1",
+        "netflow": {
+          "output_snmp": 13,
+          "in_pkts": 1,
+          "ipv4_dst_addr": "192.168.0.5",
+          "src_tos": 0,
+          "flowset_id": 292,
+          "l4_src_port": 58130,
+          "version": 9,
+          "flow_seq_num": 35088,
+          "ipv4_src_addr": "192.168.0.4",
+          "protocol": 17,
+          "in_bytes": 232,
+          "egressVRFID": 0,
+          "flow_sampler_id": 1,
+          "ingressVRFID": 0,
+          "flowEndSeconds": 1512147869,
+          "l4_dst_port": 6343,
+          "flowStartSeconds": 1512147869,
+          "direction": 1
+        },
+        "@timestamp": "2017-12-01T17:04:39.000Z"
+      }
+      END
+      events.map{|event| event.gsub(/\s+/, "")}
+    end
+
+    it "should decode raw data" do
+      expect(decode.size).to eq(2)
+      expect(decode[1].get("[netflow][flowStartSeconds]")).to eq(1512147869)
+      expect(decode[1].get("[netflow][flowEndSeconds]")).to eq(1512147869)
+    end
+
+    it "should serialize to json" do
+      expect(JSON.parse(decode[0].to_json)).to eq(JSON.parse(json_events[0]))
+      expect(JSON.parse(decode[1].to_json)).to eq(JSON.parse(json_events[1]))
+    end
+
+  end
+
+
+
   context "Netflow 9 Ubiquiti Edgerouter with MPLS labels" do
     let(:data) do
       packets = []