
inputs.netflow: TCP flags are not decoded properly when using sFlow v5 decoder if more than one flag is present #16247

Closed
joseluisgonzalezca opened this issue Nov 29, 2024 · 0 comments
Labels
bug unexpected problem or unintended behavior

Comments

@joseluisgonzalezca
Contributor

Relevant telegraf.conf

[[inputs.netflow]]
  service_address = "udp://:2055"
  protocol = "sflow v5"

[[outputs.file]]
  files = ["stdout"]
  data_format = "json"

Logs from Telegraf

{"fields":{"agent_ip":"192.168.227.2","agent_subid":0,"datalink_frame_type":"IPv4","direction":"ingress","dst":"192.168.100.221","fragment_flags":"......D.","fragment_offset":0,"in_snmp":27,"in_total_packets":3633958918,"ip_total_len":1500,"ip_version":4,"ipv4_id":34151,"ipv4_inet_header_len":5,"ipv4_total_len":1500,"l2_bytes":1518,"l2_protocol":"ETHERNET-ISO8023","out_snmp":33,"protocol":"tcp","sampling_drops":21405750,"sampling_interval":200,"seq_number":18721933,"src":"192.168.100.223","src_tos":0,"sys_uptime":2042522488,"tcp_ack_number":1885360632,"tcp_flags":"...A....","tcp_seq_number":3443873179,"tcp_urgent_ptr":0,"tcp_window_size":514,"ttl":64,"vlan_dst":100,"vlan_dst_priority":0,"vlan_src":100,"vlan_src_priority":0},"name":"netflow","tags":{"host":"40f2df22e0c0","source":"::1","version":"sFlowV5"},"timestamp":1726823867}

System info

Telegraf v1.32.3 running on Docker, Debian 12 as base OS

Docker

docker-compose example:

services:
  telegraf:
    image: telegraf:1.32.3
    container_name: telegraf
    ports:
      - 2055:2055/udp
    restart: unless-stopped
    volumes:
    - ./telegraf.conf:/etc/telegraf/telegraf.conf:ro
    - ./sflow-packet.bin:/tmp/sflow-packet.bin:ro

Steps to reproduce

Steps described in issue #15918 (comment) are valid.

Expected behavior

Decoder must be able to detect multiple enabled TCP flags and generate the correct string for tcp_flags field.

Actual behavior

In TCP headers, multiple flags can be checked at the same time. Current code does not support multiple flags due to the behavior of switch statements in Golang (no automatic fallthrough):

flags := []byte("........")
switch {
case l.FIN:
	flags[7] = byte('F')
case l.SYN:
	flags[6] = byte('S')
case l.RST:
	flags[5] = byte('R')
case l.PSH:
	flags[4] = byte('P')
case l.ACK:
	flags[3] = byte('A')
case l.URG:
	flags[2] = byte('U')
case l.ECE:
	flags[1] = byte('E')
case l.CWR:
	flags[0] = byte('C')
}
fields["tcp_flags"] = string(flags)

For example, if a packet contains SYN and ACK flags, only SYN would be included because it is the first matching case in the switch.

Additional info

I will open a PR as soon as I can to fix this issue.
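As an added illustration (not code from the issue or from Telegraf), the following shows how the flags byte of a TCP header maps onto the eight "CEUAPRSF" positions, and a version of the string builder that checks every flag independently instead of stopping at the first true `case`. The `tcpFlags` struct is a stand-in for the parsed layer `l` referenced above; the SYN-ACK sample (0x12) is constructed.

```go
package main

import "fmt"

// tcpFlags mirrors the boolean flag fields the decoder reads from the
// parsed TCP layer (stand-in struct; the real layer type is not shown here).
type tcpFlags struct {
	FIN, SYN, RST, PSH, ACK, URG, ECE, CWR bool
}

// flagsFromByte decodes the flag bits of a TCP header (byte 13).
// Bit layout, MSB to LSB: CWR ECE URG ACK PSH RST SYN FIN.
func flagsFromByte(b uint8) tcpFlags {
	return tcpFlags{
		FIN: b&0x01 != 0, SYN: b&0x02 != 0, RST: b&0x04 != 0, PSH: b&0x08 != 0,
		ACK: b&0x10 != 0, URG: b&0x20 != 0, ECE: b&0x40 != 0, CWR: b&0x80 != 0,
	}
}

// fixedFlagString tests each flag on its own, so a packet with several
// flags set (e.g. SYN+ACK) yields "...A..S." rather than "......S.".
func fixedFlagString(l tcpFlags) string {
	flags := []byte("........")
	// Position 0..7 corresponds to CWR ECE URG ACK PSH RST SYN FIN,
	// matching the indices used by the decoder's switch above.
	for i, on := range []bool{l.CWR, l.ECE, l.URG, l.ACK, l.PSH, l.RST, l.SYN, l.FIN} {
		if on {
			flags[i] = "CEUAPRSF"[i]
		}
	}
	return string(flags)
}

func main() {
	// Constructed sample: a SYN-ACK (0x12), the second packet of a handshake.
	l := flagsFromByte(0x12)
	fmt.Println(fixedFlagString(l)) // ...A..S.
}
```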
