Class IpfixParser

java.lang.Object
org.graylog.integrations.ipfix.IpfixParser

public class IpfixParser extends Object
A Graylog specific IPFIX parser.

This IPFIX parser supports two modes:

  1. Parse as little of a packet as possible to be used in the input, just enough to make sure that we have all template sets for the data sets we've received.
  2. Completely parse the content of a packet, requiring all template sets to be known as well as all information elements to be declared (possibly via configuration files).
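
The first mode can be illustrated with the following added example, which is not Graylog's implementation: it reads only the RFC 7011 message header, set headers and template record headers to report which template ids a packet's data sets still need, rejecting inconsistent lengths along the way. The names ShallowIpfixExample, missingTemplates and collectTemplateIds are hypothetical, the sample packet is constructed, and one IPFIX message per datagram is assumed.

```java
import java.nio.ByteBuffer;
import java.util.Set;
import java.util.TreeSet;

public class ShallowIpfixExample {
    static int u16(ByteBuffer b, int i) { return b.getShort(i) & 0xFFFF; }

    // Template ids used by data sets in this packet that are neither in `known` nor defined in the packet.
    static Set<Integer> missingTemplates(byte[] packet, Set<Integer> known) {
        ByteBuffer buf = ByteBuffer.wrap(packet); // big-endian by default, i.e. network byte order
        // Assumption: one IPFIX message per datagram, so the header length must match exactly.
        if (packet.length < 16 || u16(buf, 0) != 10 || u16(buf, 2) != packet.length)
            throw new IllegalArgumentException("bad IPFIX message header");
        Set<Integer> defined = new TreeSet<>(known), referenced = new TreeSet<>();
        for (int pos = 16; pos < packet.length; ) {
            if (packet.length - pos < 4) throw new IllegalArgumentException("truncated set header");
            int setId = u16(buf, pos), end = pos + u16(buf, pos + 2);
            // A set length below 4 would never advance; one past the end would over-read.
            if (end < pos + 4 || end > packet.length) throw new IllegalArgumentException("bad set length");
            if (setId == 2 || setId == 3) collectTemplateIds(buf, pos + 4, end, setId == 3, defined);
            else if (setId >= 256) referenced.add(setId); // data set: the set id is the template id
            pos = end;
        }
        referenced.removeAll(defined);
        return referenced;
    }
    // Walk (options) template records only far enough to learn their ids and skip their field specifiers.
    static void collectTemplateIds(ByteBuffer buf, int pos, int end, boolean options, Set<Integer> out) {
        while (end - pos >= 4) {
            int templateId = u16(buf, pos), fieldCount = u16(buf, pos + 2);
            if (templateId < 256) return; // not a template id: treat the rest of the set as padding
            pos += 4;
            if (fieldCount == 0) { out.remove(templateId); continue; } // template withdrawal
            if (options) pos += 2; // scope field count
            for (int i = 0; i < fieldCount; i++) {
                if (end - pos < 4) throw new IllegalArgumentException("truncated field specifier");
                pos += (u16(buf, pos) & 0x8000) != 0 ? 8 : 4; // enterprise bit adds a 4-byte enterprise number
            }
            if (pos > end) throw new IllegalArgumentException("template record overruns set");
            out.add(templateId);
        }
    }

    public static void main(String[] args) {
        // Constructed sample: 16-byte header, then one data set (set id 256) whose template is absent.
        byte[] packet = {0,10, 0,24, 0,0,0,0, 0,0,0,1, 0,0,0,0, 1,0, 0,8, 10,0,0,1};
        System.out.println(missingTemplates(packet, Set.of()));
    }
}
```

A non-empty result means the data records have to be held back until the listed templates arrive.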

  • Constructor Details

  • Method Details

    • shallowParseMessage

      public IpfixParser.MessageDescription shallowParseMessage(io.netty.buffer.ByteBuf packet)
      Parse an IPFIX message out of the given packet buffer.

      Decodes enough of the given packet to be able to tell whether we have all necessary information to parse the contained sets completely. This typically means checking whether any unknown template ids are referenced, in which case we need to hang on to the data records until we have received the missing templates.

      Parameters:
      packet - buffer containing the received packet bytes
      Returns:
      the packet description
    • parseMessage

      public IpfixMessage parseMessage(io.netty.buffer.ByteBuf packet)
      Parse the given packet buffer into an IPFIX message.

      This method requires that all templates are contained in the given packet buffer, contrary to what RFC 7011 requires. Specifically, RFC 7011 Sec 8 "Template Management" says:

       However, a Collecting Process MUST NOT assume that the Data Set and the associated Template Set (or Options
       Template Set) are exported in the same IPFIX Message.
       
      For the purposes of Graylog's input mechanism, we need to ensure that each journal entry can be decoded on its own, which requires either some out-of-band communication of (options) templates or storing the relevant templates with the data sets in each journal entry.

      Parameters:
      packet -
      Returns:
    • parseDataSet

      public Set<Flow> parseDataSet(com.google.common.collect.ImmutableList<InformationElement> informationElements, Map<Integer,TemplateRecord> templateMap, io.netty.buffer.ByteBuf setContent)
      Parses a data set into its individual flows, based on the informationElements from the template ID the data set specified.

      In order to be able to parse subtemplateList and subtemplateMultilist information elements, the entire templateMap is also passed in. Unfortunately it is not possible to determine which templates the lists refer to without actually parsing the data first.

      Parameters:
      informationElements - the field information from the template used by this data set
      templateMap - map from template id to its information elements, used for subtemplateLists
      setContent - the data set bytes to parse
      Returns:
      collection of parsed flows
    • parseTemplateRecord

      public TemplateRecord parseTemplateRecord(io.netty.buffer.ByteBuf bytes)