IP address fields in debug output are packed and therefor are packed when retrieved by the Kafka consumer

[landonstewart]

I'm having a problem where the IP address values added to Elasticsearch via logstash are packed. I spent quite a while trying to figure out why and then realized that even the debug output of goflow has them packed. I think Logstash is doing exactly what it has been told to do and the issue might be with goflow...

Debug output from ./goflow-v2.0.4-linux-x86_64 -loglevel debug -kafka=false

DEBU[2278] Packet received: Type:NFV9 TimeRecvd:1531427723 SequenceNum:55500 TimeFlow:1531427711 SrcIP:"F&<V" DstIP:"\n\n\0032" IPversion:IPv4 RouterAddr:"\n\n\000\002" NextHop:"@\017\220\001" SrcNet:32 DstNet:32 SrcIf:5 DstIf:6 Proto:1  
DEBU[2278] Packet received: Type:NFV9 TimeRecvd:1531427723 SequenceNum:55500 TimeFlow:1531427711 SrcIP:"F&=\252" DstIP:"\n\n\0032" IPversion:IPv4 RouterAddr:"\n\n\000\002" NextHop:"@\017\220\001" SrcNet:32 DstNet:32 SrcIf:5 DstIf:6 Proto:1  
DEBU[2278] Packet received: Type:NFV9 TimeRecvd:1531427723 SequenceNum:55500 TimeFlow:1531427711 SrcIP:"F&:\266" DstIP:"\n\n\0032" IPversion:IPv4 RouterAddr:"\n\n\000\002" NextHop:"@\017\220\001" SrcNet:32 DstNet:32 SrcIf:5 DstIf:6 Proto:1  
DEBU[2278] Packet received: Type:NFV9 TimeRecvd:1531427723 SequenceNum:55500 TimeFlow:1531427711 SrcIP:"F&:\265" DstIP:"\n\n\0032" IPversion:IPv4 RouterAddr:"\n\n\000\002" NextHop:"@\017\220\001" SrcNet:32 DstNet:32 SrcIf:5 DstIf:6 Proto:1  
DEBU[2278] Packet received: Type:NFV9 TimeRecvd:1531427723 SequenceNum:55500 TimeFlow:1531427711 SrcIP:"F&:\264" DstIP:"\n\n\0032" IPversion:IPv4 RouterAddr:"\n\n\000\002" NextHop:"@\017\220\001" SrcNet:32 DstNet:32 SrcIf:5 DstIf:6 Proto:1  
DEBU[2278] Packet received: Type:NFV9 TimeRecvd:1531427723 SequenceNum:55500 TimeFlow:1531427711 SrcIP:"F&9\212" DstIP:"\n\n\0032" IPversion:IPv4 RouterAddr:"\n\n\000\002" NextHop:"@\017\220\001" SrcNet:32 DstNet:32 SrcIf:5 DstIf:6 Proto:1  
DEBU[2278] Packet received: Type:NFV9 TimeRecvd:1531427723 SequenceNum:55500 TimeFlow:1531427711 SrcIP:"F&9\211" DstIP:"\n\n\0032" IPversion:IPv4 RouterAddr:"\n\n\000\002" NextHop:"@\017\220\001" SrcNet:32 DstNet:32 SrcIf:5 DstIf:6 Proto:1  
DEBU[2278] Packet received: Type:NFV9 TimeRecvd:1531427723 SequenceNum:55500 TimeFlow:1531427711 SrcIP:"F&9\236" DstIP:"\n\n\0032" IPversion:IPv4 RouterAddr:"\n\n\000\002" NextHop:"@\017\220\001" SrcNet:32 DstNet:32 SrcIf:5 DstIf:6 Proto:1  
DEBU[2278] Packet received: Type:NFV9 TimeRecvd:1531427723 SequenceNum:55500 TimeFlow:1531427711 SrcIP:"F&9\235" DstIP:"\n\n\0032" IPversion:IPv4 RouterAddr:"\n\n\000\002" NextHop:"@\017\220\001" SrcNet:32 DstNet:32 SrcIf:5 DstIf:6 Proto:1  
DEBU[2278] Packet received: Type:NFV9 TimeRecvd:1531427723 SequenceNum:55500 TimeFlow:1531427711 SrcIP:"F&9\234" DstIP:"\n\n\0032" IPversion:IPv4 RouterAddr:"\n\n\000\002" NextHop:"@\017\220\001" SrcNet:32 DstNet:32 SrcIf:5 DstIf:6 Proto:1  

Incidentally the issue is the same using v1.1.0 and compiling flow.proto from it's source but the debug output does not contain enough information to see the same problem.

DEBU[0325] Message processed                             count_flowmessages=24 samplingRate=16834 seqnum=56009 source="10.10.0.2:65356" type=NetFlow/IPFIX version=9
DEBU[0327] Message processed                             count_flowmessages=21 samplingRate=16834 seqnum=56010 source="10.10.0.2:65356" type=NetFlow/IPFIX version=9
DEBU[0329] Message processed                             count_flowmessages=23 samplingRate=16834 seqnum=31730 source="10.10.0.2:65356" type=NetFlow/IPFIX version=9

[lspgn]

It is technically debug output and not meant to be pushed directly to logstash for analysis.
Right now, it is directly printing the protobuf. Since the IPs are bytes, it will be serialized as base64. I was hoping to improve this for clarity anyway.

[simPod]

@lspgn how would you decode it?

I serialized protobuf generated by goflow to json in php script:

{"Type":"SFLOW","TimeRecvd":1537348610,"SamplingRate":16383,"SequenceNum":2702862506,"TimeFlow":1537348610,"SrcIP":"uWbaPA==","DstIP":"uWbbjw==","IPversion":"IPv4","Bytes":1522,"Packets":1,"RouterAddr":"uWba/g==","NextHop":"lQ6PeQ==","SrcNet":27,"SrcIf":1000013,"DstIf":1000001,"Proto":6,"SrcPort":1918,"DstPort":34379,"IPTTL":64,"TCPFlags":16,"VlanId":970,"Etype":2048}

And when I take src ip uWbaPA== and try to decode it it seems like it's somehow corrupted 🤔

[lspgn]

The protobuf serializer will encode bytes directly into Base64.
I will take a look at improving this.

$ echo -n "uWbaPA==" | openssl enc -a -d -A | hexdump -C
00000000  b9 66 da 3c                                       |.f.<|
00000004

When you convert it
b9 66 da 3c => 185.102.218.60

[simPod]

Yup, got it. Thanks!

[lspgn]

Updated debug message. Now converting bytes into readable string.