From f75b108bd3a5ad165a952a41dcfdc8e557ac5a0d Mon Sep 17 00:00:00 2001
From: Tigran Mkrtchyan
Date: Thu, 28 Mar 2019 09:43:12 +0100
Subject: [PATCH 1/2] nfs: enforce unique ILLEGEL opname when failed to match operation
When we fail to map packet to a valid NFS4 operation, then opname ILLEGAL with opcode it used, like `ILLEGAL (4294967295)`. While this points to a bug in packet detection, such 'random' illegal opnames create multiple new operations that confuse kibana. Do not include opcode into opname ILLEGAL.
Signed-off-by: Tigran Mkrtchyan
---
 CHANGELOG.next.asciidoc | 1 +
 packetbeat/protos/nfs/nfs4.go | 4 +---
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index adf00981d1b3..93f237434dc9 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -31,6 +31,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 *Packetbeat*
 - Add support for mongodb opcode 2013 (OP_MSG). {issue}6191[6191] {pull}8594[8594]
+- NFSv4: Always use opname `ILLEGAL` when failed to match request to a valid nfs operation.
 *Winlogbeat*
diff --git a/packetbeat/protos/nfs/nfs4.go b/packetbeat/protos/nfs/nfs4.go
index a9b829e64620..596b73843eed 100644
--- a/packetbeat/protos/nfs/nfs4.go
+++ b/packetbeat/protos/nfs/nfs4.go
@@ -17,8 +17,6 @@
 package nfs
-import "fmt"
-
 const (
 opAccess = 3
 opClose = 4
@@ -234,7 +232,7 @@ func (nfs *nfs) findV4MainOpcode(xdr *xdr) string {
 opname, ok := nfsOpnum4[op]
 if !ok {
- return fmt.Sprintf("ILLEGAL (%d)", op)
+ return "ILLEGAL"
 }
 currentOpname = opname
From 0451a4e9ee50fda7d239c80d774668532b689d30 Mon Sep 17 00:00:00 2001
From: Adrian Serrano
Date: Mon, 29 Apr 2019 18:37:37 +0200
Subject: [PATCH 2/2] Add PR number to CHANGELOG
---
 CHANGELOG.next.asciidoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 93f237434dc9..9f8b13819c43 100644
--- a/CHANGELOG.next.asciidoc
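Review bot: In `findV4MainOpcode` (packetbeat/protos/nfs/nfs4.go), the `!ok` branch now drops the unmatched opcode altogether, so the one value that helps triage a parser desync or malformed NFS traffic is no longer recorded anywhere visible in this hunk. Returning the constant `"ILLEGAL"` is the right call for the indexed name, since `op` appears to be decoded from the packet and embedding it lets arbitrary wire values mint new opnames; consider keeping the number out of band instead, for example in a debug-level log line or a separate numeric event field. A short comment on the branch would record the intent, e.g. `// constant name on purpose: op comes from the packet, so it must not end up in the opname`. The function's body starts and ends outside the hunk, so whether the opcode is logged elsewhere cannot be confirmed from here.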
+++ b/CHANGELOG.next.asciidoc
@@ -31,7 +31,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 *Packetbeat*
 - Add support for mongodb opcode 2013 (OP_MSG). {issue}6191[6191] {pull}8594[8594]
-- NFSv4: Always use opname `ILLEGAL` when failed to match request to a valid nfs operation.
+- NFSv4: Always use opname `ILLEGAL` when failed to match request to a valid nfs operation. {pull}11503[11503]
 *Winlogbeat*