inputs.netflow: Inconsistent IP version field in sFlow decoder #16402

Closed
joseluisgonzalezca opened this issue Jan 15, 2025 · 0 comments · Fixed by #16403
Labels
bug unexpected problem or unintended behavior

Relevant telegraf.conf

[[inputs.netflow]]
  service_address = "udp://:2055"
  protocol = "sflow v5"

[[outputs.file]]
  files = ["stdout"]
  data_format = "json"

Logs from Telegraf

{"fields":{"agent_ip":"192.168.227.2","agent_subid":0,"datalink_frame_type":"IPv4","direction":"ingress","dst":"192.168.100.221","fragment_flags":"......D.","fragment_offset":0,"in_snmp":27,"in_total_packets":3633958918,"ip_total_len":1500,"ip_version":4,"ipv4_id":34151,"ipv4_inet_header_len":5,"ipv4_total_len":1500,"l2_bytes":1518,"l2_protocol":"ETHERNET-ISO8023","out_snmp":33,"protocol":"tcp","sampling_drops":21405750,"sampling_interval":200,"seq_number":18721933,"src":"192.168.100.223","src_tos":0,"sys_uptime":2042522488,"tcp_ack_number":1885360632,"tcp_flags":"...A....","tcp_seq_number":3443873179,"tcp_urgent_ptr":0,"tcp_window_size":514,"ttl":64,"vlan_dst":100,"vlan_dst_priority":0,"vlan_src":100,"vlan_src_priority":0},"name":"netflow","tags":{"host":"40f2df22e0c0","source":"::1","version":"sFlowV5"},"timestamp":1726823867}

System info

Telegraf v1.33.1 running on Docker, Debian 12 as base OS

Docker

services:
  telegraf:
    image: telegraf:1.33.1
    container_name: telegraf
    ports:
      - 2055:2055/udp
    restart: unless-stopped
    volumes:
    - ./telegraf.conf:/etc/telegraf/telegraf.conf:ro
    - ./sflow-packet.bin:/tmp/sflow-packet.bin:ro

Steps to reproduce

Steps described in issue #15918 (comment) are valid.

Expected behavior

The ip_version field must always be of type string, with values IPv4, IPv6 or unknown depending on the decodeSflowIPVersion() return value. Furthermore, the README for the netflow input plugin includes some examples of metrics which include this field as a string value.

Actual behavior

There are some inconsistencies with ip_version field when using the sFlow decoder for Netflow input plugin. This field can sometimes display values as numeric values (4 or 6) and at other times as text (IPv4 or IPv6).

Additional info

In this image you can see the different values that we have received during a period of time:

Image

After some investigation, I have concluded that the problem comes from these lines of code:

fields["ip_version"] = l.Version

fields["ip_version"] = l.Version

As described in other parts of the code, the correct way to include the ip_version field is as text, by converting the numeric value using the function decodeSflowIPVersion.

I will open a PR with the fix as soon as I can.
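Metrics already collected with the mixed types described above can break typed stores and detection queries that filter on `ip_version`. The following is an added example, not Telegraf's code and not part of the original issue: a consumer-side normalizer for JSON-serialized metrics, where `normalizeIPVersion` and `NormalizeMetric` are hypothetical names and the sample lines are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// normalizeIPVersion maps a decoded value to "IPv4", "IPv6" or "unknown"; the bool reports a rewrite.
func normalizeIPVersion(v interface{}) (string, bool) {
	switch t := v.(type) {
	case string:
		if t == "IPv4" || t == "IPv6" || t == "unknown" {
			return t, false
		}
	case json.Number:
		if s, ok := map[string]string{"4": "IPv4", "6": "IPv6"}[t.String()]; ok {
			return s, true
		}
	}
	return "unknown", true
}

// NormalizeMetric rewrites fields.ip_version in one JSON-serialized metric (hypothetical helper).
func NormalizeMetric(line string) (string, bool, error) {
	var m map[string]interface{}
	dec := json.NewDecoder(strings.NewReader(line))
	dec.UseNumber() // keep large counters such as in_total_packets exact
	if err := dec.Decode(&m); err != nil {
		return "", false, err
	}
	fields, _ := m["fields"].(map[string]interface{})
	raw, present := fields["ip_version"] // reading from a nil map is safe in Go
	if !present {
		return line, false, nil
	}
	s, changed := normalizeIPVersion(raw)
	fields["ip_version"] = s
	out, err := json.Marshal(m)
	return string(out), changed, err
}

func main() {
	// Constructed sample lines, trimmed to the relevant field.
	for _, l := range []string{`{"fields":{"ip_version":4},"name":"netflow"}`,
		`{"fields":{"ip_version":"IPv6"},"name":"netflow"}`} {
		fmt.Println(NormalizeMetric(l))
	}
}
```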
