Graylog2/graylog2-server

Netflow plugin, tries to show ipv4 addresses in the message for ipv6 flows

Open

#6076 opened on Jul 3, 2019

View on GitHub
 (0 comments) (0 reactions) (1 assignee)Java (6,945 stars) (1,032 forks)batch import
#Mbuggood first issuetriaged

Description

Redirecting netflow statistics directly to graylog using sysctl net.netflow.destination=ip:port and configuring an Netflow UDP input to process all the incoming stats.

Expected Behavior

In the message it should show source and destination ip.

Current Behavior

Only does so for ipv4

Possible Solution

Change toMessage to use either ipv4 or ipv6 header for the flow.

Steps to Reproduce (for bugs)

  1. Configure a flow accounting on a ipv6 enabled interface with netflow pointing to Graylog Netflow input
  2. Look for messages with null values for source and destination
  • Graylog Version: Graylog 3.0.2+1686930 on aac10c1cf381 (Oracle Corporation 1.8.0_212 on Linux 5.1.0)
  • Elasticsearch Version:
  • MongoDB Version:
  • Operating System:
  • Browser version:

Contributor guide

Tech stack
java
Domain
backend
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-3 hours
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
Basic JavaUnderstanding of netflow protocol
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
40
Research direction
The issue is in the NetFlowFormatter.java file at line 131, specifically in the toMessage method. The current implementation only handles IPv4 headers; it needs to be extended to support IPv6 headers. Look at the netflow protocol structure for IPv6 addresses and modify the code to correctly extract source and destination IPs for both IPv4 and IPv6 flows.