v9 + Ipfix cleanup (#41)

V9/IPFix parse cleanup

---------

Co-authored-by: Michael Mileusnich <[email protected]>

Author: mikemiles-dev

Cargo.toml

@@ -1,7 +1,7 @@
 [package]
 name = "netflow_parser"
 description = "Parser for Netflow Cisco V5, V7, V9, IPFIX"
-version = "0.2.3"
+version = "0.2.4"
 edition = "2021"
 author = "[email protected]"
 license = "MIT OR Apache-2.0"

RELEASES.md

@@ -1,3 +1,7 @@
+# 0.2.4
+  * Fixes for V9 parsing.  Now supports processing multiple templates.
+  * General code cleanup/Removal of uneeded code.
+
 # 0.2.3
   * Small performance improvement by not parsing netflow version twice each packet.
   * General Code cleanup for field_types and DataNumbers.

SECURITY.md

@@ -4,6 +4,7 @@
 
 | Version | Supported          |
 | ------- | ------------------ |
+| 0.2.4   | :white_check_mark: |
 | 0.2.3   | :white_check_mark: |
 | 0.2.2   | :white_check_mark: |
 | 0.2.1   | :white_check_mark: |

src/lib.rs

@@ -75,9 +75,10 @@ pub mod protocol;
 pub mod static_versions;
 pub mod variable_versions;
 
+use nom_derive::Parse;
 use serde::Serialize;
 
-use netflow_header::{NetflowHeader, NetflowVersion};
+use netflow_header::{NetflowHeader, NetflowHeaderResult};
 use static_versions::{v5::V5, v7::V7};
 use variable_versions::ipfix::{IPFix, IPFixParser};
 use variable_versions::v9::{V9Parser, V9};
@@ -121,24 +122,44 @@ impl NetflowPacketResult {
     }
 }
 
+impl From<V5> for NetflowPacketResult {
+    fn from(v5: V5) -> Self {
+        Self::V5(v5)
+    }
+}
+
+impl From<V7> for NetflowPacketResult {
+    fn from(v7: V7) -> Self {
+        Self::V7(v7)
+    }
+}
+
+impl From<V9> for NetflowPacketResult {
+    fn from(v9: V9) -> Self {
+        Self::V9(v9)
+    }
+}
+
+impl From<IPFix> for NetflowPacketResult {
+    fn from(ipfix: IPFix) -> Self {
+        Self::IPFix(ipfix)
+    }
+}
+
 #[derive(Debug, Clone)]
 struct ParsedNetflow {
     remaining: Vec<u8>,
     /// Parsed Netflow Packet
     netflow_packet: NetflowPacketResult,
 }
 
-/// Trait provided for all static parser versions
-trait NetflowByteParserStatic {
-    fn parse_bytes(packet: &[u8]) -> Result<ParsedNetflow, Box<dyn std::error::Error>>;
-}
-
-/// Trait provided for all variable parser versions.  We need a mutable self reference to store things like tempalates.
-trait NetflowByteParserVariable {
-    fn parse_bytes(
-        &mut self,
-        packet: &[u8],
-    ) -> Result<ParsedNetflow, Box<dyn std::error::Error>>;
+impl ParsedNetflow {
+    fn new(remaining: &[u8], netflow_packet: NetflowPacketResult) -> Self {
+        Self {
+            remaining: remaining.to_vec(),
+            netflow_packet,
+        }
+    }
 }
 
 #[derive(Default, Debug)]
@@ -148,28 +169,50 @@ pub struct NetflowParser {
 }
 
 impl NetflowParser {
-    /// We match versions to parsers.
+    /// Parses a Netflow by version packet and returns a Parsed Netflow.
     fn parse_by_version<'a>(
         &'a mut self,
         packet: &'a [u8],
     ) -> Result<ParsedNetflow, Box<dyn std::error::Error>> {
         match NetflowHeader::parse_header(packet) {
-            Ok((i, netflow_header)) if netflow_header.version == NetflowVersion::V5 => {
-                V5::parse_bytes(i)
-            }
-            Ok((i, netflow_header)) if netflow_header.version == NetflowVersion::V7 => {
-                V7::parse_bytes(i)
-            }
-            Ok((i, netflow_header)) if netflow_header.version == NetflowVersion::V9 => {
-                self.v9_parser.parse_bytes(i)
-            }
-            Ok((i, netflow_header)) if netflow_header.version == NetflowVersion::IPFix => {
-                self.ipfix_parser.parse_bytes(i)
-            }
+            Ok(NetflowHeaderResult::V5(v5_packet)) => Self::parse_v5(v5_packet),
+            Ok(NetflowHeaderResult::V7(v7_packet)) => Self::parse_v7(v7_packet),
+            Ok(NetflowHeaderResult::V9(v9_packet)) => self.parse_v9(v9_packet),
+            Ok(NetflowHeaderResult::IPFix(ipfix_packet)) => self.parse_ipfix(ipfix_packet),
             _ => Err("Not Supported".to_string().into()),
         }
     }
 
+    fn parse_v5(v5_packet: &[u8]) -> Result<ParsedNetflow, Box<dyn std::error::Error>> {
+        V5::parse(v5_packet)
+            .map_err(|e| format!("Could not parse V5 packet: {e}").into())
+            .map(|(remaining, v5_parsed)| ParsedNetflow::new(remaining, v5_parsed.into()))
+    }
+
+    fn parse_v7(v7_packet: &[u8]) -> Result<ParsedNetflow, Box<dyn std::error::Error>> {
+        V7::parse(v7_packet)
+            .map_err(|e| format!("Could not parse V7 packet: {e}").into())
+            .map(|(remaining, v5_parsed)| ParsedNetflow::new(remaining, v5_parsed.into()))
+    }
+
+    fn parse_v9(
+        &mut self,
+        v9_packet: &[u8],
+    ) -> Result<ParsedNetflow, Box<dyn std::error::Error>> {
+        V9::parse(v9_packet, &mut self.v9_parser)
+            .map_err(|e| format!("Could not parse V9 packet: {e}").into())
+            .map(|(remaining, v9_parsed)| ParsedNetflow::new(remaining, v9_parsed.into()))
+    }
+
+    fn parse_ipfix(
+        &mut self,
+        ipfix_packet: &[u8],
+    ) -> Result<ParsedNetflow, Box<dyn std::error::Error>> {
+        IPFix::parse(ipfix_packet, &mut self.ipfix_parser)
+            .map_err(|e| format!("Could not parse v10_packet: {e}").into())
+            .map(|(remaining, ipfix_parsed)| ParsedNetflow::new(remaining, ipfix_parsed.into()))
+    }
+
     /// Takes a Netflow packet slice and returns a vector of Parsed Netflows.
     /// If we reach some parse error we return what items be have.
     ///

src/netflow_header.rs

@@ -1,5 +1,4 @@
 use nom::number::complete::be_u16;
-use nom::IResult;
 use nom_derive::{Nom, Parse};
 
 /// Struct is used simply to match how to handle the result of the packet
@@ -10,9 +9,24 @@ pub struct NetflowHeader {
     pub version: NetflowVersion,
 }
 
+pub enum NetflowHeaderResult<'a> {
+    V5(&'a [u8]),
+    V7(&'a [u8]),
+    V9(&'a [u8]),
+    IPFix(&'a [u8]),
+}
+
 impl NetflowHeader {
-    pub fn parse_header(packet: &[u8]) -> IResult<&[u8], NetflowHeader> {
-        NetflowHeader::parse_be(packet)
+    pub fn parse_header(
+        packet: &[u8],
+    ) -> Result<NetflowHeaderResult, Box<dyn std::error::Error>> {
+        match NetflowHeader::parse_be(packet) {
+            Ok((i, header)) if header.version.is_v5() => Ok(NetflowHeaderResult::V5(i)),
+            Ok((i, header)) if header.version.is_v7() => Ok(NetflowHeaderResult::V7(i)),
+            Ok((i, header)) if header.version.is_v9() => Ok(NetflowHeaderResult::V9(i)),
+            Ok((i, header)) if header.version.is_ipfix() => Ok(NetflowHeaderResult::IPFix(i)),
+            _ => Err(("Unsupported Version").into()),
+        }
     }
 }
 
@@ -25,6 +39,21 @@ pub enum NetflowVersion {
     Unsupported,
 }
 
+impl NetflowVersion {
+    pub fn is_v5(&self) -> bool {
+        *self == NetflowVersion::V5
+    }
+    pub fn is_v7(&self) -> bool {
+        *self == NetflowVersion::V7
+    }
+    pub fn is_v9(&self) -> bool {
+        *self == NetflowVersion::V9
+    }
+    pub fn is_ipfix(&self) -> bool {
+        *self == NetflowVersion::IPFix
+    }
+}
+
 impl From<u16> for NetflowVersion {
     fn from(version: u16) -> Self {
         match version {

src/snapshots/netflow_parser__tests__it_parses_ipfix_with_no_template_fields_raises_error.snap

@@ -2,25 +2,19 @@
 source: src/lib.rs
 expression: parser.parse_bytes(&packet)
 ---
+- IPFix:
+    header:
+      version: 10
+      length: 26
+      export_time:
+        secs: 1
+        nanos: 0
+      sequence_number: 1
+      observation_domain_id: 0
+    sets: []
 - Error:
-    error_message: "Could not parse v10_set: Parsing Error: Error { input: [0, 8, 0, 0, 1, 1], code: Fail }"
+    error_message: Not Supported
     bytes:
-      - 0
-      - 10
-      - 0
-      - 26
-      - 0
-      - 0
-      - 0
-      - 1
-      - 0
-      - 0
-      - 0
-      - 1
-      - 0
-      - 0
-      - 0
-      - 0
       - 1
       - 2
       - 0

src/static_versions/v5.rs

@@ -4,7 +4,6 @@
 //! - <https://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.html>
 
 use crate::protocol::ProtocolTypes;
-use crate::{NetflowByteParserStatic, NetflowPacketResult, ParsedNetflow};
 
 use nom::number::complete::be_u32;
 #[cfg(feature = "unix_timestamp")]
@@ -16,25 +15,14 @@ use Nom;
 use std::net::Ipv4Addr;
 use std::time::Duration;
 
-#[derive(Debug, Nom, Clone, Serialize)]
+#[derive(Nom, Debug, Clone, Serialize)]
 pub struct V5 {
     /// V5 Header
     pub header: Header,
     /// V5 Body
     pub body: Body,
 }
 
-impl NetflowByteParserStatic for V5 {
-    #[inline]
-    fn parse_bytes(packet: &[u8]) -> Result<ParsedNetflow, Box<dyn std::error::Error>> {
-        let parsed_packet = V5::parse_be(packet).map_err(|e| format!("{e}"))?;
-        Ok(ParsedNetflow {
-            remaining: parsed_packet.0.to_vec(),
-            netflow_packet: NetflowPacketResult::V5(parsed_packet.1),
-        })
-    }
-}
-
 #[derive(Debug, PartialEq, Eq, Clone, Copy, Serialize, Nom)]
 pub struct Header {
     /// NetFlow export format version number

src/static_versions/v7.rs

@@ -4,7 +4,6 @@
 //! - <https://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.html>
 
 use crate::protocol::ProtocolTypes;
-use crate::{NetflowByteParserStatic, NetflowPacketResult, ParsedNetflow};
 
 use nom::number::complete::be_u32;
 #[cfg(feature = "unix_timestamp")]
@@ -24,17 +23,6 @@ pub struct V7 {
     pub body: Body,
 }
 
-impl NetflowByteParserStatic for V7 {
-    #[inline]
-    fn parse_bytes(packet: &[u8]) -> Result<ParsedNetflow, Box<dyn std::error::Error>> {
-        let parsed_packet = V7::parse_be(packet).map_err(|e| format!("{e}"))?;
-        Ok(ParsedNetflow {
-            remaining: parsed_packet.0.to_vec(),
-            netflow_packet: NetflowPacketResult::V7(parsed_packet.1),
-        })
-    }
-}
-
 #[derive(Debug, PartialEq, Eq, Clone, Copy, Nom, Serialize)]
 pub struct Header {
     /// NetFlow export format version number

src/variable_versions/ipfix.rs

@@ -8,11 +8,11 @@
 
 use super::common::*;
 use crate::variable_versions::ipfix_lookup::*;
-use crate::{NetflowByteParserVariable, NetflowPacketResult, ParsedNetflow};
 
 use nom::bytes::complete::take;
+use nom::combinator::complete;
 use nom::error::{Error as NomError, ErrorKind};
-use nom::multi::count;
+use nom::multi::{count, many0};
 use nom::number::complete::be_u32;
 use nom::Err as NomErr;
 use nom::IResult;
@@ -35,11 +35,13 @@ pub struct IPFixParser {
     pub options_templates: BTreeMap<TemplateId, OptionsTemplate>,
 }
 
-#[derive(Debug, PartialEq, Clone, Serialize)]
+#[derive(Nom, Debug, PartialEq, Clone, Serialize)]
+#[nom(ExtraArgs(parser: &mut IPFixParser))]
 pub struct IPFix {
     /// IPFix Header
     pub header: Header,
     /// Sets
+    #[nom(Parse = "many0(complete(|i| Set::parse(i, parser)))")]
     pub sets: Vec<Set>,
 }
 
@@ -239,43 +241,3 @@ fn parse_fields<'a, T: CommonTemplate>(
     }
     Ok((&[], fields))
 }
-
-impl NetflowByteParserVariable for IPFixParser {
-    /// Takes a byte stream, returns either a Parsed Netflow or a Boxed Error.
-    #[inline]
-    fn parse_bytes<'a>(
-        &'a mut self,
-        packet: &'a [u8],
-    ) -> Result<ParsedNetflow, Box<dyn std::error::Error>> {
-        let mut sets = vec![];
-
-        let (mut remaining, v10_header) =
-            Header::parse(packet).map_err(|_| "Could not parse v10_packet".to_string())?;
-
-        let mut total_left = v10_header.length as usize;
-
-        // dbg!("remaining: {}", remaining);
-
-        while total_left != 0 {
-            let (left_remaining, v10_set) = Set::parse(remaining, self)
-                .map_err(|e| format!("Could not parse v10_set: {e}"))?;
-            // dbg!("left remaining: {}", left_remaining);
-            remaining = left_remaining;
-            let parsed = total_left
-                .checked_sub(remaining.len())
-                .unwrap_or(total_left);
-            total_left -= parsed;
-            sets.push(v10_set);
-        }
-
-        let v10_parsed = IPFix {
-            header: v10_header,
-            sets,
-        };
-
-        Ok(ParsedNetflow {
-            remaining: remaining.to_vec(),
-            netflow_packet: NetflowPacketResult::IPFix(v10_parsed),
-        })
-    }
-}