Add support for MPLS labels in flow reports

[wrigby]

Previously, NetFlow v9 templates with MPLS label fields in them weren't getting parsed, so any flow reports with MPLS labels in them were getting ignored. This PR adds support for flow reports containing the MPLS label stack.

• New class in util.rb for MPLS stack labels
• New entries in netflow.yaml for MPLS stack entries 1-10
• Build an array for the MPLS stack, rather than just putting the raw mpls_label_x fields on the event
• Change the type of mpls_top_label_ip_addr to ip4_addr instead of uint32

See also:

• RFC 3954
• RFC 5462
• NetFlow Version 9 Flow-Record Format

[wrigby]

After looking into this further, I'm going to have to restructure how the label stack is stored:

I'm thinking:

mpls_label_stack: {
    0: {
      label: 16,
      traffic_class: 0
    },
    1: {
      label: 3265,
      traffic_class: 0
    }
  }

[wrigby]

@bodgit I would love a quick sanity check on how you think this should work before I spend the time rebasing it after #8 (will probably wait until #10 gets merged, realistically).

I'm wondering if it's better to just define the netflow fields and leave them in the event as mpls_label_0 ... mpls_label_N, or to build the mpls_label_stack structure like I did in my initial implementation.

[bodgit]

I would probably leave them as individual fields, of course with IPFIX and its complex data types an exporting device could send an actual list of MPLS labels if it chose to.

I noticed you added a new type that breaks apart the bit-fields which is handy 👍 . I was thinking of maybe doing something similar for the TCP flags field (ID 6) rather than just report a single number.

[wrigby]

Makes sense! I'll re-implement this and submit a new PR with the changes.

[elasticsearch-release]

Jenkins standing by to test this. If you aren't a maintainer, you can ignore this comment. Someone with commit access, please review this and clear it for Jenkins to run; then say 'jenkins, test it'.

[jorritfolmer]

Hi @wrigby any chance you can provide a .pcap with MPLS label containing flows?

[wrigby]

@jorritfolmer I'm at a different company now, and I don't think I have any .pcap files left from that project (they were all on my work laptop). 😞

I can maybe throw together a quick test set up, but I have to make sure the ISR I have laying around supports MPLS and Netflow. It will be a good learning experience anyway.

[karmi]

Hi @wrigby, we have found your signature in our records, but it seems like you have signed with a different e-mail than the one used in yout Git commit. Can you please add both of these e-mails into your Github profile (they can be hidden), so we can match your e-mails to your Github profile?

[wrigby]

@karmi Unfortunately, I don't have access to that email address anymore, as I've since left O3b. I'm not sure if this PR is even that relevant; it could be used as a reference, but the code probably has to be rewritten since #10 was merged.

[karmi]

Hi @wrigby, if you wanna fix it, just amend the commit with the different e-mail and force push:

git commit --amend --author=William Rigby <XXXXXXXX@gmail.com>
git push --force

Or, rather, make sure you update your Git config with the e-mail you have access to :)

I cant vouch for this particular PR, but this can come handy in future.

[wrigby]

@karmi fixed, mostly just for the exercise of fixing it. Thanks!

[jorritfolmer]

I'll leave this PR open, even though it's old, just in case someone has an MPLS setup and can provide pcaps.

[jorritfolmer]

Closing due to lack of tests, or pcap to create them from.
We do have some MPLS support now, but unfortunately not the flavour used in this PR.