netflow/tests/test_ipfix.py

#!/usr/bin/env python3

"""
This file belongs to https://github.com/bitkeks/python-netflow-v9-softflowd.

Copyright 2016-2020 Dominik Pataky <software+pynetflow@dpataky.eu>
Licensed under MIT License. See LICENSE.
"""
# TODO: tests with 500 packets fail with delay=0. Probably a problem with UDP sockets buffer
# TODO: add test for template withdrawal

import ipaddress
import unittest

from tests.lib import send_recv_packets, PACKET_IPFIX_TEMPLATE, PACKET_IPFIX, PACKET_IPFIX_ETHER, \
    PACKET_IPFIX_TEMPLATE_ETHER


class TestFlowExportIPFIX(unittest.TestCase):
    def test_recv_ipfix_packet(self):
        """
        Test general sending of raw and receiving and parsing of these packets.
        If this test runs successfully, the sender thread has sent a raw bytes packet towards a locally
        listening collector thread, and the collector has successfully received and parsed the packets.
        :return:
        """
        # send packet without any template, must fail to parse (packets are queued)
        pkts, _, _ = send_recv_packets([PACKET_IPFIX])
        self.assertEqual(len(pkts), 0)  # no export is parsed due to missing template

        # send packet with 5 templates and 20 flows, should parse correctly since the templates are known
        pkts, _, _ = send_recv_packets([PACKET_IPFIX_TEMPLATE])
        self.assertEqual(len(pkts), 1)

        p = pkts[0]
        self.assertEqual(p.client[0], "127.0.0.1")
        self.assertEqual(len(p.export.flows), 1 + 2 + 2 + 9 + 1 + 2 + 1 + 2)  # count flows
        self.assertEqual(len(p.export.templates), 4 + 1)  # count new templates

        # send template and multiple export packets
        pkts, _, _ = send_recv_packets([PACKET_IPFIX, PACKET_IPFIX_TEMPLATE, PACKET_IPFIX])
        self.assertEqual(len(pkts), 3)
        self.assertEqual(pkts[0].export.header.version, 10)

        # check amount of flows across all packets
        total_flows = 0
        for packet in pkts:
            total_flows += len(packet.export.flows)
        self.assertEqual(total_flows, 2 + 1 + (1 + 2 + 2 + 9 + 1 + 2 + 1 + 2) + 2 + 1)

    def test_ipfix_contents(self):
        """
        Inspect content of exported flows, eg. test the value of an option flow and the correct
        parsing of IPv4 and IPv6 addresses.
        :return:
        """
        p = send_recv_packets([PACKET_IPFIX_TEMPLATE])[0][0]

        flow = p.export.flows[0]
        self.assertEqual(flow.meteringProcessId, 2649)
        self.assertEqual(flow.selectorAlgorithm, 1)
        self.assertEqual(flow.systemInitTimeMilliseconds, 1585735165729)

        flow = p.export.flows[1]  # HTTPS flow from web server to client
        self.assertEqual(flow.destinationIPv4Address, 2886795266)
        self.assertEqual(ipaddress.ip_address(flow.destinationIPv4Address),
                         ipaddress.ip_address("172.17.0.2"))
        self.assertEqual(flow.protocolIdentifier, 6)  # TCP
        self.assertEqual(flow.sourceTransportPort, 443)
        self.assertEqual(flow.destinationTransportPort, 57766)
        self.assertEqual(flow.tcpControlBits, 0x1b)

        flow = p.export.flows[17]  # IPv6 flow
        self.assertEqual(flow.protocolIdentifier, 17)  # UDP
        self.assertEqual(flow.sourceIPv6Address, 0xfde66f14e0f196090000affeaffeaffe)
        self.assertEqual(ipaddress.ip_address(flow.sourceIPv6Address),  # Docker ULA
                         ipaddress.ip_address("fde6:6f14:e0f1:9609:0:affe:affe:affe"))

    def test_ipfix_contents_ether(self):
        """
        IPFIX content tests based on exports with the softflowd "-T ether" flag, meaning that layer 2
        is included in the export, like MAC addresses.
        :return:
        """
        pkts, _, _ = send_recv_packets([PACKET_IPFIX_TEMPLATE_ETHER, PACKET_IPFIX_ETHER])
        self.assertEqual(len(pkts), 2)
        p = pkts[0]

        # Inspect contents of specific flows
        flow = p.export.flows[0]
        self.assertEqual(flow.meteringProcessId, 9)
        self.assertEqual(flow.selectorAlgorithm, 1)
        self.assertEqual(flow.systemInitTimeMilliseconds, 759538800000)

        flow = p.export.flows[1]
        self.assertEqual(flow.destinationIPv4Address, 2886795266)
        self.assertTrue(hasattr(flow, "sourceMacAddress"))
        self.assertTrue(hasattr(flow, "postDestinationMacAddress"))
        self.assertEqual(flow.sourceMacAddress, 0x123456affefe)
        self.assertEqual(flow.postDestinationMacAddress, 0xaffeaffeaffe)
Refactor tests, moved into tests/ The tests are now located in tests/. They are also split into multiple files, beginning with test_netflow and test_analyzer. The tests for IPFIX will be added to test_ipfix. 2020-04-01 11:55:45 +02:00			`#!/usr/bin/env python3`

			`"""`
			`This file belongs to https://github.com/bitkeks/python-netflow-v9-softflowd.`

Ensure compatibility with Python 3.5.3 This commit replaces multiple occurences of new features which were not yet implemented with Python 3.5.3, which is the reference backwards compatibility version for this package. The version is based on the current Python version in Debian Stretch (oldstable). According to pkgs.org, all other distros use 3.6+, so 3.5.3 is the lower boundary. Changes: * Add maxsize argument to functools.lru_cache decorator * Replace f"" with .format() * Replace variable type hints "var: type = val" with "# type:" comments * Replace pstats.SortKey enum with strings in performance tests Additionally, various styling fixes were applied. The version compatibility was tested with tox, pyenv and Python 3.5.3, but there is no tox.ini yet which automates this test. Bump patch version number to 0.10.3 Update author's email address. Resolves #27 2020-04-24 16:34:37 +02:00			`Copyright 2016-2020 Dominik Pataky <software+pynetflow@dpataky.eu>`
Refactor tests, moved into tests/ The tests are now located in tests/. They are also split into multiple files, beginning with test_netflow and test_analyzer. The tests for IPFIX will be added to test_ipfix. 2020-04-01 11:55:45 +02:00			`Licensed under MIT License. See LICENSE.`
			`"""`
			`# TODO: tests with 500 packets fail with delay=0. Probably a problem with UDP sockets buffer`
IPFIX: add template withdrawal handling; bump version to v0.10.2 Templates may be withdrawn as per RFC7011. Receiving a template with an existing template_id and a field_count of 0 now triggers deletion of this template. 2020-04-06 17:27:26 +02:00			`# TODO: add test for template withdrawal`
Refactor tests, moved into tests/ The tests are now located in tests/. They are also split into multiple files, beginning with test_netflow and test_analyzer. The tests for IPFIX will be added to test_ipfix. 2020-04-01 11:55:45 +02:00
			`import ipaddress`
			`import unittest`

IPFIX: enhance (data\|field) types and parsing; extend tests Parts of the IPFIXFieldTypes class were extracted into the new IPFIXDataTypes class, to increase readability and stability. The IPFIXDataRecord class and its field parser is now more in tune with the specifications, handling signed and unsigned, as well as float, boolean and UTF8 strings etc. Corresponding tests were extended with softflowd packets (level "ethernet") and value checks (e.g. MAC address). Resolves #25 2020-04-06 17:02:52 +02:00			`from tests.lib import send_recv_packets, PACKET_IPFIX_TEMPLATE, PACKET_IPFIX, PACKET_IPFIX_ETHER, \`
			`PACKET_IPFIX_TEMPLATE_ETHER`
Tests: move packets into each version test file; add tests for IPFIX The previously introduced tests/lib.py contained the NetFlow v9 packets and then the IPFIX packets, those were split and put into their respective test files again. The lib now contains shared objects only. For IPFIX tests were added. Two new packets were added, one with templates and one without (again, real exports from softflowd). Different cases are checked: no template, template and later template. Fields of flows are also checked, especially IPv6 addresses. Note: exports made with softflowd were created by softflowd 1.0.0, compiled from https://github.com/irino/softflowd 2020-04-01 14:15:53 +02:00

Refactor tests, moved into tests/ The tests are now located in tests/. They are also split into multiple files, beginning with test_netflow and test_analyzer. The tests for IPFIX will be added to test_ipfix. 2020-04-01 11:55:45 +02:00			`class TestFlowExportIPFIX(unittest.TestCase):`
Tests: move packets into each version test file; add tests for IPFIX The previously introduced tests/lib.py contained the NetFlow v9 packets and then the IPFIX packets, those were split and put into their respective test files again. The lib now contains shared objects only. For IPFIX tests were added. Two new packets were added, one with templates and one without (again, real exports from softflowd). Different cases are checked: no template, template and later template. Fields of flows are also checked, especially IPv6 addresses. Note: exports made with softflowd were created by softflowd 1.0.0, compiled from https://github.com/irino/softflowd 2020-04-01 14:15:53 +02:00			`def test_recv_ipfix_packet(self):`
IPFIX: enhance (data\|field) types and parsing; extend tests Parts of the IPFIXFieldTypes class were extracted into the new IPFIXDataTypes class, to increase readability and stability. The IPFIXDataRecord class and its field parser is now more in tune with the specifications, handling signed and unsigned, as well as float, boolean and UTF8 strings etc. Corresponding tests were extended with softflowd packets (level "ethernet") and value checks (e.g. MAC address). Resolves #25 2020-04-06 17:02:52 +02:00			`"""`
			`Test general sending of raw and receiving and parsing of these packets.`
			`If this test runs successfully, the sender thread has sent a raw bytes packet towards a locally`
			`listening collector thread, and the collector has successfully received and parsed the packets.`
			`:return:`
			`"""`
Tests: move packets into each version test file; add tests for IPFIX The previously introduced tests/lib.py contained the NetFlow v9 packets and then the IPFIX packets, those were split and put into their respective test files again. The lib now contains shared objects only. For IPFIX tests were added. Two new packets were added, one with templates and one without (again, real exports from softflowd). Different cases are checked: no template, template and later template. Fields of flows are also checked, especially IPv6 addresses. Note: exports made with softflowd were created by softflowd 1.0.0, compiled from https://github.com/irino/softflowd 2020-04-01 14:15:53 +02:00			`# send packet without any template, must fail to parse (packets are queued)`
			`pkts, _, _ = send_recv_packets([PACKET_IPFIX])`
			`self.assertEqual(len(pkts), 0) # no export is parsed due to missing template`

			`# send packet with 5 templates and 20 flows, should parse correctly since the templates are known`
			`pkts, _, _ = send_recv_packets([PACKET_IPFIX_TEMPLATE])`
			`self.assertEqual(len(pkts), 1)`
IPFIX: enhance (data\|field) types and parsing; extend tests Parts of the IPFIXFieldTypes class were extracted into the new IPFIXDataTypes class, to increase readability and stability. The IPFIXDataRecord class and its field parser is now more in tune with the specifications, handling signed and unsigned, as well as float, boolean and UTF8 strings etc. Corresponding tests were extended with softflowd packets (level "ethernet") and value checks (e.g. MAC address). Resolves #25 2020-04-06 17:02:52 +02:00
Tests: move packets into each version test file; add tests for IPFIX The previously introduced tests/lib.py contained the NetFlow v9 packets and then the IPFIX packets, those were split and put into their respective test files again. The lib now contains shared objects only. For IPFIX tests were added. Two new packets were added, one with templates and one without (again, real exports from softflowd). Different cases are checked: no template, template and later template. Fields of flows are also checked, especially IPv6 addresses. Note: exports made with softflowd were created by softflowd 1.0.0, compiled from https://github.com/irino/softflowd 2020-04-01 14:15:53 +02:00			`p = pkts[0]`
			`self.assertEqual(p.client[0], "127.0.0.1")`
			`self.assertEqual(len(p.export.flows), 1 + 2 + 2 + 9 + 1 + 2 + 1 + 2) # count flows`
			`self.assertEqual(len(p.export.templates), 4 + 1) # count new templates`

IPFIX: enhance (data\|field) types and parsing; extend tests Parts of the IPFIXFieldTypes class were extracted into the new IPFIXDataTypes class, to increase readability and stability. The IPFIXDataRecord class and its field parser is now more in tune with the specifications, handling signed and unsigned, as well as float, boolean and UTF8 strings etc. Corresponding tests were extended with softflowd packets (level "ethernet") and value checks (e.g. MAC address). Resolves #25 2020-04-06 17:02:52 +02:00			`# send template and multiple export packets`
			`pkts, _, _ = send_recv_packets([PACKET_IPFIX, PACKET_IPFIX_TEMPLATE, PACKET_IPFIX])`
			`self.assertEqual(len(pkts), 3)`
			`self.assertEqual(pkts[0].export.header.version, 10)`

			`# check amount of flows across all packets`
			`total_flows = 0`
			`for packet in pkts:`
			`total_flows += len(packet.export.flows)`
			`self.assertEqual(total_flows, 2 + 1 + (1 + 2 + 2 + 9 + 1 + 2 + 1 + 2) + 2 + 1)`

			`def test_ipfix_contents(self):`
			`"""`
			`Inspect content of exported flows, eg. test the value of an option flow and the correct`
			`parsing of IPv4 and IPv6 addresses.`
			`:return:`
			`"""`
			`p = send_recv_packets([PACKET_IPFIX_TEMPLATE])[0][0]`

Tests: move packets into each version test file; add tests for IPFIX The previously introduced tests/lib.py contained the NetFlow v9 packets and then the IPFIX packets, those were split and put into their respective test files again. The lib now contains shared objects only. For IPFIX tests were added. Two new packets were added, one with templates and one without (again, real exports from softflowd). Different cases are checked: no template, template and later template. Fields of flows are also checked, especially IPv6 addresses. Note: exports made with softflowd were created by softflowd 1.0.0, compiled from https://github.com/irino/softflowd 2020-04-01 14:15:53 +02:00			`flow = p.export.flows[0]`
			`self.assertEqual(flow.meteringProcessId, 2649)`
			`self.assertEqual(flow.selectorAlgorithm, 1)`
			`self.assertEqual(flow.systemInitTimeMilliseconds, 1585735165729)`

			`flow = p.export.flows[1] # HTTPS flow from web server to client`
			`self.assertEqual(flow.destinationIPv4Address, 2886795266)`
			`self.assertEqual(ipaddress.ip_address(flow.destinationIPv4Address),`
			`ipaddress.ip_address("172.17.0.2"))`
			`self.assertEqual(flow.protocolIdentifier, 6) # TCP`
			`self.assertEqual(flow.sourceTransportPort, 443)`
			`self.assertEqual(flow.destinationTransportPort, 57766)`
IPFIX: enhance (data\|field) types and parsing; extend tests Parts of the IPFIXFieldTypes class were extracted into the new IPFIXDataTypes class, to increase readability and stability. The IPFIXDataRecord class and its field parser is now more in tune with the specifications, handling signed and unsigned, as well as float, boolean and UTF8 strings etc. Corresponding tests were extended with softflowd packets (level "ethernet") and value checks (e.g. MAC address). Resolves #25 2020-04-06 17:02:52 +02:00			`self.assertEqual(flow.tcpControlBits, 0x1b)`
Tests: move packets into each version test file; add tests for IPFIX The previously introduced tests/lib.py contained the NetFlow v9 packets and then the IPFIX packets, those were split and put into their respective test files again. The lib now contains shared objects only. For IPFIX tests were added. Two new packets were added, one with templates and one without (again, real exports from softflowd). Different cases are checked: no template, template and later template. Fields of flows are also checked, especially IPv6 addresses. Note: exports made with softflowd were created by softflowd 1.0.0, compiled from https://github.com/irino/softflowd 2020-04-01 14:15:53 +02:00
			`flow = p.export.flows[17] # IPv6 flow`
			`self.assertEqual(flow.protocolIdentifier, 17) # UDP`
IPFIX: enhance (data\|field) types and parsing; extend tests Parts of the IPFIXFieldTypes class were extracted into the new IPFIXDataTypes class, to increase readability and stability. The IPFIXDataRecord class and its field parser is now more in tune with the specifications, handling signed and unsigned, as well as float, boolean and UTF8 strings etc. Corresponding tests were extended with softflowd packets (level "ethernet") and value checks (e.g. MAC address). Resolves #25 2020-04-06 17:02:52 +02:00			`self.assertEqual(flow.sourceIPv6Address, 0xfde66f14e0f196090000affeaffeaffe)`
Tests: move packets into each version test file; add tests for IPFIX The previously introduced tests/lib.py contained the NetFlow v9 packets and then the IPFIX packets, those were split and put into their respective test files again. The lib now contains shared objects only. For IPFIX tests were added. Two new packets were added, one with templates and one without (again, real exports from softflowd). Different cases are checked: no template, template and later template. Fields of flows are also checked, especially IPv6 addresses. Note: exports made with softflowd were created by softflowd 1.0.0, compiled from https://github.com/irino/softflowd 2020-04-01 14:15:53 +02:00			`self.assertEqual(ipaddress.ip_address(flow.sourceIPv6Address), # Docker ULA`
IPFIX: enhance (data\|field) types and parsing; extend tests Parts of the IPFIXFieldTypes class were extracted into the new IPFIXDataTypes class, to increase readability and stability. The IPFIXDataRecord class and its field parser is now more in tune with the specifications, handling signed and unsigned, as well as float, boolean and UTF8 strings etc. Corresponding tests were extended with softflowd packets (level "ethernet") and value checks (e.g. MAC address). Resolves #25 2020-04-06 17:02:52 +02:00			`ipaddress.ip_address("fde6:6f14:e0f1:9609:0:affe:affe:affe"))`
Tests: move packets into each version test file; add tests for IPFIX The previously introduced tests/lib.py contained the NetFlow v9 packets and then the IPFIX packets, those were split and put into their respective test files again. The lib now contains shared objects only. For IPFIX tests were added. Two new packets were added, one with templates and one without (again, real exports from softflowd). Different cases are checked: no template, template and later template. Fields of flows are also checked, especially IPv6 addresses. Note: exports made with softflowd were created by softflowd 1.0.0, compiled from https://github.com/irino/softflowd 2020-04-01 14:15:53 +02:00
IPFIX: enhance (data\|field) types and parsing; extend tests Parts of the IPFIXFieldTypes class were extracted into the new IPFIXDataTypes class, to increase readability and stability. The IPFIXDataRecord class and its field parser is now more in tune with the specifications, handling signed and unsigned, as well as float, boolean and UTF8 strings etc. Corresponding tests were extended with softflowd packets (level "ethernet") and value checks (e.g. MAC address). Resolves #25 2020-04-06 17:02:52 +02:00			`def test_ipfix_contents_ether(self):`
			`"""`
			`IPFIX content tests based on exports with the softflowd "-T ether" flag, meaning that layer 2`
			`is included in the export, like MAC addresses.`
			`:return:`
			`"""`
			`pkts, _, _ = send_recv_packets([PACKET_IPFIX_TEMPLATE_ETHER, PACKET_IPFIX_ETHER])`
			`self.assertEqual(len(pkts), 2)`
			`p = pkts[0]`
Tests: move packets into each version test file; add tests for IPFIX The previously introduced tests/lib.py contained the NetFlow v9 packets and then the IPFIX packets, those were split and put into their respective test files again. The lib now contains shared objects only. For IPFIX tests were added. Two new packets were added, one with templates and one without (again, real exports from softflowd). Different cases are checked: no template, template and later template. Fields of flows are also checked, especially IPv6 addresses. Note: exports made with softflowd were created by softflowd 1.0.0, compiled from https://github.com/irino/softflowd 2020-04-01 14:15:53 +02:00
IPFIX: enhance (data\|field) types and parsing; extend tests Parts of the IPFIXFieldTypes class were extracted into the new IPFIXDataTypes class, to increase readability and stability. The IPFIXDataRecord class and its field parser is now more in tune with the specifications, handling signed and unsigned, as well as float, boolean and UTF8 strings etc. Corresponding tests were extended with softflowd packets (level "ethernet") and value checks (e.g. MAC address). Resolves #25 2020-04-06 17:02:52 +02:00			`# Inspect contents of specific flows`
			`flow = p.export.flows[0]`
			`self.assertEqual(flow.meteringProcessId, 9)`
			`self.assertEqual(flow.selectorAlgorithm, 1)`
			`self.assertEqual(flow.systemInitTimeMilliseconds, 759538800000)`

			`flow = p.export.flows[1]`
			`self.assertEqual(flow.destinationIPv4Address, 2886795266)`
			`self.assertTrue(hasattr(flow, "sourceMacAddress"))`
			`self.assertTrue(hasattr(flow, "postDestinationMacAddress"))`
			`self.assertEqual(flow.sourceMacAddress, 0x123456affefe)`
			`self.assertEqual(flow.postDestinationMacAddress, 0xaffeaffeaffe)`