Add additional field types (ASA, PANOS) and set fallback type to 0

refs #4 @ Github

src/netflow/collector_v9.py

@@ -17,6 +17,11 @@ import sys
 
 
 field_types = {
+    0: 'UNKNOWN_FIELD_TYPE',  # fallback for unknown field types
+
+    # Cisco specs for NetFlow v9
+    # https://tools.ietf.org/html/rfc3954
+    # https://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.html
     1: 'IN_BYTES',
     2: 'IN_PKTS',
     3: 'FLOWS',
@@ -101,7 +106,50 @@ field_types = {
     86: 'IN_PERMANENT_PKTS',
     # 87 vendor property
     88: 'FRAGMENT_OFFSET',
-    89: 'FORWARDING STATUS',
+    89: 'FORWARDING_STATUS',
+    90: 'MPLS_PAL_RD',
+    91: 'MPLS_PREFIX_LEN',  # Number of consecutive bits in the MPLS prefix length.
+    92: 'SRC_TRAFFIC_INDEX',  # BGP Policy Accounting Source Traffic Index
+    93: 'DST_TRAFFIC_INDEX',  # BGP Policy Accounting Destination Traffic Index
+    94: 'APPLICATION_DESCRIPTION',  # Application description
+    95: 'APPLICATION_TAG',  # 8 bits of engine ID, followed by n bits of classification
+    96: 'APPLICATION_NAME',  # Name associated with a classification
+    98: 'postipDiffServCodePoint',  # The value of a Differentiated Services Code Point (DSCP) encoded in the Differentiated Services Field, after modification
+    99: 'replication_factor',  # Multicast replication factor
+    100: 'DEPRECATED',  # DEPRECATED
+    102: 'layer2packetSectionOffset',  # Layer 2 packet section offset. Potentially a generic offset
+    103: 'layer2packetSectionSize',  # Layer 2 packet section size. Potentially a generic size
+    104: 'layer2packetSectionData',  # Layer 2 packet section data
+    # 105-127 reserved for future use by Cisco
+
+    # ASA extensions
+    # https://www.cisco.com/c/en/us/td/docs/security/asa/special/netflow/guide/asa_netflow.html
+    148: 'NF_F_CONN_ID',  # An identifier of a unique flow for the device
+    176: 'NF_F_ICMP_TYPE',  # ICMP type value
+    177: 'NF_F_ICMP_CODE',  # ICMP code value
+    178: 'NF_F_ICMP_TYPE_IPV6',  # ICMP IPv6 type value
+    179: 'NF_F_ICMP_CODE_IPV6',  # ICMP IPv6 code value
+    225: 'NF_F_XLATE_SRC_ADDR_IPV4',  # Post NAT Source IPv4 Address
+    226: 'NF_F_XLATE_DST_ADDR_IPV4',  # Post NAT Destination IPv4 Address
+    227: 'NF_F_XLATE_SRC_PORT',  # Post NATT Source Transport Port
+    228: 'NF_F_XLATE_DST_PORT',  # Post NATT Destination Transport Port
+    281: 'NF_F_XLATE_SRC_ADDR_IPV6',  # Post NAT Source IPv6 Address
+    282: 'NF_F_XLATE_DST_ADDR_IPV6',  # Post NAT Destination IPv6 Address
+    233: 'NF_F_FW_EVENT',  # High-level event code
+    33002: 'NF_F_FW_EXT_EVENT',  # Extended event code
+    323: 'NF_F_EVENT_TIME_MSEC',  # The time that the event occurred, which comes from IPFIX
+    152: 'NF_F_FLOW_CREATE_TIME_MSEC',
+    231: 'NF_F_FWD_FLOW_DELTA_BYTES',  # The delta number of bytes from source to destination
+    232: 'NF_F_REV_FLOW_DELTA_BYTES',  # The delta number of bytes from destination to source
+    33000: 'NF_F_INGRESS_ACL_ID',  # The input ACL that permitted or denied the flow
+    33001: 'NF_F_EGRESS_ACL_ID',  #  The output ACL that permitted or denied a flow
+    40000: 'NF_F_USERNAME',  # AAA username
+
+    # PaloAlto PAN-OS 8.0
+    # https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/monitoring/netflow-monitoring/netflow-templates
+    346: 'PANOS_privateEnterpriseNumber',
+    56701: 'PANOS_APPID',
+    56702: 'PANOS_USERID'
 }
 
 
@@ -216,6 +264,8 @@ class TemplateFlowSet:
                 # Get all fields of this template
                 offset += 4
                 field_type, field_length = struct.unpack('!HH', data[offset:offset+4])
+                if field_type not in field_types:
+                    field_type = 0  # Set field_type to UNKNOWN_FIELD_TYPE as fallback
                 field = TemplateField(field_type, field_length)
                 fields.append(field)