Enricher re-writes fields it should not be

Open ackstorm23 opened this issue 8 months ago • 2 comments

Describe the bug

When piping goflow data through enricher, fields containing IP or MAC addresses are no longer usable. Only happens with the enricher. Running only goflow2 shows correct IP and MAC addresses in output.

To Reproduce

Steps to reproduce the behavior:

  1. Run GoFlow2 with arguments 'goflow2-2.2.2-7-gfb53b55-linux-aarch64 -transport.file.sep= -format=bin -addr=0.0.0.0:8880 | enricher -db.asn ./config/GeoLite2-ASN.mmdb -db.country ./config/GeoLite2-Country.mmdb'
  2. Wait for flows to come in
  3. Observe that the JSON output has invalid data in src_addr, dst_addr, src_mac, dst_mac, next_hop, and any other field that contains an IP or MAC address.

Expected behavior

Fields with IP or MAC address are not modified by the enricher

Captures

If applicable, add output (JSON, protobuf), packet captures and device configuration.

{"type":4,"sequence_num":6874,"sampler_address":"CgEAAQ==","bytes":17367,"packets":15,"src_addr":"z/Hj4Q==","dst_addr":"S0hP6w==","etype":2048,"proto":6,"src_port":80,"dst_port":36552,"in_if":1,"out_if":11,"src_mac":251206042811623,"dst_mac":237876075896724,"tcp_flags":16,"src_as":7941,"dst_as":7922,"next_hop":"AAAAAA==","src_country":"US","dst_country":"US"}

GoFlow2:

  • Version: [GoFlow2 v2.2.2-7-gfb53b55 (2025-05-28T23:53:14-0500)]
  • Environment: [Compiled from source]
  • OS: [Arch Linux]

Additional context

Running enricher with -loglevel=debug does not produce any logs (beyond the initial starting message from info loglevel).

ackstorm23 • May 29 '25 05:05
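
Added example, not part of the original issue and not the goflow2 project's own code: a Go program that reads the address fields of the JSON record posted above and prints them in readable form. It assumes the address strings are base64 of the raw 4- or 16-byte address and the MAC integers are the 48-bit address stored most significant byte first; the names `flow`, `decodeAddr` and `decodeMAC` are hypothetical.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"fmt"
	"net"
	"net/netip"
)

// Address fields copied from the first JSON record in this issue.
const sample = `{"src_addr":"z/Hj4Q==","dst_addr":"S0hP6w==","src_mac":251206042811623,"dst_mac":237876075896724}`

type flow struct {
	Src    string `json:"src_addr"`
	Dst    string `json:"dst_addr"`
	SrcMAC uint64 `json:"src_mac"`
	DstMAC uint64 `json:"dst_mac"`
}

// decodeAddr assumes s is base64 of a raw IPv4 (4-byte) or IPv6 (16-byte) address.
func decodeAddr(s string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(s)
	if err != nil {
		return "", err
	}
	addr, ok := netip.AddrFromSlice(raw)
	if !ok {
		return "", fmt.Errorf("unexpected address length %d", len(raw))
	}
	return addr.String(), nil
}

// decodeMAC assumes v holds the 48-bit MAC in its low six bytes, big-endian.
func decodeMAC(v uint64) string {
	var b [8]byte
	binary.BigEndian.PutUint64(b[:], v)
	return net.HardwareAddr(b[2:]).String()
}

func main() {
	var f flow
	if err := json.Unmarshal([]byte(sample), &f); err != nil {
		panic(err)
	}
	src, errS := decodeAddr(f.Src)
	dst, errD := decodeAddr(f.Dst)
	fmt.Println(src, decodeMAC(f.SrcMAC), "->", dst, decodeMAC(f.DstMAC), errS, errD)
}
```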

I have the same issue when piping goflow data through enricher.

Environment = Compiled From Source
OS = FreeBSD

command debug:

/usr/local/bin/goflow2 -loglevel=info -listen netflow://:2055 -addr ":8181" -transport.file.sep= -format=bin -mapping /usr/local/etc/goflow2/mapping.yaml | /usr/local/bin/enricher -loglevel=info -db.asn /usr/local/etc/goflow2/GeoLite2-ASN.mmdb -db.country /usr/local/etc/goflow2/GeoLite2-Country.mmdb -format json

output:

time=2025-06-13T17:23:01.300+07:00 level=ERROR msg="error unmarshalling message" error="string field contains invalid UTF-8"
time=2025-06-13T17:23:01.300+07:00 level=ERROR msg="error unmarshalling message" error="string field contains invalid UTF-8"
time=2025-06-13T17:23:01.300+07:00 level=ERROR msg="error unmarshalling message" error="string field contains invalid UTF-8"
{"type":4,"sequence_num":781253024,"sampler_address":"yorhQg==","bytes":5760,"packets":4,"src_addr":"LXnbiA==","dst_addr":"yor6Hw==","etype":2048,"proto":6,"src_port":443,"dst_port":55521,"in_if":16,"out_if":15729848,"src_mac":83898788312513,"dst_mac":277468414149108,"tcp_flags":24,"src_as":131702,"dst_as":9657,"src_country":"ID","dst_country":"ID"}
time=2025-06-13T17:23:01.300+07:00 level=ERROR msg="error unmarshalling message" error="string field contains invalid UTF-8"
time=2025-06-13T17:23:01.301+07:00 level=ERROR msg="error unmarshalling message" error="string field contains invalid UTF-8"

alifgufron • Jun 13 '25 10:06

I'm observing the same issue. Any updates?

eoksum • Sep 30 '25 10:09