Problem with odd flows packets

Graylog Central (peer support)
1

Hello,

We have noticed that we are having errors with some ipfix packets:

    2020-11-16T09:48:05.819+01:00 ERROR [DecodingProcessor] Unable to decode raw message RawMessage{id=71afe1a0-27e8-11eb-8069-0050568b9832, journalOffset=3424360, codec=ipfix, payloadSize=144, timestamp=2020-11-16T08:48:05.818Z, remoteAddress=/XXX.XXX.XXX.XXX:1026} on input <5f73028496c3000b50cb395e>.
    2020-11-16T09:48:05.819+01:00 ERROR [DecodingProcessor] Error processing message RawMessage{id=71afe1a0-27e8-11eb-8069-0050568b9832, journalOffset=3424360, codec=ipfix, payloadSize=144, timestamp=2020-11-16T08:48:05.818Z, remoteAddress=/XXX.XXX.XXX.XXX:1026}
    java.lang.IndexOutOfBoundsException: readerIndex(50) + length(4) exceeds writerIndex(52): UnpooledHeapByteBuf(ridx: 50, widx: 52, cap: 52/52)
            at io.netty.buffer.AbstractByteBuf.checkReadableBytes0(AbstractByteBuf.java:1477) ~[graylog.jar:?]
            at io.netty.buffer.AbstractByteBuf.checkReadableBytes(AbstractByteBuf.java:1463) ~[graylog.jar:?]
            at io.netty.buffer.AbstractByteBuf.readBytes(AbstractByteBuf.java:896) ~[graylog.jar:?]
            at io.netty.buffer.AbstractByteBuf.readBytes(AbstractByteBuf.java:904) ~[graylog.jar:?]
            at org.graylog.integrations.ipfix.IpfixParser.parseDataSet(IpfixParser.java:430) ~[?:?]
            at org.graylog.integrations.ipfix.codecs.IpfixCodec.lambda$decodeMessages$3(IpfixCodec.java:206) ~[?:?]
            at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193) ~[?:1.8.0_272]
            at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1384) ~[?:1.8.0_272]
            at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:482) ~[?:1.8.0_272]
            at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472) ~[?:1.8.0_272]
            at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) ~[?:1.8.0_272]
            at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:1.8.0_272]
            at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:566) ~[?:1.8.0_272]
            at org.graylog.integrations.ipfix.codecs.IpfixCodec.decodeMessages(IpfixCodec.java:212) ~[?:?]
            at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:148) ~[graylog.jar:?]
            at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:91) [graylog.jar:?]
            at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:90) [graylog.jar:?]
            at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:47) [graylog.jar:?]
            at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
            at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
            at java.lang.Thread.run(Thread.java:748) [?:1.8.0_272]

After analyze the traffic with wireshark and comparing the received in the graylog with all the sended packets, we saw that the packets that throw errors are the packets that have an odd number of flows (1, 3, 5, etc). The packets that have a even number of flows are received and collected in graylog.

Can anyone help us with this issue?

Graylog version: 3.3.8

Thanks

2

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.