logstash-plugins/logstash-codec-netflow

Add option to ignore/automatically map unknown IPFIX fields

edmocosta opened this issue · 0 comments

This codec currently requires all received enterprise/flow set IDs to be mapped in the ipfix.yaml file. When it receives an unknown flow set ID, it fails to decode the whole event, even if that flow set ID definition is present in the exchanged template.

Citrix ADC, for example, has several custom flow set IDs (>200), which makes the mapping process complicated. The documentation of those IDs is normally incomplete, nonexistent, and hard to find.

Considering the plugin already processes the template and has access to its field lengths, it would be nice, if possible, to add an option to "allow unknown fields", so users wouldn't need to map all of them, even if they are not interested in such data.

The unknown field name could be mapped using a similar ipfix.yaml pattern:

<PEN>Unknown<flow set id> 

Example:

netscalerUnknown285
netscalerUnknown285
5992Unknown285 // use id as fallback when PEN name is unknown
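
One way the requested option could behave, as an added Ruby sketch that is not the codec's own code: it walks the template's field specifiers (RFC 7011), uses each field's length to step over unmapped fields instead of failing the event, and names them with the `<PEN>Unknown<id>` pattern. `KNOWN_FIELDS`, `PEN_NAMES`, the helper names and the sample bytes are constructed for illustration.

```ruby
# Constructed stand-ins for ipfix.yaml (assumptions, not the plugin's data).
KNOWN_FIELDS = { [0, 8] => ["sourceIPv4Address", ->(raw) { raw.unpack("C4").join(".") }] }.freeze
PEN_NAMES    = { 5951 => "netscaler" }.freeze
HEX          = ->(raw) { raw.unpack1("H*") } # unmapped fields are kept as raw hex

# Return n bytes at offset, or fail loudly on a short buffer.
def take_bytes(buf, offset, n)
  raise ArgumentError, "truncated input" if buf.bytesize < offset + n
  buf.byteslice(offset, n)
end

# Parse `count` field specifiers from the body of an IPFIX template record.
def parse_field_specifiers(bytes, count)
  offset = 0
  Array.new(count) do
    id, length = take_bytes(bytes, offset, 4).unpack("nn")
    enterprise = (id & 0x8000) != 0 # enterprise bit set: a 4-byte PEN follows
    pen = enterprise ? take_bytes(bytes, offset + 4, 4).unpack1("N") : 0
    offset += enterprise ? 8 : 4
    { id: id & 0x7FFF, length: length, pen: pen }
  end
end

# Mapped name and decoder if known, else "<PEN>Unknown<id>" (numeric PEN as fallback).
def name_and_decoder(spec)
  fallback = "#{PEN_NAMES.fetch(spec[:pen], spec[:pen])}Unknown#{spec[:id]}"
  KNOWN_FIELDS.fetch([spec[:pen], spec[:id]], [fallback, HEX])
end

# Decode one data record; the template length alone is enough to step over a field.
def decode_record(specs, data)
  offset = 0
  specs.each_with_object({}) do |spec, event|
    length = spec[:length]
    if length == 0xFFFF # variable length: 1-byte length, or 255 then a 2-byte length
      length = take_bytes(data, offset, 1).unpack1("C")
      offset += 1
      length, offset = take_bytes(data, offset, 2).unpack1("n"), offset + 2 if length == 255
    end
    name, decoder = name_and_decoder(spec)
    event[name] = decoder.call(take_bytes(data, offset, length))
    offset += length
  end
end

# Constructed sample: one mapped field, one unmapped field per PEN (fixed and variable length).
SAMPLE_TEMPLATE = [8, 4, 0x8000 | 285, 2, 5951, 0x8000 | 285, 0xFFFF, 5992].pack("nnnnNnnN")
SAMPLE_RECORD   = [192, 0, 2, 10, 1, 2, 3].pack("C7") + "abc"
p decode_record(parse_field_specifiers(SAMPLE_TEMPLATE, 3), SAMPLE_RECORD)
```

Keeping the raw bytes under a predictable name means the rest of the flow record still reaches the pipeline, and an unmapped field can be given a proper mapping later without losing events in the meantime.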