Store IP addresses (v4 + v6) as strings rather than ints

bitkeks · bitkeks · commit 1646a52f17c5 · 2019-11-03T13:35:32.000+01:00
As mentioned by @pR0Ps in https://github.com/bitkeks/python-netflow-v9-softflowd/blame/6b9d20c8a6e2145aa2bd3c094b1f18fe31794555/analyze_json.py#L83 IP addresses, especially in IPv6, should better be stored as parsed strings instead of their raw integer values. Implemented.
diff --git a/analyze_json.py b/analyze_json.py
@@ -80,14 +80,9 @@ def __repr__(self):
 
     @staticmethod
     def get_ips(flow):
-        # TODO: These values should be parsed into strings in the collection phase.
-        #       The floating point representation of an IPv6 address in JSON
-        #       could lose precision.
-
         # IPv4
-        if flow.get('IP_PROTOCOL_VERSION') == 4 \
-                or 'IPV4_SRC_ADDR' in flow \
-                or 'IPV4_DST_ADDR' in flow:
+        if flow.get('IP_PROTOCOL_VERSION') == 4 or \
+                'IPV4_SRC_ADDR' in flow or 'IPV4_DST_ADDR' in flow:
             return Pair(
                 ipaddress.ip_address(flow['IPV4_SRC_ADDR']),
                 ipaddress.ip_address(flow['IPV4_DST_ADDR'])
diff --git a/netflow/v9.py b/netflow/v9.py
@@ -13,6 +13,7 @@
 Licensed under MIT License. See LICENSE.
 """
 
+import ipaddress
 import struct
 
 
@@ -200,7 +201,6 @@ def __init__(self, data, templates):
             for field in template.fields:
                 flen = field.field_length
                 fkey = FIELD_TYPES[field.field_type]
-                fdata = None
 
                 # The length of the value byte slice is defined in the template
                 dataslice = data[offset:offset+flen]
@@ -210,7 +210,16 @@ def __init__(self, data, templates):
                 for idx, byte in enumerate(reversed(bytearray(dataslice))):
                     fdata += byte << (idx * 8)
 
-                new_record.data[fkey] = fdata
+                # Special handling of IP addresses to convert integers to strings to not lose precision in dump
+                if fkey in ["IPV4_SRC_ADDR", "IPV4_DST_ADDR", "IPV6_SRC_ADDR", "IPV6_DST_ADDR"]:
+                    try:
+                        ip = ipaddress.ip_address(fdata)
+                    except ValueError:
+                        print("IP address could not be parsed: {}".format(fdata))
+                        continue
+                    new_record.data[fkey] = ip.compressed
+                else:
+                    new_record.data[fkey] = fdata
 
                 offset += flen
 
