Andreas Brillisauer -- Hetzner Online AG
2006-Jan-25 15:56 UTC
[netflow-tools] Does softflowd open a new flow for same IPs but different ports?
Hello,

I'm not quite sure about the following. Assume that softflowd captures two IP packets. Both packets have the same source and destination IP but different ports. Does softflowd open two flows or only one? If it opens two flows, is there a possibility to tell softflowd to ignore the ports?

Greetings,
Andreas

-- 
Hetzner Online AG
Industriestr. 6
D-91710 Gunzenhausen
Tel: +49 9831 610061
Fax: +49 9831 610062
E-Mail: info at hetzner.de
http://www.hetzner.de
Damien Miller
2006-Jan-26 00:01 UTC
[netflow-tools] Does softflowd open a new flow for same IPs but different ports?
Andreas Brillisauer -- Hetzner Online AG wrote:
> Hello,
>
> I'm not quite sure about the following. Assuming that softflowd captures
> two IP packets. Both packets have the same source and destination IP but
> different ports. Does softflowd open two flows or only one? If it opens
> two flows, is there a possibility to say softflowd to ignore the ports?

Not at present, but it could be added pretty easily.

Please try the attached patch. It may not apply cleanly against a released version of softflowd - if this is the case, please try a snapshot from http://www2.mindrot.org/softflowd_snap/

-d

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: softflowd-track.diff
Url: http://lists.mindrot.org/pipermail/netflow-tools/attachments/20060126/1a09f7c2/attachment.ksh
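The consolidation Andreas asks about, as an added example that is not softflowd's own code: a toy flow table in C that blanks the key fields outside the chosen tracking level before the lookup, which is the same idea the -T patch in this thread applies in process_packet(). The sample packets, the TRACK_* names, the single global tracker and the linear table are constructed for illustration; softflowd's real tree, timeouts and export path are not reproduced.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Tracking levels, named after the -T values discussed in this thread. */
enum track_level { TRACK_FULL = 1, TRACK_IP_PROTO = 2, TRACK_IP_ONLY = 3 };

struct flow_key {
    uint32_t src_ip, dst_ip;        /* IPv4 addresses, host byte order */
    uint8_t  protocol;              /* IP protocol number */
    uint16_t src_port, dst_port;    /* zero for protocols without ports */
};

struct flow {
    struct flow_key key;
    unsigned packets;
    uint8_t tcp_flags;              /* OR of all TCP flags seen on the flow */
};

#define MAX_FLOWS 64

struct tracker {
    enum track_level level;
    struct flow flows[MAX_FLOWS];   /* toy linear table; softflowd uses a tree */
    size_t nflows;
};

static struct tracker tracker;      /* one tracker, as the daemon has */

/* Blank out the key fields that are not part of the flow at this level,
 * before the lookup, so packets differing only in those fields hit the same
 * flow. TCP flags go with the ports: once ports are gone a "flow" spans many
 * connections, so per-connection FIN/RST no longer mean anything. */
static void normalise_key(struct flow_key *k, uint8_t *tcp_flags, enum track_level lvl)
{
    switch (lvl) {
    case TRACK_IP_ONLY:
        k->protocol = 0;
        /* FALLTHROUGH */
    case TRACK_IP_PROTO:
        k->src_port = k->dst_port = 0;
        *tcp_flags = 0;
        /* FALLTHROUGH */
    case TRACK_FULL:
        break;
    }
}

/* Field-wise compare: memcmp() would also compare struct padding bytes. */
static int key_equal(const struct flow_key *a, const struct flow_key *b)
{
    return a->src_ip == b->src_ip && a->dst_ip == b->dst_ip &&
           a->protocol == b->protocol &&
           a->src_port == b->src_port && a->dst_port == b->dst_port;
}

static struct flow *find_flow(struct tracker *t, const struct flow_key *k)
{
    for (size_t i = 0; i < t->nflows; i++)
        if (key_equal(&t->flows[i].key, k))
            return &t->flows[i];
    return NULL;
}

/* Returns 1 if a new flow was created, 0 if an existing flow was updated,
 * -1 if the table is full (softflowd would expire old flows instead). */
static int process_packet(struct tracker *t, struct flow_key k, uint8_t tcp_flags)
{
    struct flow *f;

    normalise_key(&k, &tcp_flags, t->level);
    if ((f = find_flow(t, &k)) != NULL) {
        f->packets++;
        f->tcp_flags |= tcp_flags;
        return 0;
    }
    if (t->nflows == MAX_FLOWS)
        return -1;
    f = &t->flows[t->nflows++];
    f->key = k;
    f->packets = 1;
    f->tcp_flags = tcp_flags;
    return 1;
}

/* Constructed sample traffic (not a real capture): 10.0.0.1 talking to
 * 10.0.0.2 on several ports and protocols, plus one packet to 10.0.0.3. */
static const struct { struct flow_key k; uint8_t tcp_flags; } SAMPLE[] = {
    { { 0x0A000001, 0x0A000002,  6, 40001,  80 }, 0x02 }, /* TCP SYN -> :80   */
    { { 0x0A000001, 0x0A000002,  6, 40001,  80 }, 0x10 }, /* TCP ACK -> :80   */
    { { 0x0A000001, 0x0A000002,  6, 40002, 443 }, 0x02 }, /* TCP SYN -> :443  */
    { { 0x0A000001, 0x0A000002,  6, 40002, 443 }, 0x04 }, /* TCP RST -> :443  */
    { { 0x0A000001, 0x0A000002, 17,  5353,  53 }, 0x00 }, /* UDP DNS query    */
    { { 0x0A000001, 0x0A000003,  6, 40003,  22 }, 0x02 }, /* SYN to other host */
};

/* Feed the sample through a reset tracker at the given level and return the
 * number of distinct flows that resulted. */
size_t run_sample(enum track_level lvl, struct tracker *t)
{
    memset(t, 0, sizeof *t);
    t->level = lvl;
    for (size_t i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++)
        process_packet(t, SAMPLE[i].k, SAMPLE[i].tcp_flags);
    return t->nflows;
}

int main(void)
{
    static const char *names[] = { "", "full", "proto", "ip" };

    for (int lvl = TRACK_FULL; lvl <= TRACK_IP_ONLY; lvl++) {
        printf("-T %-5s -> %zu flows:", names[lvl],
               run_sample((enum track_level)lvl, &tracker));
        for (size_t i = 0; i < tracker.nflows; i++)
            printf(" [proto %u %u->%u pkts %u flags 0x%02x]",
                   (unsigned)tracker.flows[i].key.protocol,
                   (unsigned)tracker.flows[i].key.src_port,
                   (unsigned)tracker.flows[i].key.dst_port,
                   tracker.flows[i].packets, (unsigned)tracker.flows[i].tcp_flags);
        printf("\n");
    }
    return 0;
}
```

Build with `cc -Wall -o trackdemo trackdemo.c && ./trackdemo`. The same six packets give four flows at `full`, three at `proto` and two at `ip`, and the RST seen on the :443 connection survives only at `full`; at the coarser levels the flag is blanked before it reaches the flow, so a consolidated flow can only be expired by the general timeouts, never by an RST or FIN.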
Andreas Brillisauer -- Hetzner Online AG
2006-Feb-01 10:00 UTC
[netflow-tools] Does softflowd open a new flow for same IPs but different ports?
Damien Miller wrote:
> Not at present, but it could be added pretty easily.
>
> Please try the attached patch. It may not apply cleanly against a
> released version of softflowd - if this is the case, please try a
> snapshot from http://www2.mindrot.org/softflowd_snap/

I tried to patch the following snapshots

softflowd-SNAP-20060201.tar.gz
softflowd-SNAP-20060131.tar.gz
softflowd-SNAP-20060130.tar.gz

But I get the same error with all three snapshots regarding softflowd.c

---8<------------------------------------------------------------------
debian:~/softflowd/softflowd-SNAP-20060130# patch softflowd.c softflowd.c.patch
patching file softflowd.c
Hunk #1 FAILED at 538.
Hunk #2 FAILED at 1376.
Hunk #3 FAILED at 1422.
Hunk #4 FAILED at 1677.
4 out of 4 hunks FAILED -- saving rejects to file softflowd.c.rej
---8<------------------------------------------------------------------

Greetings,
Andreas

These are your attached patches:
> Index: softflowd.8 > ==================================================================> RCS file: /var/cvs/softflowd/softflowd.8,v > retrieving revision 1.16 > diff -u -p -r1.16 softflowd.8 > --- softflowd.8 10 Jan 2005 01:50:07 -0000 1.16 > +++ softflowd.8 25 Jan 2006 23:59:34 -0000 > @@ -40,6 +40,7 @@ > .Op Fl p Ar pidfile > .Op Fl c Ar ctl_sock > .Op Fl L Ar hoplimit > +.Op Fl T Ar track_level > .Op bpf_program > .Sh DESCRIPTION > .Nm 
> @@ -196,6 +197,24 @@ Sets the IPv4 TTL or the IPv6 hop limit > will use the default system TTL when exporting flows to a unicast host. > When exporting to a multicast group, the default TTL will be 1 > (i.e. link-local). > +.It Fl T Ar track_level > +Specifies what flow elements > +.Nm > +should be used to define a flow. > +.Ar track_level > +may be one of: > +.Dq full > +(track everything in the flow, the default), > +.Dq proto > +(track source and destination addresses and protocol), or > +.Dq ip > +(only track source and destination addresses). > +Selecting either of the latter options will produce flows with less information > +in them (e.g. TCP/UDP ports will not be recorded). > +This will cause flows to be consolidated, reducing the quantity of output > +and CPU load that > +.Nm > +will place on the system at the cost of some detail. > .El > .Pp > Any further commandline arguments will be concatenated together and > Index: softflowd.c > ==================================================================> RCS file: /var/cvs/softflowd/softflowd.c,v > retrieving revision 1.87 > diff -u -p -r1.87 softflowd.c > --- softflowd.c 25 Jan 2006 23:25:04 -0000 1.87 > +++ softflowd.c 25 Jan 2006 23:50:06 -0000 > @@ -538,6 +538,19 @@ process_packet(struct FLOWTRACK *ft, con > if (frag) > ft->frag_packets++; > > + /* Zero out bits of the flow that aren''t relevant to tracking level */ > + switch (ft->track_level) { > + case TRACK_IP_ONLY: > + tmp.protocol = 0; > + /* FALLTHROUGH */ > + case TRACK_IP_PROTO: > + tmp.port[0] = tmp.port[1] = 0; > + tmp.tcp_flags[0] = tmp.tcp_flags[1] = 0; > + /* FALLTHROUGH */ > + case TRACK_FULL: > + break; > + } > + > /* If a matching flow does not exist, create and insert one */ > if ((flow = FLOW_FIND(FLOWS, &ft->flows, &tmp)) == NULL) { > /* Allocate and fill in the flow */ 
> @@ -1363,6 +1376,8 @@ init_flowtrack(struct FLOWTRACK *ft) > FLOW_INIT(&ft->flows); > EXPIRY_INIT(&ft->expiries); > > + ft->track_level = TRACK_FULL; > + > ft->tcp_timeout = DEFAULT_TCP_TIMEOUT; > ft->tcp_rst_timeout = DEFAULT_TCP_RST_TIMEOUT; > ft->tcp_fin_timeout = DEFAULT_TCP_FIN_TIMEOUT; 
> @@ -1407,20 +1422,21 @@ usage(void) > { > fprintf(stderr, "Usage: %s [options] [bpf_program]\n", PROGNAME); > fprintf(stderr, "This is %s version %s. Valid commandline options:\n", PROGNAME, PROGVER); > - fprintf(stderr, " -i interface Specify interface to listen on\n"); > - fprintf(stderr, " -r pcap_file Specify packet capture file to read\n"); > - fprintf(stderr, " -t timeout=time Specify named timeout\n"); > - fprintf(stderr, " -m max_flows Specify maximum number of flows to track (default %d)\n", DEFAULT_MAX_FLOWS); > - fprintf(stderr, " -n host:port Send Cisco NetFlow(tm)-compatible packets to host:port\n"); > - fprintf(stderr, " -p pidfile Record pid in specified file (default: %s)\n", DEFAULT_PIDFILE); > - fprintf(stderr, " -c pidfile Location of control socket (default: %s)\n", DEFAULT_CTLSOCK); > - fprintf(stderr, " -v 1|5|9 NetFlow export packet version\n"); > - fprintf(stderr, " -L hoplimit Set TTL/hoplimit for export datagrams\n"); > - fprintf(stderr, " -6 Track IPv6 flows, regardless of whether selected \n" > - " NetFlow export protocol supports it\n"); > - fprintf(stderr, " -d Don''t daemonise\n"); > - fprintf(stderr, " -D Debug mode: don''t daemonise + verbosity + track v6 flows\n"); > - fprintf(stderr, " -h Display this help\n"); > + fprintf(stderr, " -i interface Specify interface to listen on\n"); > + fprintf(stderr, " -r pcap_file Specify packet capture file to read\n"); > + fprintf(stderr, " -t timeout=time Specify named timeout\n"); > + fprintf(stderr, " -m max_flows Specify maximum number of flows to track (default %d)\n", DEFAULT_MAX_FLOWS); > + fprintf(stderr, " -n host:port Send Cisco NetFlow(tm)-compatible packets to host:port\n"); > + fprintf(stderr, " -p pidfile Record pid in specified file (default: %s)\n", DEFAULT_PIDFILE); > + fprintf(stderr, " -c pidfile Location of control socket (default: %s)\n", DEFAULT_CTLSOCK); > + fprintf(stderr, " -v 1|5|9 NetFlow export packet version\n"); > + fprintf(stderr, " -L hoplimit Set TTL/hoplimit 
for export datagrams\n"); > + fprintf(stderr, " -T full|proto|ip Set flow tracking level (default: full)\n"); > + fprintf(stderr, " -6 Track IPv6 flows, regardless of whether selected \n" > + " NetFlow export protocol supports it\n"); > + fprintf(stderr, " -d Don''t daemonise\n"); > + fprintf(stderr, " -D Debug mode: don''t daemonise + verbosity + track v6 flows\n"); > + fprintf(stderr, " -h Display this help\n"); > fprintf(stderr, "\n"); > fprintf(stderr, "Valid timeout names and default values:\n"); > fprintf(stderr, " tcp (default %6d)", DEFAULT_TCP_TIMEOUT); > @@ -1661,6 +1677,19 @@ main(int argc, char **argv) > case ''t'': > /* Will exit on failure */ > set_timeout(&flowtrack, optarg); > + break; > + case ''T'': > + if (strcasecmp(optarg, "full") == 0) > + flowtrack.track_level = TRACK_FULL; > + else if (strcasecmp(optarg, "proto") == 0) > + flowtrack.track_level = TRACK_IP_PROTO; > + else if (strcasecmp(optarg, "ip") == 0) > + flowtrack.track_level = TRACK_IP_ONLY; > + else { > + fprintf(stderr, "Unknown flow tracking level\n"); > + usage(); > + exit(1); > + } > break; > case ''L'': > hoplimit = atoi(optarg); > Index: softflowd.h > ==================================================================> RCS file: /var/cvs/softflowd/softflowd.h,v > retrieving revision 1.8 > diff -u -p -r1.8 softflowd.h > --- softflowd.h 5 May 2005 03:31:42 -0000 1.8 > +++ softflowd.h 25 Jan 2006 23:39:53 -0000 > @@ -66,6 +66,11 @@ struct STATISTIC { > double min, mean, max; > }; > > +/* Flow tracking levels */ > +#define TRACK_FULL 1 /* src/dst/addr/port/proto 5-tuple */ > +#define TRACK_IP_PROTO 2 /* src/dst/proto 3-tuple */ > +#define TRACK_IP_ONLY 3 /* src/dst tuple */ > + > /* > * This structure is the root of the flow tracking system. > * It holds the root of the tree of active flows and the head of the 
> @@ -81,7 +86,8 @@ struct FLOWTRACK { > > /* Stuff related to flow export */ > struct timeval system_boot_time; /* SysUptime */ > - > + int track_level; /* See TRACK_* above */ > + > /* Flow timeouts */ > int tcp_timeout; /* Open TCP connections */ > int tcp_rst_timeout; /* TCP flows after RST */
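Review bot: in the main() hunk of softflowd.c, the new `case 'T':` has no matching `T:` in the getopt() option string, which this diff does not touch, so getopt rejects the option as `invalid option -- T` before the new case is ever reached; `T:` needs to be added to the optstring next to `L:`. (The one-line follow-up patch later in this thread makes exactly that change, after the snapshot had already shipped without it.)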
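Review bot: in the process_packet() hunk of softflowd.c, the TRACK_IP_PROTO case also clears `tmp.tcp_flags[0] = tmp.tcp_flags[1] = 0;`, so a consolidated flow never accumulates SYN/FIN/RST and the tcp_rst_timeout / tcp_fin_timeout set up in init_flowtrack() can never fire for it; such flows expire only through the general tcp and maxlife timeouts. That is defensible (a 3-tuple "flow" spans many connections), but it deserves a comment at the switch and a sentence in the man page, since the timeouts silently change meaning under -T proto / -T ip. In the TRACK_IP_ONLY case the exported record will also carry protocol 0, which is the IANA number for HOPOPT rather than a wildcard, so collectors will show it as that; worth documenting too.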
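Review bot: in the second softflowd.8 hunk, "Specifies what flow elements .Nm should be used to define a flow" should read "should use to define a flow". The list of dropped detail ("e.g. TCP/UDP ports will not be recorded") should also mention TCP flags, because the code clears them at the same level as the ports.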
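Review bot: the usage() hunk of softflowd.c re-indents every existing option line to fit one new `-T full|proto|ip` line, so the hunk is almost entirely whitespace churn and the real change is hard to spot; either keep the old column width or commit the reindent separately. While here, `-c pidfile Location of control socket` should read `-c ctl_sock ...` to match `.Op Fl c Ar ctl_sock` in the man page hunk.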
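Review bot: in the struct FLOWTRACK hunk of softflowd.h, `int track_level` lands under the `/* Stuff related to flow export */` comment although it controls tracking, not export; move it next to the flow timeouts or give it its own comment. In the TRACK_* defines, `src/dst/addr/port/proto 5-tuple` reads oddly; `src/dst addr, port and proto (5-tuple)` says what is meant. Making these an enum instead of #defines would also let the compiler warn if the switch in process_packet() ever misses a level.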
Damien Miller
2006-Feb-11 11:28 UTC
[netflow-tools] Does softflowd open a new flow for same IPs but different ports?
On Wed, 1 Feb 2006, Andreas Brillisauer -- Hetzner Online AG wrote:
> Damien Miller wrote:
> > Not at present, but it could be added pretty easily.
> >
> > Please try the attached patch. It may not apply cleanly against a
> > released version of softflowd - if this is the case, please try a
> > snapshot from http://www2.mindrot.org/softflowd_snap/
>
> I tried to patch the following snapshots
>
> softflowd-SNAP-20060201.tar.gz
> softflowd-SNAP-20060131.tar.gz
> softflowd-SNAP-20060130.tar.gz
>
> But I get the same error with all three snapshots regarding softflowd.c

Try tonight's snapshot, I just committed the change.

-d
Andreas Brillisauer -- Hetzner Online AG
2006-Feb-13 16:15 UTC
[netflow-tools] Does softflowd open a new flow for same IPs but different ports?
Damien Miller wrote:
> Try tonight's snapshot, I just committed the change.

I just tried snapshot softflowd-SNAP-20060214.tar.gz but the -T option doesn't work. Here is what I did:

---8<------------------------------------------------------------------
# /usr/local/sbin/softflowd -i eth2 -t maxlife=300 -m 8388608 -T ip -n 127.0.0.1:9000
/usr/local/sbin/softflowd: invalid option -- T
Invalid commandline option.
[...]
---8<------------------------------------------------------------------

Greetings,
Andreas

-- 
Hetzner Online AG
Industriestr. 6
D-91710 Gunzenhausen
Tel: +49 9831 610061
Fax: +49 9831 610062
E-Mail: info at hetzner.de
http://www.hetzner.de
Damien Miller
2006-Feb-13 20:47 UTC
[netflow-tools] Does softflowd open a new flow for same IPs but different ports?
On Mon, 13 Feb 2006, Andreas Brillisauer -- Hetzner Online AG wrote:
> Damien Miller wrote:
> > Try tonight's snapshot, I just committed the change.
>
> I just tried snapshot softflowd-SNAP-20060214.tar.gz but the -T option
> doesn't work.

oops, please apply this patch:

Index: softflowd.c ==================================================================RCS file: /var/cvs/softflowd/softflowd.c,v retrieving revision 1.88 diff -u -p -r1.88 softflowd.c --- softflowd.c 11 Feb 2006 11:27:38 -0000 1.88 +++ softflowd.c 13 Feb 2006 20:46:42 -0000 @@ -1641,7 +1641,7 @@ main(int argc, char **argv) ctlsock_path = DEFAULT_CTLSOCK; dontfork_flag = 0; always_v6 = 0; - while ((ch = getopt(argc, argv, "6hdDL:i:r:f:t:n:m:p:c:v:")) != -1) { + while ((ch = getopt(argc, argv, "6hdDL:T:i:r:f:t:n:m:p:c:v:")) != -1) { switch (ch) { case ''6'': always_v6 = 1;
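Review bot: the optstring fix is right, and `T:` now sits beside `L:` where the switch already handles it. Since a switch case without its optstring letter slipped through the first commit and reached a snapshot, it is worth a quick pass to confirm every `case` letter in main()'s switch has an entry in the getopt string and vice versa; in particular the string also carries `f:`, which the usage() text in the earlier patch does not list, so either `-f` is undocumented or the letter is stale.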