Christoph Biedl
2011-Feb-07 21:20 UTC
[netflow-tools] [PATCH] softflowd: Fix broken v9 flow creation for IPv6
Hello,

Full story: To create flow information for IPv6 connections, too, I
had to switch to v9 flow creation. And soon saw error messages in
nfcapd which captures the flow datagrams like in:

nfcapd[31773]: Process_v9: Corrupt data flowset? Pad bytes: 6

Reading the files created by nfcapd using nfdump resulted in a lot of
garbage; and wireshark didn't show sound information, either.

Explanation (after a longer search):

In netflowd9.c:82 the number of records in the flow template is
defined as 11. The actual number of records is 13 (l.148-151 for
v4_template, l.180-183 for v6_template). So it's basically good luck
no exception is triggered when filling the template with these two
extra records (just two octets) as this either just affects padding
or the following variables without doing real harm.

A second reason for garbled data was caused by a copy'n'waste error in
lines 169-172.

Both were introduced in

changeset: 198:13176bb927c3
user: djm
date: Thu Oct 01 07:06:08 2009 +0000
summary: - (djm) Support manual specification of an interface index to be used

Fix: See patch below. Works for me.

Cheers,

Christoph

PS: On a side note, certain v9 flow datagrams seem to drive a squeezy
wireshark into a segmentation fault, I'm too tired to dig into this
right now.

--- a/netflow9.c +++ b/netflow9.c @@ -79,7 +79,7 @@ struct NF9_DATA_FLOWSET_HEADER { #define NF9_IP_PROTOCOL_VERSION 60 /* Stuff pertaining to the templates that softflowd uses */ -#define NF9_SOFTFLOWD_TEMPLATE_NRECORDS 11 +#define NF9_SOFTFLOWD_TEMPLATE_NRECORDS 13 struct NF9_SOFTFLOWD_TEMPLATE { struct NF9_TEMPLATE_FLOWSET_HEADER h; struct NF9_TEMPLATE_FLOWSET_RECORD r[NF9_SOFTFLOWD_TEMPLATE_NRECORDS]; 
@@ -167,10 +167,10 @@ nf9_init_template(void) v6_template.r[4].length = htons(4); v6_template.r[5].type = htons(NF9_IN_PACKETS); v6_template.r[5].length = htons(4); - v4_template.r[6].type = htons(NF9_IF_INDEX_IN); - v4_template.r[6].length = htons(4); - v4_template.r[7].type = htons(NF9_IF_INDEX_OUT); - v4_template.r[7].length = htons(4); + v6_template.r[6].type = htons(NF9_IF_INDEX_IN); + v6_template.r[6].length = htons(4); + v6_template.r[7].type = htons(NF9_IF_INDEX_OUT); + v6_template.r[7].length = htons(4); v6_template.r[8].type = htons(NF9_L4_SRC_PORT); v6_template.r[8].length = htons(2); v6_template.r[9].type = htons(NF9_L4_DST_PORT);
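Review bot: NF9_SOFTFLOWD_TEMPLATE_NRECORDS in the first hunk (@@ -79,7) stays a hand-maintained literal, and nothing in the visible lines ties it to the number of r[] entries that nf9_init_template() assigns, so the next added field can run past r[] in the same way. Add a comment on the define that names nf9_init_template() as the place it must match, or derive the count from a field table and check it at build time.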
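Review bot: in the second hunk (nf9_init_template, v6 block) every line still repeats the template name and a literal index, which is the pattern that let v4_template.r[6] and v4_template.r[7] sit inside the v6 section while the removed lines assigned nothing to v6_template.r[6] and r[7]. Consider filling both templates through one helper that takes the template pointer, and since this is a separate defect from the record count, say so in the commit message or split it into its own commit.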
Hitoshi Irino
2011-Oct-10 08:41 UTC
[netflow-tools] [PATCH] softflowd: Fix broken v9 flow creation for IPv6
Hello Christoph,

I committed (hg commit & push) this patch to Google Code on September 21st.

Thanks,
Hitoshi Irino

(2011/02/08 06:20), Christoph Biedl wrote:
> Hello,
>
> Full story: To create flow information for IPv6 connections, too, I
> had to switch to v9 flow creation. And soon saw error messages in
> nfcapd which captures the flow datagrams like in:
>
> nfcapd[31773]: Process_v9: Corrupt data flowset? Pad bytes: 6
>
> Reading the files created by nfcapd using nfdump resulted in a lot of
> garbage; and wireshark didn't show sound information, either.
>
> Explanation (after a longer search):
>
> In netflowd9.c:82 the number of records in the flow template is
> defined as 11. The actual number of records is 13 (l.148-151 for
> v4_template, l.180-183 for v6_template). So it's basically good luck
> no exception is triggered when filling the template with these two
> extra records (just two octets) as this either just affects padding
> or the following variables without doing real harm.
>
> A second reason for garbled data was caused by a copy'n'waste error in
> lines 169-172.
>
> Both were introduced in
>
> changeset: 198:13176bb927c3
> user: djm
> date: Thu Oct 01 07:06:08 2009 +0000
> summary: - (djm) Support manual specification of an interface index to be used
>
> Fix: See patch below. Works for me.
>
> Cheers,
>
> Christoph
>
> PS: On a side note, certain v9 flow datagrams seem to drive a squeezy
> wireshark into a segmentation fault, I'm too tired to dig into this
> right now.
>
>
> --- a/netflow9.c > +++ b/netflow9.c > @@ -79,7 +79,7 @@ struct NF9_DATA_FLOWSET_HEADER { > #define NF9_IP_PROTOCOL_VERSION 60 > > /* Stuff pertaining to the templates that softflowd uses */ > -#define NF9_SOFTFLOWD_TEMPLATE_NRECORDS 11 > +#define NF9_SOFTFLOWD_TEMPLATE_NRECORDS 13 > struct NF9_SOFTFLOWD_TEMPLATE { > struct NF9_TEMPLATE_FLOWSET_HEADER h; > struct NF9_TEMPLATE_FLOWSET_RECORD r[NF9_SOFTFLOWD_TEMPLATE_NRECORDS]; 
> @@ -167,10 +167,10 @@ nf9_init_template(void) > v6_template.r[4].length = htons(4); > v6_template.r[5].type = htons(NF9_IN_PACKETS); > v6_template.r[5].length = htons(4); > - v4_template.r[6].type = htons(NF9_IF_INDEX_IN); > - v4_template.r[6].length = htons(4); > - v4_template.r[7].type = htons(NF9_IF_INDEX_OUT); > - v4_template.r[7].length = htons(4); > + v6_template.r[6].type = htons(NF9_IF_INDEX_IN); > + v6_template.r[6].length = htons(4); > + v6_template.r[7].type = htons(NF9_IF_INDEX_OUT); > + v6_template.r[7].length = htons(4); > v6_template.r[8].type = htons(NF9_L4_SRC_PORT); > v6_template.r[8].length = htons(2); > v6_template.r[9].type = htons(NF9_L4_DST_PORT); > > > > > _______________________________________________ > netflow-tools mailing list > netflow-tools at mindrot.org > https://lists.mindrot.org/mailman/listinfo/netflow-tools
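
Added example, not part of the thread and not softflowd's code: one way to keep the record count discussed above from drifting away from the fields actually written is to derive it from a field table, with a receiver-side check that the declared count accounts for the template flowset length. The nf9_* names and the field list are assumptions (entries 4-9 follow the patch context, the rest are constructed), and a single unpadded template per flowset is assumed.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct nf9_field { uint16_t type, length; };   /* stored in network byte order */
struct nf9_tmpl_hdr { uint16_t flowset_id, length, template_id, count; };

/* Constructed IPv6 field list (RFC 3954 type numbers). Entries 4-9 follow
 * the patch context; the others are assumed for illustration. */
static const struct nf9_field V6_FIELDS[] = {
    {27, 16}, {28, 16},          /* IPv6 source, destination address */
    {21, 4},  {22, 4},           /* last, first switched */
    {1, 4},   {2, 4},            /* in bytes, in packets */
    {10, 4},  {14, 4},           /* input, output interface index */
    {7, 2},   {11, 2},           /* L4 source, destination port */
    {4, 1},   {6, 1},  {60, 1},  /* protocol, TCP flags, IP version */
};
/* The count comes from the table, so it cannot disagree with it. */
#define V6_NFIELDS (sizeof(V6_FIELDS) / sizeof(V6_FIELDS[0]))

struct nf9_tmpl { struct nf9_tmpl_hdr h; struct nf9_field r[V6_NFIELDS]; };

/* Fill the template from the table; returns the data record length in bytes. */
size_t nf9_build_v6(struct nf9_tmpl *t, uint16_t template_id)
{
    size_t rec_len = 0;
    for (size_t i = 0; i < V6_NFIELDS; i++) {
        t->r[i].type = htons(V6_FIELDS[i].type);
        t->r[i].length = htons(V6_FIELDS[i].length);
        rec_len += V6_FIELDS[i].length;
    }
    t->h.flowset_id = htons(0);                 /* 0 = template flowset */
    t->h.length = htons((uint16_t)sizeof(*t));
    t->h.template_id = htons(template_id);
    t->h.count = htons((uint16_t)V6_NFIELDS);
    return rec_len;
}

/* Receiver-side check: 1 if the declared count accounts for the flowset length. */
int nf9_tmpl_consistent(const void *buf, size_t len)
{
    struct nf9_tmpl_hdr h;
    if (len < sizeof(h)) return 0;
    memcpy(&h, buf, sizeof(h));
    size_t declared = ntohs(h.length);
    if (declared > len) return 0;
    return declared == sizeof(h) + (size_t)ntohs(h.count) * sizeof(struct nf9_field);
}
```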