[netflow-tools] [PATCH] softflowd: Fix broken v9 flow creation for IPv6

Christoph Biedl netflow-tools.aguu at manchmal.in-ulm.de
Tue Feb 8 08:20:29 EST 2011


Hello,

Full story: To create flow information for IPv6 connections, too, I
had to switch to v9 flow creation. And soon saw error messages in
nfcapd which captures the flow datagrams like in:

nfcapd[31773]: Process_v9: Corrupt data flowset? Pad bytes: 6

Reading the files created by nfcapd using nfdump resulted in a lot of
garbage; and wireshark didn't show sound information, either.

Explanation (after a longer search):

In netflowd9.c:82 the number of records in the flow template is
defined as 11. The actual number of records is 13 (l.148-151 for
v4_template, l.180-183 for v6_template). So it's basically good luck
no exception is triggered when filling the template with these two
extra records (just two octets) as this either just affects padding
or the following variables without doing real harm.

A second reason for garbled data was caused by a copy'n'waste error in
lines 169-172.

Both were introduced in

changeset:   198:13176bb927c3
user:        djm
date:        Thu Oct 01 07:06:08 2009 +0000
summary:     - (djm) Support manual specification of an interface index to be used

Fix: See patch below. Works for me.

Cheers,

    Christoph

PS: On a side note, certain v9 flow datagrams seem to drive a squeezy
wireshark into a segmentation fault, I'm too tired to dig into this
right now.


--- a/netflow9.c
+++ b/netflow9.c
@@ -79,7 +79,7 @@ struct NF9_DATA_FLOWSET_HEADER {
 #define NF9_IP_PROTOCOL_VERSION		60

 /* Stuff pertaining to the templates that softflowd uses */
-#define NF9_SOFTFLOWD_TEMPLATE_NRECORDS	11
+#define NF9_SOFTFLOWD_TEMPLATE_NRECORDS	13
 struct NF9_SOFTFLOWD_TEMPLATE {
 	struct NF9_TEMPLATE_FLOWSET_HEADER h;
 	struct NF9_TEMPLATE_FLOWSET_RECORD r[NF9_SOFTFLOWD_TEMPLATE_NRECORDS];
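Review bot: the new value 13 in `#define NF9_SOFTFLOWD_TEMPLATE_NRECORDS` is still a hand-maintained count that sizes `r[NF9_SOFTFLOWD_TEMPLATE_NRECORDS]`, so the next field added in nf9_init_template() can write past the array again with no diagnostic. Please add a comment on the define saying it must equal the number of r[] entries filled in for both v4_template and v6_template, and consider a check in nf9_init_template() that the highest index written is NF9_SOFTFLOWD_TEMPLATE_NRECORDS - 1.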
@@ -167,10 +167,10 @@ nf9_init_template(void)
 	v6_template.r[4].length = htons(4);
 	v6_template.r[5].type = htons(NF9_IN_PACKETS);
 	v6_template.r[5].length = htons(4);
-	v4_template.r[6].type = htons(NF9_IF_INDEX_IN);
-	v4_template.r[6].length = htons(4);
-	v4_template.r[7].type = htons(NF9_IF_INDEX_OUT);
-	v4_template.r[7].length = htons(4);
+	v6_template.r[6].type = htons(NF9_IF_INDEX_IN);
+	v6_template.r[6].length = htons(4);
+	v6_template.r[7].type = htons(NF9_IF_INDEX_OUT);
+	v6_template.r[7].length = htons(4);
 	v6_template.r[8].type = htons(NF9_L4_SRC_PORT);
 	v6_template.r[8].length = htons(2);
 	v6_template.r[9].type = htons(NF9_L4_DST_PORT);
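Review bot: in the r[6] and r[7] lines the template name is spelled out on every assignment, which is how `v4_template` could sit unnoticed inside a run of `v6_template` lines. Suggest setting each record through a small helper that takes the template pointer, index, type and length, or filling both templates from one shared field table, so the fields common to both (NF9_IF_INDEX_IN, NF9_IF_INDEX_OUT, the L4 ports) are written once and cannot land in the wrong template.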
