
missing ip ttl/ip frag #580

Open
thezoggy opened this issue Nov 11, 2024 · 3 comments

Comments

@thezoggy
Contributor

thezoggy commented Nov 11, 2024

running latest from git

nfdump -V
nfdump: Version: 1.7.5-ad15f25 Options: ZSTD BZIP2 Date: 2024-11-10 15:01:17 +0100

Saw an alert about fragments to a host in one system and was curious to see what nfsen/nfdump saw.
I do not see any IP fragment or IP TTL info. Tried using fmt output or raw output:

nfdump -r nfcapd.202411111915 -o "fmt:%ts %td %pr %sap -> %dap %pkt %byt %fl %frag %ttl"

nfdump -r nfcapd.202411111915 -o raw

Per the nfdump source I see that it should show the info... but is there some sort of requirement before it is exposed?

BTW, trying to nfanon file in place fails but works if giving it a new name:

hexdump -vn16 -e'4/4 "%08X" 1 "\n"' /dev/urandom
02DF10C55CC176868C6824050FDB83B2

nfanon -r nfcapd.202411111915 -K 02DF10C55CC176868C6824050FDB83B2
/rename() error in nfanon.c line 249: Bad address

~ hangs until break out with ^C
~ removed nfcapd.202411111915-tmp

nfanon -r nfcapd.202411111915 -K 02DF10C55CC176868C6824050FDB83B2 -w nfcapd.202411111915-anon
/1 Processing nfcapd.202411111915
Done
Processed 1 files

providing sample output data:

nfdump -r nfcapd.202411111915-anon -c5 -o "fmt:%ts %td %pr %sap -> %dap %pkt %byt %fl %frag %ttl"
Date first seen         Duration         Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows Frag TTL
2024-11-11 19:18:46.784     00:00:00.000 UDP       223.40.61.53:11200 ->      60.9.66.250:57352    10000    1.1 M     1 ----   0
2024-11-11 19:18:49.088     00:00:00.000 UDP       37.119.82.45:53    ->     41.88.116.13:34850    10000   700000     1 ----   0
2024-11-11 19:18:50.368     00:00:00.000 UDP         68.0.221.1:53    ->  200.132.100.254:11487    10000    4.9 M     1 ----   0
2024-11-11 19:18:24.512     00:00:23.040 TCP     167.230.97.233:80    ->    52.243.243.29:22908    30000   44.4 M     1 ----   0
2024-11-11 19:18:49.856     00:00:00.000 TCP        29.11.80.37:443   ->      29.11.79.61:23811    10000   13.7 M     1 ----   0
Summary: total flows: 5, total bytes: 64.8 M, total packets: 70000, avg bps: 20.0 M, avg pps: 2707, avg bpp: 925
Time window: 2024-11-07 22:05:49 - 2024-11-11 19:19:58, Duration: 3d 21:14:09.000
Total records processed: 5, passed: 22886, Blocks skipped: 0, Bytes read: 4194008
Sys: 0.4662s User: 0.7534s Wall: 0.0117s flows/second: 425.8 Runtime: 0.0118s

nfdump -r nfcapd.202411111915-anon -c5 -o raw

Flow Record: 
  RecordCount  =                 75
  Flags        =               0x06 NETFLOW v10 Anonymized, Sampled
  Elements     =                  9: 1 2 4 6 7 8 10 12 38 
  size         =                180
  engine type  =                  0
  engine ID    =                  0
  export sysid =                 22
  first        =      1731352726784 [2024-11-11 19:18:46.784]
  last         =      1731352726784 [2024-11-11 19:18:46.784]
  received at  =      1731352745974 [2024-11-11 19:19:05.974]
  proto        =                 17 UDP
  tcp flags    =               0x00 ........
  src port     =              11200
  dst port     =              57352
  src tos      =                  0
  fwd status   =                  0
  in packets   =              10000
  in bytes     =            1130000
  src addr     =       223.40.61.53: AS/KR/Seoul long/lat: 37.5794/126.9754
  dst addr     =        60.9.66.250: AS/CN/China long/lat: 34.7732/113.7220
  input        =               1035
  output       =               1525
  src mask     =                 23 223.40.60.0/23
  dst mask     =                 16 60.9.0.0/16
  dst tos      =                  0
  direction    =                255
  biFlow Dir   =               0x00 
  end reason   =               0x01 idle timeout
  src vlan     =                  0
  dst vlan     =                  0
  src as       =               9644
  dst as       =               4837
  bgp next hop =      254.231.61.89
  ip next hop  =      0.122.205.243
  ip exporter  =       0.122.207.90
  vlanID       =                  0
  post vlanID  =                  0
  custID       =                  0
  post custID  =                  0
  ingress IfID =                  0
  egress IfID  =                  0
  ethertype    =             0x0000
  IP version   =                  4

Flow Record: 
  RecordCount  =                 76
  Flags        =               0x06 NETFLOW v10 Anonymized, Sampled
  Elements     =                  9: 1 2 4 6 7 8 10 12 38 
  size         =                180
  engine type  =                  0
  engine ID    =                  0
  export sysid =                 22
  first        =      1731352729088 [2024-11-11 19:18:49.088]
  last         =      1731352729088 [2024-11-11 19:18:49.088]
  received at  =      1731352745979 [2024-11-11 19:19:05.979]
  proto        =                 17 UDP
  tcp flags    =               0x00 ........
  src port     =                 53
  dst port     =              34850
  src tos      =                  0
  fwd status   =                  0
  in packets   =              10000
  in bytes     =             700000
  src addr     =       37.119.82.45: EU/IT/Rome long/lat: 41.8904/12.5126
  dst addr     =       41.88.116.13
  input        =               1297
  output       =               1525
  src mask     =                 24 37.119.82.0/24
  dst mask     =                 22 41.88.116.0/22
  dst tos      =                  0
  direction    =                255
  biFlow Dir   =               0x00 
  end reason   =               0x01 idle timeout
  src vlan     =               1326
  dst vlan     =                  0
  src as       =              30722
  dst as       =                  0
  bgp next hop =     175.16.145.177
  ip next hop  =      0.122.205.243
  ip exporter  =       0.122.207.90
  vlanID       =                  0
  post vlanID  =                  0
  custID       =                  0
  post custID  =                  0
  ingress IfID =                  0
  egress IfID  =                  0
  ethertype    =             0x0000
  IP version   =                  4

Flow Record: 
  RecordCount  =                 77
  Flags        =               0x06 NETFLOW v10 Anonymized, Sampled
  Elements     =                  9: 1 2 4 6 7 8 10 12 38 
  size         =                180
  engine type  =                  0
  engine ID    =                  0
  export sysid =                 22
  first        =      1731352730368 [2024-11-11 19:18:50.368]
  last         =      1731352730368 [2024-11-11 19:18:50.368]
  received at  =      1731352745980 [2024-11-11 19:19:05.980]
  proto        =                 17 UDP
  tcp flags    =               0x00 ........
  src port     =                 53
  dst port     =              11487
  src tos      =                  0
  fwd status   =                  0
  in packets   =              10000
  in bytes     =            4900000
  src addr     =         68.0.221.1: NA/US/"Broad Brook" long/lat: 41.9039/-72.5468
  dst addr     =    200.132.100.254: SA/BR/Pelotas long/lat: -31.7700/-52.3410
  input        =               1297
  output       =                664
  src mask     =                 22 68.0.220.0/22
  dst mask     =                 12 200.128.0.0/12
  dst tos      =                  0
  direction    =                255
  biFlow Dir   =               0x00 
  end reason   =               0x01 idle timeout
  src vlan     =               1326
  dst vlan     =                  0
  src as       =              22773
  dst as       =               2716
  bgp next hop =      29.248.71.143
  ip next hop  =       0.122.205.76
  ip exporter  =       0.122.207.90
  vlanID       =                  0
  post vlanID  =                  0
  custID       =                  0
  post custID  =                  0
  ingress IfID =                  0
  egress IfID  =                  0
  ethertype    =             0x0000
  IP version   =                  4

Flow Record: 
  RecordCount  =                 78
  Flags        =               0x06 NETFLOW v10 Anonymized, Sampled
  Elements     =                  9: 1 2 4 6 7 8 10 12 38 
  size         =                180
  engine type  =                  0
  engine ID    =                  0
  export sysid =                 23
  first        =      1731352704512 [2024-11-11 19:18:24.512]
  last         =      1731352727552 [2024-11-11 19:18:47.552]
  received at  =      1731352745981 [2024-11-11 19:19:05.981]
  proto        =                  6 TCP
  tcp flags    =               0x10 ...A....
  src port     =                 80
  dst port     =              22908
  src tos      =                  0
  fwd status   =                  0
  in packets   =              30000
  in bytes     =           44400000
  src addr     =     167.230.97.233: NA/US/'United States' long/lat: 37.7510/-97.8220
  dst addr     =      52.243.243.29: NA/US/"San Antonio" long/lat: 29.4227/-98.4927
  input        =                664
  output       =               1065
  src mask     =                 23 167.230.96.0/23
  dst mask     =                 23 52.243.242.0/23
  dst tos      =                  0
  direction    =                255
  biFlow Dir   =               0x00 
  end reason   =               0x01 idle timeout
  src vlan     =                  0
  dst vlan     =                  0
  src as       =                  0
  dst as       =               8075
  bgp next hop =         68.15.7.32
  ip next hop  =         68.15.7.32
  ip exporter  =       0.122.207.90
  vlanID       =                  0
  post vlanID  =                  0
  custID       =                  0
  post custID  =                  0
  ingress IfID =                  0
  egress IfID  =                  0
  ethertype    =             0x0000
  IP version   =                  4

Flow Record: 
  RecordCount  =                 79
  Flags        =               0x06 NETFLOW v10 Anonymized, Sampled
  Elements     =                  9: 1 2 4 6 7 8 10 12 38 
  size         =                180
  engine type  =                  0
  engine ID    =                  0
  export sysid =                 23
  first        =      1731352729856 [2024-11-11 19:18:49.856]
  last         =      1731352729856 [2024-11-11 19:18:49.856]
  received at  =      1731352745981 [2024-11-11 19:19:05.981]
  proto        =                  6 TCP
  tcp flags    =               0x18 ...AP...
  src port     =                443
  dst port     =              23811
  src tos      =                  0
  fwd status   =                  0
  in packets   =              10000
  in bytes     =           13670000
  src addr     =        29.11.80.37: NA/US/'United States' long/lat: 37.7510/-97.8220
  dst addr     =        29.11.79.61: NA/US/'United States' long/lat: 37.7510/-97.8220
  input        =                664
  output       =               1519
  src mask     =                 24 29.11.80.0/24
  dst mask     =                 24 29.11.79.0/24
  dst tos      =                  0
  direction    =                255
  biFlow Dir   =               0x00 
  end reason   =               0x01 idle timeout
  src vlan     =                  0
  dst vlan     =                  0
  src as       =                749
  dst as       =                749
  bgp next hop =         68.15.9.13
  ip next hop  =         68.15.9.13
  ip exporter  =       0.122.207.90
  vlanID       =                  0
  post vlanID  =                  0
  custID       =                  0
  post custID  =                  0
  ingress IfID =                  0
  egress IfID  =                  0
  ethertype    =             0x0000
  IP version   =                  4

This was from a Juniper 23.x box, but I also see the lack of TTL/frag from Cisco iox 7.x and others.

@thezoggy
Contributor Author

Looking at the pcap, I see MinTTL/MaxTTL showing up in Wireshark, which looks like field 52/53 per:
https://www.juniper.net/documentation/us/en/software/junos/flow-monitoring/topics/concept/flowmonitoring-output-formats-version9-solutions.html
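The comment above points at IPFIX/NetFlow v9 elements 52 and 53 (IANA minimumTTL and maximumTTL) as where the exporter carries the TTL that nfdump is not yet decoding from v9/IPFIX. As an added example that is not nfdump's code, here is a minimal IPFIX (RFC 7011) decoder in Python that reads a template set and a data set and extracts those elements, plus IANA element 197 (fragmentFlags), which is my assumption about how an exporter would carry fragment state and is not shown in the thread. The message bytes are constructed inline, not captured from the Juniper box, and the TTL/fragment values in them are made up. A small helper at the end flags flows with a fragment bit set or a minimum TTL below a floor, the kind of check behind the fragment alert that started the issue.

```python
import struct
from typing import Dict, List, Optional, Tuple

# IANA IPFIX information elements decoded here. 52/53 are the elements the
# thread identifies; 197 (fragmentFlags) is an assumption about how an exporter
# might carry fragment state and does not appear in the thread.
IE_NAMES = {
    4: "protocolIdentifier",
    8: "sourceIPv4Address",
    12: "destinationIPv4Address",
    52: "minimumTTL",
    53: "maximumTTL",
    197: "fragmentFlags",
}
ADDRESS_IES = {8, 12}
TEMPLATE_SET_ID = 2
Field = Tuple[int, int, Optional[int]]  # (element id, length, enterprise number or None)


def build_ipfix_message(template_id: int, fields: List[Tuple[int, int]],
                        records: List[List[bytes]], domain: int = 1) -> bytes:
    """Assemble one IPFIX message: 16-byte header, a template set describing
    `fields` as (IANA element id, length) pairs, then a data set of `records`
    whose byte values follow the template order and lengths."""
    template = struct.pack("!HH", template_id, len(fields))
    template += b"".join(struct.pack("!HH", ie, ln) for ie, ln in fields)
    template_set = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(template)) + template
    body = b"".join(b"".join(rec) for rec in records)
    data_set = struct.pack("!HH", template_id, 4 + len(body)) + body
    payload = template_set + data_set
    # version 10, total length, export time (constructed), sequence, observation domain
    header = struct.pack("!HHIII", 10, 16 + len(payload), 1731352726, 0, domain)
    return header + payload


def parse_ipfix(data: bytes) -> List[Dict[str, object]]:
    """Decode the data records of one IPFIX message. Templates must precede
    the data sets that use them; variable-length (65535) elements and options
    templates are not handled, which is enough for this sample."""
    if len(data) < 16:
        raise ValueError("short IPFIX header")
    version, length = struct.unpack_from("!HH", data, 0)
    if version != 10:
        raise ValueError(f"not IPFIX (version {version})")
    if length > len(data):
        raise ValueError("message length exceeds buffer (truncated export)")
    templates: Dict[int, List[Field]] = {}
    records: List[Dict[str, object]] = []
    offset = 16
    while offset + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", data, offset)
        if set_len < 4 or offset + set_len > length:
            raise ValueError("bad set length")  # a set must never run past the message
        end = offset + set_len
        pos = offset + 4
        if set_id == TEMPLATE_SET_ID:
            while pos + 4 <= end:
                template_id, count = struct.unpack_from("!HH", data, pos)
                pos += 4
                fields: List[Field] = []
                for _ in range(count):
                    if pos + 4 > end:
                        raise ValueError("template record truncated")
                    ie, ln = struct.unpack_from("!HH", data, pos)
                    pos += 4
                    pen = None
                    if ie & 0x8000:  # enterprise-specific element: a 4-byte PEN follows
                        pen = struct.unpack_from("!I", data, pos)[0]
                        pos += 4
                    fields.append((ie & 0x7FFF, ln, pen))
                if count:  # a count of 0 would be a template withdrawal
                    templates[template_id] = fields
        elif set_id >= 256:
            fields = templates.get(set_id)
            if fields is not None:  # data arriving before its template is skipped, not guessed
                record_len = sum(ln for _, ln, _ in fields)
                while record_len and pos + record_len <= end:
                    rec: Dict[str, object] = {}
                    for ie, ln, pen in fields:
                        raw = data[pos:pos + ln]
                        pos += ln
                        if pen is not None:
                            rec[f"pen{pen}.ie{ie}"] = raw
                        elif ie in ADDRESS_IES and ln == 4:
                            rec[IE_NAMES[ie]] = ".".join(str(b) for b in raw)
                        elif ie in IE_NAMES:
                            rec[IE_NAMES[ie]] = int.from_bytes(raw, "big")
                        else:
                            rec[f"ie{ie}"] = raw  # unknown element kept as raw bytes
                    records.append(rec)
        offset = end
    return records


def flag_fragmented_or_low_ttl(records: List[Dict[str, object]], ttl_floor: int = 5) -> List[int]:
    """Indexes of records with any fragment flag set or a minimum TTL below ttl_floor."""
    return [i for i, rec in enumerate(records)
            if rec.get("fragmentFlags", 0) or rec.get("minimumTTL", 255) < ttl_floor]


# Constructed sample: two UDP flows using the anonymised addresses from the
# thread's first two records; the TTL and fragment values are invented.
SAMPLE_FIELDS = [(8, 4), (12, 4), (4, 1), (52, 1), (53, 1), (197, 1)]
SAMPLE_RECORDS = [
    [bytes([223, 40, 61, 53]), bytes([60, 9, 66, 250]), b"\x11", b"\x39", b"\x39", b"\x00"],
    [bytes([37, 119, 82, 45]), bytes([41, 88, 116, 13]), b"\x11", b"\x03", b"\x80", b"\x20"],
]
SAMPLE_MESSAGE = build_ipfix_message(256, SAMPLE_FIELDS, SAMPLE_RECORDS)


def decode_sample() -> List[Dict[str, object]]:
    return parse_ipfix(SAMPLE_MESSAGE)


if __name__ == "__main__":
    decoded = decode_sample()
    for rec in decoded:
        print(rec)
    print("suspicious record indexes:", flag_fragmented_or_low_ttl(decoded))
```

The decoder keeps templates per message only; a real collector keys them by exporter address and observation domain and keeps them across messages, since Juniper and Cisco exporters send templates periodically rather than with every data set. Unknown elements stay as raw bytes so a record is never silently misread, which is the same failure mode the thread is chasing: a collector that does not know an element simply shows nothing for it.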

@phaag
Owner

phaag commented Nov 12, 2024

As for nfanon - it looks like the system call rename() failed for some reason. I can certainly fix the hanging, but not the reason for the failed rename() call, which looks system dependent. What system/OS and filesystem are you using?

As for TTL/fragments - please send me a pcap to check for proper decoding. So far these fields are not yet decoded in v9/IPFIX and are used only by nfpcapd.

@thezoggy
Contributor Author

> As for nfanon - it looks like the system call rename() failed for some reason. I can certainly fix the hanging, but not the reason for the failed rename() call, which looks system dependent. What system/OS and filesystem are you using?
>
> As for TTL/fragments - please send me a pcap to check for proper decoding. So far these fields are not yet decoded in v9/IPFIX and are used only by nfpcapd.

Box is Ubuntu 20.04. Just emailed you some pcaps of flows coming into the box for a few different platforms.
