
Netflow packets built by Scapy fail to decode when they contain timestamps #4198

Open
CameronNemo opened this issue Dec 1, 2023 · 2 comments

Comments

@CameronNemo

Brief description

I've tried generating some netflow packets and sending them to various collectors (goflow2, telegraf).

It was going alright until I tried to add flow start and end timestamps... I tried with both seconds and milliseconds. On goflow2, it just ignored the encoded timestamp and telegraf crashed.

I included the full scapy program / output / reproduction in the telegraf ticket:

influxdata/telegraf#14370

Seems like more of a scapy issue, though, considering that neither goflow2 nor telegraf could successfully decode the field.

Scapy version

2.5.0

Python version

3.9

Operating system

Rocky8

Additional environment information

No response

How to reproduce

Create a packet with flowStartSeconds and send it to popular open source netflow collectors.

Actual result

flowStartSeconds is not decoded correctly by the collector.

Expected result

flowStartSeconds is decoded successfully.

Related resources

No response

@guedou
Member

guedou commented Dec 1, 2023

Thanks for your interest in the project. Could you share a single Scapy packet that reproduces this behavior, along with the expected correct packet?

@evverx
Contributor

evverx commented Dec 5, 2023

Looking at influxdata/telegraf@8b97b42, it seems the length got lost somewhere. The packet produced by the script contains

            Field (12/15): flowStartSeconds
                0... .... .... .... = Pen provided: No
                .000 0000 1001 0110 = Type: flowStartSeconds (150)
                Length: 0
            Field (13/15): flowEndSeconds
                0... .... .... .... = Pen provided: No
                .000 0000 1001 0111 = Type: flowEndSeconds (151)
                Length: 0

According to https://datatracker.ietf.org/doc/html/rfc5102#section-5.9.1

Abstract Data Type: dateTimeSeconds

and according to https://www.rfc-editor.org/rfc/rfc7011.html#section-6.1.7 it should be

    an unsigned 32-bit integer in network byte order containing the number of seconds since the UNIX epoch

My guess would be that something like

    netflow.NetflowTemplateFieldV9(fieldType="flowStartSeconds", fieldLength=4),
    netflow.NetflowTemplateFieldV9(fieldType="flowEndSeconds", fieldLength=4),

should probably make it work without crashing telegraf.
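
The following is an added example, not code from this issue, Scapy, goflow2 or telegraf. It shows on the wire why a template field of Length 0 breaks collectors: NetFlow v9 carries every field as a (type, length) pair in the template flowset, and a data record is decoded by consuming exactly that many bytes per field, so a zero-length flowStartSeconds/flowEndSeconds contributes no bytes at all and the value can never be recovered. The encoder and collector-side decoder below are written with the standard library `struct` module instead of Scapy so that it runs stand-alone; field IDs, the template ID 256 and the timestamp 1701388800 (2023-12-01T00:00:00Z) are constructed test values. `fieldLength=4` in the comment above corresponds to the `(FLOW_START_SECONDS, 4)` template entry here, matching the uint32 dateTimeSeconds encoding from RFC 7011 section 6.1.7.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Information element IDs (NetFlow v9 / IANA IPFIX registry).
IPV4_SRC_ADDR = 8
IPV4_DST_ADDR = 12
IN_BYTES = 1
FLOW_START_SECONDS = 150   # dateTimeSeconds: uint32 seconds since the UNIX epoch (RFC 7011 6.1.7)
FLOW_END_SECONDS = 151

TEMPLATE_ID = 256          # first non-reserved template id in NetFlow v9 (hypothetical choice)

Field = Tuple[int, int]    # (element id, length in bytes), exactly as carried in the template


def v9_header(count: int, unix_secs: int, sequence: int = 1, source_id: int = 1, uptime_ms: int = 1000) -> bytes:
    """20-byte NetFlow v9 export header: version, flowset count, sysUptime, unixSecs, sequence, sourceId."""
    return struct.pack("!HHIIII", 9, count, uptime_ms, unix_secs, sequence, source_id)


def template_flowset(template_id: int, fields: List[Field]) -> bytes:
    """Template flowset (id 0) with one template; each field is a (type, length) pair."""
    body = struct.pack("!HH", template_id, len(fields))
    for ftype, flen in fields:
        body += struct.pack("!HH", ftype, flen)
    return struct.pack("!HH", 0, 4 + len(body)) + body


def encode_record(fields: List[Field], values: Dict[int, int]) -> bytes:
    """Encode one data record as big-endian unsigned integers of the template's declared lengths."""
    out = b""
    for ftype, flen in fields:
        if flen:  # a zero-length field emits nothing: the timestamp never reaches the wire
            out += values[ftype].to_bytes(flen, "big")
    return out


def data_flowset(template_id: int, records: bytes) -> bytes:
    """Data flowset keyed by template id, padded to a 4-byte boundary."""
    pad = (-(4 + len(records))) % 4
    return struct.pack("!HH", template_id, 4 + len(records) + pad) + records + b"\x00" * pad


def build_export(fields: List[Field], values: Dict[int, int], unix_secs: int) -> bytes:
    return v9_header(2, unix_secs) + template_flowset(TEMPLATE_ID, fields) + data_flowset(TEMPLATE_ID, encode_record(fields, values))


def decode_export(pkt: bytes) -> Tuple[Dict[int, List[Field]], List[Dict[int, Optional[int]]]]:
    """Collector-side decode: learn templates, then slice data records by the template's field lengths."""
    version = struct.unpack_from("!H", pkt, 0)[0]
    if version != 9:
        raise ValueError("not NetFlow v9")
    templates: Dict[int, List[Field]] = {}
    records: List[Dict[int, Optional[int]]] = []
    off = 20
    while off + 4 <= len(pkt):
        fs_id, fs_len = struct.unpack_from("!HH", pkt, off)
        if fs_len < 4:
            raise ValueError("bad flowset length")
        body = pkt[off + 4: off + fs_len]
        if fs_id == 0:
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, p)
                p += 4
                flds: List[Field] = []
                for _ in range(nfields):
                    flds.append(struct.unpack_from("!HH", body, p))
                    p += 4
                templates[tid] = flds
        elif fs_id in templates:
            flds = templates[fs_id]
            rec_len = sum(flen for _, flen in flds)
            p = 0
            while rec_len and p + rec_len <= len(body):
                rec: Dict[int, Optional[int]] = {}
                for ftype, flen in flds:
                    # Length 0 means there are no bytes to read: report the field as absent, not as 0.
                    rec[ftype] = int.from_bytes(body[p:p + flen], "big") if flen else None
                    p += flen
                records.append(rec)
        off += fs_len
    return templates, records


def demo() -> Tuple[Dict[int, Optional[int]], Dict[int, Optional[int]]]:
    """Return the first decoded record for the Length-0 template and for the corrected Length-4 template."""
    now = 1701388800  # constructed: 2023-12-01T00:00:00Z
    values = {IPV4_SRC_ADDR: 0x0A000001, IPV4_DST_ADDR: 0x0A000002, IN_BYTES: 1500,
              FLOW_START_SECONDS: now - 30, FLOW_END_SECONDS: now}
    common = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (IN_BYTES, 4)]
    broken = common + [(FLOW_START_SECONDS, 0), (FLOW_END_SECONDS, 0)]   # what the dissection above shows
    fixed = common + [(FLOW_START_SECONDS, 4), (FLOW_END_SECONDS, 4)]    # fieldLength=4 as suggested
    _, recs_broken = decode_export(build_export(broken, values, now))
    _, recs_fixed = decode_export(build_export(fixed, values, now))
    return recs_broken[0], recs_fixed[0]


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the timestamps as `None` for the zero-length template and as the expected epoch seconds for the 4-byte one; a real collector that does not guard the zero-length case can end up with the kind of lost-length failure referenced in the telegraf commit.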
