Softflowd pfSense package doesn't send ICMP flows #42

Open
H0neyBeer opened this issue May 11, 2022 · 1 comment

Hello, I implemented a monitoring solution with nprobe + ntopng and the softflowd package exporting flows from my pfSense.
The export of logs is indeed done but I cannot see the ICMP requests.

Do you know this issue?

Thank you in advance.


mn7474 commented Jun 26, 2022

> Hello, I implemented a monitoring solution with nprobe + ntopng and the softflowd package exporting flows from my pfSense. The export of logs is indeed done but I cannot see the ICMP requests.
>
> Do you know this issue?
>
> Thank you in advance.

I have seen this issue as well with tag softflowd-1.0.0, which is what the pfSense package appears to be using, and also with the latest Ubuntu packages on 22.04. The diagnosis I found was that the NetFlow v9 and IPFIX export template was not including the IP protocol number, so your collector would have been storing the flows with IP protocol 0 instead of IPv4 protocol 1, which is ICMP, and IPv6 next header 58.

I compiled commit 52eab7b on Ubuntu to confirm this was the case, and then compiled the binary on FreeBSD and installed it manually on pfSense. This is now working as expected for IPFIX and NetFlow version 9 flow exports.

The diff between commit 52eab7b and commit 9cf249e, which is tagged softflowd-1.0.0, shows the issue in ipfix.c:

 const struct IPFIX_FIELD_SPECIFIER field_icmp4[] = {
   {IPFIX_icmpTypeCodeIPv4, 2},
+  {IPFIX_protocolIdentifier, 1},
   {IPFIX_ipVersion, 1},
   {IPFIX_ipClassOfService, 1}
 };
 
 const struct IPFIX_FIELD_SPECIFIER field_icmp6[] = {
   {IPFIX_icmpTypeCodeIPv6, 2},
+  {IPFIX_protocolIdentifier, 1},
   {IPFIX_ipVersion, 1},
   {IPFIX_ipClassOfService, 1}
 };
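Review bot: the two templates now advertise a five-byte ICMP record (2+1+1+1) in the order icmpTypeCode, protocolIdentifier, ipVersion, ipClassOfService, but the struct IPFIX_SOFTFLOWD_DATA_ICMP that is written for these templates is not part of this diff; its member order and packing have to match this field order byte for byte, otherwise a collector reads the protocol byte from the wrong offset. Since only ipfix.c appears here while the comment above reports NetFlow v9 exports as fixed too, it is worth confirming that the v9 ICMP template gained the same element.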

and

     if (flow->protocol != IPPROTO_ICMP && flow->protocol != IPPROTO_ICMPV6) {
@@ -686,14 +721,15 @@ ipfix_flow_to_flowset (const struct FLOW *flow, u_char * packet,
     } else {
       di[i] = (struct IPFIX_SOFTFLOWD_DATA_ICMP *) &packet[offset];
       di[i]->icmpTypeCode = flow->port[i ^ 1];
+      di[i]->protocolIdentifier = flow->protocol;
       di[i]->ipClassOfService = flow->tos[i];
       di[i]->ipVersion = (flow->af == AF_INET) ? 4 : 6;
       offset += sizeof (struct IPFIX_SOFTFLOWD_DATA_ICMP);
     }
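Review bot: the assignment order in this branch (icmpTypeCode, protocolIdentifier, ipClassOfService, ipVersion) does not match the template order in field_icmp4/field_icmp6 (icmpTypeCode, protocolIdentifier, ipVersion, ipClassOfService), which is only harmless if the struct declares its members in template order, so the added `di[i]->protocolIdentifier = flow->protocol;` should be verified against the struct definition rather than against this sequence of assignments. Because `offset += sizeof (struct IPFIX_SOFTFLOWD_DATA_ICMP);` drives the record length, the struct must be packed so the extra byte does not introduce padding that the template does not describe, or the data set length will disagree with the template.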

I've only found this today and haven't really taken a closer look at the code changes between the two releases that address the issue. It was easier just to use the latest commit.

It might be helpful to tag 52eab7b as softflowd-1.0.1 or something similar so these packages will see a new version released and the distributions might have a chance of rebuilding with the fix.
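As an added example (not code from this thread or from softflowd), the following Python script shows the effect described above on the wire. It builds two constructed IPFIX messages, one with the softflowd-1.0.0 ICMP template and one with the template that carries protocolIdentifier, parses them the way a collector does (template set, then data set), and reports which ICMP templates lack element 4 and what protocol value a collector that defaults absent elements to 0 would store. The element IDs are the IANA IPFIX registry values; the echo-request sample record, the template IDs 256 and 257, and the zero-default collector behaviour are assumptions made for the demonstration.

```python
import struct

# IANA IPFIX information element IDs (RFC 7012 registry) for the elements
# named in the softflowd ICMP templates quoted above.
IE_PROTOCOL_IDENTIFIER = 4
IE_IP_CLASS_OF_SERVICE = 5
IE_ICMP_TYPE_CODE_IPV4 = 32
IE_IP_VERSION = 60
IE_ICMP_TYPE_CODE_IPV6 = 139
IE_NAMES = {
    IE_PROTOCOL_IDENTIFIER: "protocolIdentifier",
    IE_IP_CLASS_OF_SERVICE: "ipClassOfService",
    IE_ICMP_TYPE_CODE_IPV4: "icmpTypeCodeIPv4",
    IE_IP_VERSION: "ipVersion",
    IE_ICMP_TYPE_CODE_IPV6: "icmpTypeCodeIPv6",
}
TEMPLATE_SET_ID = 2  # RFC 7011: set ID 2 carries Template Records


def build_message(template_id, fields, records):
    """Build one IPFIX message holding a template set and a data set.

    fields  : [(ie_id, length)] in wire order, like softflowd's field_icmp4[]
    records : [tuple of ints], one value per field, in the same order
    """
    tmpl = struct.pack("!HH", template_id, len(fields))
    tmpl += b"".join(struct.pack("!HH", ie, ln) for ie, ln in fields)
    template_set = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(tmpl)) + tmpl
    data = b"".join(val.to_bytes(ln, "big")
                    for rec in records for (_, ln), val in zip(fields, rec))
    data_set = struct.pack("!HH", template_id, 4 + len(data)) + data
    body = template_set + data_set
    # Header: version 10, total length, export time, sequence, observation domain.
    return struct.pack("!HHIII", 10, 16 + len(body), 0, 0, 1) + body


def parse_message(msg):
    """Return (templates, flows): templates maps id -> [(ie, len)], flows is a list of dicts."""
    version, length = struct.unpack_from("!HH", msg, 0)
    if version != 10 or length != len(msg):
        raise ValueError("not a well-formed IPFIX message")
    templates, flows, off = {}, [], 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4 or off + set_len > length:
            raise ValueError("bad set length")
        body = msg[off + 4:off + set_len]
        if set_id == TEMPLATE_SET_ID:
            pos = 0
            while pos + 4 <= len(body):
                tid, count = struct.unpack_from("!HH", body, pos)
                pos += 4
                if tid < 256:  # zero padding, not a template record
                    break
                fields = []
                for _ in range(count):
                    ie, ln = struct.unpack_from("!HH", body, pos)
                    pos += 4
                    if ie & 0x8000:  # enterprise-specific element: skip the PEN
                        pos += 4
                        ie &= 0x7FFF
                    fields.append((ie, ln))
                templates[tid] = fields
        elif set_id >= 256 and set_id in templates:
            fields = templates[set_id]
            rec_len, pos = sum(ln for _, ln in fields), 0
            while pos + rec_len <= len(body):
                flow = {}
                for ie, ln in fields:
                    flow[IE_NAMES.get(ie, f"ie{ie}")] = int.from_bytes(body[pos:pos + ln], "big")
                    pos += ln
                # Assumed collector behaviour: an element the template never
                # delivered is stored as 0, which is what the thread observed.
                flow.setdefault("protocolIdentifier", 0)
                flows.append(flow)
        off += set_len
    return templates, flows


def icmp_templates_missing_protocol(templates):
    """IDs of templates carrying an ICMP type/code element but no protocolIdentifier."""
    bad = []
    for tid, fields in templates.items():
        ies = {ie for ie, _ in fields}
        if ies & {IE_ICMP_TYPE_CODE_IPV4, IE_ICMP_TYPE_CODE_IPV6} and IE_PROTOCOL_IDENTIFIER not in ies:
            bad.append(tid)
    return sorted(bad)


# Constructed sample: one ICMPv4 echo request (type 8, code 0 -> 0x0800, ToS 0)
# exported with the softflowd-1.0.0 template and with the fixed template.
OLD_TEMPLATE = [(IE_ICMP_TYPE_CODE_IPV4, 2), (IE_IP_VERSION, 1), (IE_IP_CLASS_OF_SERVICE, 1)]
NEW_TEMPLATE = [(IE_ICMP_TYPE_CODE_IPV4, 2), (IE_PROTOCOL_IDENTIFIER, 1),
                (IE_IP_VERSION, 1), (IE_IP_CLASS_OF_SERVICE, 1)]
OLD_MSG = build_message(256, OLD_TEMPLATE, [(0x0800, 4, 0)])
NEW_MSG = build_message(257, NEW_TEMPLATE, [(0x0800, 1, 4, 0)])


def report(msg):
    """Return (ICMP templates lacking protocolIdentifier, protocol values a collector stores)."""
    templates, flows = parse_message(msg)
    return icmp_templates_missing_protocol(templates), [f["protocolIdentifier"] for f in flows]


if __name__ == "__main__":
    for label, msg in (("softflowd-1.0.0 template", OLD_MSG), ("fixed template", NEW_MSG)):
        print(label, report(msg))
```

To check a real exporter, feed the UDP payload of a captured softflowd packet to report() instead of the constructed messages; a non-empty first element means the exporter is still sending an ICMP template without protocolIdentifier, and every ICMP flow from it will land in the collector with protocol 0.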
