search

CESNET / ipfixcol

IPFIXcol is an implementation of an IPFIX (RFC 7011) collector
Other
64 stars 37 forks source link

fbitdump filtering on link-local fe80:: IPv6 adresses #147

Closed DRiKE closed 8 years ago

DRiKE commented 8 years ago

Filtering on link-local IPv6 addresses does not work, e.g.:

fbitdump -R ic20151108023000 '%sa6 == fe80::22f4:21ff:fea3:1a00'

yields more than just records having that source address, although all of the results have link-local addresses for their source address. Using prefixes results in no records, e.g.:

fbitdump -R ic20151108023000 '%sa6 fe80::/64'

This is happening with the latest version of fbitdump, so it includes the fixes for IPv6 issues reported earlier. Filtering on global v6 addresses (and prefixes) behaves like expected.

thorgrin commented 8 years ago

Filtering on IPv6 prefixes is a known issue since the FastBit library does not support range queries for 64b numbers.

As for the equality query, I've been trying to reproduce the issue on my own traffic samples, but with no luck:

> fbitdump -R . -o"fmt:%sa6" | grep "fe80::230:48ff:fed6:ad4b"
               fe80::230:48ff:fed6:ad4b
               fe80::230:48ff:fed6:ad4b
               fe80::230:48ff:fed6:ad4b
> fbitdump -R . -o"fmt:%sa6" "%sa6 == fe80::230:48ff:fed6:ad4b" -q
               fe80::230:48ff:fed6:ad4b
               fe80::230:48ff:fed6:ad4b
               fe80::230:48ff:fed6:ad4b

Could you send me a sample of the traffic so that I can trace this issue?

DRiKE commented 8 years ago

Of course I'm not able to reproduce it myself at this time. I'll keep trying for some time, and if it really doesn't occur anymore, I'll close the ticket I guess. In that case, apologies for the (possibly false) alarm.

With regards to the prefixes: I was in the understanding that filtering on prefixes could give small inaccuracies, thus that it 'worked' in a somewhat rough fashion. However in the case of fe80::/64, nothing is returned at all, where it looks like other prefixes return more records (outside of the prefix) instead of less. Is the fe80-case the same issue, but with radically different results in the end?

thorgrin commented 8 years ago

I believe that it might be the same issue. I've filed several queries to FastBit mailing list, however they do no longer seem to care about this.

I'll close the ticket for now and ask you to raise the question again if you can reproduce it.