VUTBR / nf-tools

NetFlow processing tools

IPv4 src address 0.0.0.0 being interpreted as IPv6 #9

Closed dylanhall closed 8 years ago

dylanhall commented 8 years ago

Hi, I'm trying to process nfdump records using nf-tools 1.19 and I've got an issue where a small number of flows are being printed with a src address of "::" but a dst address that is IPv4.

My code is:

use strict;
use warnings;
use Net::NfDump qw(:all);   # exports ip2txt() and the other helper functions

# Open the nfdump file given on the command line and select the fields to fetch.
my $flow = new Net::NfDump(
    InputFiles => [ $ARGV[0] ],
    Fields => 'srcip,dstip,proto,srcport,dstport,pkts,bytes,inif,outif,srcas,dstas,router,received' );

$flow->query();

while (my ($srcipbin, $dstipbin, $proto, $srcport, $dstport, $pkts, $bytes, $inif, $outif, $srcas, $dstas, $routerbin, $received) = $flow->fetchrow_array() )  {

    # Addresses are returned as binary buffers; convert them to text.
    my $srcip = ip2txt($srcipbin);
    my $dstip = ip2txt($dstipbin);
    my $router = ip2txt($routerbin);

    # 'received' is in milliseconds; print it in seconds.
    $received /= 1000;

    printf "%s %s %u %u %u %llu %llu %u %u %u %u %s %llu\n", $srcip, $dstip, $proto, $srcport, $dstport, $pkts, $bytes, $inif, $outif, $srcas, $dstas, $router, $received;

}

$flow->finish();

In my output I'm getting a couple of lines like:

:: 255.255.255.255 17 68 67 11 3608 1814 0 4294967295 4294967295 172.24.33.1 1459742428

It looks like the flow is a dhcp request, hence the rather odd src and dst.

Doing a "length($srcipbin)" returns 16 where it should return 4 so this appears to be confusing ip2txt into thinking the src address is IPv6.

Any help appreciated :)

tpoder1 commented 8 years ago

Hi. The solution for the problem is not easy. Libnf internally stores an IPv4 address as IPv6 (RFC 4291 IPv4-Compatible IPv6 Address). In this case it is not possible to distinguish between the :: and 0.0.0.0/0 addresses because both of them have the same internal representation.

I'm just thinking about how to deal with that problem. I have two options in my mind:

  1. Using "IPv4-Mapped IPv6 Address" instead of "IPv4-Compatible IPv6 Address". In this case the address 0.0.0.0 will be returned as ::ffff:0.0.0.0, so the conversion functions (ntop) would be able to distinguish between IPv4 and IPv6 address.
  2. Adding additional field (for example addr_family) which will contain address family information. This information might be used by conversion functions and return address in proper format.

At first sight the second option seems more reasonable, especially for compatibility reasons. I will plan that feature for the next release.

dylanhall commented 8 years ago

Thanks for looking into this issue. I'm also keen on option 2. If you create an internal field for the type of a flow (e.g. v4, v6, other?) can you expose that field along with the other fields?

tpoder1 commented 8 years ago

Sure. The field will be available in the same way as any other field. I hope that feature might be available in git this/next week.

tpoder1 commented 8 years ago

Hi. The support for the address type is now available via the inetfamily field. In Perl there are additional functions (family2txt, txt2family) to convert the value into an ipv4 or ipv6 string. The version is available in the repository. The new version of the package, 1.20, was released today.
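The ambiguity tpoder1 describes, and why an address-family field resolves it where the address bytes alone cannot, shown as an added Python example (not code from nf-tools or this thread). The 16-byte buffers are constructed here to model libnf's internal storage; the "ipv4"/"ipv6" family strings stand in for the inetfamily field and are an assumption, not the library's actual values.

```python
import socket
from ipaddress import IPv4Address, IPv6Address

# Constructed 16-byte buffers in the two RFC 4291 encodings discussed in the thread.
V4_COMPAT_PREFIX = b"\x00" * 12                 # ::a.b.c.d   (IPv4-Compatible)
V4_MAPPED_PREFIX = b"\x00" * 10 + b"\xff\xff"   # ::ffff:a.b.c.d (IPv4-Mapped)

def v4_compatible(v4):
    """Store an IPv4 address the way libnf does: 12 zero bytes + 4 address bytes."""
    return V4_COMPAT_PREFIX + socket.inet_aton(v4)

def v4_mapped(v4):
    """Option 1 from the thread: 10 zero bytes, 0xffff, then the 4 address bytes."""
    return V4_MAPPED_PREFIX + socket.inet_aton(v4)

def ip2txt_naive(buf):
    """Decides by buffer length only, like the caller in the issue: every 16-byte
    buffer is printed as IPv6, so 0.0.0.0 (stored as ::0.0.0.0) collapses onto '::'."""
    return str(IPv4Address(buf)) if len(buf) == 4 else str(IPv6Address(buf))

def ip2txt_mapped(buf):
    """Option 1: with the IPv4-Mapped encoding the ::ffff: prefix marks IPv4, so the
    all-zero buffer can only mean '::' and 0.0.0.0 is no longer ambiguous."""
    if len(buf) == 16 and buf[:12] == V4_MAPPED_PREFIX:
        return str(IPv4Address(buf[12:]))
    return str(IPv6Address(buf))

def ip2txt_family(buf, family):
    """Option 2 (what inetfamily provides): an explicit address-family value picks the
    output format; the bytes themselves are never used to guess the family."""
    if family == "ipv4":
        return str(IPv4Address(buf[-4:]))   # IPv4 lives in the last 4 bytes either way
    if family == "ipv6":
        return str(IPv6Address(buf))
    raise ValueError(f"unknown address family {family!r}")

if __name__ == "__main__":
    # The DHCP flow from the issue: src 0.0.0.0, dst 255.255.255.255, IPv4-Compatible form.
    src, dst = v4_compatible("0.0.0.0"), v4_compatible("255.255.255.255")
    print("length-only  :", ip2txt_naive(src), ip2txt_naive(dst))
    print("with family  :", ip2txt_family(src, "ipv4"), ip2txt_family(dst, "ipv4"))
```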