aabc / ipt-netflow

Netflow iptables module for Linux kernel (official)
https://github.com/aabc/ipt-netflow

Seeing single-packet IPv6 flows #122

Open bruceg opened 4 years ago

bruceg commented 4 years ago

I'm testing ipt-netflow 2.4 on Debian Jessie, with the 3.16.0-10-586 kernel. It seems to be working, but examining the exported records shows some inefficiencies. When dumping the records with nfdump, there seem to be a lot of single packet flows, even when the traffic obviously should not have been expired. For example:

Date first seen          Duration Proto                             Src IP Addr:Port                                 Dst IP Addr:Port   Packets    Bytes Flows
2019-09-05 19:00:09.376     0.000 TCP           2a03:2880:f027:13:face:b00c:0:2.443   ->    2001:470:1f2f:13e:757b:8274:774c:fc9.54676        1      104     1
2019-09-05 19:00:09.376     0.000 TCP           2a03:2880:f027:13:face:b00c:0:2.443   ->    2001:470:1f2f:13e:757b:8274:774c:fc9.54676        1      357     1
2019-09-05 19:00:09.344     0.000 TCP           2a03:2880:f027:13:face:b00c:0:2.443   ->    2001:470:1f2f:13e:757b:8274:774c:fc9.54676        1      107     1

2019-09-05 19:00:12.220     0.000 TCP                     2607:c300:11:2::6:152.2200  ->   2001:470:1f2f:13e:5302:3589:e3a8:6228.54586        1      108     1
2019-09-05 19:00:12.312     0.000 TCP                     2607:c300:11:2::6:152.2200  ->   2001:470:1f2f:13e:5302:3589:e3a8:6228.54586        1       72     1
2019-09-05 19:00:12.348     0.000 TCP                     2607:c300:11:2::6:152.2200  ->   2001:470:1f2f:13e:5302:3589:e3a8:6228.54586        1      132     1

This is not happening for all IPv6 flows, so I am confused what might be causing it. The above records show up sequentially in the data.

The configuration is mostly the defaults:

# sysctl net.netflow                    
net.netflow.active_timeout = 1800
net.netflow.debug = 0
net.netflow.destination = [REDACTED]:12345
net.netflow.flush = 0
net.netflow.hashsize = 63117
net.netflow.inactive_timeout = 60
net.netflow.maxflows = 2000000
net.netflow.natevents = 0
net.netflow.protocol = 10
net.netflow.refresh-rate = 20
net.netflow.scan-min = 1
net.netflow.sndbuf = 163840
net.netflow.timeout-rate = 30

Is this a bug or expected behavior I am not understanding?

aabc commented 4 years ago

There is a flowEndReason option you can examine for single-packet flows. If its value is 1 it means the flow was terminated by FIN or RST; if it's 3 it was terminated by inactive timeout; 2 is inactive timeout. Also, you may look at tcp_flags to see if there are FIN or RST flags.
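As an added example, not code from ipt-netflow or from either participant in this thread: a small Python checker that takes nfdump-style records like the ones quoted above, groups them by protocol and address/port pair, and flags consecutive records that restart within the 60-second inactive_timeout from the sysctl dump even though the previous record shows no FIN or RST, which is the tcp_flags check aabc suggests. The exact line layout, the optional six-character TCP flags column (UAPRSF, dots for unset bits) and the two extra 2001:db8:: sample records are assumptions made for the example; the first six sample lines are the records bruceg posted.

```python
"""Find flows that were split although no FIN/RST ended the previous record.

Added example; not part of ipt-netflow. Record layout and flags column are
assumptions modelled on the nfdump output quoted in the issue.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional, Tuple

# net.netflow.inactive_timeout from the issue's sysctl dump.
INACTIVE_TIMEOUT = timedelta(seconds=60)

# Constructed sample: the six records from the issue, plus two made-up records
# that carry a TCP flags column so the FIN/RST check has something to work on.
SAMPLE = """\
Date first seen          Duration Proto Src IP Addr:Port -> Dst IP Addr:Port Packets Bytes Flows
2019-09-05 19:00:09.376     0.000 TCP 2a03:2880:f027:13:face:b00c:0:2.443 -> 2001:470:1f2f:13e:757b:8274:774c:fc9.54676        1      104     1
2019-09-05 19:00:09.376     0.000 TCP 2a03:2880:f027:13:face:b00c:0:2.443 -> 2001:470:1f2f:13e:757b:8274:774c:fc9.54676        1      357     1
2019-09-05 19:00:09.344     0.000 TCP 2a03:2880:f027:13:face:b00c:0:2.443 -> 2001:470:1f2f:13e:757b:8274:774c:fc9.54676        1      107     1
2019-09-05 19:00:12.220     0.000 TCP 2607:c300:11:2::6:152.2200 -> 2001:470:1f2f:13e:5302:3589:e3a8:6228.54586        1      108     1
2019-09-05 19:00:12.312     0.000 TCP 2607:c300:11:2::6:152.2200 -> 2001:470:1f2f:13e:5302:3589:e3a8:6228.54586        1       72     1
2019-09-05 19:00:12.348     0.000 TCP 2607:c300:11:2::6:152.2200 -> 2001:470:1f2f:13e:5302:3589:e3a8:6228.54586        1      132     1
2019-09-05 19:00:20.000     2.500 TCP 2001:db8::1.443 -> 2001:db8::2.50000 .AP.SF        9     4096     1
2019-09-05 19:00:25.000     0.000 TCP 2001:db8::1.443 -> 2001:db8::2.50000 ...R..        1       60     1
"""

# One record per line; the flags group is optional because the quoted output
# does not include it.  Header and summary lines simply fail to match.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<dur>\d+\.\d+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
    r"(?:(?P<flags>[UAPRSF.]{6})\s+)?"
    r"(?P<packets>\d+)\s+(?P<nbytes>\d+)\s+(?P<flows>\d+)\s*$"
)


class Record(NamedTuple):
    first_seen: datetime
    duration: float
    proto: str
    src: str
    dst: str
    flags: Optional[str]
    packets: int
    nbytes: int

    @property
    def last_seen(self) -> datetime:
        return self.first_seen + timedelta(seconds=self.duration)

    @property
    def terminated(self) -> bool:
        """True when FIN or RST was seen, i.e. the exporter had a reason to end the flow."""
        return self.flags is not None and ("F" in self.flags or "R" in self.flags)


def parse_records(text: str) -> List[Record]:
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank or summary line
        records.append(Record(
            first_seen=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            duration=float(m["dur"]),
            proto=m["proto"], src=m["src"], dst=m["dst"], flags=m["flags"],
            packets=int(m["packets"]), nbytes=int(m["nbytes"]),
        ))
    return records


def find_premature_splits(records: List[Record],
                          inactive_timeout: timedelta = INACTIVE_TIMEOUT
                          ) -> List[Tuple[Record, Record, float]]:
    """Return (previous, next, gap_seconds) for same-tuple records that restart
    before the inactive timeout could have expired the previous one, where the
    previous record shows no FIN/RST.  A negative gap means the records overlap,
    which is also a split symptom, so it is flagged too."""
    groups: Dict[Tuple[str, str, str], List[Record]] = defaultdict(list)
    for r in records:
        groups[(r.proto, r.src, r.dst)].append(r)
    findings = []
    for recs in groups.values():
        recs.sort(key=lambda r: r.first_seen)
        for prev, nxt in zip(recs, recs[1:]):
            gap = (nxt.first_seen - prev.last_seen).total_seconds()
            if gap < inactive_timeout.total_seconds() and not prev.terminated:
                findings.append((prev, nxt, gap))
    return findings


def summarize(findings: List[Tuple[Record, Record, float]]) -> Dict[Tuple[str, str, str], int]:
    """Count premature splits per (proto, src, dst) so the noisiest tuples stand out."""
    counts: Dict[Tuple[str, str, str], int] = defaultdict(int)
    for prev, _, _ in findings:
        counts[(prev.proto, prev.src, prev.dst)] += 1
    return dict(counts)


if __name__ == "__main__":
    found = find_premature_splits(parse_records(SAMPLE))
    for prev, nxt, gap in found:
        print(f"{prev.proto} {prev.src} -> {prev.dst}: {prev.packets}-packet record "
              f"restarted after {gap:.3f}s without FIN/RST")
    for key, n in summarize(found).items():
        print(f"{n} premature split(s) for {key}")
```

Run it against real output with `parse_records(open("flows.txt").read())` after dumping the same columns from nfdump; tuples that keep showing up in the summary are the ones worth examining for flowEndReason. The 2001:db8:: pair in the sample is not reported because its first record carries F in the flags column, so the split there is a legitimate termination rather than the symptom bruceg describes.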