aabc / ipt-netflow

Netflow iptables module for Linux kernel (official)
https://github.com/aabc/ipt-netflow

"bad length" UDP packets #95

Open ednagrom opened 6 years ago

ednagrom commented 6 years ago

Hi,

When watching the packets sent to my netflow collector, most packets seem too big. The packets are sent from a device using a PPP connection with an MTU set to 1460. It seems that the netflow packets try to be bigger:

15:28:51.999390 IP 192.168.0.2.38406 > 192.168.1.2.9999: UDP, bad length 1464 > 1432
15:29:04.375378 IP 192.168.0.2.38406 > 192.168.1.2.9999: UDP, bad length 1464 > 1432

When arriving on the netflow collector, the packet size is 1460, so I imagine the original packet is truncated. Can the MTU be set on the netflow module? Is this a bug?

Regards,

aabc commented 6 years ago

MTU, by its nature, is set per network device. ipt-netflow does not change packet lengths and accounts for packets as they arrive via iptables. If the reported packet size is 1460, then such a packet was delivered to the iptables target.

ednagrom commented 6 years ago

The problem is not with the packet arriving to iptables or routed by the equipment, but with the netflow packets created by ipt-netflow itself. On my packet capture, the port 9999 is used on the netflow collector side to receive the flows sent by ipt-netflow.

aabc commented 6 years ago

ipt-netflow sends its data using standard sockets; you may try to bind the exporting interface using this option: https://github.com/aabc/ipt-netflow/commit/1cf028c1bc714b2637a0440f41b0f179edd05876