search

inverse-inc / packetfence

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) solution. Boasting an impressive feature set including a captive-portal for registration and remediation, centralized wired and wireless management, powerful BYOD management options, 802.1X support, layer-2 isolation of problematic devices; PacketFence can be used to effectively secure networks small to very large heterogeneous networks.
https://packetfence.org
GNU General Public License v2.0
1.3k stars 276 forks source link

pfacct doesn't seems to handle NetFlow traffic #5716

Closed nqb closed 4 years ago

nqb commented 4 years ago

Describe the bug If I send NetFlow traffic on management IP of my PacketFence server, I didn't see anything created in bandwidth_accounting table in DB.

To Reproduce Steps to reproduce the behavior:

  1. Start fingerbank-collector (to have a process that listen on udp/2055 (NetFlow port) on all interfaces)
  2. Send NetFlow v5 traffic from a IP that match a switch on management IP of PF server using udp/2055 
    pip3 install --pre scapy[basic]
sudo scapy # mandatory to run with sudo
netflow = NetflowHeader()/NetflowHeaderV5(count=1)/NetflowRecordV5(src="10.10.10.10",dst="8.8.8.8")
pkt3 = Ether()/IP(src="192.168.1.1",dst="172.17.17.10")/UDP()/netflow
pkt3.show2()
sendp(pkt3, iface="virbr2")

    with:

    • 192.168.1.1 default switch defined in switches.conf
    • 172.17.17.10 management IP on my PF server
    • virbr2 interface to reach PF server from my laptop where scapy is installed

=> I didn't see anything in logs or in DB.

Expected behavior Have a log or a row created in DB.

Additional context Maybe nothing is handled because packet sent using scapy is not created with correct values in headers, see full packet header below:

###[ Ethernet ]### 
  dst= 52:54:00:66:8b:46
  src= 52:54:00:49:29:b4
  type= IPv4
###[ IP ]### 
     version= 4
     ihl= 5
     tos= 0x0
     len= 100
     id= 1
     flags= 
     frag= 0
     ttl= 64
     proto= udp
     chksum= 0xfbc3
     src= 192.168.1.1
     dst= 172.17.17.10
     \options\
###[ UDP ]### 
        sport= 2055
        dport= 2055
        len= 80
        chksum= 0x4612
###[ Netflow Header ]### 
           version= 5
###[ Netflow Header v5 ]### 
              count= 1
              sysUptime= 0
              unixSecs= Thu, 01 Jan 1970 00:00:00 +0000 (0)
              unixNanoSeconds= Thu, 01 Jan 1970 00:00:00 +0000 (0)
              flowSequence= 0
              engineType= 0
              engineID= 0
              samplingInterval= 0
###[ Netflow Record v5 ]### 
                 src= 10.10.10.10
                 dst= 8.8.8.8
                 nexthop= 0.0.0.0
                 input= 0
                 output= 0
                 dpkts= 1
                 dOctets= 60
                 first= 0
                 last= 0
                 srcport= 0
                 dstport= 0
                 pad1= 0
                 tcpFlags= S
                 prot= tcp
                 tos= 0
                 src_as= 0
                 dst_as= 0
                 src_mask= 0
                 dst_mask= 0
                 pad2= 0
jrouzierinverse commented 4 years ago

Netflow is used internally for inline bandwidth accounting. The NetFlow traffic for pfacct is from the NetFlow kernel module that is configured to send the traffic to localhost:2056 https://github.com/inverse-inc/packetfence/blob/devel/packetfence.modprobe . In order not to conflict with the fingerbank-collector, we listen internally to localhost:2056. This does not seem to be a bug.

nqb commented 4 years ago

Thanks for you clarification.