irino / softflowd

softflowd: A flow-based network traffic analyser capable of Cisco NetFlow data export software.
https://github.com/irino/softflowd

Softflowd pfSense package doesn't send ICMP flows #42

Open H0neyBeer opened 2 years ago

H0neyBeer commented 2 years ago

Hello, I implemented a monitoring solution with nprobe + ntopng and the softflowd package exporting flows from my pfSense. The export of logs is indeed done but I cannot see the ICMP requests.

Do you know this issue?

Thank you in advance.

mn7474 commented 2 years ago

> Hello, I implemented a monitoring solution with nprobe + ntopng and the softflowd package exporting flows from my pfSense. The export of logs is indeed done but I cannot see the ICMP requests.
>
> Do you know this issue?
>
> Thank you in advance.

I have seen this issue as well with tag softflowd-1.0.0, which is what the pfSense package appears to be using, and also with the latest Ubuntu packages on 22.04. The diagnosis I found was that the NetFlow v9 and IPFIX export template was not including the IP protocol number, so your collector would have been storing the flows with IP protocol 0 instead of IPv4 protocol 1, which is for ICMP, and IPv6 next header 58.

I compiled commit 52eab7b on Ubuntu to confirm this was the case, and then compiled the binary on FreeBSD and installed it manually on pfSense. This is now working as expected for IPFIX and NetFlow version 9 flow exports.

The diff between commit 52eab7b and the commit 9cf249eb which is tagged softflowd-1.0.0 shows the issue in ipfix.c:

 const struct IPFIX_FIELD_SPECIFIER field_icmp4[] = {
   {IPFIX_icmpTypeCodeIPv4, 2},
+  {IPFIX_protocolIdentifier, 1},
   {IPFIX_ipVersion, 1},
   {IPFIX_ipClassOfService, 1}
 };

 const struct IPFIX_FIELD_SPECIFIER field_icmp6[] = {
   {IPFIX_icmpTypeCodeIPv6, 2},
+  {IPFIX_protocolIdentifier, 1},
   {IPFIX_ipVersion, 1},
   {IPFIX_ipClassOfService, 1}
 };
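Review bot: the new `{IPFIX_protocolIdentifier, 1}` entry is placed between icmpTypeCode and ipVersion in both field_icmp4 and field_icmp6, so the record struct these templates describe (IPFIX_SOFTFLOWD_DATA_ICMP, filled in by the second hunk) must carry a one-byte protocolIdentifier member at exactly that position with no alignment padding after the two-byte icmpTypeCode; that struct change is not in this excerpt and is worth checking, because a collector decodes each record purely from the template's field order and widths. The report also covers NetFlow v9 exports, whose template definition is not shown here and needs the same field.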

and

     if (flow->protocol != IPPROTO_ICMP && flow->protocol != IPPROTO_ICMPV6) {
@@ -686,14 +721,15 @@ ipfix_flow_to_flowset (const struct FLOW *flow, u_char * packet,
     } else {
       di[i] = (struct IPFIX_SOFTFLOWD_DATA_ICMP *) &packet[offset];
       di[i]->icmpTypeCode = flow->port[i ^ 1];
+      di[i]->protocolIdentifier = flow->protocol;
       di[i]->ipClassOfService = flow->tos[i];
       di[i]->ipVersion = (flow->af == AF_INET) ? 4 : 6;
       offset += sizeof (struct IPFIX_SOFTFLOWD_DATA_ICMP);
     }
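Review bot: `di[i]->protocolIdentifier = flow->protocol;` is only reached in the else branch for IPPROTO_ICMP and IPPROTO_ICMPV6 flows, so the exported value is 1 or 58 as intended; the `offset += sizeof (struct IPFIX_SOFTFLOWD_DATA_ICMP);` that follows relies on sizeof matching the record length the template declares (5 bytes for 2+1+1+1), which breaks silently if the compiler pads the struct, so a compile-time assertion on sizeof would guard future edits to either side.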

I've only found this today and haven't really taken a closer look at the code changes between the two releases that address the issue. It was easier just to use the latest commit.

It might be helpful to tag 52eab7b as softflowd-1.0.1 or something similar so these packages will see a new version released and the distributions might have a chance of rebuilding with the fix.
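To see why the missing template field shows up as protocol 0 on the collector side, here is an added example in Python (not softflowd's code and not part of this thread): it encodes an IPFIX message carrying softflowd's ICMP template before and after the fix and feeds it to a minimal collector that, like the reporter's, defaults absent elements to 0. Assumed: template id 256 and one constructed echo-request record; the element ids are the IANA registrations for these names.

```python
import struct

# IANA IPFIX information element IDs used by softflowd's ICMP template
IE_NAMES = {4: "protocolIdentifier", 5: "ipClassOfService", 32: "icmpTypeCodeIPv4", 60: "ipVersion"}
TEMPLATE_ID = 256  # assumed template id; any value >= 256 is valid per RFC 7011

# (element id, length) lists: BEFORE mirrors softflowd-1.0.0, AFTER adds protocolIdentifier
FIELDS_BEFORE = [(32, 2), (60, 1), (5, 1)]
FIELDS_AFTER = [(32, 2), (4, 1), (60, 1), (5, 1)]

def build_message(fields, values):
    """Encode one IPFIX message: header, a template set (set id 2) and one data record."""
    tmpl = struct.pack("!HH", TEMPLATE_ID, len(fields))
    tmpl += b"".join(struct.pack("!HH", ie, ln) for ie, ln in fields)
    tmpl_set = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl
    data = b"".join(v.to_bytes(ln, "big") for (_, ln), v in zip(fields, values))
    data_set = struct.pack("!HH", TEMPLATE_ID, 4 + len(data)) + data
    body = tmpl_set + data_set
    # version 10, total length, export time, sequence number, observation domain (constructed)
    return struct.pack("!HHIII", 10, 16 + len(body), 0, 0, 0) + body

def collector_decode(msg):
    """Minimal collector: learn templates, decode data records, default absent IEs to 0."""
    version, length = struct.unpack("!HH", msg[:4])
    if version != 10 or length != len(msg):
        raise ValueError("not a well-formed IPFIX message")
    templates, records, off = {}, [], 16
    while off < len(msg):
        set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
        p, end = off + 4, off + set_len
        if set_id == 2:  # template set: remember field order and widths per template id
            while p + 4 <= end:
                tid, count = struct.unpack("!HH", msg[p:p + 4])
                templates[tid] = [struct.unpack("!HH", msg[p + 4 + 4 * i:p + 8 + 4 * i]) for i in range(count)]
                p += 4 + 4 * count
        elif set_id >= 256:  # data set described by an earlier template
            spec = templates[set_id]
            rec_len = sum(ln for _, ln in spec)
            while p + rec_len <= end:
                rec = {"protocolIdentifier": 0}  # what the reporter's collector stored
                for ie, ln in spec:
                    rec[IE_NAMES[ie]] = int.from_bytes(msg[p:p + ln], "big")
                    p += ln
                records.append(rec)
        off = end
    return records

if __name__ == "__main__":  # constructed ICMP echo request: type 8, code 0, IPv4, ToS 0
    print(collector_decode(build_message(FIELDS_BEFORE, [0x0800, 4, 0]))[0])
    print(collector_decode(build_message(FIELDS_AFTER, [0x0800, 1, 4, 0]))[0])
```

With the 1.0.0 template the decoded record never sees protocol 1, which is the symptom described above.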