pavel-odintsov / fastnetmon

FastNetMon - very fast DDoS sensor with sFlow/Netflow/IPFIX/SPAN support
https://fastnetmon.com
GNU General Public License v2.0
3.44k stars 568 forks

unpack_gre flag in sflow_plugin not working for IPv6 #1010

Open Nuyek opened 4 months ago

Nuyek commented 4 months ago

IPv6 is not unpacked correctly with the unpack_gre flag with the sflow_plugin.

Fastnetmon Version: 1.2.7
OS: Debian 12

PCAP data: https://files.nuyek.com/u/8xv86u.pcap

pavel-odintsov commented 4 months ago

Hello!

Thank you!

I can replicate the error:

2024-07-15 18:08:37,684 [DEBUG] sflow: Cannot parse nested packet using ng parser: broken_gre
2024-07-15 18:08:37,684 [DEBUG] sflow: Cannot parse nested packet using ng parser: broken_gre
2024-07-15 18:08:37,684 [DEBUG] sflow: Cannot parse nested packet using ng parser: broken_gre
2024-07-15 18:08:37,684 [DEBUG] sflow: Cannot parse nested packet using ng parser: broken_gre
2024-07-15 18:08:37,684 [DEBUG] sflow: Cannot parse nested packet using ng parser: broken_gre
2024-07-15 18:08:37,684 [DEBUG] sflow: Cannot parse nested packet using ng parser: broken_gre

pavel-odintsov commented 4 months ago

It's slightly tricky to investigate this case as it's nested deeply in the sFlow packet.

Can you capture a pcap of GRE with IPv6 inside? A few packets should be enough.

Thank you!

Nuyek commented 4 months ago

Here's the PCAP data with some GRE IPv6.

https://files.nuyek.com/u/0P6IJ8.pcap

pavel-odintsov commented 3 weeks ago

0P6IJ8(1).zip