pavel-odintsov / fastnetmon

FastNetMon - very fast DDoS sensor with sFlow/Netflow/IPFIX/SPAN support
https://fastnetmon.com
GNU General Public License v2.0

unpack_gre flag in sflow_plugin not working for IPv6 #1010

Open Nuyek opened 1 month ago

Nuyek commented 1 month ago

IPv6 is not unpacked correctly with the unpack_gre flag with the sflow_plugin.

Fastnetmon Version: 1.2.7
OS: Debian 12

PCAP data: https://files.nuyek.com/u/8xv86u.pcap

pavel-odintsov commented 1 month ago

Hello!

Thank you!

I can replicate the error:

2024-07-15 18:08:37,684 [DEBUG] sflow: Cannot parse nested packet using ng parser: broken_gre
2024-07-15 18:08:37,684 [DEBUG] sflow: Cannot parse nested packet using ng parser: broken_gre
2024-07-15 18:08:37,684 [DEBUG] sflow: Cannot parse nested packet using ng parser: broken_gre
2024-07-15 18:08:37,684 [DEBUG] sflow: Cannot parse nested packet using ng parser: broken_gre
2024-07-15 18:08:37,684 [DEBUG] sflow: Cannot parse nested packet using ng parser: broken_gre
2024-07-15 18:08:37,684 [DEBUG] sflow: Cannot parse nested packet using ng parser: broken_gre

pavel-odintsov commented 1 month ago

It's slightly tricky to investigate this case as it's nested deeply in the sFlow packet.

Can you capture a pcap of GRE with IPv6 inside? A few packets should be enough.

Thank you!

Nuyek commented 1 month ago

Here's the PCAP data with some GRE IPv6.

https://files.nuyek.com/u/0P6IJ8.pcap