phaag / nfdump

Netflow processing tools

nfdump -B not swapping consistently #215

Closed pstimmons closed 4 years ago

pstimmons commented 4 years ago

While analyzing tcp/22 inbound traffic I noticed that the -B option doesn't always swap those flows. Here is an example:

```
[root@nuc ~]# nfdump -R /var/log/netflow/2020/03/31 -a -O tstart "proto tcp and host 96.20.87.66" | egrep ':(22|1194) ' | head -20
2020-03-31 17:43:41.326 INVALID  Ignore TCP        96.20.87.66:22 ->    222.186.30.35:29995          0.0.0.0:0     -> 0.0.0.0:0         2173        0
2020-03-31 17:43:41.326 INVALID  Ignore TCP      222.186.30.35:29995 ->      96.20.87.66:22             0.0.0.0:0     -> 0.0.0.0:0         1911        0
2020-03-31 17:46:16.956 INVALID  Ignore TCP        96.20.87.66:22 ->   222.186.30.218:22150          0.0.0.0:0     -> 0.0.0.0:0         2173        0
2020-03-31 17:46:16.956 INVALID  Ignore TCP     222.186.30.218:22150 ->      96.20.87.66:22             0.0.0.0:0     -> 0.0.0.0:0         1911        0
2020-03-31 17:48:58.647 INVALID  Ignore TCP        96.20.87.66:22 ->   222.186.30.218:40613          0.0.0.0:0     -> 0.0.0.0:0         2173        0
2020-03-31 17:48:58.647 INVALID  Ignore TCP     222.186.30.218:40613 ->      96.20.87.66:22             0.0.0.0:0     -> 0.0.0.0:0         1911        0
2020-03-31 17:51:36.309 INVALID  Ignore TCP        96.20.87.66:22 ->    222.186.30.35:10579          0.0.0.0:0     -> 0.0.0.0:0         2173        0
2020-03-31 17:51:36.309 INVALID  Ignore TCP      222.186.30.35:10579 ->      96.20.87.66:22             0.0.0.0:0     -> 0.0.0.0:0         1911        0
2020-03-31 17:54:11.585 INVALID  Ignore TCP        96.20.87.66:22 ->   222.186.30.218:31101          0.0.0.0:0     -> 0.0.0.0:0         2173        0
2020-03-31 17:54:11.585 INVALID  Ignore TCP     222.186.30.218:31101 ->      96.20.87.66:22             0.0.0.0:0     -> 0.0.0.0:0         1963        0
2020-03-31 17:56:48.015 INVALID  Ignore TCP     222.186.42.137:44916 ->      96.20.87.66:22             0.0.0.0:0     -> 0.0.0.0:0         1911        0
2020-03-31 17:56:48.015 INVALID  Ignore TCP        96.20.87.66:22 ->   222.186.42.137:44916          0.0.0.0:0     -> 0.0.0.0:0         2173        0
2020-03-31 17:59:11.861 INVALID  Ignore TCP        96.20.87.66:22 ->    222.186.52.39:49117          0.0.0.0:0     -> 0.0.0.0:0         2173        0
2020-03-31 17:59:11.861 INVALID  Ignore TCP      222.186.52.39:49117 ->      96.20.87.66:22             0.0.0.0:0     -> 0.0.0.0:0         1911        0
2020-03-31 18:01:40.728 INVALID  Ignore TCP        96.20.87.66:22 ->   198.108.66.104:56392          0.0.0.0:0     -> 0.0.0.0:0           44        0
2020-03-31 18:01:40.728 INVALID  Ignore TCP     198.108.66.104:56392 ->      96.20.87.66:22             0.0.0.0:0     -> 0.0.0.0:0           80        0
2020-03-31 18:01:41.244 INVALID  Ignore TCP      198.108.66.96:34624 ->      96.20.87.66:22             0.0.0.0:0     -> 0.0.0.0:0         1304        0
2020-03-31 18:01:41.244 INVALID  Ignore TCP        96.20.87.66:22 ->    198.108.66.96:34624          0.0.0.0:0     -> 0.0.0.0:0         1773        0
2020-03-31 18:01:45.110 INVALID  Ignore TCP        96.20.87.66:22 ->    222.186.42.75:45674          0.0.0.0:0     -> 0.0.0.0:0         2173        0
2020-03-31 18:01:45.110 INVALID  Ignore TCP      222.186.42.75:45674 ->      96.20.87.66:22             0.0.0.0:0     -> 0.0.0.0:0         1911        0

[root@nuc ~]# nfdump -R /var/log/netflow/2020/03/31 -B -O tstart "proto tcp and host 96.20.87.66" | egrep ':(22|1194) ' | head -10
2020-03-31 17:43:41.326 2.210 TCP 96.20.87.66:22 <-> 222.186.30.35:29995 14 12 1911 2173 2
2020-03-31 17:46:16.956 1.937 TCP 96.20.87.66:22 <-> 222.186.30.218:22150 14 12 1911 2173 2
2020-03-31 17:48:58.647 1.924 TCP 96.20.87.66:22 <-> 222.186.30.218:40613 14 12 1911 2173 2
2020-03-31 17:51:36.309 2.084 TCP 96.20.87.66:22 <-> 222.186.30.35:10579 14 12 1911 2173 2
2020-03-31 17:54:11.585 1.930 TCP 96.20.87.66:22 <-> 222.186.30.218:31101 15 12 1963 2173 2
2020-03-31 17:56:48.015 2.092 TCP 96.20.87.66:22 <-> 222.186.42.137:44916 14 12 1911 2173 2
2020-03-31 17:59:11.861 1.839 TCP 96.20.87.66:22 <-> 222.186.52.39:49117 14 12 1911 2173 2
2020-03-31 18:01:40.728 0.039 TCP 198.108.66.104:56392 <-> 96.20.87.66:22 1 2 44 80 2
2020-03-31 18:01:41.244 5.080 TCP 198.108.66.96:34624 <-> 96.20.87.66:22 8 9 1773 1304 2
2020-03-31 18:01:45.110 2.062 TCP 96.20.87.66:22 <-> 222.186.42.75:45674 14 12 1911 2173 2
[root@nuc ~]#
```

I think the following code is responsible for not swapping some of the flows:

In nfstat.c, function PrintFlowTable there is:

```c
                            if ( GuessDir && 
                               ( flow_record->prot == IPPROTO_TCP || flow_record->prot == IPPROTO_UDP) &&
                               ( flow_record->srcport < 1024 ) && ( flow_record->dstport >= 1024 ) &&
                               ( flow_record->srcport < 32768 ) && ( flow_record->dstport >= 32768 ) &&
                               ( flow_record->srcport < 49152 ) && ( flow_record->dstport >= 49152 ))
                                    SwapFlow(flow_record);
```

Shouldn't it be?

```c
                            if ( GuessDir && 
                               ( flow_record->prot == IPPROTO_TCP || flow_record->prot == IPPROTO_UDP) &&
                               ((flow_record->srcport < 1024 ) && ( flow_record->dstport >= 1024 ) ||
                               ( flow_record->srcport < 32768 ) && ( flow_record->dstport >= 32768 ) ||
                               ( flow_record->srcport < 49152 ) && ( flow_record->dstport >= 49152 )))
                                    SwapFlow(flow_record);
```

Unless there is some significance with port 32768 (2^15) and 49152 that I'm not aware of ?

pstimmons commented 4 years ago

```
[root@nuc ~]# cat /etc/centos-release
CentOS Linux release 8.1.1911 (Core)
[root@nuc ~]# rpm -qi nfdump
Name        : nfdump
Version     : 1.6.19
Release     : 1.el8
Architecture: x86_64
Install Date: Wed 18 Mar 2020 05:02:53 AM EDT
Group       : Unspecified
Size        : 813446
License     : BSD and GPLv2+
Signature   : RSA/SHA256, Fri 28 Feb 2020 07:25:02 PM EST, Key ID 21ea45ab2f86d6a1
Source RPM  : nfdump-1.6.19-1.el8.src.rpm
Build Date  : Fri 28 Feb 2020 07:14:36 PM EST
Build Host  : buildvm-19.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : https://github.com/phaag/nfdump
Bug URL     : https://bugz.fedoraproject.org/nfdump
Summary     : NetFlow collecting and processing tools
Description :
Nfdump is a set of tools to collect and process NetFlow data. It's fast and has a powerful filter pcap like syntax. It supports NetFlow versions v1, v5, v7, v9 and IPFIX as well as a limited set of sflow. It includes support for CISCO ASA (NSEL) and CISCO NAT (NEL) devices which export event logging records as v9 flows. Nfdump is fully IPv6 compatible.
[root@nuc ~]#
```

phaag commented 4 years ago

Thanks! - you are right!

phaag commented 4 years ago

Fixed in current master

pstimmons commented 4 years ago

I reviewed the code today and there seems to be the same defective code in PrintSortedFlowcache() in nfstat.c

    if ( GuessFlowDirection && 
       ( flow_record->prot == IPPROTO_TCP || flow_record->prot == IPPROTO_UDP) &&
       ( flow_record->srcport < 1024 ) && ( flow_record->dstport >= 1024 ) &&
       ( flow_record->srcport < 32768 ) && ( flow_record->dstport >= 32768 ) &&
       ( flow_record->srcport < 49152 ) && ( flow_record->dstport >= 49152 ))
        SwapFlow(flow_record);

I guess it should be modified too.

phaag commented 4 years ago

Sure! you are right!

phaag commented 4 years ago

Fixed in 994cc18
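The two conditions quoted in this thread (the original one from PrintFlowTable and the identical one in PrintSortedFlowcache, and the OR-ed replacement) can be checked side by side without building nfdump. The C below is an added example written for this page, not code from nfdump: `flow_t` is a constructed stand-in for the few record fields the guess reads, and `guess_dir_old`, `guess_dir_new`, `apply_guess`, `count_swaps` and `guess_on` are names chosen here. The sample port pairs are the server-side records from the issue's `-a` listing (source port 22, destination port = the peer's ephemeral port). Because `srcport < 1024` already implies `srcport < 32768` and `srcport < 49152`, the AND-ed original collapses to `srcport < 1024 && dstport >= 49152`, which is why only the peer on port 56392 ever triggered a swap.

```c
#include <stdint.h>
#include <stdio.h>
#include <netinet/in.h>   /* IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ICMP */

/* Constructed stand-in for the record fields the direction guess reads.
 * This is NOT nfdump's master_record_t layout. */
typedef struct {
    uint8_t  prot;
    uint16_t srcport;
    uint16_t dstport;
} flow_t;

/* Condition as it stood in nfstat.c before the fix: all three
 * (src < boundary && dst >= boundary) pairs AND-ed together.
 * Equivalent to: srcport < 1024 && dstport >= 49152. */
int guess_dir_old(const flow_t *f) {
    return (f->prot == IPPROTO_TCP || f->prot == IPPROTO_UDP) &&
           (f->srcport < 1024  && f->dstport >= 1024)  &&
           (f->srcport < 32768 && f->dstport >= 32768) &&
           (f->srcport < 49152 && f->dstport >= 49152);
}

/* OR-ed form proposed in the issue: swap when srcport and dstport fall
 * on opposite sides of any one of the three boundaries. */
int guess_dir_new(const flow_t *f) {
    return (f->prot == IPPROTO_TCP || f->prot == IPPROTO_UDP) &&
           ((f->srcport < 1024  && f->dstport >= 1024)  ||
            (f->srcport < 32768 && f->dstport >= 32768) ||
            (f->srcport < 49152 && f->dstport >= 49152));
}

/* Apply a rule to one record: swap the ports in place if it fires and
 * report whether a swap happened (mirrors the SwapFlow() call site). */
int apply_guess(flow_t *f, int (*rule)(const flow_t *)) {
    if (!rule(f)) return 0;
    uint16_t tmp = f->srcport;
    f->srcport = f->dstport;
    f->dstport = tmp;
    return 1;
}

/* How many records in a list a rule would swap (copies, input untouched). */
int count_swaps(const flow_t *flows, int n, int (*rule)(const flow_t *)) {
    int swapped = 0;
    for (int i = 0; i < n; i++) {
        flow_t copy = flows[i];
        swapped += apply_guess(&copy, rule);
    }
    return swapped;
}

/* Evaluate a rule on an ad-hoc (proto, sport, dport) triple. */
int guess_on(uint8_t prot, uint16_t sport, uint16_t dport,
             int (*rule)(const flow_t *)) {
    flow_t f = { prot, sport, dport };
    return rule(&f);
}

/* Server-side port pairs taken from the issue's -a listing. */
static const flow_t samples[] = {
    { IPPROTO_TCP, 22, 29995 },  /* peer 222.186.30.35          */
    { IPPROTO_TCP, 22, 22150 },  /* peer 222.186.30.218         */
    { IPPROTO_TCP, 22, 49117 },  /* >= 32768 but < 49152        */
    { IPPROTO_TCP, 22, 56392 },  /* >= 49152: the only old hit  */
    { IPPROTO_TCP, 22, 34624 },  /* peer 198.108.66.96          */
};
#define NSAMPLES ((int)(sizeof samples / sizeof samples[0]))

int main(void) {
    for (int i = 0; i < NSAMPLES; i++) {
        flow_t a = samples[i], b = samples[i];
        printf("%5u -> %5u  old:%s  new:%s\n",
               (unsigned)samples[i].srcport, (unsigned)samples[i].dstport,
               apply_guess(&a, guess_dir_old) ? "swap" : "keep",
               apply_guess(&b, guess_dir_new) ? "swap" : "keep");
    }
    printf("old rule swaps %d of %d, new rule swaps %d of %d\n",
           count_swaps(samples, NSAMPLES, guess_dir_old), NSAMPLES,
           count_swaps(samples, NSAMPLES, guess_dir_new), NSAMPLES);
    return 0;
}
```

Two caveats when reading `-B` output after the fix. First, the guess is purely port-based: when both ports sit below 1024, or both are ephemeral, neither form swaps, so direction is whatever the exporter or aggregation happened to emit first. Second, the fixed rule can be steered by a peer that chooses its source port: a scan sent from a privileged source port (nmap's `-g`/`--source-port` does exactly this) against a high target port satisfies `srcport < 1024 && dstport >= 1024`, so the scanner/target pair is flipped and the scanned host is reported as the client. Treat `-B`'s client/server assignment as a hint and confirm with TCP flags or the exporter's own direction field when it matters for an investigation.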