kern/96296: netgraph netflow module sends random data header fields.
daved at tamu.edu
Tue Apr 25 02:40:19 UTC 2006
>Synopsis: netgraph netflow module sends random data header fields.
>Arrival-Date: Tue Apr 25 02:40:15 GMT 2006
>Originator: David Duchscher
>Release: FreeBSD 6.1-RC
Texas A&M University
FreeBSD dns1.net.tamu.edu 6.1-RC FreeBSD 6.1-RC #1: Mon Apr 24 20:52:10 CDT 2006 root at dns1.net.tamu.edu:/data/usr/obj/data/usr/src/sys/CUSTOM i386
The netgraph netflow module does not fill in the engine type, engine id, or pad fields in the netflow version 5 packet header. This means that random data is sent in these fields. It also seems that that padding has meaning now to some netflow clients. Ethereal shows it as Sampling Mode and Sampling Rate. This random data may cause some tools to report numbers that wrong. In my case, flow-tools showed flows being loss when none really were.
Set up netgraph netflow to localhost and capture the flow with flow-tools. Use flow-header to see that lost flows are reported.
Doesn't seem to be a good to send random data in packet fields so here is a patch that zeroes the engine type, engine id, and padding.
--- /sys/netgraph/netflow/netflow.c.orig Sat Jan 21 04:09:18 2006
+++ /sys/netgraph/netflow/netflow.c Mon Apr 24 21:29:53 2006
@@ -621,6 +621,9 @@
header->unix_secs = htonl(ts.tv_sec);
header->unix_nsecs = htonl(ts.tv_nsec);
+ header->engine_type = 0;
+ header->engine_id = 0;
+ header->pad = 0;
header->flow_seq = htonl(atomic_fetchadd_32(&priv->flow_seq,
header->count = htons(header->count);
More information about the freebsd-bugs