[ovs-discuss] Bug in NetFlow Flags

Ring, Markus markus.ring at hs-coburg.de
Fri Sep 2 14:03:00 UTC 2016


Dear openvswitch team,

my name is Markus and I am working on a research project regarding network security.
We use an OpenStack-based testing environment to record Netflow-data of virtual machines.
The environment delivers the netflow-data via ovs-vsctl 2.0.2.

Our problem is the following:

If we establish e.g. ssh or ftp-connections between two hosts within the
virtual network, we only get SYN-Flags in about 1 of a thousand records.
However, other TCP-Flags like ACK, RST or FIN are available.
Simultaneous capturing with wireshark on the hosts shows that the tcp-connections get established as expected and TCP-SYN-Flags can be seen.

Is it possible that there is a bug in the class "ovs/ofproto/netflow.c"?
The TCP-flags are stored in the structure "netflow_flow". The datatype of the variable tcp_flags is uint16_t.

If I read the source code correctly, new NetFlows are generated in the function "static void gen_netflow_rec(...)".
The flags for the first packet are saved in line 162: nf_rec->tcp_flags = (uint8_t) nf_flow->tcp_flags;
Here, the TCP Flags are interpreted as uint8_t instead of uint16_t. However, the flags SYN, RST, etc. use the lower flag values.
When new packets arrive, they are merged in the function "void netflow_flow_update(...)". Here the TCP-Flags are merged with the bit-operator OR.
Consequently, I think all TCP-Flags from the first packet get lost. Is this possible?


Thanks a lot
Regards
Markus
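The following is an added example, not code from the post or from Open vSwitch, that models the bookkeeping the post describes so a reader can check which flag bits survive it: a flow accumulator whose tcp_flags is a uint16_t, an update step that merges new packets with bitwise OR, and an export step that narrows the field to the 8-bit tcp_flags a NetFlow v5 record carries. The struct and function names (demo_flow, demo_flow_update, demo_gen_record, demo_flags_dropped_by_cast) are assumptions chosen for this example; the flag bit values are the standard TCP header ones.

```c
#include <stdint.h>
#include <stdio.h>

/* Standard TCP header flag bits. NS (RFC 3540) is the only one above bit 7. */
#define TCP_FIN 0x001
#define TCP_SYN 0x002
#define TCP_RST 0x004
#define TCP_PSH 0x008
#define TCP_ACK 0x010
#define TCP_URG 0x020
#define TCP_ECE 0x040
#define TCP_CWR 0x080
#define TCP_NS  0x100

/* Hypothetical per-flow accumulator: flags are kept in a 16-bit field,
 * as the post says netflow_flow does. */
struct demo_flow {
    uint16_t tcp_flags;
    uint64_t packet_count;
};

/* Hypothetical exported record: NetFlow v5 stores tcp_flags in one octet. */
struct demo_record {
    uint8_t  tcp_flags;
    uint64_t packet_count;
};

/* First packet of a flow: the accumulator starts with that packet's flags. */
void demo_flow_init(struct demo_flow *f, uint16_t first_pkt_flags)
{
    f->tcp_flags = first_pkt_flags;
    f->packet_count = 1;
}

/* Every later packet is merged with OR, so a flag seen once stays set
 * for the lifetime of the flow; nothing already set can be cleared here. */
void demo_flow_update(struct demo_flow *f, uint16_t pkt_flags)
{
    f->tcp_flags |= pkt_flags;
    f->packet_count++;
}

/* Export step: the narrowing cast keeps bits 0-7 and discards bit 8 and up. */
struct demo_record demo_gen_record(const struct demo_flow *f)
{
    struct demo_record r;
    r.tcp_flags = (uint8_t) f->tcp_flags;
    r.packet_count = f->packet_count;
    return r;
}

/* Returns the accumulated flag bits that the uint8_t cast would drop. */
uint16_t demo_flags_dropped_by_cast(uint16_t flags)
{
    return (uint16_t) (flags & ~(uint16_t) 0xff);
}

int main(void)
{
    /* Constructed packet sequence for one side of a TCP handshake and teardown. */
    const uint16_t pkts[] = {
        TCP_SYN, TCP_SYN | TCP_ACK, TCP_ACK, TCP_PSH | TCP_ACK, TCP_FIN | TCP_ACK
    };
    struct demo_flow f;
    demo_flow_init(&f, pkts[0]);
    for (size_t i = 1; i < sizeof pkts / sizeof pkts[0]; i++) {
        demo_flow_update(&f, pkts[i]);
    }
    struct demo_record r = demo_gen_record(&f);
    printf("accumulated flags 0x%03x, exported flags 0x%02x, SYN exported: %s\n",
           f.tcp_flags, r.tcp_flags, (r.tcp_flags & TCP_SYN) ? "yes" : "no");
    printf("bits lost by the cast: 0x%03x\n",
           demo_flags_dropped_by_cast(f.tcp_flags | TCP_NS));
    return 0;
}
```

Running this with the constructed handshake shows which of the accumulated bits reach the 8-bit record; when comparing exported records against a packet capture, it is worth checking separately whether the SYN packet was counted into the flow at all, since the OR merge cannot remove a flag that was ever accumulated.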

