This queue is for tickets about the Net-Flow CPAN distribution.

Report information
The Basics
Id: 84381
Status: resolved
Priority: 0/
Queue: Net-Flow

People
Owner: ACFEREN [...] cpan.org
Requestors: james_r-bug-net-flow [...] jump.org.uk
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Net::Flow - version 9 templates need to be per observation domain
Date: Tue, 2 Apr 2013 17:52:09 +0100 (BST)
To: bug-Net-Flow [...] rt.cpan.org
From: "James A. T. Rice" <james_r-bug-net-flow [...] jump.org.uk>
Hiya,

With Net-Flow-1.001 I've hit a problem where decoding flows caused errors:

    'x' outside of string in unpack at /usr/local/share/perl/5.14.2/Net/Flow.pm line 1175.

Investigation found that the two netflow exporters on the same Cisco device (one exports hardware switched flows, one cpu switched flows), were using the same template ID (257), but with different template contents:

One source template - template 257 has 22 fields:

    0009 ver
    0019 sets
    2fe5f058 ms
    515a5bd3 time_t
    02fa5cbb seq
    00000201 sourceid
    0000 00b8
    0101 0016 template 257 22 fields
    00150004001600040001000400020004000a0002000e000200080004000c0004000400010005000100070002000b00020030000100330001000f0004000d00010009000100060001003d0001001100020012000400100002

Other source template - template 257 has 24 fields:

    0009 ver
    0011 sets
    2fe5ff4c ms
    515a5bd7 time_t
    00041934 seq
    00000000 sourceid
    0000 0068
    0101 0018 template 257 24 fields
    00150004001600040001000400020004000a0002000e000200080004000c0004000400010005000100070002000b00020030000100330001000f0004000d00010009000100060001003d00010020000200580002001100020012000400100002

When the longer template was the most recently received, Net::Flow would try to read beyond the end of subsequent flow records for flows with that template ID as it was expecting longer records.

I believe this is a bug; the following is from RFC 3954:

"A NetFlow Collector that receives Export Packets from several Observation Domains from the same Exporter MUST be aware that the uniqueness of the Template ID is not guaranteed across Observation Domains."

"Note that the Observation Domain is identified by the Source ID field from the Export Packet."

"Template IDs are unique per Exporter and per Observation Domain."

Net::Flow does not appear to currently take any components of the Observation Domain, such as the Source ID, into account.

Many Thanks
James Rice

Hi James,

Any chance of getting a script and/or packet capture that shows the problem?

Thanks,
-Andrew

I'm afraid my long delayed resolution is going to be unsatisfying. For the current version of Net::Flow, managing templates per flow stream is left to the user. I just don't see any way to fix it in the module that doesn't involve API changes.

As a consolation prize I've pushed a new version of the module. The examples now include the user code needed to fix this problem. (example script attached)

I've also added a new Constants package which includes details for all known standard information elements. Generated from http://www.iana.org/assignments/ipfix/ipfix.xml
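
The template collision reported in this ticket, as an added example: it is not part of the ticket, not the example script attached to it, and not Net::Flow code. It is a stand-alone Python parser for NetFlow v9 template flowsets that keys its cache by (exporter, Source ID, template ID) and, for comparison, by template ID alone. The function names, the exporter address 192.0.2.1 and the zeroed header counters are assumptions; only the field specifiers and the two Source IDs come from the dumps above.

```python
import struct

# Field specifiers (type, length) from the two template 257 dumps in the report;
# the dumps share their first 19 fields and last 3, the second adds two in between.
COMMON = bytes.fromhex(
    "00150004 00160004 00010004 00020004 000a0002 000e0002 00080004 000c0004 00040001 00050001"
    "00070002 000b0002 00300001 00330001 000f0004 000d0001 00090001 00060001 003d0001")
TAIL = bytes.fromhex("00110002 00120004 00100002")
FIELDS_22 = COMMON + TAIL
FIELDS_24 = COMMON + bytes.fromhex("00200002 00580002") + TAIL

def build_template_packet(source_id, template_id, fields):
    """Constructed v9 export packet holding one template flowset (counters zeroed)."""
    flowset = struct.pack("!HHHH", 0, 8 + len(fields), template_id, len(fields) // 4) + fields
    return struct.pack("!HHIIII", 9, 1, 0, 0, 0, source_id) + flowset

def parse_templates(packet):
    """Return (source_id, {template_id: [(type, length), ...]}) for a v9 packet."""
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack_from("!HHIIII", packet)
    if version != 9:
        raise ValueError("not NetFlow v9")
    templates, off = {}, 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("flowset length runs past packet")
        pos, end = off + 4, off + fs_len
        while fs_id == 0 and pos + 4 <= end:  # flowset ID 0 carries templates
            tid, n = struct.unpack_from("!HH", packet, pos)
            if tid < 256 or pos + 4 + 4 * n > end:
                break  # padding or truncated template record
            templates[tid] = [struct.unpack_from("!HH", packet, pos + 4 + 4 * i) for i in range(n)]
            pos += 4 + 4 * n
        off += fs_len
    return source_id, templates

def learn(cache, exporter, packet, per_domain=True):
    """Store templates keyed by (exporter, Source ID, template ID), or by ID only."""
    source_id, templates = parse_templates(packet)
    for tid, fields in templates.items():
        cache[(exporter, source_id, tid) if per_domain else tid] = fields

def record_lengths(per_domain):
    """Learn both dumps from one exporter; return expected record length per Source ID."""
    cache, exporter = {}, "192.0.2.1"  # constructed exporter address (assumption)
    for sid, fields in ((0x201, FIELDS_22), (0x0, FIELDS_24)):
        learn(cache, exporter, build_template_packet(sid, 257, fields), per_domain)
    return {sid: sum(n for _t, n in cache[(exporter, sid, 257) if per_domain else 257])
            for sid in (0x201, 0x0)}
```

With the 22-field template learned first and the 24-field one most recently, `record_lengths(True)` gives 52 bytes for Source ID 0x201 and 56 for Source ID 0, while `record_lengths(False)` gives 56 for both, so a 52-byte record from Source ID 0x201 would be read 4 bytes past its end.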