Comments (8)
Submitted by guy_harris
What happens with V6 traces if you remove that field? If
that field is in V6, wouldn't that cause every record after
the first, in a V6 trace, not to print correctly?
If so (as I suspect is the case), the solution is NOT to
remove that field, it's to have the loop variable be a
"const u_char *", advance it by the appropriate size based
on the NetFlow version, and cast it to "const nfrec *" and
use that pointer.
from tcpdump.
Submitted by danuvius
This would indeed break the code for v6. Also, this part is currently only working for netflow v6 traces. I added the following line to the end of the line:
if (ver == 5) nr = (struct nfrec *) ((struct in_addr *)nr - 1);
With this "fix", traces of netflow v5 and v6 can now be analyzed. (Only tested on netflow v6 data; I assume that it did work already for version 6.) Furthermore, it can't be used to analyze netflow v1/v8 and v9 (they have completely different headers).
from tcpdump.
Well, looks okay to me. I can test it if anyone can get me a few v5/v6 PCAPs.
I have a bunch of private v9 PCAPs, but like Guy mentioned their headers are nowhere close to that of v5/v6.
from tcpdump.
Requested on tcpdump-workers.
from tcpdump.
@hdnivara I have got a capture here, but it's not really intended to become public, although it's fine if you use it for some tests. Could I send it to you over some private channel?
from tcpdump.
@qnet-herwin sent his private PCAP to me and tcpdump fails to decode anything after the 1st record, as expected.
Also, there is another bug in the existing code: it doesn't go over all the records.
It fails in the for loop condition at https://github.com/the-tcpdump-group/tcpdump/blob/master/print-cnfp.c#L121 when nr is checked for end of packet.
I couldn't understand why we have (nr + 1) <= ndo->ndo_snapend, which seems to be redundant as we are checking for nrecs-- anyway.
So, I applied the following changes and now it decodes all the v5 records in each packet properly. I'll send in the patch shortly.
$ git diff
diff --git a/print-cnfp.c b/print-cnfp.c
index 07c940c..21d39be 100644
--- a/print-cnfp.c
+++ b/print-cnfp.c
@@ -118,7 +118,7 @@ cnfp_print(netdissect_options *ndo,
ND_PRINT((ndo, "%2u recs", nrecs));
- for (; nrecs-- && (const u_char *)(nr + 1) <= ndo->ndo_snapend; nr++) {
+ for (; nrecs--; nr++) {
char buf[20];
char asbuf[20];
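Review bot: dropping `(const u_char *)(nr + 1) <= ndo->ndo_snapend` from the loop condition removes the only bounds check this loop has, and `nrecs` is not a substitute for it: `nrecs` is the record count read from the packet header (the value printed as `"%2u recs"` just above the loop), so a capture truncated by the snaplen, or a crafted header that claims more records than the packet carries, sends the `EXTRACT_32BITS(&nr->...)` reads in the body past the end of the captured data. Keep a per-record length check here, either the original comparison against `ndo_snapend` or an `ND_TCHECK(*nr)` at the top of the body, so the dissector reports `[|cnfp]` instead of reading beyond the snapshot.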
@@ -183,5 +183,10 @@ cnfp_print(netdissect_options *ndo,
EXTRACT_32BITS(&nr->proto_tos) & 0xff,
EXTRACT_32BITS(&nr->packets),
EXTRACT_32BITS(&nr->octets), buf));
+
+ /* Exclude nh peer data for v5 as it doesn't apply for v5. */
+ if (5 == ver)
+ nr = (struct nfrec *) ((struct in_addr *) nr - 1);
+
}
}
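Review bot: the `nr = (struct nfrec *) ((struct in_addr *) nr - 1);` adjustment at the end of the body depends on two layout facts the code never states: that a v5 record is exactly one `in_addr` shorter than `struct nfrec`, and that the only v6 field missing from v5 is the trailing peer next hop that the comment refers to. After the adjustment, the `nr++` in the for header still advances by `sizeof(struct nfrec)`, so `nr` is being used as a byte cursor while typed as a record pointer, and a v5 record is still printed through the v6 struct; if the body prints the peer field for every record, for a v5 record that field is the first four bytes of the next record, and for the last v5 record in a packet it is four bytes beyond the packet (which the removed snapend check in the previous hunk would at least have caught). Make the stride explicit instead: a `const u_char *` cursor advanced by a per-version record length, or separate v5 and v6 structs each with their own print routine, and decide per version what to print before the record is printed rather than patching the pointer afterwards.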
from tcpdump.
Redone according to
with separate structures and separate dissection routines for v1, v5, and v6. Those routines all use ND_TCHECK() to do bounds checking, so they'll report "[|cnfp]" if they go past the snaplen.
Try using the current top-of-trunk code (from bpf.tcpdump.org; I think the fix will get propagated to the github repository within a day or so).
from tcpdump.
For history: these were commits 9ed7ddb and 7af5959. The issue looks fully resolved, closing.
from tcpdump.
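As an added example (not tcpdump's code and not the patch above), the approach guy_harris suggested earlier in the thread, written as a small stand-alone walker: a byte cursor advanced by a per-version record length, with a per-record check against the snapshot end before any field is read, which is what the removed `(nr + 1) <= ndo->ndo_snapend` comparison was doing and what `ND_TCHECK()` does in the rewritten dissector. The header and record lengths (24, 48 and 52 bytes) and the field offsets are the standard NetFlow v5/v6 export layouts and are assumed here rather than taken from the page; the v6 record differs from v5 by the two trailing pad bytes becoming encapsulation bytes plus a 4-byte peer next hop, which is the one `in_addr` the patch steps back over. The sample packets are constructed inline, including one whose header claims more records than the capture contains, the case in which trusting `nrecs` alone reads past the end of the packet.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed wire layouts (standard NetFlow v5/v6 export format): a 24-byte
 * header for both versions, 48-byte v5 records and 52-byte v6 records. */
enum { NF_HDR_LEN = 24, NF_V5_REC_LEN = 48, NF_V6_REC_LEN = 52, NF_MAX_RECS = 30 };

struct nf_flow {
    uint32_t src, dst, nhop, packets, octets, peer_nhop;
    uint16_t sport, dport;
    uint8_t proto, has_peer;
};

struct walk_result { int n; int truncated; uint32_t last_src; uint32_t last_peer; };

static uint16_t get16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put16(unsigned char *p, uint16_t v) { p[0] = (unsigned char)(v >> 8); p[1] = (unsigned char)v; }
static void put32(unsigned char *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }

/* Record stride for a header version; 0 means "not a version we dissect". */
static size_t nf_rec_len(unsigned ver) {
    return ver == 5 ? NF_V5_REC_LEN : ver == 6 ? NF_V6_REC_LEN : 0;
}

/* Walk one export packet held in [bp, snapend). Returns the number of complete
 * records decoded, or -1 for an unsupported version. *truncated is set when the
 * header's record count promises more bytes than the capture holds. */
static int cnfp_walk(const unsigned char *bp, const unsigned char *snapend,
                     struct nf_flow *out, size_t max_out, int *truncated) {
    *truncated = 0;
    if (snapend - bp < NF_HDR_LEN) { *truncated = 1; return 0; }
    unsigned ver = get16(bp);
    unsigned nrecs = get16(bp + 2);              /* from the wire: never trusted */
    size_t reclen = nf_rec_len(ver);
    if (reclen == 0) return -1;
    const unsigned char *cur = bp + NF_HDR_LEN;  /* byte cursor, per-version stride */
    int n = 0;
    while (nrecs > 0 && (size_t)n < max_out) {
        if ((size_t)(snapend - cur) < reclen) { *truncated = 1; break; } /* ND_TCHECK analogue */
        struct nf_flow *f = &out[n++];
        f->src = get32(cur);          f->dst = get32(cur + 4);   f->nhop = get32(cur + 8);
        f->packets = get32(cur + 16); f->octets = get32(cur + 20);
        f->sport = get16(cur + 32);   f->dport = get16(cur + 34);
        f->proto = cur[38];
        f->has_peer = (ver == 6);                /* peer next hop exists only in v6 */
        f->peer_nhop = f->has_peer ? get32(cur + 48) : 0;
        cur += reclen;
        nrecs--;
    }
    return n;
}

/* Constructed sample export packet (not a real capture): the header claims
 * `count` records but only `present` are written, all TCP/443 flows. */
static size_t build_packet(unsigned char *buf, unsigned ver, unsigned count, unsigned present) {
    size_t reclen = nf_rec_len(ver);
    memset(buf, 0, NF_HDR_LEN + present * reclen);
    put16(buf, (uint16_t)ver);
    put16(buf + 2, (uint16_t)count);
    for (unsigned i = 0; reclen != 0 && i < present; i++) {
        unsigned char *r = buf + NF_HDR_LEN + i * reclen;
        put32(r, 0x0A000001u + i);                 /* src 10.0.0.1 + i */
        put32(r + 4, 0xC0A80001u);                 /* dst 192.168.0.1 */
        put32(r + 16, 100u + i);                   /* packets */
        put32(r + 20, 6400u + i);                  /* octets */
        put16(r + 32, (uint16_t)(40000u + i));
        put16(r + 34, 443);
        r[38] = 6;                                 /* proto TCP */
        if (ver == 6) put32(r + 48, 0xAC100001u);  /* peer next hop 172.16.0.1 */
    }
    return NF_HDR_LEN + present * reclen;
}

/* Build a packet, drop `cut` trailing bytes to mimic a short snaplen, walk it. */
static struct walk_result run_case(unsigned ver, unsigned count, unsigned present, size_t cut) {
    unsigned char pkt[NF_HDR_LEN + NF_MAX_RECS * NF_V6_REC_LEN];
    struct nf_flow flows[NF_MAX_RECS];
    struct walk_result r = {0, 0, 0, 0};
    size_t len = build_packet(pkt, ver, count, present);
    r.n = cnfp_walk(pkt, pkt + len - cut, flows, NF_MAX_RECS, &r.truncated);
    if (r.n > 0) { r.last_src = flows[r.n - 1].src; r.last_peer = flows[r.n - 1].peer_nhop; }
    return r;
}

int main(void) {
    struct walk_result r = run_case(5, 3, 2, 0);  /* header says 3, only 2 on the wire */
    printf("v5: %d records decoded, truncated=%d\n", r.n, r.truncated);
    r = run_case(6, 2, 2, 0);
    printf("v6: %d records decoded, last peer next hop 0x%08x\n", r.n, (unsigned)r.last_peer);
    return 0;
}
```

A v6 packet cut four bytes short is reported as truncated rather than decoded with a peer next hop read from beyond the capture, and a v5 packet is never touched through the v6 layout, because the version picks the stride and the field set before the first record is read.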