ipt-netflow
Seeing single-packet IPv6 flows
I'm testing ipt-netflow 2.4 on Debian Jessie, with the 3.16.0-10-586 kernel. It seems to be working, but examining the exported records shows some inefficiencies. When dumping the records with nfdump, there seem to be a lot of single packet flows, even when the traffic obviously should not have been expired. For example:
Date first seen Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2019-09-05 19:00:09.376 0.000 TCP 2a03:2880:f027:13:face:b00c:0:2.443 -> 2001:470:1f2f:13e:757b:8274:774c:fc9.54676 1 104 1
2019-09-05 19:00:09.376 0.000 TCP 2a03:2880:f027:13:face:b00c:0:2.443 -> 2001:470:1f2f:13e:757b:8274:774c:fc9.54676 1 357 1
2019-09-05 19:00:09.344 0.000 TCP 2a03:2880:f027:13:face:b00c:0:2.443 -> 2001:470:1f2f:13e:757b:8274:774c:fc9.54676 1 107 1
2019-09-05 19:00:12.220 0.000 TCP 2607:c300:11:2::6:152.2200 -> 2001:470:1f2f:13e:5302:3589:e3a8:6228.54586 1 108 1
2019-09-05 19:00:12.312 0.000 TCP 2607:c300:11:2::6:152.2200 -> 2001:470:1f2f:13e:5302:3589:e3a8:6228.54586 1 72 1
2019-09-05 19:00:12.348 0.000 TCP 2607:c300:11:2::6:152.2200 -> 2001:470:1f2f:13e:5302:3589:e3a8:6228.54586 1 132 1
This is not happening for all IPv6 flows, so I am confused about what might be causing it. The above records show up sequentially in the data.
The configuration is mostly the defaults:
# sysctl net.netflow
net.netflow.active_timeout = 1800
net.netflow.debug = 0
net.netflow.destination = [REDACTED]:12345
net.netflow.flush = 0
net.netflow.hashsize = 63117
net.netflow.inactive_timeout = 60
net.netflow.maxflows = 2000000
net.netflow.natevents = 0
net.netflow.protocol = 10
net.netflow.refresh-rate = 20
net.netflow.scan-min = 1
net.netflow.sndbuf = 163840
net.netflow.timeout-rate = 30
Is this a bug or expected behavior I am not understanding?
There is a flowEndReason option you can examine for single-packet flows. If its value is 1, it means the flow was terminated by FIN or RST; if it's 3, it was terminated by inactive timeout; 2, inactive timeout. Also, you may look at tcp_flags to see if there are FIN or RST flags.
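As an added example (not code from this thread or from the ipt-netflow project), here is a Python script that applies the two checks from the answer to exported records: it decodes tcp_flags to look for FIN/RST, reads flowEndReason, and then flags runs of single-packet records for the same 5-tuple that arrived within the inactive_timeout (60 s in the sysctl output above) although the earlier record carried no FIN/RST, which is the pattern that should have been merged into one flow. The CSV layout, the flag bytes and the end-reason values in the sample are constructed for illustration; the flowEndReason names are taken from the IANA IPFIX registry (information element 136).

```python
"""Check single-packet flow records against flowEndReason and TCP flags.

Added example; not part of ipt-netflow or of the original thread.
Input is a constructed, simplified CSV export (one record per line):
first_seen,duration,proto,src,dst,packets,bytes,tcp_flags,flow_end_reason
tcp_flags is the raw TCP flag byte, flow_end_reason the IPFIX IE 136 value.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# TCP flag bits as laid out in the TCP header.
TCP_FLAG_BITS = {
    0x01: "FIN", 0x02: "SYN", 0x04: "RST",
    0x08: "PSH", 0x10: "ACK", 0x20: "URG",
}

# flowEndReason values from the IANA IPFIX registry (IE 136).
FLOW_END_REASON = {
    1: "idle timeout",
    2: "active timeout",
    3: "end of flow detected",
    4: "forced end",
    5: "lack of resources",
}

# Constructed sample modelled on the nfdump lines in the question; the
# flag bytes and end reasons are invented, not taken from a real export.
SAMPLE_CSV = """\
first_seen,duration,proto,src,dst,packets,bytes,tcp_flags,flow_end_reason
2019-09-05 19:00:09.344,0.000,TCP,[2a03:2880:f027:13:face:b00c:0:2]:443,[2001:470:1f2f:13e:757b:8274:774c:fc9]:54676,1,107,0x18,2
2019-09-05 19:00:09.376,0.000,TCP,[2a03:2880:f027:13:face:b00c:0:2]:443,[2001:470:1f2f:13e:757b:8274:774c:fc9]:54676,1,104,0x18,2
2019-09-05 19:00:09.376,0.000,TCP,[2a03:2880:f027:13:face:b00c:0:2]:443,[2001:470:1f2f:13e:757b:8274:774c:fc9]:54676,1,357,0x18,2
2019-09-05 19:00:12.220,0.000,TCP,[2607:c300:11:2::6:152]:2200,[2001:470:1f2f:13e:5302:3589:e3a8:6228]:54586,1,108,0x11,3
2019-09-05 19:01:30.000,0.000,TCP,[2607:c300:11:2::6:152]:2200,[2001:470:1f2f:13e:5302:3589:e3a8:6228]:54586,1,72,0x10,1
"""


def parse_records(text):
    """Parse the simplified CSV into a list of dicts with typed fields."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "first_seen": datetime.strptime(row["first_seen"], "%Y-%m-%d %H:%M:%S.%f"),
            "duration": float(row["duration"]),
            "proto": row["proto"],
            "src": row["src"],
            "dst": row["dst"],
            "packets": int(row["packets"]),
            "bytes": int(row["bytes"]),
            "tcp_flags": int(row["tcp_flags"], 16),
            "flow_end_reason": int(row["flow_end_reason"]),
        })
    return records


def decode_tcp_flags(bits):
    """Return the set of flag names present in a raw TCP flag byte."""
    return {name for bit, name in TCP_FLAG_BITS.items() if bits & bit}


def is_expected_single_packet(rec):
    """A lone packet is expected when the flow was torn down (FIN/RST on the
    wire, or flowEndReason 3) or when it simply went idle (flowEndReason 1)."""
    flags = decode_tcp_flags(rec["tcp_flags"])
    return bool({"FIN", "RST"} & flags) or rec["flow_end_reason"] in (1, 3)


def find_suspicious_splits(records, inactive_timeout=60):
    """Find consecutive single-packet records for one 5-tuple that arrived
    within inactive_timeout seconds of each other while the earlier record
    carried no FIN/RST: packets that should have been one flow."""
    by_key = defaultdict(list)
    for rec in records:
        by_key[(rec["proto"], rec["src"], rec["dst"])].append(rec)
    splits = []
    for key, recs in by_key.items():
        recs.sort(key=lambda r: r["first_seen"])
        for prev, cur in zip(recs, recs[1:]):
            if prev["packets"] != 1 or cur["packets"] != 1:
                continue
            if {"FIN", "RST"} & decode_tcp_flags(prev["tcp_flags"]):
                continue
            gap = (cur["first_seen"] - prev["first_seen"]).total_seconds()
            if gap < inactive_timeout:
                splits.append({"key": key, "gap": gap,
                               "end_reason": FLOW_END_REASON.get(prev["flow_end_reason"], "unknown")})
    return splits


if __name__ == "__main__":
    recs = parse_records(SAMPLE_CSV)
    for r in recs:
        flags = ",".join(sorted(decode_tcp_flags(r["tcp_flags"]))) or "-"
        reason = FLOW_END_REASON.get(r["flow_end_reason"], "unknown")
        print(f"{r['first_seen']} {r['src']} -> {r['dst']} flags={flags} "
              f"end={reason} expected={is_expected_single_packet(r)}")
    for s in find_suspicious_splits(recs, inactive_timeout=60):
        print(f"suspicious split: {s['key']} gap={s['gap']:.3f}s prev ended by {s['end_reason']}")
```

Records that are neither FIN/RST-terminated nor idle-timed-out, yet follow each other on the same 5-tuple well inside the inactive timeout, are the ones worth raising in a bug report; the inactive_timeout argument should be set to whatever net.netflow.inactive_timeout is on the exporting host.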