goflow2 icon indicating copy to clipboard operation
goflow2 copied to clipboard
verified publisher icon netsampler

fix: get pod ips from TCP protocol in ip-ip encapsulation

Open Ishmeet opened this issue 2 years ago • 3 comments

Added a check if this IPv4 header represents IPIP protocol encapsulation. If so, then set srcIP and dstIP from next IPv4 header representing TCP protocol. So we can get pod IPs instead of host IPs.

Ishmeet avatar Nov 05 '23 07:11 Ishmeet

Hi @Ishmeet, Thank you for the contribution! Need to double check that a truncated packet does not raise a panic

Have you tried also with custom mapping? I'm not super fond of replacing with the content of the encapsulation

lspgn avatar Nov 06 '23 01:11 lspgn

Hi @Ishmeet, Thank you for the contribution! Need to double check that a truncated packet does not raise a panic

Have you tried also with custom mapping? I'm not super fond of replacing with the content of the encapsulation

Hi there @lspgn,

I tried custom mappings, (the below one). It parses src/dest ips from the inner ipv4 header. But when there is no encapsulation in sflow packet, then it parses some random values. For my use case, I want to have src/dest ips from inner ipv4 if IPIP encapsulation exists otherwise if encapsulation not exist then I require ips from the outer ipv4 header.

{
  "flow_config": {
    "sflow": {
      "mapping": [
        {
          "layer": 4,
          "offset": 96,
          "length": 32,
          "destination": "CustomInteger1"
        },
        {
          "layer": 4,
          "offset": 128,
          "length": 32,
          "destination": "CustomInteger2"
        }
      ]
    }
  },
  "name_map": {
    "CustomIPv41": "IP Foo",
    "CustomIPv42": "IP Bar"
  }
}

Ishmeet avatar Nov 06 '23 15:11 Ishmeet

Are you able to use the v2? The following PR adds the ability to decode IPIP with custom mapping https://github.com/netsampler/goflow2/pull/235 One of the change in the custom mapping is the conditional decoding where you can specify ipip for instance

For my use case, I want to have src/dest ips from inner ipv4 if IPIP encapsulation exists otherwise if encapsulation not exist then I require ips from the outer ipv4 header.

Unfortunately that would break other people's implementation. I'll see if I can update the code.

lspgn avatar Nov 07 '23 03:11 lspgn

@Ishmeet I made a refactor in #342. You should be able to decode IPIP with the following YAML mapping:

formatter:
  fields:
    # inner ipip
    - inner_src_addr
    - inner_dst_addr
  key:
    - sampler_address
  protobuf:
    # inner ipip
    - name: inner_src_addr
      index: 160
      type: string
    - name: inner_dst_addr
      index: 161
      type: string
  render:
    inner_src_addr: ip
    inner_dst_addr: ip
sflow:
  mapping:
    # src/dst addresses
    - layer: "ipv4"
      encap: true
      offset: 96
      length: 32
      destination: inner_src_addr
    - layer: "ipv4"
      encap: true
      offset: 128
      length: 32
      destination: inner_dst_addr

Feel free to re-open if you have more questions or issues.

lspgn avatar Aug 18 '24 00:08 lspgn