
Netflow v9 is broken on Router OS v7.12

Open pavel-odintsov opened this issue 1 year ago • 9 comments

Hello!

We received a Netflow v9 pcap dump from a customer with Router OS v7.12, which clearly has significant issues with Netflow:

ros_is_buggy

We've retrieved many packets with an artificially large length, which just cannot exist in a network:

1048559
1234160
1470213
1472913
1545919

Example flows:

xx:60422 > cc:22 protocol: tcp flags: ack frag: 0  packets: 1472913 size: 2007342028 bytes ip size: 2007342028 bytes ttl: 0 sample ratio: 1001 agent: cc  
xx:60419 > cc:22 protocol: tcp flags: ack frag: 0  packets: 1470213 size: 2003095092 bytes ip size: 2003095092 bytes ttl: 0 sample ratio: 1001 agent: cc  
xx:60420 > cc:22 protocol: tcp flags: ack frag: 0  packets: 1048559 size: 1494004676 bytes ip size: 1494004676 bytes ttl: 0 sample ratio: 1001 agent: cc  
xx:60420 > cc:22 protocol: tcp flags: ack frag: 0  packets: 1234160 size: 1681949520 bytes ip size: 1681949520 bytes ttl: 0 sample ratio: 1001 agent: cc
xx:926   > cc:2049 protocol: tcp flags: ack frag: 0  packets: 1545919 size: 2318830496 bytes ip size: 2318830496 bytes ttl: 0 sample ratio: 1001 agent: cc

We're not aware of any possible workarounds for it. Please reach [email protected] directly and report this issue to them.

pavel-odintsov avatar Jan 15 '24 11:01 pavel-odintsov

Mikrotik is one of the last vendors which use 32-bit counters for both packet and byte counters in Netflow: image

Considering the availability of 100G models from them, it may be wise to move to 64-bit counters.

pavel-odintsov avatar Jan 15 '24 14:01 pavel-odintsov

We may suspect an integer overflow, but from a random look at the numbers I do not think that it's the case:

Screenshot from 2024-01-15 14-15-13 Screenshot from 2024-01-15 14-15-22

pavel-odintsov avatar Jan 15 '24 14:01 pavel-odintsov
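
Added example (not part of the issue thread and not FastNetMon code): a Python script that parses the flow lines quoted in the first comment, checks each record's counters against the unsigned 32-bit limit and its mean bytes per packet, and computes how long a byte counter of a given width lasts at a given line rate. The function names and the regular expression are assumptions made for this example; the flow lines are copied from the issue.

```python
import re

# Flow lines copied from the issue's "Example flows" dump (addresses are redacted there).
FLOWS = """\
xx:60422 > cc:22 protocol: tcp flags: ack frag: 0  packets: 1472913 size: 2007342028 bytes ip size: 2007342028 bytes ttl: 0 sample ratio: 1001 agent: cc
xx:60419 > cc:22 protocol: tcp flags: ack frag: 0  packets: 1470213 size: 2003095092 bytes ip size: 2003095092 bytes ttl: 0 sample ratio: 1001 agent: cc
xx:60420 > cc:22 protocol: tcp flags: ack frag: 0  packets: 1048559 size: 1494004676 bytes ip size: 1494004676 bytes ttl: 0 sample ratio: 1001 agent: cc
xx:60420 > cc:22 protocol: tcp flags: ack frag: 0  packets: 1234160 size: 1681949520 bytes ip size: 1681949520 bytes ttl: 0 sample ratio: 1001 agent: cc
xx:926   > cc:2049 protocol: tcp flags: ack frag: 0  packets: 1545919 size: 2318830496 bytes ip size: 2318830496 bytes ttl: 0 sample ratio: 1001 agent: cc
"""

# Hypothetical pattern for this print format; not taken from FastNetMon's source.
FLOW_RE = re.compile(r"packets: (\d+) size: (\d+) bytes .*sample ratio: (\d+)")
U32_MAX = 2**32 - 1

def parse_flow(line):
    """Extract the counters from one flow print line, or None if it does not match."""
    m = FLOW_RE.search(line)
    if m is None:
        return None
    packets, size, ratio = map(int, m.groups())
    return {"packets": packets, "bytes": size, "sample_ratio": ratio}

def check_flow(flow):
    """Does the record fit 32-bit fields, and what is its mean packet size?"""
    per_packet = flow["bytes"] / flow["packets"] if flow["packets"] else 0.0
    return {
        "fits_u32": flow["packets"] <= U32_MAX and flow["bytes"] <= U32_MAX,
        "bytes_per_packet": per_packet,
    }

def wrap_seconds(line_rate_bps, counter_bits=32):
    """Seconds of line-rate traffic before a byte counter of this width wraps."""
    return (2**counter_bits * 8) / line_rate_bps

def reported_value(true_value, counter_bits=32):
    """Value a counter of this width would carry for a larger true value."""
    return true_value % 2**counter_bits

def analyse(text=FLOWS):
    """Parse every matching line and attach the check results to it."""
    flows = [f for f in map(parse_flow, text.splitlines()) if f]
    return [dict(f, **check_flow(f)) for f in flows]

if __name__ == "__main__":
    for row in analyse():
        print(row)
    for rate in (1e9, 10e9, 100e9):
        print(f"{rate / 1e9:.0f}G: 32-bit byte counter wraps after {wrap_seconds(rate):.2f} s")
```
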

The customer confirmed that the issue still exists with Mikrotik 7.13.1 on CCR1072.

pavel-odintsov avatar Jan 15 '24 15:01 pavel-odintsov

Another customer confirmed that Netflow v5 works fine as a workaround.

pavel-odintsov avatar Jan 15 '24 15:01 pavel-odintsov

Affected devices include: CCR1072 (Telegram report), CCR2004 (Zendesk).

pavel-odintsov avatar Jan 16 '24 14:01 pavel-odintsov

In 7.14 beta 8 Mikrotik finally moved to 64-bit counters: https://forum.mikrotik.com/viewtopic.php?p=1052645#p1052645

pavel-odintsov avatar Jan 29 '24 23:01 pavel-odintsov

Nice work, Pavel! I am sure your commentary will have helped push them in the right direction.

AndrewThrift avatar Feb 01 '24 10:02 AndrewThrift

I hope so! I would be very happy to have direct contact with Mikrotik, but even that way it worked fine.

pavel-odintsov avatar Feb 01 '24 11:02 pavel-odintsov

64-bit counters are here: https://mikrotik.com/download/changelogs

pavel-odintsov avatar Feb 29 '24 15:02 pavel-odintsov