
Unsupported data link type 239 (NFLOG)

Open maltere opened this issue 2 years ago • 3 comments

Hello all :-)

I already have a collection of network captures from an NFLOG interface. I was planning to convert these pcaps into NetFlows using nfdump and store them in CSV format. However, it seems nfdump does not support the NFLOG data link type at the moment.

cmd: nfpcapd -r nflog-100.pcap -l output

output:

Add extension: 2 byte input/output interface index
Add extension: 4 byte input/output interface index
Add extension: 2 byte src/dst AS number
Add extension: 4 byte src/dst AS number
Add extension: dst tos, direction, src/dst mask
Add extension: IPv4 next hop
Add extension: IPv6 next hop
Add extension: IPv4 BGP next IP
Add extension: IPv6 BGP next IP
Add extension: src/dst vlan id
Add extension: 4 byte output packets
Add extension: 8 byte output packets
Add extension: 4 byte output bytes
Add extension: 8 byte output bytes
Add extension: 4 byte aggregated flows
Add extension: 8 byte aggregated flows
Add extension: in src/out dst mac address
Add extension: in dst/out src mac address
Add extension: MPLS Labels
Add extension: IPv4 router IP addr
Add extension: IPv6 router IP addr
Add extension: router ID
Add extension: BGP adjacent prev/next AS
Add extension: time packet received
Add extension: NSEL Common block
Add extension: NSEL xlate ports
Add extension: NSEL xlate IPv4 addr
Add extension: NSEL xlate IPv6 addr
Add extension: NSEL ACL ingress/egress acl ID
Add extension: NSEL username
Add extension: NSEL max username
Add extension: nprobe/nfpcapd latency
Add extension: NEL Common block
Add extension: Compat NEL IPv4
Add extension: NAT Port Block Allocation
Unsupported data link type 239

During my research I stumbled upon this related issue, which fixes the problem for another data link type: https://github.com/phaag/nfdump/issues/169

Is this issue related, and how could it be resolved? The workaround from https://github.com/phaag/nfdump/issues/169#issuecomment-947808076 also does not seem to work with NFLOG interfaces.

I would appreciate any help.

System Information

Running Fedora 35 nfdump-1.6.23-2.fc35.src.rpm

maltere, Oct 08 '22 13:10

I investigated further and compiled version ecb8d6bbb6ab3ce52438c0c7c28b15aabc2d8a1f (v1.7.0.1).

configured with ./configure --enable-nfpcapd

cmd: nfpcapd -r nflog-100.pcap -w output

output:

Unsupported data link type 239
Setup failed. Exit

Did not solve the NFLOG problem.

maltere, Oct 08 '22 15:10

The fix of #169 seems to be changing the offset:

https://github.com/phaag/nfdump/blob/cc8680e9772dcd3873d08f950110ed20d1e20904/src/nfpcapd/packet_pcap.c#L165-L170

With NFLOG, a fix is not as easy, as the header size is variable (see LINKTYPE_NFLOG).

maltere, Oct 09 '22 11:10
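To illustrate why the offset trick from #169 does not carry over to link type 239, here is an added example (not nfdump's code) that walks the LINKTYPE_NFLOG pseudo-header: a fixed 4-byte prefix followed by 4-byte-aligned TLVs, where the packet itself sits in the TLV of type NFULA_PAYLOAD (9) at a position that depends on which other TLVs the kernel emitted. It assumes the TLV length/type fields were written little-endian (an x86 capture host), and the sample frame is constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

#define NFLOG_HDR_LEN 4          /* family(1), version(1), resource id(2) */
#define NFULA_PAYLOAD 9          /* TLV type carrying the captured packet */

/* Locate the L3 packet inside a LINKTYPE_NFLOG (239) frame.
 * Returns the byte offset of the payload and stores its length in *plen,
 * or -1 if no payload TLV is found or the frame is truncated/malformed.
 * Assumption: TLV length/type are little-endian (x86 writer); libpcap
 * byte-swaps these on read when the file magic says otherwise. */
int nflog_payload_offset(const uint8_t *buf, size_t caplen, size_t *plen) {
    size_t off = NFLOG_HDR_LEN;
    if (caplen < NFLOG_HDR_LEN) return -1;
    while (off + 4 <= caplen) {
        uint16_t tlv_len  = (uint16_t)(buf[off]     | (buf[off + 1] << 8));
        uint16_t tlv_type = (uint16_t)(buf[off + 2] | (buf[off + 3] << 8));
        if (tlv_len < 4) return -1;             /* would never advance */
        if (off + tlv_len > caplen) return -1;  /* TLV runs past capture */
        if (tlv_type == NFULA_PAYLOAD) {
            *plen = tlv_len - 4;                /* length includes 4-byte TLV header */
            return (int)(off + 4);
        }
        off += (size_t)((tlv_len + 3) & ~3u);   /* TLVs are 4-byte aligned */
    }
    return -1;
}

/* Constructed sample frame: AF_INET, resource id 100, then four TLVs
 * (packet header, mark, prefix "fw", payload = minimal IPv4 header). */
const uint8_t sample_nflog_frame[] = {
    0x02, 0x00, 0x00, 0x64,                         /* family, ver, rid */
    0x08, 0x00, 0x01, 0x00, 0x08, 0x00, 0x01, 0x00, /* NFULA_PACKET_HDR */
    0x08, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x2a, /* NFULA_MARK       */
    0x07, 0x00, 0x0a, 0x00, 'f',  'w',  0x00, 0x00, /* NFULA_PREFIX+pad */
    0x18, 0x00, 0x09, 0x00,                         /* NFULA_PAYLOAD    */
    0x45, 0x00, 0x00, 0x14, 0x00, 0x01, 0x00, 0x00, /* IPv4 header ...  */
    0x40, 0x11, 0x00, 0x00, 192, 0, 2, 1, 198, 51, 100, 7
};
const size_t sample_nflog_frame_len = sizeof(sample_nflog_frame);
```

For the sample frame the payload starts at offset 32 with length 20; a capture snapped at 40 bytes, or a TLV with length 0, is rejected instead of being mis-decoded.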

Could you provide me with such a NFLOG type pcap? Please send it to the email in the AUTHORS file.

phaag, Oct 11 '22 05:10

@phaag I will try to send you a pcap file containing NFLOG by the end of this week.

My current workaround is preprocessing the pcap files and manually "faking" link type 113.

maltere, Oct 18 '22 09:10

Any update on providing a pcap? It would be most appreciated.

phaag, Nov 18 '22 19:11

Yes, sorry! Haven't forgotten about this, but I have a deadline approaching. Will try to squeeze this in this weekend.

maltere, Nov 18 '22 22:11

Pls check the master repo for a first implementation.

phaag, Dec 02 '22 14:12

Any feedback, if it's working?

phaag, Dec 18 '22 13:12