Netflow v9 is broken on Router OS v7.12 #1000

Open
pavel-odintsov opened this issue Jan 15, 2024 · 9 comments

Comments

@pavel-odintsov
Owner

Hello!

We received a Netflow v9 pcap dump from a customer with Router OS v7.12, which clearly has significant issues with Netflow:

[image: ros_is_buggy]

We've retrieved many packets with an artificially large length which just cannot exist in a network:

1048559
1234160
1470213
1472913
1545919

Example flows:

xx:60422 > cc:22 protocol: tcp flags: ack frag: 0  packets: 1472913 size: 2007342028 bytes ip size: 2007342028 bytes ttl: 0 sample ratio: 1001 agent: cc  
xx:60419 > cc:22 protocol: tcp flags: ack frag: 0  packets: 1470213 size: 2003095092 bytes ip size: 2003095092 bytes ttl: 0 sample ratio: 1001 agent: cc  
xx:60420 > cc:22 protocol: tcp flags: ack frag: 0  packets: 1048559 size: 1494004676 bytes ip size: 1494004676 bytes ttl: 0 sample ratio: 1001 agent: cc  
xx:60420 > cc:22 protocol: tcp flags: ack frag: 0  packets: 1234160 size: 1681949520 bytes ip size: 1681949520 bytes ttl: 0 sample ratio: 1001 agent: cc
xx:926   > cc:2049 protocol: tcp flags: ack frag: 0  packets: 1545919 size: 2318830496 bytes ip size: 2318830496 bytes ttl: 0 sample ratio: 1001 agent: cc

We're not aware of any possible workarounds for it. Please reach support@mikrotik.com directly and report this issue to them.

@pavel-odintsov
Owner Author

Mikrotik is one of the last vendors which use 32-bit counters for both packet and byte counters in Netflow:
[image]

Considering the availability of 100G models from them, it may be wise to move to 64-bit counters.
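
An added example, not part of the original thread or of FastNetMon's code: a minimal parser for NetFlow v9 template FlowSets (RFC 3954) that reports the width an exporter declares for IN_BYTES and IN_PKTS, so 32-bit counters like those mentioned above can be spotted in a capture. The sample packet is constructed, and all function names are assumptions of this example.

```python
import struct

# Counter field types from RFC 3954 (NetFlow v9); their length is set per template.
COUNTER_FIELDS = {1: "IN_BYTES", 2: "IN_PKTS"}

def counter_widths(packet: bytes) -> dict:
    """Return {(template_id, field_name): width_in_bits} for one export packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte NetFlow v9 header")
    version = struct.unpack_from("!H", packet, 0)[0]
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    widths, offset = {}, 20
    while offset + 4 <= len(packet):
        flowset_id, flowset_len = struct.unpack_from("!HH", packet, offset)
        end = offset + flowset_len
        if flowset_len < 4 or end > len(packet):
            raise ValueError("malformed FlowSet length")
        pos = offset + 4
        while flowset_id == 0 and pos + 4 <= end:  # FlowSet ID 0 = templates
            template_id, field_count = struct.unpack_from("!HH", packet, pos)
            pos += 4
            if template_id < 256 or pos + 4 * field_count > end:
                break  # trailing padding or a truncated template record
            for _ in range(field_count):
                ftype, flen = struct.unpack_from("!HH", packet, pos)
                pos += 4
                if ftype in COUNTER_FIELDS:
                    widths[(template_id, COUNTER_FIELDS[ftype])] = flen * 8
        offset = end
    return widths

def narrow_counters(packet: bytes) -> list:
    """Counters declared narrower than 64 bits, sorted for stable output."""
    return sorted(k for k, bits in counter_widths(packet).items() if bits < 64)

def build_sample(template_id: int, counter_len: int) -> bytes:
    """Constructed export packet with one template; not taken from the pcap in this issue."""
    fields = [(8, 4), (12, 4), (2, counter_len), (1, counter_len)]  # src, dst, pkts, bytes
    record = struct.pack("!HH", template_id, len(fields))
    record += b"".join(struct.pack("!HH", t, n) for t, n in fields)
    flowset = struct.pack("!HH", 0, 4 + len(record)) + record
    return struct.pack("!HHIIII", 9, 1, 0, 0, 0, 0) + flowset

if __name__ == "__main__":
    print(narrow_counters(build_sample(256, 4)))
```
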

@pavel-odintsov
Owner Author

We may suspect an integer overflow, but from a random look at the numbers I do not think that it's the case:

[image: Screenshot from 2024-01-15 14-15-13]
[image: Screenshot from 2024-01-15 14-15-22]

@pavel-odintsov
Owner Author

pavel-odintsov commented Jan 15, 2024

Customer confirmed that the issue still exists with Mikrotik 7.13.1 on CCR1072

@pavel-odintsov
Owner Author

Another customer confirmed that Netflow v5 works fine as a workaround.

@pavel-odintsov
Owner Author

Affected devices include: CCR1072 (Telegram report), CCR2004 (Zendesk).

@pavel-odintsov
Owner Author

In 7.14 beta 8 Mikrotik finally moved to 64-bit counters: https://forum.mikrotik.com/viewtopic.php?p=1052645#p1052645

@AndrewThrift

AndrewThrift commented Feb 1, 2024

Nice work, Pavel! I am sure your commentary will have helped push them in the right direction.

@pavel-odintsov
Owner Author

I hope so! I would be very happy to have direct contact with Mikrotik, but even that way it worked fine.

@pavel-odintsov
Owner Author

64-bit counters are here: https://mikrotik.com/download/changelogs
