NXOS v8.0.1 data flowset padding > 3bytes #56

Closed
oreggin opened this issue Mar 1, 2017 · 1 comment

oreggin commented Mar 1, 2017

Hi,

We have some Nexus7700 boxes, and after upgrading to NXOS v8.0.1, nfcapd began flooding syslog and soon the log partition gets full.
Logs:
Jan 27 10:24:39 hotdog nfcapd[2711]: Process_v9: Corrupt data flowset? Pad bytes: 24
Jan 27 10:24:39 hotdog nfcapd[2711]: Process_v9: Corrupt data flowset? Pad bytes: 24
Jan 27 10:24:39 hotdog nfcapd[2711]: Process_v9: Corrupt data flowset? Pad bytes: 24
Jan 27 10:24:39 hotdog nfcapd[2711]: Process_v9: Corrupt data flowset? Pad bytes: 36
Jan 27 10:24:39 hotdog nfcapd[2711]: Process_v9: Corrupt data flowset? Pad bytes: 24
Jan 27 10:24:39 hotdog nfcapd[2711]: Process_v9: Corrupt data flowset? Pad bytes: 24
Jan 27 10:24:40 hotdog nfcapd[2711]: Process_v9: Corrupt data flowset? Pad bytes: 24
Jan 27 10:24:40 hotdog nfcapd[2711]: Process_v9: Corrupt data flowset? Pad bytes: 24
Jan 27 10:24:40 hotdog nfcapd[2711]: Process_v9: Corrupt data flowset? Pad bytes: 24
Jan 27 10:24:40 hotdog nfcapd[2711]: Process_v9: Corrupt data flowset? Pad bytes: 24
Jan 27 10:24:40 hotdog nfcapd[2711]: Process_v9: Corrupt data flowset? Pad bytes: 24
Jan 27 10:24:40 hotdog nfcapd[2711]: Process_v9: Corrupt data flowset? Pad bytes: 24
Jan 27 10:24:40 hotdog nfcapd[2711]: Process_v9: Corrupt data flowset? Pad bytes: 24
Jan 27 10:24:40 hotdog nfcapd[2711]: Process_v9: Corrupt data flowset? Pad bytes: 24
Jan 27 10:24:40 hotdog nfcapd[2711]: Process_v9: Corrupt data flowset? Pad bytes: 24
Jan 27 10:24:40 hotdog nfcapd[2711]: Process_v9: Corrupt data flowset? Pad bytes: 24
Jan 27 10:24:40 hotdog nfcapd[2711]: Process_v9: Corrupt data flowset? Pad bytes: 24

In RFC3954 there is no explicit padding size limit:

5.3. Data FlowSet Format
Padding
The Exporter SHOULD insert some padding bytes so that the
subsequent FlowSet starts at a 4-byte aligned boundary. It is
important to note that the Length field includes the padding
bytes. Padding SHOULD be using zeros.
strange-netflow-with-template.cap.zip

Does it break the RFC?
Does nfcapd interpret the data flowset incorrectly?

Thanks in advance.
Tibor

Owner

phaag commented Nov 5, 2017

Actually it breaks the specs, CISCO issued:

Padding | Padding should be inserted to align the end of the FlowSet on a 32 bit boundary. Pay attention that the Length field will include those padding bits.

If there is a newer NetFlow Version 9 Flow-Record Format definition, let me know.
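
The padding check discussed in this thread, as an added example that is not nfdump's code and not part of either comment: it measures the bytes left after the last whole record of a Data FlowSet, flags more than 3 of them, and throttles the resulting warning so it cannot flood syslog. It assumes fixed-length records whose size (`record_len`) is already known from the template; all names are hypothetical and the sample FlowSet is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    size_t records;   /* whole records found in the FlowSet */
    size_t pad_bytes; /* bytes left over after the last whole record */
    int pad_zero;     /* 1 if every leftover byte is zero */
    int pad_ok;       /* 1 if 0..3 bytes are left, all that 4-byte alignment needs */
} flowset_check;

/* Check the tail of one NetFlow v9 Data FlowSet.
 * fs:         start of the FlowSet header (FlowSet ID, Length; 16 bits each, big endian)
 * avail:      bytes remaining in the export packet from fs onward
 * record_len: fixed record size from the matching template (assumed already known)
 * Returns 0 and fills *out, or -1 if the Length field cannot be trusted. */
int check_data_flowset(const uint8_t *fs, size_t avail, size_t record_len,
                       flowset_check *out) {
    if (fs == NULL || out == NULL || avail < 4 || record_len == 0) return -1;
    size_t length = ((size_t)fs[2] << 8) | fs[3];
    if (length < 4 || length > avail) return -1; /* never read past the packet */
    size_t payload = length - 4;                 /* Length includes the header */
    out->records = payload / record_len;
    out->pad_bytes = payload % record_len;
    out->pad_zero = 1;
    for (size_t i = length - out->pad_bytes; i < length; i++)
        if (fs[i] != 0) out->pad_zero = 0;
    out->pad_ok = out->pad_bytes <= 3;
    return 0;
}

/* Throttle a repeated warning: report occurrences 1, 2, 4, 8, ... only, so one
 * exporter sending oversized padding cannot fill the log partition. */
int should_log(uint64_t *seen) {
    uint64_t n = ++(*seen);
    return (n & (n - 1)) == 0;
}

int main(void) {
    /* Constructed sample: Length 108 = 4 header + 2 records of 40 + 24 zero bytes. */
    uint8_t fs[108] = {0x01, 0x04, 0x00, 0x6c};
    flowset_check r;
    uint64_t seen = 0;
    if (check_data_flowset(fs, sizeof fs, 40, &r) == 0 && !r.pad_ok && should_log(&seen))
        printf("records=%zu pad=%zu zero=%d\n", r.records, r.pad_bytes, r.pad_zero);
    return 0;
}
```

The counter passed to `should_log` would be kept per exporter, so a single noisy device does not suppress warnings about others.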
