Hello,
softflowd 1.1.0 on OpenWRT 24.10. Sending IPFIX to pmacct receiver. softflowd is recording traffic from a bridged interface.
The ingress/egress direction bit doesn't line up with the actual traffic, making it difficult to determine originator & responder addresses, especially on TCP flows.
Studying the flows ... it is sorting by address. The lower mathematical source address of the flow is considered the 'ingress' side and the higher the 'egress' side. It applies for both IPv4 and IPv6.
softflowd should be recording the actual source & destination and providing it for IPFIX.
EDIT: Found the sorter for IPv6. It's using memcmp to set the index of the array of two addresses that it's going to put the address into. The index becomes the direction bit later.
softflowd/softflowd.c, line 441 in 0260261:

```c
memcmp (&ip6->ip6_src, &ip6->ip6_dst, sizeof (ip6->ip6_src)) > 0 ? 1 : 0;
```
The IPv4 one is here:
softflowd/softflowd.c, line 414 in 0260261:

```c
*ndx = memcmp (&ip->ip_src, &ip->ip_dst, sizeof (ip->ip_src)) > 0 ? 1 : 0;
```
It should trust the pcap source/destinations. But I think there is impact to the flow tree layout if these move around (lots of mentions of "canonical format" in that area).
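The behaviour described in the issue, as an added example that is not part of the original post and not softflowd's code: a simplified, hypothetical `flow_key` struct is filled using the quoted `memcmp` comparison, while a separate `originator_ndx` field (an assumption, not a softflowd field) shows one way to keep the canonical layout and still record which slot held the first packet's source. The addresses are constructed samples from the documentation range.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Simplified, hypothetical record; not softflowd's own struct. */
struct flow_key {
    struct in_addr addr[2]; /* canonical layout: lower address in slot 0 */
    int originator_ndx;     /* assumed extra field: slot of first packet's source */
};

/* Same comparison as the lines quoted in the issue: byte order alone picks the slot. */
static int canonical_ndx(const struct in_addr *src, const struct in_addr *dst)
{
    return memcmp(src, dst, sizeof(*src)) > 0 ? 1 : 0;
}

/* Fill the key from a flow's first packet. Returns 0, or -1 on a bad address. */
static int flow_from_first_packet(struct flow_key *k, const char *src, const char *dst)
{
    struct in_addr s, d;
    if (inet_pton(AF_INET, src, &s) != 1 || inet_pton(AF_INET, dst, &d) != 1)
        return -1;
    int ndx = canonical_ndx(&s, &d);
    k->addr[ndx] = s;          /* source lands wherever the sort puts it */
    k->addr[ndx ^ 1] = d;
    k->originator_ndx = ndx;   /* direction kept separately from the layout */
    return 0;
}

/* 1 when two keys describe the same address pair (both directions match). */
static int same_pair(const struct flow_key *a, const struct flow_key *b)
{
    return memcmp(a->addr, b->addr, sizeof(a->addr)) == 0;
}

int main(void)
{
    struct flow_key syn, reply;
    /* Constructed sample: client 192.0.2.200 opens a connection to 192.0.2.10. */
    flow_from_first_packet(&syn, "192.0.2.200", "192.0.2.10");
    /* The same conversation if the capture had seen the reply first. */
    flow_from_first_packet(&reply, "192.0.2.10", "192.0.2.200");
    printf("same pair: %d\n", same_pair(&syn, &reply));
    printf("client-first originator slot: %d\n", syn.originator_ndx);
    printf("reply-first originator slot:  %d\n", reply.originator_ndx);
    return 0;
}
```

Here the connecting client sits in slot 1 purely because its address is numerically higher, which is the mismatch the issue reports.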