Dear openvswitch team,

my name is Markus and I am working on a research project regarding network security. We use an OpenStack-based testing environment to record NetFlow data of virtual machines. The environment delivers the NetFlow data via ovs-vsctl 2.0.2.
Our problem is the following: if we establish e.g. SSH or FTP connections between two hosts within the virtual network, we only get SYN flags in about one of a thousand records. However, other TCP flags like ACK, RST or FIN are available. Simultaneous captures with Wireshark on the hosts show that the TCP connections get established as expected and TCP SYN flags can be seen.

Is it possible that there is a bug in the class "ovs/ofproto/netflow.c"? The TCP flags are stored in the structure "netflow_flow". The datatype of the variable tcp_flags is uint16_t. If I read the source code correctly, new NetFlows are generated in the function "static void gen_netflow_rec(...)". The flags for the first packet are saved in line 162:

    nf_rec->tcp_flags = (uint8_t) nf_flow->tcp_flags;

Here, the TCP flags are interpreted as uint8_t instead of uint16_t. However, the flags SYN, RST, etc. use the lower flag values. When new packets arrive, they are merged in the function "void netflow_flow_update(...)". Here the TCP flags are merged with the bit operator OR. Consequently, I think all TCP flags from the first packet get lost. Is this possible?

Thanks a lot

Regards
Markus
_______________________________________________ discuss mailing list discuss@openvswitch.org http://openvswitch.org/mailman/listinfo/discuss
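The following is an added, self-contained model of the two operations the message above names (the OR-merge of per-packet flags into the flow state and the cast to uint8_t when the export record is built). It is not Open vSwitch code and was not posted by Markus; the struct and function names (model_flow, model_rec, model_flow_update, model_gen_rec) are hypothetical stand-ins, and the flag bit values are the standard TCP header flag bits (FIN=0x01 ... CWR=0x80, NS=0x100). The one-byte record field mirrors the NetFlow v5 export format, whose flow record carries tcp_flags as a single byte, so some narrowing from a wider in-memory field is unavoidable there. The program feeds a constructed SYN, SYN/ACK, ACK, FIN/ACK sequence through both operations and reports which bits the cast keeps and which it drops.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Standard TCP flag bits (RFC 793, RFC 3168, RFC 3540). Assumed here;
 * the post itself gives no numeric values. */
#define TCP_FIN 0x001
#define TCP_SYN 0x002
#define TCP_RST 0x004
#define TCP_PSH 0x008
#define TCP_ACK 0x010
#define TCP_URG 0x020
#define TCP_ECE 0x040
#define TCP_CWR 0x080
#define TCP_NS  0x100   /* the only standard flag bit above the low byte */

/* Hypothetical stand-ins for the structures the post names. */
struct model_flow { uint16_t tcp_flags; };  /* like netflow_flow: 16-bit accumulator */
struct model_rec  { uint8_t  tcp_flags; };  /* like the exported record: one byte (NetFlow v5) */

/* Models the update path: every packet's flags are OR-ed into the flow.
 * OR only ever sets bits, so nothing seen earlier is cleared here. */
static void model_flow_update(struct model_flow *f, uint16_t pkt_flags)
{
    f->tcp_flags |= pkt_flags;
}

/* Models the record-generation cast: only the low eight bits survive. */
static uint8_t model_gen_rec(const struct model_flow *f)
{
    return (uint8_t) f->tcp_flags;
}

/* Bits of the accumulated flow flags that the uint8_t cast discards. */
uint16_t bits_dropped_by_cast(uint16_t flow_flags)
{
    return flow_flags & 0xFF00;
}

/* Runs a packet sequence through both operations and returns the
 * tcp_flags byte that would land in the exported record. */
uint8_t record_flags_for(const uint16_t *pkts, size_t n)
{
    struct model_flow f = { 0 };
    for (size_t i = 0; i < n; i++) {
        model_flow_update(&f, pkts[i]);
    }
    return model_gen_rec(&f);
}

/* Constructed sample: a handshake followed by a FIN (not captured data). */
const uint16_t HANDSHAKE[] = {
    TCP_SYN,            /* client -> server */
    TCP_SYN | TCP_ACK,  /* server -> client */
    TCP_ACK,            /* client -> server */
    TCP_FIN | TCP_ACK,  /* teardown */
};
const size_t HANDSHAKE_LEN = sizeof(HANDSHAKE) / sizeof(HANDSHAKE[0]);

static void print_flags(const char *label, uint16_t flags)
{
    static const char *names[] = { "FIN", "SYN", "RST", "PSH", "ACK",
                                   "URG", "ECE", "CWR", "NS" };
    printf("%s: 0x%03x [", label, flags);
    for (int bit = 0; bit < 9; bit++) {
        if (flags & (1u << bit)) printf(" %s", names[bit]);
    }
    printf(" ]\n");
}

int main(void)
{
    struct model_flow f = { 0 };
    for (size_t i = 0; i < HANDSHAKE_LEN; i++) {
        model_flow_update(&f, HANDSHAKE[i]);
        print_flags("flow after packet", f.tcp_flags);
    }
    print_flags("exported record  ", model_gen_rec(&f));

    /* A flow that also saw the NS bit: shows what the cast actually loses. */
    struct model_flow g = { 0 };
    model_flow_update(&g, TCP_NS | TCP_SYN);
    print_flags("flow with NS     ", g.tcp_flags);
    print_flags("record with NS   ", model_gen_rec(&g));
    print_flags("dropped by cast  ", bits_dropped_by_cast(g.tcp_flags));
    return 0;
}
```

To compare the model against a real flow, replace the HANDSHAKE array with the flag bytes from a Wireshark capture of the same connection and check whether the exported record's byte agrees with the OR of all captured packets; if SYN is missing from the record but present in the capture, the cause lies outside the two operations modelled here.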