[netsa-tools-discuss] SiLK rwflowpack IPv6 listening trouble

Mark Thomas mthomas at cert.org
Wed Nov 1 11:00:13 EDT 2017


Jay-

Thanks for your question.

Perl is not used by rwflowpack, and I do not understand why
reverting Perl solves the rwflowpack issue.

The address:port resolution uses the getaddrinfo library function,
and I can assure you it is being called correctly.  The lack of
square brackets around the IPv6 address in the error message is only
an artifact of how the error message is generated.

Cheers,

-Mark


-----Original Message-----
From: Jay Ford <jnford at uiowa.net>
Date: Wed, 25 Oct 2017 10:18:30 -0500
To: <netsa-tools-discuss at cert.org>
Subject: [netsa-tools-discuss] SiLK rwflowpack IPv6 listening trouble

I'm running SiLK 3.16.0 on a Debian "stretch" Linux system with an IPFIX
probe defined to listen via IPv6 configured in sensor.conf like this:

    probe rtr-ipfix ipfix
      listen-as-host 2001:db8:ff::7
      listen-on-port 2001
      protocol udp
      accept-from-host 2001:db8:ff::7 2001:db8::7
    end probe

That was working fine before a recent system upgrade, after which rwflowpack
fails to start, logging this:

   rwflowpack[902]: Creating IPFIX Reader for probe 'rtr-ipfix' on [2001:db8:ff::7]:2001
   rwflowpack[902]: 'rtr-ipfix': error looking up address 2001:db8:ff::7:2001: Address family for hostname not supported
   rwflowpack[902]: Could not create IPFIX Reader for 'rtr-ipfix' on [2001:db8:ff::7]:2001
   rwflowpack[902]: Unable to start flow processor #1 for IPFIX/NetFlowV9 Reader

The crux of the problem is the concatenation of the address & port (without
square brackets required in such literal syntax) resulting in the bogus:
    2001:db8:ff::7:2001

Rolling back some Perl packages:

    package           broken version   working version
    ________________  _______________  _______________
    libperl5.24       5.24.1-3+deb9u1  5.24.1-3+deb9u2
    perl              5.24.1-3+deb9u1  5.24.1-3+deb9u2
    perl-base         5.24.1-3+deb9u1  5.24.1-3+deb9u2
    perl-modules-5.24 5.24.1-3+deb9u1  5.24.1-3+deb9u2

lets it work again, but given the log messages I suspect a SiLK problem more
than a Perl problem, but that's just a guess.

Does anybody have an idea where the problem might be & how to fix it?

________________________________________________________________________
Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jnford at uiowa.net, phone: 319-335-5555
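
Added example, not part of the original thread and not SiLK source code: a small C check of the getaddrinfo behaviour the reply describes, with host and port passed as separate arguments and brackets added only for display. The helper names resolve_listen and parses_as_ipv6 are hypothetical; the addresses are the ones from the quoted sensor.conf and log lines. The second helper shows why the bracketed literal syntax exists: the unbracketed concatenation from the log is itself a valid IPv6 address.

```c
/* Added example, not SiLK source; function names are hypothetical. */
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Resolve a numeric listen address for a UDP socket. Host and port are
 * separate getaddrinfo() arguments, so no "addr:port" string is parsed.
 * Returns 0 or an EAI_* code; on success writes a display form to out. */
int resolve_listen(int family, const char *host, const char *port,
                   char *out, size_t outlen)
{
    struct addrinfo hints, *res = NULL;
    char addr[INET6_ADDRSTRLEN], serv[8];
    int rv;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = family;   /* AF_UNSPEC accepts either family */
    hints.ai_socktype = SOCK_DGRAM;
    hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST | AI_NUMERICSERV;
    if ((rv = getaddrinfo(host, port, &hints, &res)) != 0)
        return rv;
    rv = getnameinfo(res->ai_addr, res->ai_addrlen, addr, sizeof(addr),
                     serv, sizeof(serv), NI_NUMERICHOST | NI_NUMERICSERV);
    if (rv == 0 && res->ai_family == AF_INET6)
        snprintf(out, outlen, "[%s]:%s", addr, serv); /* display only */
    else if (rv == 0)
        snprintf(out, outlen, "%s:%s", addr, serv);
    freeaddrinfo(res);
    return rv;
}

/* Returns 1 if s, taken as a whole, is a valid IPv6 literal. */
int parses_as_ipv6(const char *s)
{
    struct in6_addr a;
    return inet_pton(AF_INET6, s, &a) == 1;
}

int main(void)
{
    char ep[64];
    int rv = resolve_listen(AF_UNSPEC, "2001:db8:ff::7", "2001", ep, sizeof(ep));
    printf("%s\n", rv ? gai_strerror(rv) : ep);
    printf("unbracketed form is an address: %d\n",
           parses_as_ipv6("2001:db8:ff::7:2001"));
    return 0;
}
```

Calling resolve_listen with AF_INET instead of AF_UNSPEC returns a non-zero EAI_* code for the same IPv6 literal, which gai_strerror() turns into the library's message for that condition.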

