[netsa-tools-discuss] SiLK rwflowpack IPv6 listening trouble

Jay Ford jnford at uiowa.net
Wed Nov 1 13:56:00 EDT 2017 

Yeah, I didn't see the cause & effect between rolling back Perl stuff & 
getting rwflowpack to work, but it seemed to be the case.

Just as strange, rwflowpack started working the morning after I broke it, 
successfully started after a cron-driven clean-up job.

I'm filing it under "beats the hell out of me" & moving on.  Sorry for the 
noise.

________________________________________________________________________
Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-ford at uiowa.edu, phone: 319-335-5555

On Wed, 1 Nov 2017, Mark Thomas wrote:
> Thanks for your question.
>
> Perl is not used by rwflowpack, and I do not understand why
> reverting Perl solves the rwflowpack issue.
>
> The address:port resolution uses the getaddrinfo library function,
> and I can assure you it is being called the correctly.  The lack of
> square brackets around the IPv6 address in the error message is only
> an artifact of how the error message is generated.
>
> Cheers,
>
> -Mark
>
>
> -----Original Message-----
> From: Jay Ford <jnford at uiowa.net>
> Date: Wed, 25 Oct 2017 10:18:30 -0500
> To: <netsa-tools-discuss at cert.org>
> Subject: [netsa-tools-discuss] SiLK rwflowpack IPv6 listening trouble
>
> I'm running SiLK 3.16.0 on a Debian "stretch" Linux system with an IPFIX
> probe defined to listen via IPv6 configured in sensor.conf like this:
>
>    probe rtr-ipfix ipfix
>      listen-as-host 2001:db8:ff::7
>      listen-on-port 2001
>      protocol udp
>      accept-from-host 2001:db8:ff::7 2001:db8::7
>    end probe
>
> That was working fine before a recent system upgrade, after which rwflowpack
> fails to start, logging this:
>
>   rwflowpack[902]: Creating IPFIX Reader for probe 'rtr-ipfix' on [2001:db8:ff::7]:2001
>   rwflowpack[902]: 'rtr-ipfix': error looking up address 2001:db8:ff::7:2001: Address family for hostname not supported
>   rwflowpack[902]: Could not create IPFIX Reader for 'rtr-ipfix' on [2001:db8:ff::7]:2001
>   rwflowpack[902]: Unable to start flow processor #1 for IPFIX/NetFlowV9 Reader
>
> The crux of the problem is the concatenation of the address & port (without
> square brackets required in such literal syntax) resulting in the bogus:
>    2001:db8:ff::7:2001
>
> Rolling back some Perl packages:
>
>    package           broken version   working version
>    ________________  _______________  _______________
>    libperl5.24       5.24.1-3+deb9u1  5.24.1-3+deb9u2
>    perl              5.24.1-3+deb9u1  5.24.1-3+deb9u2
>    perl-base         5.24.1-3+deb9u1  5.24.1-3+deb9u2
>    perl-modules-5.24 5.24.1-3+deb9u1  5.24.1-3+deb9u2
>
> lets it work again, but given the log messages I suspect a SiLK problem more
> than a Perl problem, but that's just a guess.
>
> Does anybody have an idea where the problem might be & how to fix it?
>
> ________________________________________________________________________
> Jay Ford, Network Engineering Group, Information Technology Services
> University of Iowa, Iowa City, IA 52242
> email: jnford at uiowa.net, phone: 319-335-5555

More information about the netsa-tools-discuss mailing list