Potentially incorrect handling of packet_type / direction detection
fako1024 opened this issue · 1 comments
There has been at least one occurrence where the direction detection for some multicast packets shows probably incorrect behavior (productive host at OSAG, sanitized the used public IP address):
```
[XXX:~]# goquery -i eth2 -f -24h -n 20 sip,dip,proto,dport
                                                packets  packets         bytes      bytes
sip              dip              proto  dport  in       out      %      in         out     %
123.123.123.123  239.255.255.250  UDP    1900   1.05 k   0.00     13.75  366.74 kB  0.00 B  33.20
```
Since 123.123.123.123 is an IP of the host we'd expect that to be outbound traffic for UDP/1900.
Meh, my mistake - I misread the source IP of the interface in question, it's not the sip in the goquery output. Instead, it's the network address, which is used as source for the multicast packets to 239.255.255.250 (which of course arrive on the interface, so packet direction is inbound). Not sure this is compliant with the RFC (because afaik the source address for multicast packets should be the unicast address of the sender, which cannot be the network base address), but that's beside the point here.