
Fix DLT_RAW processing: correctly set EtherType for raw IP packets by drnpkr · Pull Request #218 · nfstream/nfstream · GitHub

Fix DLT_RAW processing: correctly set EtherType for raw IP packets #218


Open: wants to merge 1 commit into base: master

Conversation

drnpkr (Member) commented Feb 9, 2025

Description

In many monitoring environments, especially when using high-performance capture interfaces or certain operating systems, the packet capture interface may deliver packets with the DLT_RAW data link type. In these cases, the capture does not include an Ethernet header, and the packet data consists solely of the IP header (and its payload). This is a common and valid scenario for network monitoring and flow analysis.

The Issue

When processing DLT_RAW packets, NFStream previously did not set the packet “type” (i.e. the EtherType) based on the actual IP version present in the raw data. As a result:

  1. Fragment Misprocessing:
    Because the `*type` variable was never set, the fragment-checking code (which requires `*type` to be `ETH_P_IP` for IPv4) was not executed. Consequently, non-first fragments—lacking complete transport headers—were processed as if they were full packets. Their incomplete header data was misinterpreted as valid transport-layer information (e.g. UDP source/destination ports), leading to erroneous flow creation.

  2. Bogus Flow Generation:
    In my test PCAP, although only two actual flows existed, over 51 flows appeared in the CSV output. Each additional flow represented a later fragment that was misprocessed. The port numbers for these bogus flows were derived by interpreting fragment payload data at the offset where a UDP header is expected. This clearly skews the monitoring results.

The Fix

The fix modifies the `DLT_RAW` case in `packet_datalink_checker()` (located in `lib_engine.c`) to inspect the first byte of the packet to determine its IP version, and then set `*type` accordingly. This ensures that subsequent processing—such as fragment checking—works correctly.

Type of change

  • [x] Breaking change (fix or feature that would cause existing functionality to not work as expected)

How Has This Been Tested?

The test was performed using the attached PCAP file.
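The behaviour the pull request describes, as an added example that is not nfstream's own code: a DLT_RAW buffer is classified by its IP version nibble (the fix), and the resulting type gates an IPv4 fragment-offset check so that a non-first fragment is never read as a UDP header (the bogus-flow symptom). The helper names, the `ETH_P_NONE` sentinel and the sample packets are assumptions for illustration, not taken from `lib_engine.c`.

```c
/* Added example (not nfstream's code): classify a DLT_RAW buffer by its IP
 * version nibble, then refuse to read transport ports from non-first IPv4
 * fragments. Helper names and the sample packets are constructed here. */
#include <stdint.h>
#include <stddef.h>

#define ETH_P_IP   0x0800  /* EtherType values as in <linux/if_ether.h> */
#define ETH_P_IPV6 0x86DD
#define ETH_P_NONE 0x0000  /* assumed sentinel for "type not set" */

/* DLT_RAW: no link-layer header, the buffer starts with the IP header. */
uint16_t raw_ip_ethertype(const uint8_t *pkt, size_t len) {
    if (len < 1) return ETH_P_NONE;
    switch (pkt[0] >> 4) {
        case 4:  return ETH_P_IP;
        case 6:  return ETH_P_IPV6;
        default: return ETH_P_NONE;   /* not IP: leave type unset */
    }
}

/* IPv4 non-first fragment: fragment offset (low 13 bits of bytes 6-7) != 0.
 * Such a packet carries no transport header at all. */
int ipv4_is_nonfirst_fragment(const uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    return (((pkt[6] << 8) | pkt[7]) & 0x1FFF) != 0;
}

/* Read the UDP source port only when the type resolved to IPv4, the packet
 * is a first fragment, the protocol is UDP (17) and the header fits.
 * Returns 0 when no port can be read (port 0 is treated as "none" here). */
uint16_t udp_src_port_if_valid(const uint8_t *pkt, size_t len) {
    if (raw_ip_ethertype(pkt, len) != ETH_P_IP) return 0;
    if (ipv4_is_nonfirst_fragment(pkt, len)) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if (ihl < 20 || len < ihl + 8 || pkt[9] != 17) return 0;
    return (uint16_t)((pkt[ihl] << 8) | pkt[ihl + 1]);
}

/* Constructed samples: 10.0.0.1 -> 10.0.0.2, UDP 12345 -> 53. The later
 * fragment deliberately carries the same bytes where a UDP header would sit,
 * which is exactly what produced the bogus flows without the check. */
static const uint8_t FIRST_FRAG[28] = {          /* flags=MF, offset 0 */
    0x45,0x00,0x00,0x1c, 0x12,0x34,0x20,0x00, 0x40,0x11,0x00,0x00,
    10,0,0,1, 10,0,0,2, 0x30,0x39,0x00,0x35, 0x00,0x08,0x00,0x00 };
static const uint8_t LATER_FRAG[28] = {          /* offset 2: payload only */
    0x45,0x00,0x00,0x1c, 0x12,0x34,0x00,0x02, 0x40,0x11,0x00,0x00,
    10,0,0,1, 10,0,0,2, 0x30,0x39,0x00,0x35, 0x00,0x08,0x00,0x00 };
static const uint8_t V6_HDR[1] = { 0x60 };       /* version nibble 6 */
```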








