pcap host_spec is effectively widened by interface netmask, causing DNS xact direction misclassification #758

@zanyoo

Summary
When using pcap input with a specific host_spec (e.g., VIP /32), pktvisord still adds the capture interface’s full subnet as host IPs. This causes packet direction to be misclassified (toHost/fromHost), which in turn flips DNS xact_in/xact_out metrics. In my case, server-mode DNS traffic is reported as client-mode (xact_in=0, xact_out>0).

Objective
I want DNS server traffic (VIP 192.168.50.2/32) to be classified correctly as “server/in” when the host is the DNS server. host_spec should not be broadened by the interface netmask unless explicitly configured.

Environment

  • pktvisord: 4.5.0
  • OS: Linux (gateway host)
  • Interface: ens3
  • VIP: 192.168.50.2/32 (keepalived), host IP: 192.168.50.23/24

Config (minimal)

version: "1.0"
visor:
  taps:
    default_pcap:
      input_type: pcap
      config:
        iface: ens3
        host_spec: 192.168.50.2/32
  policies:
    dns_policy:
      kind: collection
      input:
        tap: default_pcap
        input_type: pcap
        config:
          bpf: "udp and ((dst host 192.168.50.2 and dst port 53) or (src host 192.168.50.2 and src port 53))"
      handlers:
        modules:
          dns:
            type: dns
            metric_groups:
              enable: [dns_transaction, histograms, quantiles, counters, cardinality, top_ports, top_qnames]

Observed Behavior

dns_xact_in_total stays 0
dns_xact_out_quantiles_us has data
Captured packets show requests to 192.168.50.2 and responses from 192.168.50.2

Expected Behavior

With host_spec limited to 192.168.50.2/32, the traffic should be classified as server-side, so dns_xact_in_total should increase.

Analysis
In PcapInputStream, parse_host_spec() is called, but for libpcap the code also calls _get_hosts_from_libpcap_iface(), which adds the interface IP + netmask (e.g., 192.168.50.0/24). As a result, any LAN destination like 192.168.50.22 matches toHost, and DNS xacts get counted as client-side.

Relevant code:

PcapInputStream.cpp:

  • direction check: ~401-412
  • _get_hosts_from_libpcap_iface() invoked in libpcap path: ~176-190

Workaround
Setting pcap_source: af_packet avoids adding interface host ranges, and the metrics classify correctly.

Suggestion
If host_spec is explicitly provided, consider skipping _get_hosts_from_libpcap_iface() (or provide a config flag to disable auto host detection).
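
The widening described in the analysis can be reproduced with a small model. This is an added example, not code from the issue or from pktvisor; it assumes a destination-first match against the whole host set and that a transaction takes its side from the response packet, and the helper names and the 10.0.0.7 client are hypothetical.

```python
import ipaddress

# Assumed model, not pktvisor source: the destination is tested against the
# whole host set before the source, and a DNS transaction takes its side from
# the direction of the response packet.
def classify(src, dst, hosts):
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(dst in net for net in hosts):
        return "toHost"
    if any(src in net for net in hosts):
        return "fromHost"
    return "unknown"

def xact_side(resp_src, resp_dst, hosts):
    # Response leaving the host: it answered as a server (xact_in).
    # Response arriving at the host: it asked as a client (xact_out).
    side = {"fromHost": "xact_in", "toHost": "xact_out"}
    return side.get(classify(resp_src, resp_dst, hosts), "unclassified")

def effective_hosts(host_spec, iface_cidr, skip_iface_if_explicit):
    # Hypothetical helper: host_spec as one CIDR or a comma-separated list.
    hosts = [ipaddress.ip_network(h.strip())
             for h in host_spec.split(",") if h.strip()]
    if not (hosts and skip_iface_if_explicit):
        # Current libpcap behaviour per the issue: interface subnet is added.
        hosts.append(ipaddress.ip_interface(iface_cidr).network)
    return hosts

# Values from the issue; 10.0.0.7 is a constructed off-subnet client.
HOST_SPEC, IFACE = "192.168.50.2/32", "192.168.50.23/24"
RESPONSES = [("192.168.50.2", "192.168.50.22"), ("192.168.50.2", "10.0.0.7")]

if __name__ == "__main__":
    for label, skip in (("widened", False), ("host_spec only", True)):
        hosts = effective_hosts(HOST_SPEC, IFACE, skip)
        print(label, [str(n) for n in hosts])
        for src, dst in RESPONSES:
            print(f"  response {src} -> {dst}: {xact_side(src, dst, hosts)}")
```

Under this model only clients inside the interface subnet flip to xact_out; the response to the off-subnet client stays xact_in even with the widened host set.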
