panic: interface conversion: gopacket.Layer is nil with fragmented packets

[top-secrett]

Describe the bug
Today we faced DDoS attack and collector constantly failed. Error in attached sreenshot
Version 0.43.0

[dmachard]

Crash reproduced in my side! Could you share your config file ?

Thank you for the report.

[top-secrett]

@dmachard

global:
  # If turned on, log some applications messages
  trace:
    # debug informations
    verbose: true

  server-identity: "ns4.***"


  text-format: "localtime id qr rcode queryip responseip family protocol qtype qname answer answercount length-unit aa df tr edns-csubnet tc malformed"
  text-format-delimiter: " | "
  text-format-boundary: "\""

# create your dns collector, please refer bellow to see the list
# of supported collectors, loggers and transformers
multiplexer:
  collectors:
    - name: ns4-col-ipv4
      afpacket-sniffer:
        port: 53
        device: ens192
        chan-buffer-size: 65535
      transforms:
        normalize:
          qname-lowercase: false
          quiet-text: true

    - name: ns4-col-ipv6
      afpacket-sniffer:
        port: 53
        device: ens224
        chan-buffer-size: 65535
      transforms:
        normalize:
          qname-lowercase: false
          quiet-text: true

  loggers:
    - name: ns4-log
      logfile:
        file-path: /var/log/dns/queries.log
        mode: text
        flush-interval: 1
        max-size: 100000000
        max-files: 0

  routes:
    - from: [ ns4-col-ipv4 ]
      to: [ ns4-log ]
    - from: [ ns4-col-ipv6 ]
      to: [ ns4-log ]

[dmachard]

Thanks for the config.

The root cause has been identified , the BPF filter of the sniffer is incorrect with fragmented packets.
I need time to do more tests and push a full fix to support properly fragmented packets.

In the meantime, I can push a quick fix to ignore fragmented packet and avoid the crash, if necessary ?

[top-secrett]

@dmachard It would be great because DDoS is still going on

[dmachard]

Quickfix pushed in release v0.44.0-beta1.