https://github.com/osquery/osquery logo
Join Slack
Powered by
Hi fleet team, may i know where does fleet fetch t...
# fleet
w
Hi fleet team, may i know where does fleet fetch the private ip? i found we have a lot of hosts with same private ip, i doubt fleet does take loopback ip as private ip, could u confirm?
r
hi! this is the code we use to fetch/parse network information about the host. As a summary, we send this query:
Copy code
select ia.address, id.mac, id.interface
                        from interface_details id join interface_addresses ia
                               on ia.interface = id.interface where length(mac) > 0
                               order by (ibytes + obytes) desc
and then we do some programmatic filtering to discard link-local and loopback interfaces are you able to provide more details about the format that the problematic IPs have? Are the hosts VMs or containers by any chance?
w
we have a lot hosts whose private ip is 172.18.0.1 which means it pick ip of carma_br0 as private ip, this is not right.
apparently, it supposed to pick eth0 as source of truth to present private ip.
@roberto
r
@wennan.he thanks for the details! Coincidentally, I have just learned that we have a pull request that refactors this exact same code and I think it will solve your issue, let me get confirmation on that.
hi again @wennan.he, so to confirm if the current refactor of the query will fix your problem, could you run this query in any of your hosts with problems?
Copy code
select
    ia.address,
    id.mac
from
    interface_addresses ia
    join interface_details id on id.interface = ia.interface
    join routes r on r.interface = ia.interface
where
    r.destination = '0.0.0.0'
    and r.type = 'gateway'
order by
    instr(ia.address, '.') desc
w
let me try it
r
👋 hey @wennan.he just following up on this, were you able to run the query?
w
Hi roberto, i am struggling with sth else, but i will let you know after i confirm it. thx.
Open in Slack
PreviousNext
Powered by