Current NetFlow V9/IPFIX dissector treats IN_BYTES (IE=1) and
IN_PERMANENT_BYTES (IE=85) exactly in the same way. The same applies to IN_PKTS
(IE=2) and IN_PERMANENT_PKTS (IE=86). However, IN_BYTES/IN_PKTS and
IN_PERMANENT_BYTES/IN_PERMANENT_PKTS have different semantics so they should be
distinguishable when they are displayed or specified in a filter. Please find
attached the patch
which does that.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5807
svn path=/trunk/; revision=36661
From me: Use lower-case v9template_max_fields instead of upper-case to avoid
any confusion with that variable being a define. Use STRINGIFY() so we always
keep the default and the displayed default the same. Fix bug introduced by
Andrew's patch where option_scope_field_count was inadvertently changed to
option_field_count. Append "Maximum value can be adjusted ..." message to all
relevant expert infos.
svn path=/trunk/; revision=36643
In RFC 5102 (for IPFIX), id=128 is defined as "bgpNextAdjacentAsNumber" which
is DST_AS_PEER and id=129 as "bgpPrevAdjacentAsNumber" which is SRC_AS_PEER.
svn path=/trunk/; revision=36028
so that if the start_ptr is NULL the bytes are extracted from the given TVB
using the given offset and length.
Replace a bunch of:
proto_tree_add_bytes_format*(tree, hf, tvb, offset, length, tvb_get_ptr(tvb, offset, length), [...])
with:
proto_tree_add_bytes_format*(tree, hf, tvb, offset, length, NULL, [...])
svn path=/trunk/; revision=35896
keys to have _uint in their names, to match the routines that handle
dissector tables with string keys. (Using _port can confuse people into
thinking they're intended solely for use with TCP/UDP/etc. ports when,
in fact, they work better for things such as Ethernet types, where the
binding of particular values to particular protocols are a lot
stronger.)
svn path=/trunk/; revision=35224
Add a bunch of NetFlow/IPFIX extensions from Plixer and ntop.
A little cleanup as well.
From me: remove duplicate blurbs.
svn path=/trunk/; revision=35142
Comment in the code asked....
/*XXX: 2 bytes skipped ?? */
Here is what I have found.
The high byte (1) indicates the Classification Engine ID
The low bytes (3) indicate the application ID
Engine ID of 5 is NBAR Standard.
Engine ID of 6 is NBAR Custom.
Attached patch displays all 4 bytes (type and ID) in a readable way. Also
allows better filtering.
svn path=/trunk/; revision=35116
Bugs fixed:
- Invalid time display for various time fields;
Millisecs for types 152, 153 are actually stored as 64 bit integers;
Microsecs, nanosecs are actually stored in "NTP format";
Times for fields 158, 159 are relative to "export time";
SystemInitTime displayed incorrectly;
...
- Options template not cached when only scope fields in template.
- Templates not processed on first pass thru capture file:
(In some cases data flows might not be handled until options template later displayed).
- V9: number of options template entries limited to about 8 instead of intended 42;
- Multiple options temlate flows in an Options Template flowset not handled;
- "NotSentOctets" dislayed as "NotSentPackets";
...
Cleanups:
- Options and data template processing code more or less rewritten;
- options template displayed with format similar to that used for data templates;
- Handling and display of PEN field (including use to indicate REVERSE) improved;
- Don't use same filter name for two similar fields which only differ in size;
- Handling & dislay of "variable length" fields improved;
- sminmec lookup (PEN) done only during template processing & cached for later use;
...
- Whitespace/Formatting
svn path=/trunk/; revision=34140
1. fix the bug in dissect_v9_pdu.
(The bug is introduced in r32627, It's my fault, I'm sorry.)
When option data record is decoded, unpatched dissect_v9_pdu decode only scope
fields, it does not decode following data fields. And it runs in endless loop
when length of a scope filed is 0. This patch solve these problem.
2. defines some value_strings for some fields.
3. updates URLs in comment.
svn path=/trunk/; revision=33348
The function "dissect_v9_pdu" of "epan/dissectors/packet-netflow.c" decodes
NetFlow v9 packets and IPFIX packets with same logic. But, the "scope field" is
different between NetFlow v9 and IPFIX. NetFlow v9 has only 5 kind of scopes.
On the other hand, many Information Elements can be used as scope fields in
IPFIX packets.
svn path=/trunk/; revision=32627
Don't use add_item() to add FT_ABSOLUTE_TIMEs. Instead either:
- fetch the seconds (and maybe milliseconds) and use add_time()
- (or) change the field to FT_BYTES and give the raw data to
ntp_fmt_ts() for presentation
Also change BASE_NONE to ABSOLUTE_TIME_LOCAL for the remaining time fields.
svn path=/trunk/; revision=31725
Cisco has recently released (in 15.0.1) support for integration between NBAR
and Flexible Netflow (FNF). This allows NBAR-recognized applications to be
identified in the Netflow output. To do so, 3 new template fields were added:
94: APPLICATION_DESC
95: APPLICATION_ID
96: APPLICATION_NAME
svn path=/trunk/; revision=31357
ABSOLUTE_TIME_LOCAL or ABSOLUTE_TIME_UTC, indicating whether to display
the date/time in local time or UTC. (int)ABSOLUTE_TIME_LOCAL ==
(int)BASE_NONE, so there's no source or binary compatiblity issue,
although we might want to eliminate BASE_NONE at some point and have the
BASE_ values used with integral types start at 0, so that you can't
specify BASE_NONE for an integral field.
svn path=/trunk/; revision=31319
The netflow implementation has a bug where the code exists to extract four
fields from a packet, however, the decoder for these fields has not been
registered in proto_register_netflow in the hf_register_info array.
The fix is to include decoders for the fields in the proto_register_netflow.
svn path=/trunk/; revision=30809
