The function "dissect_v9_pdu" of "epan/dissectors/packet-netflow.c" decodes
NetFlow v9 packets and IPFIX packets with the same logic. But the "scope field" is
different between NetFlow v9 and IPFIX. NetFlow v9 has only 5 kinds of scopes.
On the other hand, many Information Elements can be used as scope fields in
IPFIX packets.
svn path=/trunk/; revision=32627
Don't use add_item() to add FT_ABSOLUTE_TIMEs. Instead either:
- fetch the seconds (and maybe milliseconds) and use add_time()
- (or) change the field to FT_BYTES and give the raw data to
ntp_fmt_ts() for presentation
Also change BASE_NONE to ABSOLUTE_TIME_LOCAL for the remaining time fields.
svn path=/trunk/; revision=31725
Cisco has recently released (in 15.0.1) support for integration between NBAR
and Flexible Netflow (FNF). This allows NBAR-recognized applications to be
identified in the Netflow output. To do so, 3 new template fields were added:
94: APPLICATION_DESC
95: APPLICATION_ID
96: APPLICATION_NAME
svn path=/trunk/; revision=31357
ABSOLUTE_TIME_LOCAL or ABSOLUTE_TIME_UTC, indicating whether to display
the date/time in local time or UTC. (int)ABSOLUTE_TIME_LOCAL ==
(int)BASE_NONE, so there's no source or binary compatibility issue,
although we might want to eliminate BASE_NONE at some point and have the
BASE_ values used with integral types start at 0, so that you can't
specify BASE_NONE for an integral field.
svn path=/trunk/; revision=31319
The netflow implementation has a bug where the code exists to extract four
fields from a packet, however, the decoder for these fields has not been
registered in proto_register_netflow in the hf_register_info array.
The fix is to include decoders for the fields in the proto_register_netflow.
svn path=/trunk/; revision=30809
"EVER!") Expand the entry/scope struct to include private enterprise
numbers instead of casting guint32s to arbitrary chunks of memory.
Limit the number of entries and scopes we allocate. Don't allocate
memory every time we see a new template. Don't use a C++ keyword for
variable names.
svn path=/trunk/; revision=29061
The template cache contains pointers that are session-scope (only freed in
netflow_reinit()) but still we use g_malloc(). This patch changes that so we
now use se_alloc(). With this patch I'm able to reproduce the crash
("Per-session memory corrupted").
svn path=/trunk/; revision=28927
template, differentiate between Netflow v9 and IPFIX, which require
different interpretations. Add other minor fixes and comments.
svn path=/trunk/; revision=28911
(1) Trailing/leading spaces are removed from 'name's/'blurb's
(2) Duplicate 'blurb's are replaced with NULL
(3) Empty ("") 'blurb's are replaced with NULL
(4) BASE_NONE, NULL, 0x0 are used for 'display', 'strings' and 'bitmask' fields
for FT_NONE, FT_BYTES, FT_IPv4, FT_IPv6, FT_ABSOLUTE_TIME, FT_RELATIVE_TIME,
FT_PROTOCOL, FT_STRING and FT_STRINGZ field types
(5) Only allow non-zero value for 'display' if 'bitmask' is non-zero
svn path=/trunk/; revision=28770
- Make some fcns & vars static
- hf[] blurbs: "" and repeated text --> NULL
- Move proto_register & proto_reg_handoff to end of source
- packet-catapult-dct2000: simplify proto_reg_handoff
- Use consistent indentation
svn path=/trunk/; revision=28488
support for vendor-specific IEs. Fix variable-length record handling. Add
conversation tracking to the UDP dissector and add process flow
information to TCP and UDP conversations.
This lets us run process flow collectors on one or more machines and
have the process username, PID, command name, etc. show up in the TCP
and UDP protocol trees.
svn path=/trunk/; revision=28366
When dissecting an IPFIX PDU containing start and end times for both directions
of a biflow, no distinction is made between forward and reverse directions.
This can lead to bizarre (or worse, subtly incorrect) output for the flow
durations computed from start and end times.
This patch fixes the specific problem of duration display in wireshark for
IPFIX biflow PDUs. It does not address the general issue of tracking different
types of start/end timestamps separately - it is unlikely that the general case
will occur in practice, although it is certainly possible.
svn path=/trunk/; revision=26663
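To make the biflow problem concrete, the following is an added example (not code from Wireshark or from this patch) that walks a fixed-length IPFIX data record by its template and keeps forward and reverse timestamps apart by private enterprise number, so each direction gets its own duration. It assumes the IANA ids flowStartMilliseconds (152) and flowEndMilliseconds (153) from RFC 5102 and the PEN 29305 that RFC 5103 assigns to reverse-direction elements; the template and record bytes are constructed for the demo, and the `ie_t`/`biflow_durations` names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IE_FLOW_START_MS 152     /* flowStartMilliseconds (RFC 5102) */
#define IE_FLOW_END_MS   153     /* flowEndMilliseconds   (RFC 5102) */
#define PEN_REVERSE      29305   /* PEN that RFC 5103 assigns to reverse-direction IEs */

typedef struct { uint16_t id; uint32_t pen; uint16_t length; } ie_t;   /* one template field */

typedef struct {
    int     have_fwd, have_rev;   /* both start and end were present for that direction */
    int64_t fwd_ms, rev_ms;       /* end - start, per direction */
} biflow_durations_t;

static uint64_t rd_be(const uint8_t *p, unsigned n)
{
    uint64_t v = 0;
    while (n--) v = (v << 8) | *p++;
    return v;
}

/* Walk one fixed-length data record by its template. Timestamps are bucketed by
 * direction (PEN 0 = forward, PEN 29305 = reverse) instead of overwriting a single slot.
 * Returns 1 on success, 0 if the record is shorter than the template declares. */
int biflow_durations(const ie_t *tmpl, unsigned nfields, const uint8_t *rec, size_t len,
                     biflow_durations_t *out)
{
    uint64_t start[2] = {0, 0}, end[2] = {0, 0};
    int seen_start[2] = {0, 0}, seen_end[2] = {0, 0};
    size_t off = 0;
    for (unsigned i = 0; i < nfields; i++) {
        const ie_t *f = &tmpl[i];
        if (f->length > len - off) return 0;                 /* length check before every read */
        int dir = f->pen == 0 ? 0 : f->pen == PEN_REVERSE ? 1 : -1;   /* other PENs: not ours */
        if (dir >= 0 && f->length <= 8) {
            if (f->id == IE_FLOW_START_MS) { start[dir] = rd_be(rec + off, f->length); seen_start[dir] = 1; }
            if (f->id == IE_FLOW_END_MS)   { end[dir]   = rd_be(rec + off, f->length); seen_end[dir]   = 1; }
        }
        off += f->length;
    }
    out->have_fwd = seen_start[0] && seen_end[0];
    out->have_rev = seen_start[1] && seen_end[1];
    out->fwd_ms = out->have_fwd ? (int64_t)(end[0] - start[0]) : 0;
    out->rev_ms = out->have_rev ? (int64_t)(end[1] - start[1]) : 0;
    return 1;
}

/* Constructed biflow template and record (not captured traffic): the forward flow
 * runs 1000..1500 ms, the reverse flow 1200..2000 ms. */
static const ie_t sample_tmpl[5] = {
    {   8, 0,           4 },   /* sourceIPv4Address */
    { 152, 0,           8 },   /* flowStartMilliseconds */
    { 153, 0,           8 },   /* flowEndMilliseconds */
    { 152, PEN_REVERSE, 8 },   /* reverse flowStartMilliseconds */
    { 153, PEN_REVERSE, 8 },   /* reverse flowEndMilliseconds */
};
static const uint8_t sample_rec[36] = {
    0x0a,0x00,0x00,0x01,       /* 10.0.0.1 */
    0,0,0,0,0,0,0x03,0xe8,     /* 1000 */
    0,0,0,0,0,0,0x05,0xdc,     /* 1500 */
    0,0,0,0,0,0,0x04,0xb0,     /* 1200 */
    0,0,0,0,0,0,0x07,0xd0,     /* 2000 */
};

long demo_fwd_ms(void)    { biflow_durations_t d; return biflow_durations(sample_tmpl, 5, sample_rec, 36, &d) ? (long)d.fwd_ms : -1; }
long demo_rev_ms(void)    { biflow_durations_t d; return biflow_durations(sample_tmpl, 5, sample_rec, 36, &d) ? (long)d.rev_ms : -1; }
int  demo_truncated(void) { biflow_durations_t d; return biflow_durations(sample_tmpl, 5, sample_rec, 30, &d); }

int main(void)
{
    printf("forward %ld ms, reverse %ld ms, truncated record accepted: %d\n",
           demo_fwd_ms(), demo_rev_ms(), demo_truncated());
    return 0;
}
```

Only the two millisecond elements are tracked here; the other start/end variants (seconds, microseconds, nanoseconds, sysUpTime deltas) that the message calls the general case would each need their own pair of slots in the same per-direction shape.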
This patch
(1) fixes to decode IPFIX packets.
Revision 25601 warns and is not able to decode IPFIX packets fully,
because the array "hf_register_info" does not have an entry
"hf_cflow_datarecord_length", and a length check for IPFIX packets is incorrect
in "dissect_netflow" function.
(2) is able to decode all Information Elements standardized by RFC 5102
(3) is able to decode IPFIX templates and data that contains PEN (Private
Enterprise Number) fields standardized by RFC 5101, and is able to decode
bi-directional flow standardized by RFC 5103.
svn path=/trunk/; revision=25905
epan/dissectors/packet-ncp2222.inc is a bit hard to fix, so we're not
ready to enable that warning by default yet.
Throw in some casts to handle GLib routines that take arbitrary
non-const pointers (they can later return the pointers, and some
callers might want to modify or free up those pointers in cases where
they're known to be writable or allocated).
Use ep_tvb_memdup() rather than a combination of ep_alloc() and
tvb_memcpy().
Clean up some indentation.
svn path=/trunk/; revision=25601
While borrowing code from another dissector I have worked on I realized I
previously "borrowed" a comment and typo. Here's a fix.
svn path=/trunk/; revision=24928
Fix the bug related to Option template:
- System scope (check that options scope size is == 4, not <= 4)
- Interface scope (same)
Same fix for fields BytesExported PacketsExported FlowsExported.
Also fix some tabulations in a previous patch related to IPv6 Addresses.
svn path=/trunk/; revision=24138
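The scope checks in this message (system and interface scope size == 4, not <= 4) and the v9/IPFIX difference noted in revision 32627 (v9 has a closed set of five scope types, IPFIX lets any Information Element be a scope) are illustrated by the following added example, which is not Wireshark code: two stand-alone parsers for an options template, one for the NetFlow v9 Options Template FlowSet (FlowSet ID 1, RFC 3954) and one for the IPFIX Options Template Set (Set ID 3, RFC 5101). Both validate every length against the buffer before reading and cap the number of fields stored instead of allocating per template. The sample FlowSet/Set bytes, the PEN 12345 and the enterprise IE 100 are constructed for the demo, and `MAX_FIELDS` is this example's own bound.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* NetFlow v9 scope field types (RFC 3954): 1 System .. 5 Template, nothing else. */
#define NF9_SCOPE_SYSTEM    1
#define NF9_SCOPE_INTERFACE 2
#define NF9_SCOPE_TEMPLATE  5
/* Fixed cap on fields kept per template (our choice) instead of growing memory
 * for whatever field count a peer declares. */
#define MAX_FIELDS 16

typedef struct {
    uint16_t id;       /* field type / IE id, enterprise bit stripped */
    uint16_t length;   /* declared length in bytes */
    uint32_t pen;      /* private enterprise number, 0 when none (always 0 for v9) */
    int      is_scope;
} field_t;

typedef struct { uint16_t template_id; unsigned nfields; field_t fields[MAX_FIELDS]; } opt_template_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

/* NetFlow v9 Options Template FlowSet (FlowSet ID 1). Returns the FlowSet length
 * consumed, or 0 if malformed. Only the first template in the FlowSet is decoded. */
int parse_v9_options_template(const uint8_t *buf, size_t len, opt_template_t *out)
{
    if (len < 10 || rd16(buf) != 1) return 0;
    uint16_t set_len = rd16(buf + 2);
    if (set_len < 10 || set_len > len) return 0;              /* never read past the buffer */
    uint16_t scope_bytes = rd16(buf + 6), opt_bytes = rd16(buf + 8);
    if ((scope_bytes | opt_bytes) & 3) return 0;               /* every field spec is 4 bytes */
    if ((size_t)10 + scope_bytes + opt_bytes > set_len) return 0;
    unsigned nscope = scope_bytes / 4, ntotal = nscope + opt_bytes / 4;
    if (ntotal > MAX_FIELDS) return 0;                         /* bounded, not peer-sized */
    memset(out, 0, sizeof *out);
    out->template_id = rd16(buf + 4);
    for (unsigned i = 0; i < ntotal; i++) {
        const uint8_t *p = buf + 10 + 4 * i;
        field_t *f = &out->fields[i];
        f->id = rd16(p); f->length = rd16(p + 2); f->is_scope = (i < nscope);
        if (f->is_scope) {
            /* v9 scopes are a closed enumeration, unlike IPFIX */
            if (f->id < NF9_SCOPE_SYSTEM || f->id > NF9_SCOPE_TEMPLATE) return 0;
            /* System and Interface scopes carry exactly 4 bytes: '== 4', not '<= 4' */
            if ((f->id == NF9_SCOPE_SYSTEM || f->id == NF9_SCOPE_INTERFACE) && f->length != 4) return 0;
        }
        out->nfields++;
    }
    return set_len;
}

/* IPFIX Options Template Set (Set ID 3). Any IE may be a scope, and a field with the
 * enterprise bit set is followed by a 4-byte PEN. */
int parse_ipfix_options_template(const uint8_t *buf, size_t len, opt_template_t *out)
{
    if (len < 10 || rd16(buf) != 3) return 0;
    uint16_t set_len = rd16(buf + 2);
    if (set_len < 10 || set_len > len) return 0;
    uint16_t tid = rd16(buf + 4), nfields = rd16(buf + 6), nscope = rd16(buf + 8);
    if (tid < 256 || nscope == 0 || nscope > nfields || nfields > MAX_FIELDS) return 0;
    memset(out, 0, sizeof *out);
    out->template_id = tid;
    size_t off = 10;
    for (unsigned i = 0; i < nfields; i++) {
        if (off + 4 > set_len) return 0;
        field_t *f = &out->fields[i];
        uint16_t raw = rd16(buf + off);
        f->id = raw & 0x7fff; f->length = rd16(buf + off + 2); f->is_scope = (i < nscope);
        off += 4;
        if (raw & 0x8000) {                                    /* enterprise bit: PEN follows */
            if (off + 4 > set_len) return 0;
            f->pen = rd32(buf + off);
            off += 4;
        }
        out->nfields++;
    }
    return set_len;
}

/* Constructed samples (not captured traffic). */
static const uint8_t v9_sample[24] = {
    0x00,0x01, 0x00,0x18, 0x01,0x00, 0x00,0x04, 0x00,0x08,  /* id 1, len 24, tmpl 256, 4 scope bytes, 8 option bytes */
    0x00,0x01, 0x00,0x04,                                    /* scope: System, length 4 */
    0x00,0x29, 0x00,0x04, 0x00,0x2a, 0x00,0x04,              /* options: types 41 and 42, 4 bytes each */
    0x00,0x00 };                                             /* padding to a 32-bit boundary */
static const uint8_t ipfix_sample[28] = {
    0x00,0x03, 0x00,0x1c, 0x01,0x01, 0x00,0x03, 0x00,0x01,  /* set 3, len 28, tmpl 257, 3 fields, 1 scope */
    0x80,0x64, 0x00,0x04, 0x00,0x00,0x30,0x39,              /* scope: enterprise IE 100, len 4, PEN 12345 (constructed) */
    0x00,0x29, 0x00,0x08, 0x00,0x2a, 0x00,0x08,              /* options: IEs 41 and 42, 8 bytes each */
    0x00,0x00 };

int demo_v9_ok(void)          { opt_template_t t; return parse_v9_options_template(v9_sample, sizeof v9_sample, &t) == 24 && t.nfields == 3 ? (int)t.template_id : 0; }
int demo_v9_short_scope(void) { uint8_t b[24]; opt_template_t t; memcpy(b, v9_sample, 24); b[13] = 2;   return parse_v9_options_template(b, 24, &t); }
int demo_v9_ipfix_scope(void) { uint8_t b[24]; opt_template_t t; memcpy(b, v9_sample, 24); b[11] = 100; return parse_v9_options_template(b, 24, &t); }
int demo_ipfix_pen(void)      { opt_template_t t; return parse_ipfix_options_template(ipfix_sample, sizeof ipfix_sample, &t) == 28 ? (int)t.fields[0].pen : -1; }
int demo_ipfix_truncated(void){ opt_template_t t; return parse_ipfix_options_template(ipfix_sample, 20, &t); }

int main(void)
{
    printf("v9 tmpl %d, scope len 2 -> %d, IE 100 as v9 scope -> %d, IPFIX PEN %d, truncated -> %d\n",
           demo_v9_ok(), demo_v9_short_scope(), demo_v9_ipfix_scope(), demo_ipfix_pen(), demo_ipfix_truncated());
    return 0;
}
```

The same scope bytes are accepted by the IPFIX parser and rejected by the v9 one, which is the point of keeping the two code paths apart rather than sharing one scope table between them.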
1) IPFIX port (4739) should be configurable without recompiling
2) It should be possible to specify more than one port to be dissected as
Netflow and/or IPFIX
3) Netflow should recognize UDP ports 2055 and 9996 (Both are common)
Also (from me):
- make Netflow a "new style" dissector: return 0 if it doesn't appear to be a
valid netflow packet
- register the old preference (cflow.udp.port) as obsolete so users don't see
warnings about it not being valid
svn path=/trunk/; revision=23075
packet-netflow.c lacks the capability to decode IPv6 address related fields in NetFlow v9.
This patch enables dissecting the following fields:
Type 27 IPV6_SRC_ADDR,
Type 28 IPV6_DST_ADDR,
Type 29 IPV6_SRC_MASK,
Type 30 IPV6_DST_MASK and
Type 62 IPV6_NEXT_HOP.
svn path=/trunk/; revision=22793