keys to have _uint in their names, to match the routines that handle
dissector tables with string keys. (Using _port can confuse people into
thinking they're intended solely for use with TCP/UDP/etc. ports when,
in fact, they work better for things such as Ethernet types, where the
binding of particular values to particular protocols are a lot
stronger.)
svn path=/trunk/; revision=35224
Add a bunch of NetFlow/IPFIX extensions from Plixer and ntop.
A little cleanup as well.
From me: remove duplicate blurbs.
svn path=/trunk/; revision=35142
Comment in the code asked....
/*XXX: 2 bytes skipped ?? */
Here is what I have found.
The high byte (1) indicates the Classification Engine ID
The low bytes (3) indicate the application ID
Engine ID of 5 is NBAR Standard.
Engine ID of 6 is NBAR Custom.
Attached patch displays all 4 bytes (type and ID) in a readable way. Also
allows better filtering.
svn path=/trunk/; revision=35116
Bugs fixed:
- Invalid time display for various time fields;
Millisecs for types 152, 153 are actually stored as 64 bit integers;
Microsecs, nanosecs are actually stored in "NTP format";
Times for fields 158, 159 are relative to "export time";
SystemInitTime displayed incorrectly;
...
- Options template not cached when only scope fields in template.
- Templates not processed on first pass thru capture file:
(In some cases data flows might not be handled until options template later displayed).
- V9: number of options template entries limited to about 8 instead of intended 42;
- Multiple options temlate flows in an Options Template flowset not handled;
- "NotSentOctets" dislayed as "NotSentPackets";
...
Cleanups:
- Options and data template processing code more or less rewritten;
- options template displayed with format similar to that used for data templates;
- Handling and display of PEN field (including use to indicate REVERSE) improved;
- Don't use same filter name for two similar fields which only differ in size;
- Handling & dislay of "variable length" fields improved;
- sminmec lookup (PEN) done only during template processing & cached for later use;
...
- Whitespace/Formatting
svn path=/trunk/; revision=34140
1. fix the bug in dissect_v9_pdu.
(The bug is introduced in r32627, It's my fault, I'm sorry.)
When option data record is decoded, unpatched dissect_v9_pdu decode only scope
fields, it does not decode following data fields. And it runs in endless loop
when length of a scope filed is 0. This patch solve these problem.
2. defines some value_strings for some fields.
3. updates URLs in comment.
svn path=/trunk/; revision=33348
The function "dissect_v9_pdu" of "epan/dissectors/packet-netflow.c" decodes
NetFlow v9 packets and IPFIX packets with same logic. But, the "scope field" is
different between NetFlow v9 and IPFIX. NetFlow v9 has only 5 kind of scopes.
On the other hand, many Information Elements can be used as scope fields in
IPFIX packets.
svn path=/trunk/; revision=32627
Don't use add_item() to add FT_ABSOLUTE_TIMEs. Instead either:
- fetch the seconds (and maybe milliseconds) and use add_time()
- (or) change the field to FT_BYTES and give the raw data to
ntp_fmt_ts() for presentation
Also change BASE_NONE to ABSOLUTE_TIME_LOCAL for the remaining time fields.
svn path=/trunk/; revision=31725
Cisco has recently released (in 15.0.1) support for integration between NBAR
and Flexible Netflow (FNF). This allows NBAR-recognized applications to be
identified in the Netflow output. To do so, 3 new template fields were added:
94: APPLICATION_DESC
95: APPLICATION_ID
96: APPLICATION_NAME
svn path=/trunk/; revision=31357
ABSOLUTE_TIME_LOCAL or ABSOLUTE_TIME_UTC, indicating whether to display
the date/time in local time or UTC. (int)ABSOLUTE_TIME_LOCAL ==
(int)BASE_NONE, so there's no source or binary compatiblity issue,
although we might want to eliminate BASE_NONE at some point and have the
BASE_ values used with integral types start at 0, so that you can't
specify BASE_NONE for an integral field.
svn path=/trunk/; revision=31319
The netflow implementation has a bug where the code exists to extract four
fields from a packet, however, the decoder for these fields has not been
registered in proto_register_netflow in the hf_register_info array.
The fix is to include decoders for the fields in the proto_register_netflow.
svn path=/trunk/; revision=30809
"EVER!") Expand the entry/scope struct to include private enterprise
numbers instead of casting guint32s to arbritrary chunks of memory.
Limit the number of entries and scopes we allocate. Don't allocate
memory every time we see a new template. Don't use a C++ keyword for
variable names.
svn path=/trunk/; revision=29061
The template cache contains pointers that are session-scope (only freed in
netflow_reinit()) but still we use g_malloc(). This patch changes that so we
now use se_alloc(). With this patch I'm able to reproduce the crash
("Per-session memory corrupted").
svn path=/trunk/; revision=28927
template, differentiate between Netflow v9 and IPFIX, which require
different interpretations. Add other minor fixes and comments.
svn path=/trunk/; revision=28911
(1) Trailing/leading spaces are removed from 'name's/'blurb's
(2) Duplicate 'blurb's are replaced with NULL
(3) Empty ("") 'blurb's are replaced with NULL
(4) BASE_NONE, NULL, 0x0 are used for 'display', 'strings' and 'bitmask' fields
for FT_NONE, FT_BYTES, FT_IPv4, FT_IPv6, FT_ABSOLUTE_TIME, FT_RELATIVE_TIME,
FT_PROTOCOL, FT_STRING and FT_STRINGZ field types
(5) Only allow non-zero value for 'display' if 'bitmask' is non-zero
svn path=/trunk/; revision=28770
- Make some fcns & vars static
- hf[] blurbs: "" and repeated text --> NULL
- Move proto_register & proto_reg_handoff to end of source
- packet-catapult-dct2000: simplify proto_reg_handoff
- Use consistent indentation
svn path=/trunk/; revision=28488
support for vendor-specific IEs. Fix variable-length record handling. Add
conversation tracking to the UDP dissector and add process flow
information to TCP and UDP conversations.
This lets us run process flow collectors on one or more machines and
have the process username, PID, command name, etc. show up in the TCP
and UDP protocol trees.
svn path=/trunk/; revision=28366
