Current NetFlow V9/IPFIX dissector treats IN_BYTES (IE=1) and
IN_PERMANENT_BYTES (IE=85) exactly in the same way. The same applies to IN_PKTS
(IE=2) and IN_PERMANENT_PKTS (IE=86). However, IN_BYTES/IN_PKTS and
IN_PERMANENT_BYTES/IN_PERMANENT_PKTS have different semantics so they should be
distinguishable when they are displayed or specified in a filter. Please find
attached the patch
which does that.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5807
svn path=/trunk/; revision=36661
From me: Use lower-case v9template_max_fields instead of upper-case to avoid
any confusion with that variable being a define. Use STRINGIFY() so we always
keep the default and the displayed default the same. Fix bug introduced by
Andrew's patch where option_scope_field_count was inadvertently changed to
option_field_count. Append "Maximum value can be adjusted ..." message to all
relevant expert infos.
svn path=/trunk/; revision=36643
In RFC 5102 (for IPFIX), id=128 is defined as "bgpNextAdjacentAsNumber" which
is DST_AS_PEER and id=129 as "bgpPrevAdjacentAsNumber" which is SRC_AS_PEER.
svn path=/trunk/; revision=36028
so that if the start_ptr is NULL the bytes are extracted from the given TVB
using the given offset and length.
Replace a bunch of:
proto_tree_add_bytes_format*(tree, hf, tvb, offset, length, tvb_get_ptr(tvb, offset, length), [...])
with:
proto_tree_add_bytes_format*(tree, hf, tvb, offset, length, NULL, [...])
svn path=/trunk/; revision=35896
keys to have _uint in their names, to match the routines that handle
dissector tables with string keys. (Using _port can confuse people into
thinking they're intended solely for use with TCP/UDP/etc. ports when,
in fact, they work better for things such as Ethernet types, where the
binding of particular values to particular protocols are a lot
stronger.)
svn path=/trunk/; revision=35224
Add a bunch of NetFlow/IPFIX extensions from Plixer and ntop.
A little cleanup as well.
From me: remove duplicate blurbs.
svn path=/trunk/; revision=35142
Comment in the code asked....
/*XXX: 2 bytes skipped ?? */
Here is what I have found.
The high byte (1) indicates the Classification Engine ID
The low bytes (3) indicate the application ID
Engine ID of 5 is NBAR Standard.
Engine ID of 6 is NBAR Custom.
Attached patch displays all 4 bytes (type and ID) in a readable way. Also
allows better filtering.
svn path=/trunk/; revision=35116
Bugs fixed:
- Invalid time display for various time fields;
Millisecs for types 152, 153 are actually stored as 64 bit integers;
Microsecs, nanosecs are actually stored in "NTP format";
Times for fields 158, 159 are relative to "export time";
SystemInitTime displayed incorrectly;
...
- Options template not cached when only scope fields in template.
- Templates not processed on first pass thru capture file:
(In some cases data flows might not be handled until options template later displayed).
- V9: number of options template entries limited to about 8 instead of intended 42;
- Multiple options temlate flows in an Options Template flowset not handled;
- "NotSentOctets" dislayed as "NotSentPackets";
...
Cleanups:
- Options and data template processing code more or less rewritten;
- options template displayed with format similar to that used for data templates;
- Handling and display of PEN field (including use to indicate REVERSE) improved;
- Don't use same filter name for two similar fields which only differ in size;
- Handling & dislay of "variable length" fields improved;
- sminmec lookup (PEN) done only during template processing & cached for later use;
...
- Whitespace/Formatting
svn path=/trunk/; revision=34140
1. fix the bug in dissect_v9_pdu.
(The bug is introduced in r32627, It's my fault, I'm sorry.)
When option data record is decoded, unpatched dissect_v9_pdu decode only scope
fields, it does not decode following data fields. And it runs in endless loop
when length of a scope filed is 0. This patch solve these problem.
2. defines some value_strings for some fields.
3. updates URLs in comment.
svn path=/trunk/; revision=33348
The function "dissect_v9_pdu" of "epan/dissectors/packet-netflow.c" decodes
NetFlow v9 packets and IPFIX packets with same logic. But, the "scope field" is
different between NetFlow v9 and IPFIX. NetFlow v9 has only 5 kind of scopes.
On the other hand, many Information Elements can be used as scope fields in
IPFIX packets.
svn path=/trunk/; revision=32627
Don't use add_item() to add FT_ABSOLUTE_TIMEs. Instead either:
- fetch the seconds (and maybe milliseconds) and use add_time()
- (or) change the field to FT_BYTES and give the raw data to
ntp_fmt_ts() for presentation
Also change BASE_NONE to ABSOLUTE_TIME_LOCAL for the remaining time fields.
svn path=/trunk/; revision=31725
Cisco has recently released (in 15.0.1) support for integration between NBAR
and Flexible Netflow (FNF). This allows NBAR-recognized applications to be
identified in the Netflow output. To do so, 3 new template fields were added:
94: APPLICATION_DESC
95: APPLICATION_ID
96: APPLICATION_NAME
svn path=/trunk/; revision=31357
ABSOLUTE_TIME_LOCAL or ABSOLUTE_TIME_UTC, indicating whether to display
the date/time in local time or UTC. (int)ABSOLUTE_TIME_LOCAL ==
(int)BASE_NONE, so there's no source or binary compatiblity issue,
although we might want to eliminate BASE_NONE at some point and have the
BASE_ values used with integral types start at 0, so that you can't
specify BASE_NONE for an integral field.
svn path=/trunk/; revision=31319
The netflow implementation has a bug where the code exists to extract four
fields from a packet, however, the decoder for these fields has not been
registered in proto_register_netflow in the hf_register_info array.
The fix is to include decoders for the fields in the proto_register_netflow.
svn path=/trunk/; revision=30809
"EVER!") Expand the entry/scope struct to include private enterprise
numbers instead of casting guint32s to arbritrary chunks of memory.
Limit the number of entries and scopes we allocate. Don't allocate
memory every time we see a new template. Don't use a C++ keyword for
variable names.
svn path=/trunk/; revision=29061
Anders Broman