When dissecting an IPFIX PDU containing start and end times for both directions
of a biflow, no distinction is made between forward and reverse directions.
This can lead to bizarre (or worse, subtly incorrect) output for the flow
durations computed from start and end times.
This patch fixes the specific problem of duration display in wireshark for
IPFIX biflow PDUs. It does not address the general issue of tracking different
types of start/end timestamps separately - it is unlikely that the general case
will occur in practice, although it is certainly possible.
svn path=/trunk/; revision=26663
This patch
(1) fixes to decode IPFIX packets.
The revision 25601 warns and be not able to decodes IPFIX packets fully,
because the array "hf_register_info" does not have an entry
"hf_cflow_datarecord_length", and a length check for IPFIX packets is incorrect
in "dissect_netflow" function.
(2) is able to decode all Information Elements standardized by RFC 5102
(3) is able to decode IPFIX templates and data that contains PEN (Private
Enterprise Number) fields standardized by RFC 5101, and is able to decode
bi-directional flow standardized by RFC 5103.
svn path=/trunk/; revision=25905
epan/dissectors/packet-ncp2222.inc is a bit hard to fix, so we're not
ready to enable that warning by default yet.
Throw in some casts to handle GLib routines that take arbitrary
non-const pointers (they can later return the pointers, and some
callers might want to modify or free up those pointers in cases where
they're known to be writable or allocated).
Use ep_tvb_memdup() rather than a combination of ep_alloc() and
tvb_memcpy().
Clean up some indentation.
svn path=/trunk/; revision=25601
While borrowing code from an other dissector I have worked on I realized I
previously "borrowed" a comment and typo. Here's a fix.
svn path=/trunk/; revision=24928
Fix the bug related to Option template:
- System scope (check that options scope size is == 4, not <= 4)
- Interface scope (same)
Same fix for fields BytesExported PacketsExported FlowsExported.
Also fix some tabulations in a previous patch related to IPv6 Addresses.
svn path=/trunk/; revision=24138
1) IPFIX port (4739) should be configurable without recompiling
2) It should be possible to specify more than one port to be dissected as
Netflow and/or IPFIX
3) Netflow should recognize UDP ports 2055 and 9996 (Both are common)
Also (from me):
- make Netflow a "new style" dissector: return 0 if it doesn't appear to be a
valid netflow packet
- register the old preference (cflow.udp.port) as obsolete so users don't see
warnings about it not being valid
svn path=/trunk/; revision=23075
packet-netflow.c is lack of the capability to decode ipv6 address related fields in netflow v9.
This patch enables dissecting the following fields:
Type 27 IPV6_SRC_ADDR,
Type 28 IPV6_DST_ADDR,
Type 29 IPV6_SRC_MASK,
Type 30 IPV6_DST_MASK and
Type 62 IPV6_NEXT_HOP.
svn path=/trunk/; revision=22793
This patch collapses start and end time for each flow to a single duration item. The duration item can, of course, be expanded to display the start and end time.
svn path=/trunk/; revision=21746
Patch tested against traces obtained from Cisco IOS 12.4 Flexible Netflow,
IOS-XR 3.3, Huawei VRP 5.30.
Features:
- Decodes Netflow v9 option templates
- Decodes quite a few additional Netflow v9 types
- Packets and octets counters can be 64-bit
- Show unknown Netflow v9 fields as hexa, useful when using tshark -V with
Netflow v9 implementations that use undocumented proprietary types.
Enabled by: "#define SHOW_UNKNOWN_TYPES 1"
svn path=/trunk/; revision=21672
As per NetFlow V9 protocol, Template ID is guaranteed to be unique per
Observation Domain (identified by Source ID) and the Exporter
(identified by the source IP address of NetFlow PDU).
The former code was ignoring these information for simplicity, but
noticing such a necessity.
svn path=/trunk/; revision=20182
> please find enclosed a patch to the CFlow dissector (packet-netflow.c)
> that enables it to decode IPFIX packet traces.
svn path=/trunk/; revision=19221
find attached the patch that reflects this interpretation of
> this field accordingly. It also fixes a few minor bugs associated with
> the handling of 'UNIX Secs' field and two field types
> (LAST_SWITCHED(21) and FIRST_SWITCHED(22)) in case of NetFlow V9.
svn path=/trunk/; revision=17698
The code assumes Template FlowSet contains only one Template Record, which is not necessarily true. Please find attached the patch to fix it.
svn path=/trunk/; revision=17630
This is a simple patch to the Netflow v9 dissector, that let it decode
Netflow v9 MPLS-Aware, a feature of Cisco 12000 IOS 12.0.24S and above
on Cisco 12000, 7500 and 7200 that is very useful for MPLS-VPN networks.
svn path=/trunk/; revision=17225
and that extract IPv6 addresses into a "struct e_in6_addr", with
tvb_get_ipv4() and tvb_get_ipv6() calls - except for some that we
remove, by using proto_tree_add_item(), rather than replacing.
Have epan/tvbuff.h include epan/ipv6-utils.h, to define "struct
e_in6_addr" (not necessary to declare the tvbuff routines, but including
it there means "struct e_in6_addr" is guaranteed to be defined before
those declarations, so we don't get compiler complaints if we define it
*after* those declarations).
svn path=/trunk/; revision=15758
Also move ncp222.py, x11-fields, process-x11-fields.pl,
make-reg-dotc, and make-reg-dotc.py.
Adjust #include lines in files that include packet-*.h
files.
svn path=/trunk/; revision=11410
Bill Meier