I have written a dissector for Cisco Systems' NetFlow Export
packets.
Unfortunately, there is no fixed UDP port number for this
traffic -- it is configured into the router and the client.
At the moment I've just hard-coded the port number we use,
as I used a dissector that used a fixed port number as the
starting point.
What is the recommended way to make this work with any port
number -- do I have to turn it into a plugin?
The NetFlow packets also contain parts of the IP and TCP headers --
such as the ToS byte and port numbers. The current IP header
dissecting code doesn't allow its ToS byte decoder to be reused.
Should I change this rather than copying the code?
The packets also contain a number of time types, including
NTP. Given that these are heavily reusable, should I create
a new time type for this? Should I add a facility to choose
between local and UTC displayed times?
Finally what is the suggested method of submitting a software
change -- there's also a hand-built "capture" for regression
testing that checks the boundary cases for each field value
plus a live capture for each version of the NetFlow protocol.
Please cc me on any replies, as my list join request has been
bounced to the administrator due to a majordomo bug (it doesn't
recognise glen.turner+ethereal@xxxxxxxxxxxxx as being the same
address as glen.turner@xxxxxxxxxxxxx).
Thanks,
Glen
PS: the type FT_IPv4 is a bit naive. There are actually four
different types of IP addresses: source addresses, destination
addresses, routing prefixes, next hop addresses. It's worthwhile
differentiating these -- an error can then be easily flagged on
a multicast source address and addresses can be textually described
(e.g. 0.0.0.0 as the null source address or as the routing prefix of
the default route as appropriate).
--
Glen Turner Network Engineer
(08) 8303 3936 Australian Academic and Research Network
glen.turner@xxxxxxxxxxxxx http://www.aarnet.edu.au/
--
The revolution will not be televised, it will be digitised
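The address-role distinction raised in the PS, as an added C example that is not part of the original post and not Ethereal's own code: a helper that reads an IPv4 address out of a record in network byte order, describes it according to the role it plays (source, destination, routing prefix, next hop), and flags a multicast source address as an error. The role enum, function names and description strings are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical roles an IPv4 address can play in a NetFlow record. */
typedef enum { ADDR_SRC, ADDR_DST, ADDR_PREFIX, ADDR_NEXTHOP } addr_role_t;

/* Read a 4-byte big-endian (network order) address from a packet buffer. */
uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* 224.0.0.0/4 is the IPv4 multicast range. */
static int is_multicast(uint32_t addr)
{
    return (addr & 0xF0000000u) == 0xE0000000u;
}

/* Write a textual description of addr (host order) for the given role.
 * Returns 0 when the value is acceptable for its role, -1 when the
 * dissector should flag it as an error (a multicast source address). */
int describe_addr(uint32_t addr, addr_role_t role, char *out, size_t outlen)
{
    unsigned o1 = addr >> 24, o2 = (addr >> 16) & 0xFF;
    unsigned o3 = (addr >> 8) & 0xFF, o4 = addr & 0xFF;

    /* 0.0.0.0 means different things depending on the role. */
    if (addr == 0 && role == ADDR_SRC) {
        snprintf(out, outlen, "0.0.0.0 (null source address)");
        return 0;
    }
    if (addr == 0 && role == ADDR_PREFIX) {
        snprintf(out, outlen, "0.0.0.0 (default route prefix)");
        return 0;
    }
    /* A flow cannot originate from a multicast group address. */
    if (role == ADDR_SRC && is_multicast(addr)) {
        snprintf(out, outlen, "%u.%u.%u.%u [error: multicast source address]",
                 o1, o2, o3, o4);
        return -1;
    }
    snprintf(out, outlen, "%u.%u.%u.%u", o1, o2, o3, o4);
    return 0;
}
```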