hi,
pls find attached patch that supports decoding of the
sample rate factor in cflowd5 headers;
---
another question: is there a way to tell ethereal on startup
that it should register the netflow dissector on a specific UDP
port ?
matthew already pointed out the dilemma - currently there is
no well-known port for cflowd records and on most of my customers'
networks it is an arbitrary UDP port [2000, 2032 etc.]
/hannes
On Wed, Sep 04, 2002 at 03:39:42PM -0400, Matthew Smart wrote:
| This dissector properly reads NetFlow version 5 and can be
| enhanced to handle version 1, 7, 8, and with a bit more work
| version 9. I have a lot of code that processes the different
| versions, and I'd be happy to continue to make this dissector
| better if it makes it into the tree.
|
| The patch to 0.9.6-current is trivial: just added the source file
| to Makefile.am and Makefile.nmake and two new files, packet-netflow.h
| and packet-netflow.c.
|
| I realize that there is no default port for NetFlow exports, so
| I have set default value to port 5000.
[ ... ]
Index: packet-netflow.c
===================================================================
RCS file: /cvsroot/ethereal/packet-netflow.c,v
retrieving revision 1.1
diff -u -r1.1 packet-netflow.c
--- packet-netflow.c 2002/09/04 20:23:53 1.1
+++ packet-netflow.c 2002/09/05 17:26:36
@@ -41,6 +41,7 @@
static int hf_netflow_sys_uptime = -1;
static int hf_netflow_unix_sec = -1;
static int hf_netflow_unix_nsec = -1;
+static int hf_netflow_sample_rate = -1;
static int hf_netflow_flow_sequence = -1;
static int hf_netflow_record = -1;
@@ -56,7 +57,7 @@
gint offset = 0;
struct netflow5_hdr nfh;
struct netflow5_rec nfr;
- guint16 nfh_version, nfh_count;
+ guint16 nfh_version, nfh_count, nfh_sample_rate;
guint32 nfh_sys_uptime, nfh_unix_sec, nfh_unix_nsec;
guint32 nfh_sequence;
int i;
@@ -73,18 +74,19 @@
nfh_sys_uptime = ntohl(nfh.sys_uptime);
nfh_unix_sec = ntohl(nfh.unix_sec);
nfh_unix_nsec = ntohl(nfh.unix_nsec);
+ nfh_sample_rate = ntohs(nfh.sample_rate);
nfh_sequence = ntohl(nfh.flow_sequence);
if (check_col(pinfo->cinfo, COL_INFO))
col_add_fstr(pinfo->cinfo, COL_INFO,
- "v%u, %u records, sequence number %u",
+ "Netflow v%u, %u records, sequence number %u",
nfh_version, nfh_count, nfh_sequence);
if (tree != NULL) {
/* Add NetFlow to to the tree */
ti = proto_tree_add_protocol_format(tree, proto_netflow, tvb,
offset, sizeof(nfh.version) + sizeof(nfh.count)*sizeof(nfr),
- "Cisco Netflow, v%u, %u records, sequence number %u",
+ "Netflow v%u, %u records, sequence number %u",
nfh_version, nfh_count, nfh_sequence);
netflow_tree = proto_item_add_subtree(ti, ett_netflow);
@@ -115,6 +117,11 @@
tvb, offset + 12, sizeof(nfh.unix_nsec), nfh_unix_nsec,
"Residual: %u nanoseconds", nfh_unix_nsec);
+ /* On high-speed interfaces often just statistical sample records are produced */
+ proto_tree_add_uint_format(netflow_tree, hf_netflow_sample_rate,
+ tvb, offset + 22, sizeof(nfh.sample_rate), nfh_sample_rate,
+ "Sample Rate: 1/%u", nfh_sample_rate);
+
for (i = 0; i < nfh_count; i++) {
guint rec_offset = sizeof(nfh) + i * sizeof(nfr);
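Review bot: The new proto_tree_add_uint_format call prints the field as `Sample Rate: 1/%u`, so an exporter that is not sampling (field value 0) is shown as a rate of "1/0"; the zero case should be labelled as unsampled rather than as a ratio. As far as I recall the last two bytes of the Cisco NetFlow v5 header carry a 2-bit sampling mode in the top bits and a 14-bit interval below it — if that is right, the raw value should be masked before it is displayed and the mode reported separately, otherwise a sampled exporter with mode bits set shows up as a very large interval; the same caveat applies to the `/* sample 1/sample_rate packets */` comment added in the packet-netflow.h hunk. The enclosing dissector function starts and ends outside this hunk.
```c
/* … unchanged: unix_nsec field … */
/* Bits 15-14 of the v5 field carry the sampling mode, bits 13-0 the
 * interval; 0 means the exporter is not sampling.  Layout per the Cisco
 * v5 header definition - confirm. */
if ((nfh_sample_rate & 0x3fff) == 0)
	proto_tree_add_uint_format(netflow_tree, hf_netflow_sample_rate,
	    tvb, offset + 22, sizeof(nfh.sample_rate), nfh_sample_rate,
	    "Sample Rate: not sampled");
else
	proto_tree_add_uint_format(netflow_tree, hf_netflow_sample_rate,
	    tvb, offset + 22, sizeof(nfh.sample_rate), nfh_sample_rate,
	    "Sample Rate: 1/%u (mode %u)",
	    nfh_sample_rate & 0x3fff, nfh_sample_rate >> 14);
/* … unchanged: per-record loop … */
```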
@@ -202,6 +209,9 @@
BASE_DEC, NULL, 0x0, "", HFILL }},
{ &hf_netflow_unix_nsec,
{ "Unix nanonseconds", "netflow.unix_nsec", FT_UINT32,
+ BASE_DEC, NULL, 0x0, "", HFILL }},
+ { &hf_netflow_sample_rate,
+ { "Sample Rate", "netflow.sample_rate", FT_UINT16,
BASE_DEC, NULL, 0x0, "", HFILL }},
{ &hf_netflow_flow_sequence,
{ "Sequence number", "netflow.flow_sequence", FT_UINT32,
Index: packet-netflow.h
===================================================================
RCS file: /cvsroot/ethereal/packet-netflow.h,v
retrieving revision 1.1
diff -u -r1.1 packet-netflow.h
--- packet-netflow.h 2002/09/04 20:23:54 1.1
+++ packet-netflow.h 2002/09/05 17:26:36
@@ -39,7 +39,7 @@
guint32 flow_sequence; /* Sequence num of flows seen */
guint8 engine_type; /* Type of flow switching engine */
guint8 engine_id; /* Slot number of switching engine */
- guint16 reserved;
+ guint16 sample_rate; /* sample 1/sample_rate packets */
};
struct netflow5_rec {