Ethereal-users: Re: [Ethereal-users] cflow v9 template records

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next
From: Motonori Shindo <mshindo@xxxxxxxxxxx>
Date: Thu, 23 Mar 2006 00:33:26 +0900 (JST)
Paul, et al.

From: Motonori Shindo <mshindo@xxxxxxxxxxx>
Subject: Re: [Ethereal-users] cflow v9 template records
Date: Wed, 15 Mar 2006 02:09:38 +0900 (JST)

> I also noticed that the capture file you sent me says Flowset Count is
> 4 but only 3 flowsets are actually present in the PDU. I guess it is
> an exporter's (Cisco's) bug.

I went through the RFC3954 again. I says: 

   Count
         The total number of records in the Export Packet, which is the
         sum of Options FlowSet records, Template FlowSet records, and
         Data FlowSet records.

With the generous help from Paul who gave me more NetFlow V9 captures,
I now have to admit that my initial interpretation of this field was
wrong. This field represents the total number of records in the PDU
regardless to Flowset Type it belongs, not the number of Flowset in
the PDU as the current NetFlow V9 dissector does.

Please find attached the patch that reflects this interpretation of
this field accordingly. It also fixes a few minor bugs associated with
the handling of 'UNIX Secs' field and two field types
(LAST_SWITCHED(21) and FIRST_SWITCHED(22)) in case of NetFlow V9.


Regards,

---
Motonori Shindo
Chief Technology Officer
Fivefront Corporation
http://www.fivefront.com