Wireshark-bugs: [Wireshark-bugs] [Bug 11295] New: Incorrect interpretation of IPFIX flowEndSysUp
Date: Mon, 22 Jun 2015 06:46:17 +0000
Bug ID: 11295
Summary: Incorrect interpretation of IPFIX flowEndSysUpTime, flowStartSysUpTime fields when combined with other duration fields
Product: Wireshark
Version: 1.12.5
Hardware: x86-64
OS: Windows 8.1
Status: UNCONFIRMED
Severity: Normal
Priority: Low
Component: Dissection engine (libwireshark)
Assignee: bugzilla-admin@wireshark.org
Reporter: tomas.danek@solarwinds.com

Created attachment 13676
flowEndSysUpTime and flowStartSysUpTime combined with flowStartMilliseconds and flowEndMilliseconds

Build Information:
Version 1.12.5 (v1.12.5-0-g5819e5b from master-1.12)

Compiled (64-bit) with GTK+ 2.24.23, with Cairo 1.10.2, with Pango 1.34.0, with
GLib 2.38.0, with WinPcap (4_1_3), with libz 1.2.5, with SMI 0.4.8, with c-ares
1.9.1, with Lua 5.2, without Python, with GnuTLS 3.2.15, with Gcrypt 1.6.2,
without Kerberos, with GeoIP, with PortAudio V19-devel (built May 12 2015),
with AirPcap.

Running on 64-bit Windows 8.1, build 9600, with WinPcap version 4.1.3
(packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch 1_0_rel0b
(20091008), GnuTLS 3.2.15, Gcrypt 1.6.2, without AirPcap.
Intel(R) Core(TM) i7-4770S CPU @ 3.10GHz, with 16245MB of physical memory.

Built using Microsoft Visual C++ 10.0 build 40219

--
When flowEndSysUpTime (LastSwitched - 21) and flowStartSysUpTime (FirstSwitched -
22) are combined with other flow duration fields (flowStartMilliseconds - 152,
flowEndMilliseconds - 153) in the template, an unexpected Duration node is
displayed in Wireshark. This node apparently uses StartTime from
flowStartMilliseconds and EndTime from flowEndSysUpTime and thus displays an
incorrect duration value. Besides this incorrect node, there are two other
nodes that display the correct StartTime, EndTime and Duration values.

When flowEndSysUpTime and flowStartSysUpTime are the only duration fields in
the template, no problem occurs. It looks like the problem occurs only in
combination with other fields.

The capture is not from a real device, it comes from our internal NetFlow
Generator tool that allows me to export various combinations of template
fields.
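The mismatch the report describes can be reproduced outside Wireshark: flowStartSysUpTime/flowEndSysUpTime (IEs 22/21) are milliseconds since the exporter booted, while flowStartMilliseconds/flowEndMilliseconds (IEs 152/153) are milliseconds since the Unix epoch, so a duration computed from one clock's start and the other clock's end is meaningless. The following is an added example, not code from the bug report or from Wireshark: it builds a constructed IPFIX message whose template carries all four IEs, decodes the data record against the template, and computes the duration three ways. Template order, field values, export time and the helper names are all assumptions made for the example.

```python
"""Added example: minimal IPFIX template/data round-trip showing why pairing
an epoch-based start (IE 152) with a sysUpTime-based end (IE 21) gives a
nonsense duration, while same-clock pairs agree."""
import struct

# IANA IPFIX information element IDs named in the report
IE_FLOW_END_SYSUPTIME = 21     # ms since exporter boot, 4-byte unsigned
IE_FLOW_START_SYSUPTIME = 22   # ms since exporter boot, 4-byte unsigned
IE_FLOW_START_MS = 152         # ms since 1970-01-01 UTC, 8-byte unsigned
IE_FLOW_END_MS = 153           # ms since 1970-01-01 UTC, 8-byte unsigned

IE_LENGTH = {21: 4, 22: 4, 152: 8, 153: 8}
TEMPLATE_ID = 256              # assumed data template ID

# Constructed sample: template order and values are assumptions for the example.
TEMPLATE = [IE_FLOW_START_SYSUPTIME, IE_FLOW_END_SYSUPTIME,
            IE_FLOW_START_MS, IE_FLOW_END_MS]
RECORD = {
    IE_FLOW_START_SYSUPTIME: 100_000,          # 100 s after boot
    IE_FLOW_END_SYSUPTIME: 105_000,            # 105 s after boot
    IE_FLOW_START_MS: 1_434_955_570_000,       # 2015-06-22 06:46:10 UTC
    IE_FLOW_END_MS: 1_434_955_575_000,         # 2015-06-22 06:46:15 UTC
}
EXPORT_TIME = 1_434_955_577                    # constructed header export time


def build_message(template, record):
    """Encode an IPFIX message: 16-byte header, template set (ID 2), data set."""
    tmpl_body = struct.pack("!HH", TEMPLATE_ID, len(template))
    for ie in template:
        tmpl_body += struct.pack("!HH", ie, IE_LENGTH[ie])
    tmpl_set = struct.pack("!HH", 2, 4 + len(tmpl_body)) + tmpl_body

    data_body = b"".join(
        struct.pack("!I" if IE_LENGTH[ie] == 4 else "!Q", record[ie])
        for ie in template)
    data_set = struct.pack("!HH", TEMPLATE_ID, 4 + len(data_body)) + data_body

    body = tmpl_set + data_set
    # version 10, total length, export time, sequence number, observation domain
    header = struct.pack("!HHIII", 10, 16 + len(body), EXPORT_TIME, 1, 0)
    return header + body


def parse_message(msg):
    """Decode templates first, then data records keyed by IE number."""
    version, length, _export, _seq, _domain = struct.unpack("!HHIII", msg[:16])
    if version != 10:
        raise ValueError("not an IPFIX (version 10) message")
    templates, records = {}, []
    off = 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
        p, end = off + 4, off + set_len
        if set_id == 2:                                   # template set
            while p + 4 <= end:
                tid, count = struct.unpack("!HH", msg[p:p + 4]); p += 4
                fields = []
                for _ in range(count):
                    ie, ln = struct.unpack("!HH", msg[p:p + 4]); p += 4
                    fields.append((ie, ln))
                templates[tid] = fields
        elif set_id >= 256 and set_id in templates:      # data set
            fields = templates[set_id]
            rec_len = sum(ln for _, ln in fields)
            while p + rec_len <= end:
                rec = {}
                for ie, ln in fields:
                    rec[ie] = int.from_bytes(msg[p:p + ln], "big"); p += ln
                records.append(rec)
        off = end
    return records


def durations(rec):
    """Same-clock durations are consistent; the mixed pairing from the report
    subtracts an epoch timestamp from a boot-relative one."""
    return {
        "sysuptime_ms": rec[IE_FLOW_END_SYSUPTIME] - rec[IE_FLOW_START_SYSUPTIME],
        "epoch_ms": rec[IE_FLOW_END_MS] - rec[IE_FLOW_START_MS],
        "mixed_start_epoch_end_sysuptime_ms":
            rec[IE_FLOW_END_SYSUPTIME] - rec[IE_FLOW_START_MS],
    }


def demo():
    """Round-trip the constructed message and return the three durations."""
    records = parse_message(build_message(TEMPLATE, RECORD))
    return durations(records[0])


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both same-clock pairs yield 5000 ms for the constructed record; the mixed pairing yields a large negative number, which is the kind of value the report's unexpected Duration node would show. A decoder (or a detection rule consuming flow records) should only ever subtract timestamps that share a clock, and should treat a negative or implausibly large duration as a decoding fault rather than as flow data.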

