Wireshark-bugs: [Wireshark-bugs] [Bug 11295] Incorrect interpretation of IPFIX flowEndSysUpTime,
Comment # 15
on bug 11295
from Tomas Danek
In fact, this is different for NetflowV9 and IPFIX.
For NetflowV9 the message header contains sys_uptime and unix_secs (export
time) fields. You can calculate the absolute timestamp of the last
(re-)initialization of the device (boottime) from these values.
The timestamp of LastSwitch and FirstSwitch can then be calculated by adding
msecs to the boottime.
4-7 | sys_uptime | Current time in milliseconds since the export device booted.
8-11 | unix_secs | Current count of seconds since 0000 UTC 1970.
However, for IPFIX the message header contains only Export time, which is
the equivalent of V9's unix_secs. The boottime must be retrieved from the
systemInitTimeMilliseconds field.
21 | flowEndSysUpTime | The relative timestamp of the last packet of this Flow.
It indicates the number of milliseconds since the last (re-)initialization of
the IPFIX Device (sysUpTime). sysUpTime can be calculated from
systemInitTimeMilliseconds.
22 | flowStartSysUpTime | The relative timestamp of the first packet of this
Flow. It indicates the number of milliseconds since the last
(re-)initialization of the IPFIX Device (sysUpTime). sysUpTime can be
calculated from systemInitTimeMilliseconds.
160 | systemInitTimeMilliseconds | The absolute timestamp of the last
(re-)initialization of the IPFIX Device.
But I can see that the value for me is not worth the effort, so I think you can
leave it as it is.
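
The two calculations described in the comment above, as an added example that is not part of the original comment and not Wireshark's dissector code. Function names and sample values are constructed; the wrap-safe variant goes beyond the comment and relies on the v9 uptime fields being 32-bit millisecond counters.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* NetFlow v9: boot time in ms since the Unix epoch, from the two header
 * fields. unix_secs has one-second resolution, so the result does too. */
static uint64_t v9_boottime_ms(uint32_t unix_secs, uint32_t sys_uptime)
{
    return (uint64_t)unix_secs * 1000u - sys_uptime;
}

/* Both protocols: absolute time = boot time + relative SysUpTime value.
 * For IPFIX, boottime_ms is systemInitTimeMilliseconds (element 160). */
static uint64_t flow_abs_ms(uint64_t boottime_ms, uint32_t rel_ms)
{
    return boottime_ms + rel_ms;
}

/* Assumption beyond the comment: a 32-bit ms counter wraps after about
 * 49.7 days. Taking the flow's age modulo 2^32 and subtracting it from
 * the export time stays correct when the counter wrapped between the
 * flow's last packet and the export. */
static uint64_t v9_flow_abs_wrapsafe_ms(uint32_t unix_secs,
                                        uint32_t sys_uptime, uint32_t rel_ms)
{
    uint32_t age = sys_uptime - rel_ms; /* unsigned subtraction, mod 2^32 */
    return (uint64_t)unix_secs * 1000u - age;
}

int main(void)
{
    /* Constructed v9 header: exported at 1700000000 s, device up 1 hour. */
    uint64_t boot = v9_boottime_ms(1700000000u, 3600000u);
    printf("v9 boot time        : %" PRIu64 " ms\n", boot);
    printf("v9 LastSwitch       : %" PRIu64 " ms\n",
           flow_abs_ms(boot, 3599000u));

    /* Constructed IPFIX record: boot time comes from the data itself. */
    printf("IPFIX flowEnd       : %" PRIu64 " ms\n",
           flow_abs_ms(1699996400123ULL, 3599000u));

    /* Counter wrapped: flow ended 296 ms before the wrap, export 5 s after. */
    printf("v9 LastSwitch (wrap): %" PRIu64 " ms\n",
           v9_flow_abs_wrapsafe_ms(1700000000u, 5000u, 4294967000u));
    return 0;
}
```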