If you could provide me with documentation on how Juniper treats
the last, reserved field in the header, I would be grateful.
Cisco treats this as undocumented and unsupported.
Also, the field only represents the sampling rate if the top
two bits are == 10b. I have code to do the right thing in
this case.
I have removed Cisco-specific language from the dissector.
mattSMART
On Thu, Sep 05, 2002 at 07:32:47PM +0200, Hannes Gredler wrote:
> hi,
>
> pls find attached patch that supports decoding of the
> sample rate factor in cflowd5 headers;
>
> ---
> another question: is there a way to tell ethereal on startup
> that it should register the netflow dissector on a specific UDP
> port ?
>
> matthew already pointed out the dilemma - currently there is
> no well-known port for cflowd records and on most of my customers
> networks it is an arbitrary UDP port [2000, 2032 etc.]
>
> /hannes
>
> On Wed, Sep 04, 2002 at 03:39:42PM -0400, Matthew Smart wrote:
> | This dissector properly reads NetFlow version 5 and can be
> | enhanced to handle version 1, 7, 8, and with a bit more work
> | version 9. I have a lot of code that processes the different
> | versions, and I'd be happy to continue to make this dissector
> | better if it makes it into the tree.
> |
> | The patch to 0.9.6-current is trivial: just added the source file
> | to Makefile.am and Makefile.nmake and two new files, packet-netflow.h
> | and packet-netflow.c.
> |
> | I realize that there is no default port for NetFlow exports, so
> | I have set default value to port 5000.
>
> [ ... ]
> Index: packet-netflow.c
> ===================================================================
> RCS file: /cvsroot/ethereal/packet-netflow.c,v
> retrieving revision 1.1
> diff -u -r1.1 packet-netflow.c
> --- packet-netflow.c 2002/09/04 20:23:53 1.1
> +++ packet-netflow.c 2002/09/05 17:26:36
> @@ -41,6 +41,7 @@
> static int hf_netflow_sys_uptime = -1;
> static int hf_netflow_unix_sec = -1;
> static int hf_netflow_unix_nsec = -1;
> +static int hf_netflow_sample_rate = -1;
> static int hf_netflow_flow_sequence = -1;
> static int hf_netflow_record = -1;
>
> @@ -56,7 +57,7 @@
> gint offset = 0;
> struct netflow5_hdr nfh;
> struct netflow5_rec nfr;
> - guint16 nfh_version, nfh_count;
> + guint16 nfh_version, nfh_count, nfh_sample_rate;
> guint32 nfh_sys_uptime, nfh_unix_sec, nfh_unix_nsec;
> guint32 nfh_sequence;
> int i;
> @@ -73,18 +74,19 @@
> nfh_sys_uptime = ntohl(nfh.sys_uptime);
> nfh_unix_sec = ntohl(nfh.unix_sec);
> nfh_unix_nsec = ntohl(nfh.unix_nsec);
> + nfh_sample_rate = ntohs(nfh.sample_rate);
> nfh_sequence = ntohl(nfh.flow_sequence);
>
> if (check_col(pinfo->cinfo, COL_INFO))
> col_add_fstr(pinfo->cinfo, COL_INFO,
> - "v%u, %u records, sequence number %u",
> + "Netflow v%u, %u records, sequence number %u",
> nfh_version, nfh_count, nfh_sequence);
>
> if (tree != NULL) {
> /* Add NetFlow to to the tree */
> ti = proto_tree_add_protocol_format(tree, proto_netflow, tvb,
> offset, sizeof(nfh.version) + sizeof(nfh.count)*sizeof(nfr),
> - "Cisco Netflow, v%u, %u records, sequence number %u",
> + "Netflow v%u, %u records, sequence number %u",
> nfh_version, nfh_count, nfh_sequence);
> netflow_tree = proto_item_add_subtree(ti, ett_netflow);
>
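Review bot: `nfh_sample_rate = ntohs(nfh.sample_rate);` treats the whole 16-bit field as a rate, but as the reply at the top of this message points out, the field carries a sampling rate only when its top two bits are 10b; keep the raw value here and let the display code decide whether it is a sampling rate, so exporters that leave the field zero do not end up with a fabricated rate. The "Cisco Netflow" to "Netflow v%u" wording change in the COL_INFO and protocol format strings is fine.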
> @@ -115,6 +117,11 @@
> tvb, offset + 12, sizeof(nfh.unix_nsec), nfh_unix_nsec,
> "Residual: %u nanoseconds", nfh_unix_nsec);
>
> + /* On high-speed interfaces often just statistical sample records are produced */
> + proto_tree_add_uint_format(netflow_tree, hf_netflow_sample_rate,
> + tvb, offset + 22, sizeof(nfh.sample_rate), nfh_sample_rate,
> + "Sample Rate: 1/%u", nfh_sample_rate);
> +
> for (i = 0; i < nfh_count; i++) {
> guint rec_offset = sizeof(nfh) + i * sizeof(nfr);
>
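Review bot: `"Sample Rate: 1/%u"` is added unconditionally, so a header whose last field is zero (exporters that do not sample) will be shown as "Sample Rate: 1/0". Guard the proto_tree_add_uint_format call on the top two bits being 10b and print only the low 14 bits as the interval; for any other value, label the field as reserved/undecoded instead. The offset of 22 is consistent with the field order in the packet-netflow.h struct (unix_nsec at 12, flow_sequence at 16, engine_type at 20, engine_id at 21). The comment "often just statistical sample records are produced" would read better as "only a statistical sample of packets is accounted".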
> @@ -202,6 +209,9 @@
> BASE_DEC, NULL, 0x0, "", HFILL }},
> { &hf_netflow_unix_nsec,
> { "Unix nanonseconds", "netflow.unix_nsec", FT_UINT32,
> + BASE_DEC, NULL, 0x0, "", HFILL }},
> + { &hf_netflow_sample_rate,
> + { "Sample Rate", "netflow.sample_rate", FT_UINT16,
> BASE_DEC, NULL, 0x0, "", HFILL }},
> { &hf_netflow_flow_sequence,
> { "Sequence number", "netflow.flow_sequence", FT_UINT32,
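Review bot: the new `netflow.sample_rate` entry is registered as FT_UINT16 with bitmask 0x0, so display filters will match the raw field including the two mode bits; if the display code masks the interval to the low 14 bits, register that mask here as well (a separate field for the mode bits would also help) so that filter values agree with what is shown in the tree. The description string is empty; a one-line description of the field would be useful.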
> Index: packet-netflow.h
> ===================================================================
> RCS file: /cvsroot/ethereal/packet-netflow.h,v
> retrieving revision 1.1
> diff -u -r1.1 packet-netflow.h
> --- packet-netflow.h 2002/09/04 20:23:54 1.1
> +++ packet-netflow.h 2002/09/05 17:26:36
> @@ -39,7 +39,7 @@
> guint32 flow_sequence; /* Sequence num of flows seen */
> guint8 engine_type; /* Type of flow switching engine */
> guint8 engine_id; /* Slot number of switching engine */
> - guint16 reserved;
> + guint16 sample_rate; /* sample 1/sample_rate packets */
> };
>
> struct netflow5_rec {
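As an added example, not part of this thread or of the ethereal dissector: a small C decoder for the last header field discussed above, which reports a sampling rate only when the field's top two bits are 10b and otherwise marks it as not signalled. The two 24-byte headers are constructed for the example, and the 14-bit interval mask is an assumption that follows from the mode-bit rule stated in the reply.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define NF5_HDR_LEN       24   /* fixed NetFlow v5 header size */
#define NF5_SAMPLING_OFF  22   /* last 16-bit field of the header */

/* Decoded view of the last header field. */
struct nf5_sampling {
    unsigned mode;      /* top two bits of the field */
    unsigned interval;  /* low 14 bits (assumed interval, see lead-in) */
    int      sampled;   /* 1 only when mode == 10b and interval != 0 */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 on success, -1 if the buffer is too short or not a v5 header.
 * Only mode 10b is interpreted as "1 in N packets sampled"; any other
 * value is reported as not signalled rather than displayed as "1/0". */
int nf5_decode_sampling(const uint8_t *buf, size_t len, struct nf5_sampling *out)
{
    if (buf == NULL || out == NULL || len < NF5_HDR_LEN || rd16(buf) != 5)
        return -1;
    uint16_t raw  = rd16(buf + NF5_SAMPLING_OFF);
    out->mode     = raw >> 14;
    out->interval = raw & 0x3FFF;
    out->sampled  = (out->mode == 2 && out->interval != 0);
    return 0;
}

/* Constructed v5 headers (not real captures): the first carries mode 10b
 * with interval 100 (0x8064); the second leaves the field zero. */
static const uint8_t HDR_SAMPLED[NF5_HDR_LEN] = {
    0x00,0x05, 0x00,0x01, 0x00,0x00,0x03,0xE8, 0x3D,0x77,0xA4,0x3F,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x2A, 0x00, 0x01, 0x80,0x64 };
static const uint8_t HDR_UNSAMPLED[NF5_HDR_LEN] = {
    0x00,0x05, 0x00,0x01, 0x00,0x00,0x03,0xE8, 0x3D,0x77,0xA4,0x3F,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x2B, 0x00, 0x01, 0x00,0x00 };

int main(void)
{
    struct nf5_sampling s;
    const uint8_t *hdrs[] = { HDR_SAMPLED, HDR_UNSAMPLED };
    for (size_t i = 0; i < 2; i++) {
        if (nf5_decode_sampling(hdrs[i], NF5_HDR_LEN, &s) != 0) return 1;
        if (s.sampled) printf("Sample Rate: 1/%u\n", s.interval);
        else           printf("Sampling not signalled (mode %u)\n", s.mode);
    }
    return 0;
}
```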