Wireshark-bugs: [Wireshark-bugs] [Bug 5380] New: Better decode for NetFlow NBAR applicationId
Date: Wed, 10 Nov 2010 10:54:02 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5380

           Summary: Better decode for NetFlow NBAR applicationId
           Product: Wireshark
           Version: SVN
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: Major
          Priority: Low
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: acferen@xxxxxxxxx


Build Information:
wireshark 1.5.0 (SVN Rev 34829 from /trunk)

Copyright 1998-2010 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 2.20.1, with GLib 2.24.1, with libpcap 1.0.0, with
libz 1.2.3.3, without POSIX capabilities, without libpcre, without SMI, without
c-ares, without ADNS, without Lua, without Python, without GnuTLS, without
Gcrypt, with MIT Kerberos, without GeoIP, without PortAudio, without AirPcap.

Running on Linux 2.6.32-25-generic, with libpcap version 1.0.0, with libz
1.2.3.3.

Built using gcc 4.4.3.

--
Comment in the code asked....

 /*XXX: 2 bytes skipped ?? */

Here is what I have found.

The high byte (1) indicates the Classification Engine ID.
The low bytes (3) indicate the application ID.

Engine ID of 5 is NBAR Standard.
Engine ID of 6 is NBAR Custom.

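The field layout described in the report, as an added C example (not Wireshark's dissector code and not part of the original bug report). The names `nbar_app_id`, `nbar_engine_name`, `nbar_decode_app_id` and `nbar_sample` are hypothetical, network byte order is assumed, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical type for this example; not a Wireshark structure. */
typedef struct {
    uint8_t  engine_id;  /* high byte: Classification Engine ID */
    uint32_t app_id;     /* low 3 bytes: application ID */
} nbar_app_id;

/* Constructed sample: two 4-byte applicationId fields back to back. */
static const uint8_t nbar_sample[8] = {
    0x05, 0x00, 0x00, 0x50,   /* engine 5, application 80  */
    0x06, 0x00, 0x01, 0x02    /* engine 6, application 258 */
};

/* Only the two engine IDs named in the report are mapped. */
static const char *nbar_engine_name(uint8_t engine_id)
{
    switch (engine_id) {
    case 5:  return "NBAR Standard";
    case 6:  return "NBAR Custom";
    default: return "Unknown";
    }
}

/* Decode the field at buf[offset], assuming network byte order.
 * Returns 0 on success, -1 if the 4 bytes do not fit inside buf. */
static int nbar_decode_app_id(const uint8_t *buf, size_t len, size_t offset,
                              nbar_app_id *out)
{
    if (buf == NULL || out == NULL || offset > len || len - offset < 4)
        return -1;
    out->engine_id = buf[offset];
    out->app_id = ((uint32_t)buf[offset + 1] << 16) |
                  ((uint32_t)buf[offset + 2] << 8) |
                   (uint32_t)buf[offset + 3];
    return 0;
}

int main(void)
{
    nbar_app_id id;
    for (size_t off = 0; nbar_decode_app_id(nbar_sample, sizeof nbar_sample, off, &id) == 0; off += 4)
        printf("engine %u (%s), application %u\n", (unsigned)id.engine_id,
               nbar_engine_name(id.engine_id), (unsigned)id.app_id);
    return 0;
}
```

The length check rejects a field that would run past the end of the record, so a truncated flow record yields an error instead of an out-of-bounds read.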