Bill Meier wrote:
> On 11/7/2010 10:46 AM, Hadriel Kaplan wrote:
>> Howdy, The current packet-netflow.c dissector has a big "switch
>> (pen_type) {...}" block in dissect_v9_v10_pdu_data(), which looks up
>> specific known netflow/ipfix fields as it walks netflow v9/10 PDUs.
>>
>> Unfortunately, it's a bit of a hack as pen_type is a guint64 and a
>> switch statement will silently cast it to an int. I say
>> "unfortunately", because I discovered to my chagrin that it's a
>> *signed* int, so any case statement can't use a constant greater than
>> 0x7fffffff, which given how the current code works, means one can't
>> have a Private Enterprise Number greater than 0x7fff and use it to
>> define a known field in this code. As it turns out, my Enterprise
>> number is higher than that. (Cace Technology's is just under it,
>> which is why the current code works for Cace's netflow fields)
>>
>
> Looking at the code a bit I see that currently "pen"
> seems to be effectively limited to 16 bits even though 32 bits are
> fetched from the tvbuff:
>
> dissect_v9_v10_template_fields(...) {
> ...
> guint16 pen;
> ...
> if ((ver == 10) && (type & 0x8000)) { /* IPFIX only */
> pen = tvb_get_ntohl(tvb,offset+4);
> ...
> }
>
> Is this a bug ? Are Enterprise Numbers greater that 16 bits allowed ?
> (It would seem so).
>
> In practical terms: Are there currently values > 16 bits ?
>
> If not, one hack might be to define pen_type in
> dissect_v9_v10_pdu_data() as guint32 which gets around the "silent cast"
> issue for the moment.
RFC 5101 section 3.2 says they're 32 bits. I've checked in a change to
reflect this.
