Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-bugs: [Wireshark-bugs] [Bug 2764] New: Netflow Dissector - cannot decode IPFIX packets

Date: Sat, 2 Aug 2008 05:50:11 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2764

           Summary: Netflow Dissector - cannot decode IPFIX packets
           Product: Wireshark
           Version: SVN
          Platform: PC
        OS/Version: All
            Status: NEW
          Severity: Major
          Priority: Medium
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: irino@xxxxxxxxxxxxxx


Build Information:
$ ./wireshark -v
wireshark 1.0.99 (SVN Rev 25902)

Copyright 1998-2008 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.12.9, with GLib 2.16.4, with libpcap 0.9.8, with libz
1.2.3.3, without POSIX capabilities, without libpcre, without SMI, without
ADNS,
without Lua, without GnuTLS, without Gcrypt, without Kerberos, without
PortAudio, without AirPcap.
NOTE: this build doesn't support the "matches" operator for Wireshark filter
syntax.

Running on Linux 2.6.24-19-generic, with libpcap version 0.9.8.

Built using gcc 4.2.3 (Ubuntu 4.2.3-2ubuntu7).

--
This patch is tested against IPFIX packets exported from YAF
(http://tools.netsa.cert.org/yaf/)

This patch
(1) fixes to decode IPFIX packets.
The revision 25601 warns and be not able to decodes IPFIX packets fully,
because the array "hf_register_info" does not have an entry
"hf_cflow_datarecord_length", and a length check for IPFIX packets is incorrect
in "dissect_netflow" function.
(2) is able to decode all Information Elements standardized by RFC 5102
(3) is able to decode IPFIX templates and data that contains PEN (Private
Enterprise Number) fields standardized by RFC 5101, and is able to decode
bi-directional flow standardized by RFC 5103.


-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.