
Wireshark-bugs: [Wireshark-bugs] [Bug 5121] Netflow parsing has a problem in sampler ID in case

Date: Wed, 19 Oct 2011 15:10:13 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5121

Paul Aitken <paitken@xxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |paitken@xxxxxxxxx

--- Comment #10 from Paul Aitken <paitken@xxxxxxxxx> 2011-10-19 15:10:11 PDT ---
(In reply to comment #8)

> I think wireshark should *always* use the length in the template for any field. 
> This is part of rfc5101 at least for reducing the size of information elements.

To confirm what Andrew says: this is absolutely necessary. NetFlow versions
prior to NFv9 can be decoded with static tables, but NFv9 and IPFIX must
respect the templates sent in the export stream because the received fields
could be of almost any size.

The field sizes assumed by the current dissector are based on RFC 3954 which is
a) informational, and b) seven years old.

Modern routers support many more samplers than can be accommodated in just 8
bits.

Today we could export the sampler ID field (#48) with a size of up to 4 bytes.

P.
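
The point made in this comment, as an added example (not Wireshark's dissector code and not part of the original mail): a small C walker that sizes every field of a data record from the template, run on a constructed record in which field 48 is exported in 4 bytes. The function, struct and sample names are hypothetical; the second template mimics a static table that assumes 1 byte for field 48.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FLOW_SAMPLER_ID 48   /* field #48 from the comment above */
#define PROTOCOL         4   /* RFC 3954 field type 4 */

struct tmpl_field { uint16_t type, length; };   /* one template entry */

/* Find field `want` in one data record, sizing every field from the
 * template. Returns 0 on success, -1 if the field is absent, the record is
 * shorter than the template claims, or the length cannot be decoded here. */
int record_get_uint(const struct tmpl_field *t, size_t nfields,
                    const uint8_t *rec, size_t rec_len,
                    uint16_t want, uint64_t *out)
{
    size_t off = 0;
    for (size_t i = 0; i < nfields; i++) {
        size_t len = t[i].length;
        if (len == 0xFFFF) return -1;        /* IPFIX variable length: not handled */
        if (len > rec_len - off) return -1;  /* never read past the record */
        if (t[i].type == want) {
            if (len == 0 || len > 8) return -1;
            uint64_t v = 0;
            for (size_t j = 0; j < len; j++)  /* network byte order */
                v = (v << 8) | rec[off + j];
            *out = v;
            return 0;
        }
        off += len;
    }
    return -1;
}

/* Constructed sample: sampler ID 300 exported in 4 bytes, then protocol 6. */
static const uint8_t sample_rec[] = { 0x00, 0x00, 0x01, 0x2C, 0x06 };
static const struct tmpl_field from_exporter[] = { {FLOW_SAMPLER_ID, 4}, {PROTOCOL, 1} };
static const struct tmpl_field static_table[]  = { {FLOW_SAMPLER_ID, 1}, {PROTOCOL, 1} };

int main(void)
{
    uint64_t id = 0, proto = 0;
    record_get_uint(from_exporter, 2, sample_rec, sizeof sample_rec, FLOW_SAMPLER_ID, &id);
    record_get_uint(from_exporter, 2, sample_rec, sizeof sample_rec, PROTOCOL, &proto);
    printf("template lengths: sampler=%u proto=%u\n", (unsigned)id, (unsigned)proto);
    record_get_uint(static_table, 2, sample_rec, sizeof sample_rec, FLOW_SAMPLER_ID, &id);
    record_get_uint(static_table, 2, sample_rec, sizeof sample_rec, PROTOCOL, &proto);
    printf("assumed 1 byte:   sampler=%u proto=%u\n", (unsigned)id, (unsigned)proto);
}
```

With the assumed 1-byte width, both the sampler ID and every field after it are read from the wrong offsets.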
