Bill Meier
changed
bug 10432
| What |
Removed |
Added |
| Summary |
Not decoding netflow v9 flowset that uses options template
|
netflow v9 flowset not decoded if options template has zero-length scope section
|
Comment # 1
on bug 10432
from Bill Meier
Ok: After fixing the bug to allow an Options template to have a zero-length
scope section, I encountered another issue:
The field info for the field INPUT_SNMP in the various options templates
indicates that the length of that field is 0.
However, looking in the capture at an actual data flowset based upon each
options template I note that the INPUT_SNMP field actually exists in each flow
of the flowset (and has a length of 2).
Since the template specifies a length of 0 for the field, Wireshark skips the
field and treats that data as the beginning of the next field (IF_NAME or
IF_DESC) and thus doesn't display that field correctly.
One could take the zero length as meaning "use the default length for this
field". The default length for the INPUT_SNMP field is 2 according to:
http://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.html
Is specifying a zero length for a field in the template valid ?
Does a zero mean "use a default length" ?
In our (very limited) set of netflow v9 captures, I do not see any other
examples of a field specified as zero length in a template but which actually
exists in the data flowset based upon the template.
Do you have any insight on this ?
In any case, for now I'm going to fix fix the code to fix the reported bug
(retitled to reflect the actual problem).
Pending further input, I'm not going to do anything with respect to the new
issue: handling a field length specification of 0 in a template.
You are receiving this mail because:
- You are watching all bug changes.
