
Wireshark-dev: [Wireshark-dev] Netflow: How should Sequence Number field work?

From: Martin Mathieson <martin.r.mathieson@xxxxxxxxxxxxxx>
Date: Sat, 4 Jul 2015 14:27:10 +0100
(I think my previous attempt to send this failed, so resending)

A few months ago I updated the Netflow dissector to do sequence
analysis using the Sequence Number field within an Observation
Domain, based upon RFC 3954 and a capture file I was looking at.

RFC 3954 describes the field as follows:

Sequence Number
         Incremental sequence counter of all Export Packets sent from
         the current Observation Domain by the Exporter.  This value
         MUST be cumulative, and SHOULD be used by the Collector to
         identify whether any Export Packets have been missed.

A Netflow frame has the Observation-domain + Sequence number at the
top, then a number of flows below.  What is not clear to me is whether
this field should advance by the number of flows in this frame, or the
previous frame.

The capture included in this bug report
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11047 increments
according to the number found in the previous frame for this
Observation domain (i.e. it represents the SN at the beginning of the
current frame).

Whereas a different capture I was looking at (when the sequence analysis
was written) increments according to the number of flows in this frame
(i.e. it represents the SN at/beyond the end of the current frame).

Could someone with a working knowledge of Netflow put me right?  Is
there another spec where the usage of this field is made clear?  Are
both approaches valid?

Thanks,

Martin
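The two readings of the Sequence Number field described in the message above, as an added collector-side example (this is not Martin's code, not the Wireshark dissector, and not anything from RFC 3954 beyond the header layout it defines): it parses the 20-byte NetFlow v9 export packet header, tracks the sequence per Source ID (observation domain) under either the "SN at the beginning of the current frame" reading or the "SN at/beyond the end of the current frame" reading, and reports the number of records apparently missed. The packets are constructed inline, the `Count` header field is used as the "number of flows" in each frame, the mode names `start`/`end`, the function names and the `guess_mode` heuristic are all assumptions of this example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# NetFlow v9 export packet header, RFC 3954 section 5.1, network byte order:
# Version(2) Count(2) sysUpTime(4) UNIX Secs(4) Sequence Number(4) Source ID(4)
V9_HEADER = struct.Struct("!HHIIII")
MOD32 = 1 << 32


@dataclass
class V9Header:
    version: int
    count: int        # records carried in this export packet ("flows" in the thread)
    sys_uptime: int
    unix_secs: int
    sequence: int     # the field whose semantics the thread asks about
    source_id: int    # observation domain


def parse_v9_header(packet: bytes) -> V9Header:
    """Decode the 20-byte header; raise on short or non-v9 input."""
    if len(packet) < V9_HEADER.size:
        raise ValueError("packet shorter than a NetFlow v9 header")
    hdr = V9Header(*V9_HEADER.unpack_from(packet))
    if hdr.version != 9:
        raise ValueError(f"expected version 9, got {hdr.version}")
    return hdr


def build_v9_header(count: int, sequence: int, source_id: int,
                    sys_uptime: int = 0, unix_secs: int = 0) -> bytes:
    """Constructed test packet: header only, no FlowSets behind it."""
    return V9_HEADER.pack(9, count, sys_uptime, unix_secs, sequence % MOD32, source_id)


class SequenceTracker:
    """Per-observation-domain sequence analysis under one of the two readings:
    'start': the field is the counter at the start of this packet, so it advances
             by the record count of the PREVIOUS packet from the same domain;
    'end':   the field is the counter after this packet, so it advances by the
             record count of THIS packet. (Mode names are this example's own.)"""

    def __init__(self, mode: str) -> None:
        if mode not in ("start", "end"):
            raise ValueError("mode must be 'start' or 'end'")
        self.mode = mode
        self._last: Dict[int, Tuple[int, int]] = {}  # source_id -> (sequence, count)

    def check(self, hdr: V9Header) -> Optional[int]:
        """None for the first packet of a domain, 0 when the sequence is as
        expected, a positive number of records apparently missed, or a negative
        number for a packet arriving behind the expected counter (reorder/dup)."""
        prev = self._last.get(hdr.source_id)
        self._last[hdr.source_id] = (hdr.sequence, hdr.count)
        if prev is None:
            return None
        prev_seq, prev_count = prev
        step = prev_count if self.mode == "start" else hdr.count
        expected = (prev_seq + step) % MOD32
        delta = (hdr.sequence - expected) % MOD32
        return delta - MOD32 if delta >= MOD32 // 2 else delta  # signed, wrap-safe


def analyse(packets: List[bytes], mode: str) -> List[Optional[int]]:
    tracker = SequenceTracker(mode)
    return [tracker.check(parse_v9_header(p)) for p in packets]


def guess_mode(packets: List[bytes]) -> str:
    """Heuristic (an assumption of this example, not something Wireshark does):
    the reading that produces fewer sequence anomalies over a capture is
    probably the one this exporter implements."""
    scores = {m: sum(1 for d in analyse(packets, m) if d) for m in ("start", "end")}
    return min(scores, key=scores.get)


# Constructed stream from one domain, produced by an exporter that uses the
# 'end' reading: records per packet 3, 5, 2, 4 -> sequence 100, 105, 107, 111.
END_STREAM = [build_v9_header(3, 100, 1), build_v9_header(5, 105, 1),
              build_v9_header(2, 107, 1), build_v9_header(4, 111, 1)]
# Same exporter, but the second packet never reached the collector.
END_STREAM_LOSS = [END_STREAM[0], END_STREAM[2], END_STREAM[3]]
# Counter wrapping past 2^32 under the 'start' reading: 0xFFFFFFFE with 3 records,
# so the next packet should carry (0xFFFFFFFE + 3) mod 2^32 == 1.
START_WRAP = [build_v9_header(3, 0xFFFFFFFE, 7), build_v9_header(1, 1, 7)]

if __name__ == "__main__":
    for mode in ("start", "end"):
        print(mode, analyse(END_STREAM, mode), analyse(END_STREAM_LOSS, mode))
    print("guessed:", guess_mode(END_STREAM), "wrap:", analyse(START_WRAP, "start"))
```

Running the lossless stream under the wrong reading yields spurious gaps and negative deltas (`[None, 2, -3, 2]`) even though nothing was lost, which is exactly the symptom an analyser sees when its assumption does not match the exporter's; under the matching reading the lost packet shows up as a gap equal to its record count (5). The `guess_mode` heuristic is only a way to pick a reading per capture, not a substitute for a definitive answer from the specification.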