Wireshark mailing list archives
Re: Netflow dissector bug-to-be
From: Gerald Combs <gerald () wireshark org>
Date: Sun, 07 Nov 2010 12:35:12 -0600
Bill Meier wrote:
On 11/7/2010 10:46 AM, Hadriel Kaplan wrote:Howdy, The current packet-netflow.c dissector has a big "switch (pen_type) {...}" block in dissect_v9_v10_pdu_data(), which looks up specific known netflow/ipfix fields as it walks netflow v9/10 PDUs. Unfortunately, it's a bit of a hack as pen_type is a guint64 and a switch statement will silently cast it to an int. I say "unfortunately", because I discovered to my chagrin that it's a *signed* int, so any case statement can't use a constant greater than 0x7fffffff, which given how the current code works, means one can't have a Private Enterprise Number greater than 0x7fff and use it to define a known field in this code. As it turns out, my Enterprise number is higher than that. (Cace Technology's is just under it, which is why the current code works for Cace's netflow fields)Looking at the code a bit I see that currently "pen" seems to be effectively limited to 16 bits even though 32 bits are fetched from the tvbuff: dissect_v9_v10_template_fields(...) { ... guint16 pen; ... if ((ver == 10) && (type & 0x8000)) { /* IPFIX only */ pen = tvb_get_ntohl(tvb,offset+4); ... } Is this a bug ? Are Enterprise Numbers greater that 16 bits allowed ? (It would seem so). In practical terms: Are there currently values > 16 bits ? If not, one hack might be to define pen_type in dissect_v9_v10_pdu_data() as guint32 which gets around the "silent cast" issue for the moment.
RFC 5101 section 3.2 says they're 32 bits. I've checked in a change to reflect this. ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Current thread:
- Netflow dissector bug-to-be Hadriel Kaplan (Nov 07)
- Re: Netflow dissector bug-to-be Jakub Zawadzki (Nov 07)
- Re: Netflow dissector bug-to-be Hadriel Kaplan (Nov 07)
- Re: Netflow dissector bug-to-be Guy Harris (Nov 07)
- Re: Netflow dissector bug-to-be Jakub Zawadzki (Nov 07)
- Re: Netflow dissector bug-to-be Hadriel Kaplan (Nov 07)
- Re: Netflow dissector bug-to-be Hadriel Kaplan (Nov 07)
- Re: Netflow dissector bug-to-be Jakub Zawadzki (Nov 07)
- Re: Netflow dissector bug-to-be Bill Meier (Nov 07)
- Re: Netflow dissector bug-to-be Gerald Combs (Nov 07)
- Re: Netflow dissector bug-to-be Hadriel Kaplan (Nov 07)