Motonori,

After further investigation, it turns out that what I was actually seeing was a problem due to the fact that Ethereal appears to only detect the first template record if there are multiple template records in a single packet.

I have attached an example packet. There are two template records followed by two data records. The CFLOW decode shows the first template record as Flowset 1/4, then the two data records as 2/4 and 3/4. The second template record can only be viewed by looking directly at the hex output, from bytes 8E through D2.

Thanks,
Paul Sellnow

-----Original Message-----
From: Motonori Shindo [mailto:mshindo@xxxxxxxxxxx]
Sent: Thursday, February 23, 2006 1:07 AM
To: ethereal-users@xxxxxxxxxxxx; Sellnow, Paul
Subject: Re: [Ethereal-users] cflow v9 template records

Paul,

From: <paul.sellnow@xxxxxxx>
Subject: [Ethereal-users] cflow v9 template records
Date: Wed, 22 Feb 2006 16:44:23 -0600

> I see that in version 0.10.13 there is now support for the Netflow/CFLOW
> version 9 template records. However, for the decodes of the actual flow
> records it appears that all flows are decoded using Cisco's #256
> template record. I have some traces which also include some #257
> template records, which are 4 bytes longer than the #256 template, but
> the cflow decode seems to only use the #256 template format regardless
> of the template id in the flowset header. If a #256 record follows a
> #257 record then all the fields are offset by an extra four bytes.
>
> Is there a way for me to create my own #257 template format in an ASCII
> file off to the side, and have ethereal look for it when the data
> contains that value in the flowset header? Or is that compiled into the
> binary and out of reach?

I don't think such a default template is built in (although there was a discussion as to whether we should have such a default template or not in the past). If you don't mind, will you send me the trace file you have? I will take a look at it.

---
Motonori Shindo
Fivefront Corporation
Chief Technology Officer
http://www.fivefront.com
Attachment: consecutive-templates.cap
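
An added example, not part of the thread and not Ethereal's code: a minimal NetFlow v9 parser that reads every template record in a template flowset (FlowSet ID 0) and picks the template for each data flowset by its FlowSet ID, which is the behaviour the messages above expect. The field layouts chosen for templates 256 and 257 (the latter 4 bytes longer) and the sample packet are constructed for illustration; they are not taken from consecutive-templates.cap.

```python
import struct

def parse_templates(body, templates):
    """Store EVERY template record found in a template flowset (FlowSet ID 0)."""
    pos = 0
    while pos + 4 <= len(body):
        tid, nfields = struct.unpack_from("!HH", body, pos)
        end = pos + 4 + 4 * nfields
        if tid < 256 or nfields == 0 or end > len(body):
            break                              # padding or truncated record
        templates[tid] = list(struct.iter_unpack("!HH", body[pos + 4:end]))
        pos = end                              # continue with the next template

def decode_data(tid, body, templates):
    """Split a data flowset into records using the template its ID names."""
    fields = templates.get(tid, [])            # unknown template: no records
    rec_len, out, pos = sum(n for _, n in fields), [], 0
    while rec_len and pos + rec_len <= len(body):   # leftover bytes are padding
        rec = {}
        for ftype, flen in fields:
            rec[ftype], pos = body[pos:pos + flen], pos + flen
        out.append((tid, rec))
    return out

def parse_v9(pkt, templates=None):
    """Walk all flowsets of one NetFlow v9 export packet."""
    templates = {} if templates is None else templates
    if len(pkt) < 20 or struct.unpack_from("!H", pkt)[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    records, off = [], 20                      # packet header is 20 bytes
    while off + 4 <= len(pkt):
        fs_id, fs_len = struct.unpack_from("!HH", pkt, off)
        if fs_len < 4 or off + fs_len > len(pkt):
            raise ValueError("bad flowset length")
        body = pkt[off + 4:off + fs_len]
        if fs_id == 0:
            parse_templates(body, templates)
        elif fs_id >= 256:
            records += decode_data(fs_id, body, templates)
        off += fs_len
    return templates, records

# Constructed sample: templates 256 and 257 in ONE flowset, then one record each.
def _fs(fid, body):
    return struct.pack("!HH", fid, len(body) + 4) + body
T256 = struct.pack("!8H", 256, 3, 8, 4, 12, 4, 1, 4)          # src, dst, bytes
T257 = struct.pack("!10H", 257, 4, 8, 4, 12, 4, 1, 4, 2, 4)   # same + packets
SAMPLE = (struct.pack("!HHIIII", 9, 4, 0, 0, 0, 0) + _fs(0, T256 + T257)
          + _fs(257, bytes([10, 0, 0, 1, 10, 0, 0, 2]) + struct.pack("!II", 1500, 3))
          + _fs(256, bytes([10, 0, 0, 3, 10, 0, 0, 4]) + struct.pack("!I", 64)))
```

Passing the same `templates` dictionary to later calls keeps templates available for data flowsets that arrive in subsequent packets.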