Hi,
In both netflow_v5_v7.c and netflow_v9.c there is an error in handling an overflow
of the SysUptime counter. However, I can't test this at the moment, because
I don't have any packet in which there is an overflow of SysUptime, but going
through the C code I think it is wrong (unless I'm missing something
obvious).
This is the part where the header gets read:
    v5_header->SysUptime  = ntohl(v5_header->SysUptime);
    v5_header->unix_secs  = ntohl(v5_header->unix_secs);
    v5_header->unix_nsecs = ntohl(v5_header->unix_nsecs);
    /* calculate boot time in msec */
    boot_time = ((uint64_t)(v5_header->unix_secs) * 1000 +
                 ((uint64_t)(v5_header->unix_nsecs) / 1000000)) -
                (uint64_t)(v5_header->SysUptime);
And here where the overflow correction takes place, when a flow record is
processed:
    // Time issues
    First = ntohl(v5_record->First);
    Last  = ntohl(v5_record->Last);
    if ( First > Last )
        /* Last in msec, in case of msec overflow, between start and end */
        end_time = 0x100000000LL + Last + boot_time;
    else
        end_time = (uint64_t)Last + boot_time;
    /* start time in msecs */
    start_time = (uint64_t)First + boot_time;
This is going wrong, because when SysUptime overflows, Last is indeed smaller
than First, but so will be the SysUptime in the NetFlow header. So the unix
timestamp in the header is matched to the SysUptime value in the header. So
the end time was already correct and the start time should be corrected.
This way the flow will be exported as if it were 50 days in the future.
Another case where the correction goes wrong is, for example, if both First and
Last are just before the overflow value (2^32), but the value of SysUptime in
the NetFlow header has overflowed: we again get the wrong value calculated,
since now both the start_time and the end_time need to be corrected.
I'm assuming that the SysUptime in the NetFlow header is always after Last (in
time, not necessarily in value). If I understood the NetFlow documentation
correctly this is always the case, since the SysUptime in the header is the value of the
SysUptime counter at the moment the packet is sent.
I hope it is clear, but I strongly believe that the overflow is not correctly
implemented. But please correct me if I'm wrong.
Daan
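To make the two failure cases in the message concrete, here is an added stand-alone C example (not nfdump's code and not part of the original mail). It implements the boot-time calculation and the quoted record logic side by side with a corrected version based on the assumption stated above: header SysUptime is sampled when the packet is sent, so a record counter value numerically larger than header SysUptime predates the wrap. The struct names, the `boot_time_ms` / `quoted_*` / `corrected_*` helpers and all sample values (a boot time of unix ms 1200000000000, the header and record constants) are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

/* One 32-bit SysUptime wrap, in milliseconds (about 49.7 days). */
#define SYSUPTIME_WRAP_MS 0x100000000ULL

/* Hypothetical trimmed-down header and record; only the time fields matter here. */
struct v5_header { uint32_t SysUptime, unix_secs, unix_nsecs; };
struct v5_record { uint32_t First, Last; };

/* Boot time in ms, computed the way the quoted header code does it.
 * If SysUptime has wrapped, this is one wrap LATER than the true boot time;
 * the record code has to account for that bias. */
static uint64_t boot_time_ms(const struct v5_header *h)
{
    return (uint64_t)h->unix_secs * 1000 + (uint64_t)h->unix_nsecs / 1000000
           - (uint64_t)h->SysUptime;
}

/* --- Record logic as quoted from the collector in the message --- */
static uint64_t quoted_start(const struct v5_header *h, const struct v5_record *r)
{
    return (uint64_t)r->First + boot_time_ms(h);
}
static uint64_t quoted_end(const struct v5_header *h, const struct v5_record *r)
{
    if (r->First > r->Last)                     /* wrap between First and Last */
        return SYSUPTIME_WRAP_MS + r->Last + boot_time_ms(h);
    return (uint64_t)r->Last + boot_time_ms(h);
}

/* --- Corrected logic (assumption: header SysUptime is never earlier than Last) ---
 * When SysUptime wrapped, boot_time_ms() is biased by +1 wrap. A record value
 * taken after the wrap is small (< header SysUptime) and the bias cancels out.
 * A record value greater than header SysUptime was taken BEFORE the wrap and
 * carries no such small value, so one wrap must be subtracted. */
static uint64_t corrected_start(const struct v5_header *h, const struct v5_record *r)
{
    uint64_t t = (uint64_t)r->First + boot_time_ms(h);
    return r->First > h->SysUptime ? t - SYSUPTIME_WRAP_MS : t;
}
static uint64_t corrected_end(const struct v5_header *h, const struct v5_record *r)
{
    uint64_t t = (uint64_t)r->Last + boot_time_ms(h);
    return r->Last > h->SysUptime ? t - SYSUPTIME_WRAP_MS : t;
}

/* Constructed sample data: router booted at unix ms 1200000000000
 * (2008-01-10 21:20:00 UTC). */
static const uint64_t TRUE_BOOT_MS = 1200000000000ULL;

/* Header sent 100 s after SysUptime wrapped: true uptime 2^32 + 100000 ms,
 * so unix time = 1200000000000 + 4295067296 = 1204295067296 ms. */
static const struct v5_header HDR_WRAPPED = { 100000u, 1204295067u, 296000000u };
/* Header sent 500 s after boot, no wrap. */
static const struct v5_header HDR_NO_WRAP = { 500000u, 1200000500u, 0u };

/* Case 1 from the message: flow started 5 s before the wrap, ended 2 s after. */
static const struct v5_record REC_SPANS_WRAP  = { 4294962296u, 2000u };
/* Case 2 from the message: started 8 s and ended 3 s before the wrap, exported after it. */
static const struct v5_record REC_BEFORE_WRAP = { 4294959296u, 4294964296u };
/* Ordinary flow with no wrap anywhere; both versions must agree. */
static const struct v5_record REC_PLAIN       = { 100000u, 200000u };

static void show(const char *name, const struct v5_header *h, const struct v5_record *r,
                 uint64_t true_first_uptime, uint64_t true_last_uptime)
{
    printf("%s\n  expected  start=%" PRIu64 " end=%" PRIu64 "\n", name,
           TRUE_BOOT_MS + true_first_uptime, TRUE_BOOT_MS + true_last_uptime);
    printf("  quoted    start=%" PRIu64 " end=%" PRIu64 "\n", quoted_start(h, r), quoted_end(h, r));
    printf("  corrected start=%" PRIu64 " end=%" PRIu64 "\n", corrected_start(h, r), corrected_end(h, r));
}

int main(void)
{
    show("wrap between First and Last", &HDR_WRAPPED, &REC_SPANS_WRAP,
         SYSUPTIME_WRAP_MS - 5000, SYSUPTIME_WRAP_MS + 2000);
    show("First and Last before wrap, header after", &HDR_WRAPPED, &REC_BEFORE_WRAP,
         SYSUPTIME_WRAP_MS - 8000, SYSUPTIME_WRAP_MS - 3000);
    show("no wrap", &HDR_NO_WRAP, &REC_PLAIN, 100000, 200000);
    return 0;
}
```

In both wrap cases the quoted version lands exactly one wrap (4294967296 ms, the "50 days") in the future for every timestamp it gets wrong, which is what a collector storing these flows would show as records dated weeks ahead of the export time; the corrected version matches the expected absolute times and leaves the no-wrap case untouched.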
_______________________________________________
Nfdump-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss