-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Daan,
Daan van der Sanden wrote:
| Hi,
|
| In both netflow_v5_v7.c and netflow_v9.c there is an error in handling an overflow
| of the SysUptime counter. However, I can't test this at the moment, because
| I don't have any packet in which there is an overflow of SysUptime, but going
| through the C code I think it is wrong (unless I'm missing something
| obvious).
|
| This is the part where the header gets read:
| v5_header->SysUptime = ntohl(v5_header->SysUptime);
| v5_header->unix_secs = ntohl(v5_header->unix_secs);
| v5_header->unix_nsecs = ntohl(v5_header->unix_nsecs);
|
| /* calculate boot time in msec */
| boot_time = ((uint64_t)(v5_header->unix_secs)*1000 +
|     ((uint64_t)(v5_header->unix_nsecs) / 1000000) ) -
|     (uint64_t)(v5_header->SysUptime);
|
| And here where the overflow correction takes place, when a flow record is
| processed:
| // Time issues
| First = ntohl(v5_record->First);
| Last = ntohl(v5_record->Last);
| if ( First > Last )
|     /* Last in msec, in case of msec overflow, between start and end */
|     end_time = 0x100000000LL + Last + boot_time;
| else
|     end_time = (uint64_t)Last + boot_time;
|
| /* start time in msecs */
| start_time = (uint64_t)First + boot_time;
|
| This is going wrong, because when SysUptime overflows Last is indeed smaller
| than First, but so will be SysUptime in the NetFlow header. So the unix
| timestamp in the header is matched to the SysUptime value in the header. So
| the end-time was already correct and the start-time should be corrected.
| This way the flow will be exported as if it were 50 days in the future.
Indeed - you're right! The start-time needs to be corrected, instead of the
end-time.
I changed the code to reflect this:
if ( First > Last )
    /* First in msec, in case of msec overflow, between start and end */
    start_time = boot_time - 0x100000000LL + (uint64_t)First;
else
    start_time = (uint64_t)First + boot_time;
/* end time in msecs */
end_time = (uint64_t)Last + boot_time;
Although a bug, it does not do much harm in current versions, as it will affect only
flows within a time range of +flow timeout around the SysUptime overflow, which is
typically a few seconds up to a few minutes.
|
| Another case where the correction goes wrong is, for example, when both First and
| Last are just before the overflow value (2^32), but the value of SysUptime in
| the NetFlow header has overflowed; we again get the wrong value calculated,
| since now both the start_time and the end_time need to be corrected.
True - in fact, this would mean the overflow occurred after the flow ended but
the flow did not get exported so far. In case of
this overflow, First and Last are > SysUptime in absolute value.
This could be corrected with the code snippet below, inserted after
the first correction:
// if overflow happened after flow ended but before got exported
if ( Last > v5_header->SysUptime ) {
    start_time -= 0x100000000LL;
    end_time -= 0x100000000LL;
}
|
| I'm assuming that the SysUptime in the NetFlow header is always after Last (in
| time, not necessarily in value). If I understood the NetFlow documentation
| correctly this is always the case, since the SysUptime header is the value of the
| SysUptime counter at the moment the packet is sent.
|
| I hope it is clear, but I strongly believe that the overflow is not correctly
| implemented. But please correct me if I'm wrong.
Many thanks for this input. It's nice to see people digging into the details of
the code!
Any feedback is welcome to improve nfdump.
- Peter
|
| Daan
|
| -------------------------------------------------------------------------
| Check out the new SourceForge.net Marketplace.
| It's the best place to buy or sell services for
| just about anything Open Source.
| http://sourceforge.net/services/buy/index.php
| _______________________________________________
| Nfdump-discuss mailing list
| [email protected]
| https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
iQCVAwUBSG9Dzv5AbZRALNr/AQL86AQAkY4WQXzSvDZ0lW3/ysDAMP2buH+fqKpi
DHA/9dMJXQSy7x4TSb/hhEPoQuDT5qpWHsDER14Qldjq06Ldf9EGwri5kR9ILhgy
KJtB22M0i8WZAJN4d17RD+tYPjeSbFteJQbM3kiwsmsUsZTaUFbXp9KkiPiNcYf6
ID01pM3OQ/g=
=vl52
-----END PGP SIGNATURE-----
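The three situations discussed in the thread (no wrap, wrap between First and Last, wrap after Last but before export) are easy to get wrong in the head, so here is a small added worked example in C. It is not nfdump code: it models a v5 header and record after ntohl(), reimplements the quoted original correction, the first fix from the reply and the first fix plus the second snippet, and checks each against constructed packets generated by a toy exporter (make_packet) from a "true" boot time and true uptime offsets. The struct and function names, the boot time value and the offsets are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* 2^32 msec: the 32-bit SysUptime counter wraps after about 49.7 days */
#define SYSUPTIME_WRAP 0x100000000ULL

/* Header and record fields after ntohl(), i.e. in host byte order (assumed layout) */
typedef struct { uint32_t SysUptime, unix_secs, unix_nsecs; } nf_v5_header_t;
typedef struct { uint32_t First, Last; } nf_v5_record_t;
typedef struct { uint64_t start_time, end_time; } flow_times_t;

/* Boot time in msec, computed as in the quoted header code */
uint64_t boot_time_msec(const nf_v5_header_t *h)
{
    return ((uint64_t)h->unix_secs * 1000 + (uint64_t)h->unix_nsecs / 1000000)
           - (uint64_t)h->SysUptime;
}

/* Correction as quoted from the original code: adjusts end_time when First > Last */
flow_times_t flow_times_old(const nf_v5_header_t *h, const nf_v5_record_t *r)
{
    uint64_t boot_time = boot_time_msec(h);
    flow_times_t t;
    if (r->First > r->Last)
        t.end_time = SYSUPTIME_WRAP + r->Last + boot_time;
    else
        t.end_time = (uint64_t)r->Last + boot_time;
    t.start_time = (uint64_t)r->First + boot_time;
    return t;
}

/* First fix from the reply: the wrap lies between First and Last, so start_time
 * is the one to adjust; boot_time was derived from the post-wrap SysUptime */
flow_times_t flow_times_first_fix(const nf_v5_header_t *h, const nf_v5_record_t *r)
{
    uint64_t boot_time = boot_time_msec(h);
    flow_times_t t;
    if (r->First > r->Last)
        t.start_time = boot_time - SYSUPTIME_WRAP + (uint64_t)r->First;
    else
        t.start_time = (uint64_t)r->First + boot_time;
    t.end_time = (uint64_t)r->Last + boot_time;
    return t;
}

/* First fix plus the second snippet: the wrap happened after the flow ended
 * but before the packet was exported, so both times are one wrap too late */
flow_times_t flow_times_fixed(const nf_v5_header_t *h, const nf_v5_record_t *r)
{
    flow_times_t t = flow_times_first_fix(h, r);
    if (r->Last > h->SysUptime) {
        t.start_time -= SYSUPTIME_WRAP;
        t.end_time -= SYSUPTIME_WRAP;
    }
    return t;
}

/* Constructed exporter model (not nfdump code): build header and record from a
 * true boot time and true uptime offsets (all msec), truncating to 32 bits the
 * way a router's counters do */
void make_packet(uint64_t true_boot, uint64_t uptime_at_export,
                 uint64_t first_off, uint64_t last_off,
                 nf_v5_header_t *h, nf_v5_record_t *r)
{
    uint64_t now = true_boot + uptime_at_export;
    h->SysUptime  = (uint32_t)(uptime_at_export % SYSUPTIME_WRAP);
    h->unix_secs  = (uint32_t)(now / 1000);
    h->unix_nsecs = (uint32_t)((now % 1000) * 1000000);
    r->First = (uint32_t)(first_off % SYSUPTIME_WRAP);
    r->Last  = (uint32_t)(last_off % SYSUPTIME_WRAP);
}

/* 1 if the given correction recovers the true absolute start and end times */
int correction_ok(flow_times_t (*fn)(const nf_v5_header_t *, const nf_v5_record_t *),
                  uint64_t true_boot, uint64_t uptime_at_export,
                  uint64_t first_off, uint64_t last_off)
{
    nf_v5_header_t h;
    nf_v5_record_t r;
    make_packet(true_boot, uptime_at_export, first_off, last_off, &h, &r);
    flow_times_t t = fn(&h, &r);
    return t.start_time == true_boot + first_off && t.end_time == true_boot + last_off;
}

int main(void)
{
    const uint64_t boot = 1200000000000ULL; /* constructed: about Jan 2008, in msec */
    const uint64_t W = SYSUPTIME_WRAP;
    struct { const char *name; uint64_t up, first, last; } cases[] = {
        { "no wrap",                      1000000,  500000,    900000    },
        { "wrap between First and Last",  W + 5000, W - 10000, W + 2000  },
        { "wrap after Last, pre-export",  W + 3000, W - 20000, W - 15000 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-30s old=%d first_fix=%d fixed=%d\n", cases[i].name,
               correction_ok(flow_times_old, boot, cases[i].up, cases[i].first, cases[i].last),
               correction_ok(flow_times_first_fix, boot, cases[i].up, cases[i].first, cases[i].last),
               correction_ok(flow_times_fixed, boot, cases[i].up, cases[i].first, cases[i].last));
    return 0;
}
```

Running it shows the old code only passing the no-wrap case, the first fix passing the wrap-between-First-and-Last case as well, and the first fix plus the second snippet passing all three; the wrap-after-Last case is exactly the one where First <= Last holds yet both First and Last exceed the header SysUptime, which is what the second snippet keys on.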