David
using Wireshark 1.1.2 I don't see any problem. Can you please mail me (not to the list) a pcap file (full packet capture) I can use for reproducing the problem?

Thanks Luca

On May 1, 2009, at 3:57 PM, Maltby, David wrote:

> Just wondering if you had an answer on whether this was a bug or not.
> Maybe you missed the response to your questions from my colleague
> Georgiy. I've included it below.
>
> Thanks,
> David Maltby
>
> -----Original Message-----
> From: Zhytar, Georgiy
> Sent: Friday, April 17, 2009 4:02 AM
> To: [email protected]
> Cc: Maltby, David
> Subject: RE: [Ntop-dev] IPFIX generated traffic from nProbe
>
> Hi,
>
> Here is the command line:
> nprobe /c -i 1 -n 10.140.2.53:2055 -V 10 -b 2 -s 5 -l 5 -u 1 -Q
> 2 -T "%IPV4_SRC_ADDR % IPV4_DST_ADDR %IPV4_NEXT_HOP %INPUT_SNMP
> %OUTPUT_SNMP %IN_PKTS %IN_BYTES %OUT_PKTS %OUT_BYTES %FIRST_SWITCHED
> %LAST_SWITCHED %L4_SRC_PORT %L4_DST_PORT %TCP_FLAGS %PROTOCOL %SRC_TOS
> %SRC_AS %DST_AS %SRC_MASK %DST_MASK" -U 777
>
> Wireshark version 1.1.3 shows those flows as IPFIX partial flow
> (254/1) where 254 - expected length, 1 - length in a header.
>
> Thanks for your collaboration!
>
> Georgiy Zhytar
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of Luca Deri
> Sent: Thursday, April 16, 2009 6:17 PM
> To: [email protected]
> Subject: Re: [Ntop-dev] IPFIX generated traffic from nProbe
>
> David
> I need to look at the issue:
> - What command line arguments did you pass to nprobe in your test?
> - What Wireshark version are you using?
>
> Luca
>
> On Apr 17, 2009, at 1:10 AM, Maltby, David wrote:
>
>> Hi,
>> My company is considering buying "nProbe 5.x [Win32]" because of its
>> ability to generate IPFIX traffic. We downloaded the demo version
>> and took a packet capture of the traffic. The flow headers
>> indicated version 10, as expected, but the Length field in the flow
>> header is reporting the number of FlowSets (like was done in NetFlow
>> Version 9).
>>
>> The RFC (http://www.ietf.org/internet-drafts/draft-ietf-ipfix-file-03.txt)
>> indicates:
>>
>> 1. Search for the first occurrence of the octet string 0x00,
>> 0x0A (the IPFIX Message Header Version field)
>>
>> 2. Treat this field as the beginning of a candidate IPFIX
>> Message. Read the two bytes following the Version field as a
>> Message Length, and seek to that offset from the beginning of the
>> candidate IPFIX Message.
>>
>> Also, Wireshark is unable to decode the IPFIX packets, until I
>> manually modify a packet so that it is the message length. So, I
>> guess my question is, is this a bug or intended behavior?
>>
>> Thanks,
>>
>> David
>>
>> _______________________________________________
>> Ntop-dev mailing list
>> [email protected]
>> http://listgateway.unipi.it/mailman/listinfo/ntop-dev
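
The Length check discussed in this thread, as an added example that is not part of the original messages and is not nProbe or Wireshark code: it classifies a UDP payload by whether the version 10 header's Length field holds the message size in octets or the number of Sets. The function names and the sample payload are constructed for illustration; the layout assumed is the 16-octet IPFIX Message Header followed by Sets with a 4-octet Set header.

```python
import struct

IPFIX_VERSION = 10
HEADER = struct.Struct("!HHIII")   # Version, Length, Export Time, Sequence Number, Observation Domain ID
SET_HEADER = struct.Struct("!HH")  # Set ID, Set Length (octets, including this 4-octet header)


def count_sets(payload: bytes) -> int:
    """Walk the Sets after the 16-octet header; return -1 if they do not tile the payload."""
    offset, sets = HEADER.size, 0
    while offset < len(payload):
        if offset + SET_HEADER.size > len(payload):
            return -1
        _set_id, set_len = SET_HEADER.unpack_from(payload, offset)
        if set_len < SET_HEADER.size or offset + set_len > len(payload):
            return -1
        offset += set_len
        sets += 1
    return sets


def diagnose(payload: bytes) -> str:
    """Classify a UDP payload by what its header Length field actually holds."""
    if len(payload) < HEADER.size:
        return "truncated"
    version, length, _time, _seq, _domain = HEADER.unpack_from(payload)
    if version != IPFIX_VERSION:
        return "not-ipfix"
    if length == len(payload):
        return "ok"
    if length == count_sets(payload):
        return "length-holds-set-count"  # NetFlow v9 Count semantics in a version 10 header
    return "length-mismatch"


def make_message(length_field: int, total: int = 254) -> bytes:
    """Constructed sample: one zero-filled Data Set (Set ID 256) padded to `total` octets."""
    body_len = total - HEADER.size
    body = SET_HEADER.pack(256, body_len) + bytes(body_len - SET_HEADER.size)
    return HEADER.pack(IPFIX_VERSION, length_field, 0, 0, 0) + body


if __name__ == "__main__":
    print(diagnose(make_message(1)))    # header as described in the thread: 254 octets, Length 1
    print(diagnose(make_message(254)))  # same payload with Length set to the message size
```

Running `diagnose` over the UDP payloads of a capture separates a collector-side decoding problem from an exporter that writes a Set count into the Length field.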
