Ethereal-dev: Re: [Ethereal-dev] Cisco NetFlow (and Juniper Cflowd) dissector
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: Matthew Smart <smart@xxxxxxxxxx>
Date: Thu, 5 Sep 2002 15:43:45 -0400
If you could provide me with documentation on how Juniper treats the last, reserved field in the header, I would be grateful. Cisco treats this as undocumented and unsupported. Also, the field only represents the sampling rate if the top two bits are == 10b. I have code to do the right thing in this case. I have removed Cisco-specific language from the dissector.

mattSMART

On Thu, Sep 05, 2002 at 07:32:47PM +0200, Hannes Gredler wrote:
> hi,
>
> pls find attached patch that supports decoding of the
> sample rate factor in cflowd5 headers;
>
> ---
> another question: is there a way to tell ethereal on startup
> that it should register the netflow dissector on a specific UDP
> port ?
>
> matthew already pointed out the dilemma - currently there is
> no well-known port for cflowd records and on most of my customers'
> networks it is an arbitrary UDP port [2000, 2032 etc.]
>
> /hannes
>
> On Wed, Sep 04, 2002 at 03:39:42PM -0400, Matthew Smart wrote:
> | This dissector properly reads NetFlow version 5 and can be
> | enhanced to handle version 1, 7, 8, and with a bit more work
> | version 9. I have a lot of code that processes the different
> | versions, and I'd be happy to continue to make this dissector
> | better if it makes it into the tree.
> |
> | The patch to 0.9.6-current is trivial: just added the source file
> | to Makefile.am and Makefile.nmake and two new files, packet-netflow.h
> | and packet-netflow.c.
> |
> | I realize that there is no default port for NetFlow exports, so
> | I have set the default value to port 5000.
>
> [ ... ]
> Index: packet-netflow.c
> ===================================================================
> RCS file: /cvsroot/ethereal/packet-netflow.c,v
> retrieving revision 1.1
> diff -u -r1.1 packet-netflow.c
> --- packet-netflow.c 2002/09/04 20:23:53 1.1
> +++ packet-netflow.c 2002/09/05 17:26:36
> @@ -41,6 +41,7 @@ > static int hf_netflow_sys_uptime = -1; > static int hf_netflow_unix_sec = -1; > static int hf_netflow_unix_nsec = -1; > +static int hf_netflow_sample_rate = -1; > static int hf_netflow_flow_sequence = -1; > static int hf_netflow_record = -1; > > @@ -56,7 +57,7 @@ > gint offset = 0; > struct netflow5_hdr nfh; > struct netflow5_rec nfr; > - guint16 nfh_version, nfh_count; > + guint16 nfh_version, nfh_count, nfh_sample_rate; > guint32 nfh_sys_uptime, nfh_unix_sec, nfh_unix_nsec; > guint32 nfh_sequence; > int i; > @@ -73,18 +74,19 @@ > nfh_sys_uptime = ntohl(nfh.sys_uptime); > nfh_unix_sec = ntohl(nfh.unix_sec); > nfh_unix_nsec = ntohl(nfh.unix_nsec); > + nfh_sample_rate = ntohs(nfh.sample_rate); > nfh_sequence = ntohl(nfh.flow_sequence); > > if (check_col(pinfo->cinfo, COL_INFO)) > col_add_fstr(pinfo->cinfo, COL_INFO, > - "v%u, %u records, sequence number %u", > + "Netflow v%u, %u records, sequence number %u", > nfh_version, nfh_count, nfh_sequence); > > if (tree != NULL) { > /* Add NetFlow to to the tree */ > ti = proto_tree_add_protocol_format(tree, proto_netflow, tvb, > offset, sizeof(nfh.version) + sizeof(nfh.count)*sizeof(nfr), > - "Cisco Netflow, v%u, %u records, sequence number %u", > + "Netflow v%u, %u records, sequence number %u", > nfh_version, nfh_count, nfh_sequence); > netflow_tree = proto_item_add_subtree(ti, ett_netflow); > > @@ -115,6 +117,11 @@ > tvb, offset + 12, sizeof(nfh.unix_nsec), nfh_unix_nsec, > "Residual: %u nanoseconds", nfh_unix_nsec); > > + /* On high-speed interfaces often just statistical sample records are produced */ > + proto_tree_add_uint_format(netflow_tree, hf_netflow_sample_rate, > + tvb, offset + 22, sizeof(nfh.sample_rate), nfh_sample_rate, > + "Sample Rate: 1/%u", nfh_sample_rate); > + > for (i = 0; i < nfh_count; i++) { > guint rec_offset = sizeof(nfh) + i * sizeof(nfr); 
> > @@ -202,6 +209,9 @@ > BASE_DEC, NULL, 0x0, "", HFILL }}, > { &hf_netflow_unix_nsec, > { "Unix nanonseconds", "netflow.unix_nsec", FT_UINT32, > + BASE_DEC, NULL, 0x0, "", HFILL }}, > + { &hf_netflow_sample_rate, > + { "Sample Rate", "netflow.sample_rate", FT_UINT16, > BASE_DEC, NULL, 0x0, "", HFILL }}, > { &hf_netflow_flow_sequence, > { "Sequence number", "netflow.flow_sequence", FT_UINT32, > Index: packet-netflow.h > =================================================================== > RCS file: /cvsroot/ethereal/packet-netflow.h,v > retrieving revision 1.1 > diff -u -r1.1 packet-netflow.h > --- packet-netflow.h 2002/09/04 20:23:54 1.1 > +++ packet-netflow.h 2002/09/05 17:26:36 > @@ -39,7 +39,7 @@ > guint32 flow_sequence; /* Sequence num of flows seen */ > guint8 engine_type; /* Type of flow switching engine */ > guint8 engine_id; /* Slot number of switching engine */ > - guint16 reserved; > + guint16 sample_rate; /* sample 1/sample_rate packets */ > }; > > struct netflow5_rec {
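Review bot: in the `@@ -73,18 +74,19 @@` hunk the length passed to `proto_tree_add_protocol_format`, visible in the unchanged context line `offset, sizeof(nfh.version) + sizeof(nfh.count)*sizeof(nfr),`, does not depend on `nfh_count` at all: it is `sizeof(guint16) + sizeof(guint16) * sizeof(nfr)` whatever the record count, so the protocol item covers the wrong byte range. The bug is pre-existing, but since the line directly below it is being edited, suggest `sizeof(nfh) + nfh_count * sizeof(nfr)`, clamped to what the tvb actually holds.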
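Review bot: the new `proto_tree_add_uint_format` call in the `@@ -115,6 +117,11 @@` hunk formats the raw 16-bit value as `"Sample Rate: 1/%u"`, but, as the reply above states, the field only carries a sampling interval when its top two bits are `10b`; an exporter that is not sampling sends 0 and will be displayed as `Sample Rate: 1/0`. Suggest testing the mode bits first, e.g. `if ((nfh_sample_rate & 0xC000) == 0x8000)` and then printing `nfh_sample_rate & 0x3FFF`, and otherwise showing the raw value as a reserved/unused field. The comment `/* On high-speed interfaces often just statistical sample records are produced */` would also read better as "On high-speed interfaces only a statistical sample of packets is accounted".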
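Review bot: in the `@@ -202,6 +209,9 @@` hunk `hf_netflow_sample_rate` is registered with bitmask `0x0`, so the display filter `netflow.sample_rate` mixes the two mode bits with the 14-bit interval and a filter such as `netflow.sample_rate == 1000` will not match a sampled header. Suggest registering the interval with mask `0x3FFF` and a second `FT_UINT16` field for the mode bits with mask `0xC000`. The context line `"Unix nanonseconds"` also carries a pre-existing typo for "nanoseconds".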
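Review bot: in the packet-netflow.h hunk, renaming `reserved` to `sample_rate` with the comment `/* sample 1/sample_rate packets */` bakes in an interpretation that, per the reply above, holds only when the top two bits are `10b`, and the reply also notes Cisco treats the field as undocumented. Suggest a neutral name such as `sampling_interval` with a comment documenting the 2-bit mode / 14-bit interval split, so readers of the struct are not misled on unsampled exports.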
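The sampling-field rule stated in the reply above (top two bits are a mode, the low 14 bits an interval, meaningful only when the mode bits are `10b`) and the fixed v5 header layout the patch relies on are shown here in a small stand-alone parser. This is an added example, not code from the Ethereal dissector or from either poster; the type and function names (`nf5_header`, `nf5_parse_header`, `nf5_parse_with_sampling`) are this example's own, and the datagram is constructed rather than captured. It also checks that the header's record count fits in the datagram, which a collector must do before trusting `count`.

```c
/* Added example: parse a NetFlow v5 export header from raw bytes and
 * interpret its last 16-bit field as described in the reply above
 * (top two bits = sampling mode, low 14 bits = interval, meaningful
 * only when the mode bits are 10b). Names here are this example's own. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define NF5_HDR_LEN 24   /* fixed v5 header length in bytes */
#define NF5_REC_LEN 48   /* length of one v5 flow record */

typedef struct {
    uint16_t version;
    uint16_t count;             /* flow records claimed by the header */
    uint32_t sys_uptime;
    uint32_t unix_sec;
    uint32_t unix_nsec;
    uint32_t flow_sequence;
    uint8_t  engine_type;
    uint8_t  engine_id;
    uint16_t sampling_raw;      /* last field, exactly as exported */
    int      sampled;           /* 1 only when the mode bits are 10b */
    uint16_t sampling_interval; /* low 14 bits; 0 unless sampled */
} nf5_header;

/* Big-endian (network order) readers; no ntohs/ntohl needed. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Returns 0 on success; -1 if the datagram is too short or not v5;
 * -2 if the header's record count does not fit in the datagram. */
int nf5_parse_header(const uint8_t *buf, size_t len, nf5_header *h)
{
    if (len < NF5_HDR_LEN) return -1;
    h->version = rd16(buf);
    if (h->version != 5) return -1;
    h->count         = rd16(buf + 2);
    h->sys_uptime    = rd32(buf + 4);
    h->unix_sec      = rd32(buf + 8);
    h->unix_nsec     = rd32(buf + 12);
    h->flow_sequence = rd32(buf + 16);
    h->engine_type   = buf[20];
    h->engine_id     = buf[21];
    h->sampling_raw  = rd16(buf + 22);
    h->sampled = ((h->sampling_raw >> 14) == 0x2);      /* mode bits == 10b */
    h->sampling_interval = h->sampled ? (uint16_t)(h->sampling_raw & 0x3FFF) : 0;
    /* Never trust count alone: a collector that loops over count records
     * without this check reads past the end of a short datagram. */
    if (len < NF5_HDR_LEN + (size_t)h->count * NF5_REC_LEN) return -2;
    return 0;
}

/* Constructed datagram: v5, one record, sampling field 0x83E8
 * (mode 10b, interval 1000), followed by one zeroed 48-byte record. */
const uint8_t nf5_sample_datagram[NF5_HDR_LEN + NF5_REC_LEN] = {
    0x00, 0x05, 0x00, 0x01,         /* version 5, count 1 */
    0x00, 0x00, 0x03, 0xE8,         /* sys_uptime 1000 ms */
    0x00, 0x00, 0x00, 0x2A,         /* unix_sec 42 */
    0x00, 0x00, 0x00, 0x00,         /* unix_nsec 0 */
    0x00, 0x00, 0x00, 0x64,         /* flow_sequence 100 */
    0x00, 0x01,                     /* engine_type 0, engine_id 1 */
    0x83, 0xE8                      /* sampling: 10b | 1000 */
    /* remaining 48 bytes are zero-initialised: one empty flow record */
};

/* Same datagram with the sampling field overwritten, so the mode-bit
 * check can be exercised with other values. */
int nf5_parse_with_sampling(uint16_t sampling_field, nf5_header *h)
{
    uint8_t buf[NF5_HDR_LEN + NF5_REC_LEN];
    size_t i;
    for (i = 0; i < sizeof buf; i++) buf[i] = nf5_sample_datagram[i];
    buf[22] = (uint8_t)(sampling_field >> 8);
    buf[23] = (uint8_t)(sampling_field & 0xFF);
    return nf5_parse_header(buf, sizeof buf, h);
}

int main(void)
{
    nf5_header h;
    int rc = nf5_parse_header(nf5_sample_datagram, sizeof nf5_sample_datagram, &h);
    if (rc != 0) { printf("parse failed: %d\n", rc); return 1; }
    printf("Netflow v%u, %u records, sequence number %u\n",
           (unsigned)h.version, (unsigned)h.count, (unsigned)h.flow_sequence);
    if (h.sampled)
        printf("Sample Rate: 1/%u\n", (unsigned)h.sampling_interval);
    else
        printf("Sampling field: 0x%04x (no sampling mode set)\n", (unsigned)h.sampling_raw);
    return 0;
}
```

Run stand-alone it prints the same summary line the patch adds to the Info column, followed by either a sample rate or the raw field when the mode bits are not `10b`; the length check is the part a dissector or collector must not skip, since `count` comes from the network.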
- Follow-Ups:
- Re: [Ethereal-dev] Cisco NetFlow (and Juniper Cflowd) dissector
- From: Hannes Gredler
- Re: [Ethereal-dev] Cisco NetFlow (and Juniper Cflowd) dissector
- References:
- [Ethereal-dev] Cisco NetFlow (and Juniper Cflowd) dissector
- From: Matthew Smart
- Re: [Ethereal-dev] Cisco NetFlow (and Juniper Cflowd) dissector
- From: Hannes Gredler
- [Ethereal-dev] Cisco NetFlow (and Juniper Cflowd) dissector