On further inspection, it appears that the problems I am seeing are due
to improperly formed Netflow records being generated by the Cisco device
under test. (It appears to be omitting the TCP Flags field for some
non-TCP flows, which throws the remainder of the record off and causes
the flow record to be one byte shorter than specified by the template.)
The Ethereal template decodes appear to be working correctly when the
data is correct.
Thanks again,
Paul Sellnow
-----Original Message-----
From: Motonori Shindo [mailto:mshindo@xxxxxxxxxxx]
Sent: Thursday, February 23, 2006 1:07 AM
To: ethereal-users@xxxxxxxxxxxx; Sellnow, Paul
Subject: Re: [Ethereal-users] cflow v9 template records
Paul,
From: <paul.sellnow@xxxxxxx>
Subject: [Ethereal-users] cflow v9 template records
Date: Wed, 22 Feb 2006 16:44:23 -0600
> I see that in version 0.10.13 there is now support for the Netflow/CFLOW
> version 9 template records. However, for the decodes of the actual flow
> records it appears that all flows are decoded using Cisco's #256
> template record. I have some traces which also include some #257
> template records, which are 4 bytes longer than the #256 template, but
> the cflow decode seems to only use the #256 template format regardless
> of the template id in the flowset header. If a #256 record follows a
> #257 record then all the fields are offset by an extra four bytes.
>
> Is there a way for me to create my own #257 template format in an ASCII
> file off to the side, and have ethereal look for it when the data
> contains that value in the flowset header? Or is that compiled into the
> binary and out of reach?
I don't think such a default template is built in (although there was
a discussion as to whether we should have such a default template or
not in the past). If you don't mind, will you send me the trace file
you have? I will take a look at it.
---
Motonori Shindo
Fivefront Corporation
Chief Technology Officer
http://www.fivefront.com
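
Added example, not part of the original messages and not Ethereal's dissector code: a minimal NetFlow v9 flowset decoder that selects the template by the flowset ID (so #256 and #257 records are each decoded with their own layout) and reports a data flowset whose length does not fit the template, as happens when an exporter drops the TCP Flags byte. The function names and the sample bytes are constructed for illustration; field type numbers follow the NetFlow v9 field definitions (8/12 addresses, 4 protocol, 6 TCP flags, 7/11 ports, 1 IN_BYTES).

```python
import struct

def parse_templates(body, templates):  # template flowset (ID 0) -> {id: [(type, len), ...]}
    off = 0
    while off + 4 <= len(body):
        tid, nfields = struct.unpack_from("!HH", body, off)
        if tid < 256 or off + 4 + 4 * nfields > len(body):
            break  # padding or a truncated template record
        templates[tid] = list(struct.iter_unpack("!HH", body[off + 4:off + 4 + 4 * nfields]))
        off += 4 + 4 * nfields

def decode_data(tid, body, templates):
    """Decode with the template named by the flowset ID; return (records, problem)."""
    fields = templates.get(tid, [])
    rec_len = sum(flen for _, flen in fields)
    if rec_len == 0:
        return [], f"no usable template {tid}"
    count, leftover = divmod(len(body), rec_len)
    records = []
    for r in range(count):
        off, rec = r * rec_len, {}
        for ftype, flen in fields:
            rec[ftype] = int.from_bytes(body[off:off + flen], "big")
            off += flen
        records.append(rec)
    if leftover > 3 or any(body[count * rec_len:]):  # only <= 3 zero pad bytes may remain
        return records, f"{leftover} stray bytes after {count} x {rec_len}-byte records"
    return records, None

def walk_flowsets(payload, templates):
    """payload: flowsets after the 20-byte v9 header. Returns [(id, records, problem)]."""
    off, out = 0, []
    while off + 4 <= len(payload):
        fsid, fslen = struct.unpack_from("!HH", payload, off)
        if fslen < 4 or off + fslen > len(payload):
            return out + [(fsid, [], "bad flowset length")]
        body = payload[off + 4:off + fslen]
        if fsid == 0:
            parse_templates(body, templates)
        elif fsid > 255:
            out.append((fsid, *decode_data(fsid, body, templates)))
        off += fslen
    return out

# Constructed sample (not from the thread): template 257 = template 256 + 4-byte IN_BYTES.
F = "00080004000c00040004000100060001" "00070002000b0002"  # six (type, length) pairs
R = "c0000201c6336402061bc00001bb"  # one TCP record laid out per template 256
TEMPLATES = bytes.fromhex("00000040" "01000006" + F + "01010007" + F + "00010004")
GOOD = bytes.fromhex("01010018" + R + "000005dc0000" "01000014" + R + "0000")
SHORT = bytes.fromhex("0100001f" "c0000201c633640211" "0035c350" + R)  # UDP record lacks flags
```

When alignment padding happens to absorb the missing byte, the length check passes, so implausible values in the decoded fields (here a source port of 0x35c3 instead of 53) are the other signal to look for.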