Motonori,
After further investigation, it turns out that what I was actually
seeing was a problem due to the fact that Ethereal appears to only
detect the first template record if there are multiple template records
in a single packet. I have attached an example packet. There are two
template records followed by two data records. The CFLOW decode shows
the first template record as Flowset 1/4, then the two data records as
2/4 and 3/4. The second template record can only be viewed by looking
directly at the hex output, from bytes 8E through D2.
Thanks,
Paul Sellnow
-----Original Message-----
From: Motonori Shindo [mailto:mshindo@xxxxxxxxxxx]
Sent: Thursday, February 23, 2006 1:07 AM
To: ethereal-users@xxxxxxxxxxxx; Sellnow, Paul
Subject: Re: [Ethereal-users] cflow v9 template records
Paul,
From: <paul.sellnow@xxxxxxx>
Subject: [Ethereal-users] cflow v9 template records
Date: Wed, 22 Feb 2006 16:44:23 -0600
> I see that in version 0.10.13 there is now support for the Netflow/CFLOW
> version 9 template records. However, for the decodes of the actual flow
> records it appears that all flows are decoded using Cisco's #256
> template record. I have some traces which also include some #257
> template records, which are 4 bytes longer than the #256 template, but
> the cflow decode seems to only use the #256 template format regardless
> of the template id in the flowset header. If a #256 record follows a
> #257 record then all the fields are offset by an extra four bytes.
>
> Is there a way for me to create my own #257 template format in an ASCII
> file off to the side, and have ethereal look for it when the data
> contains that value in the flowset header? Or is that compiled into the
> binary and out of reach?
I don't think such a default template is built in (although there was
a discussion as to whether we should have such a default template or
not in the past). If you don't mind, will you send me the trace file
you have? I will take a look at it.
---
Motonori Shindo
Fivefront Corporation
Chief Technology Officer
http://www.fivefront.com
Attachment:
consecutive-templates.cap
Description: consecutive-templates.cap
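The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Ethereal's dissector code: a small NetFlow v9 parser (layout per RFC 3954) that keeps reading template records until the template FlowSet is exhausted, then decodes each data FlowSet with the template named by its FlowSet ID. The field lists chosen for templates 256 and 257 and all sample bytes are constructed for illustration; they are not taken from consecutive-templates.cap.

```python
import struct

def parse_templates(body, templates):
    """Store every template record found in a template FlowSet body (FlowSet ID 0)."""
    pos = 0
    while pos + 4 <= len(body):  # keep looping: one FlowSet may hold several templates
        tid, nfields = struct.unpack_from("!HH", body, pos)
        end = pos + 4 + 4 * nfields
        if tid < 256 or nfields == 0 or end > len(body):
            break  # zero padding or a truncated record
        templates[tid] = list(struct.iter_unpack("!HH", body[pos + 4:end]))  # (type, length)
        pos = end

def decode_data(tid, body, templates):
    """Split a data FlowSet into records using the template its FlowSet ID names."""
    fields = templates.get(tid)
    size = sum(flen for _, flen in fields) if fields else 0  # unknown template: skip
    out, pos = [], 0
    while size and pos + size <= len(body):  # a tail shorter than one record is padding
        rec, p = {}, pos
        for ftype, flen in fields:
            rec[ftype], p = body[p:p + flen], p + flen
        out.append((tid, rec))
        pos += size
    return out

def parse_v9(packet):
    """Return (templates, records) for one NetFlow v9 export packet."""
    if struct.unpack_from("!H", packet, 0)[0] != 9:
        raise ValueError("not NetFlow v9")
    templates, records, off = {}, [], 20  # FlowSets start after the 20-byte header
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad FlowSet length at offset %d" % off)
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:
            parse_templates(body, templates)
        elif fs_id >= 256:
            records += decode_data(fs_id, body, templates)
        off += fs_len
    return templates, records

SAMPLE = bytes.fromhex(
    "0009 0004" + "00" * 16 +                            # constructed header, count = 4
    "0000 0028 0100 0003 0008 0004 000c 0004 0001 0004"  # template FlowSet: template 256
    "0101 0004 0008 0004 000c 0004 0001 0004 0002 0004"  # same FlowSet: template 257
    "0101 0014 0a000001 0a000002 000005dc 00000003"      # data record for template 257
    "0100 0010 0a000003 0a000004 00000040")              # data record for template 256
```

`parse_v9(SAMPLE)` returns both templates and two records; the 256 record that follows the 257 record is decoded with its own 12-byte layout, so its fields are not shifted by four bytes.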