Wireshark-bugs: [Wireshark-bugs] [Bug 11295] Incorrect interpretation of IPFIX flowEndSysUpTime,

Date: Thu, 25 Jun 2015 06:36:12 +0000

Comment # 14 on bug 11295 from
(In reply to Tomas Danek from comment #11)
> I tried it and it is great, thank you!
> 
> I have only 2 additional notes:
> 1. Line 3511 - showing (milliseconds) instead of (microseconds)
> 2. For (switched) StartTime and EndTime are displayed in seconds, for all
> other duration types, StartTime and EndTime are displayed as formatted date
> string. Is there a reason for this? I know that this field is in sysUpTime,
> so some calculation is needed...

I fixed the typo for 1, which was a simple blunder.

I'm not sure about 2 though.  RFC 3954 describes the fields as follows:

                                           sysUptime in msec at which
   LAST_SWITCHED                21   4     the last packet of this
                                           Flow was switched

                                           sysUptime in msec at which
   FIRST_SWITCHED               22   4     the first packet of this
                                           Flow was switched

The current code treats the 2 values as millisecond counts, and calculates the
difference between these 2 values.  I'm not really sure what it means for a
Flow to be switched, but your example uses pretty large values.
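
An added illustration, not part of the original comment or of Wireshark's source: one way to turn the sysUptime-relative FIRST_SWITCHED and LAST_SWITCHED values into a duration and into absolute times, using the sysUpTime and UNIX Secs fields of the RFC 3954 export packet header. The struct and function names are hypothetical, the sample values are constructed, and the code assumes each stamp lies less than one 32-bit wrap (about 49.7 days) before the export time.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical holder for two RFC 3954 export header fields. */
struct export_hdr {
    uint32_t sys_uptime_ms; /* sysUpTime: ms since the exporter booted */
    uint32_t unix_secs;     /* UNIX Secs: export time, seconds since epoch */
};

/* Flow duration in ms. Unsigned 32-bit subtraction stays correct when
 * sysUptime wrapped once between the first and the last packet. */
uint32_t flow_duration_ms(uint32_t first_switched, uint32_t last_switched)
{
    return last_switched - first_switched;
}

/* Absolute time (ms since epoch) of a sysUptime-relative stamp.
 * Assumption: the stamp is not later than the header sysUpTime.
 * UNIX Secs has one-second resolution, so the result is accurate
 * to within a second. */
int64_t switched_to_epoch_ms(const struct export_hdr *h, uint32_t switched_ms)
{
    uint32_t age_ms = h->sys_uptime_ms - switched_ms; /* wrap-safe */
    return (int64_t)h->unix_secs * 1000 - (int64_t)age_ms;
}

int main(void)
{
    /* Constructed sample: exporter up for one hour at export time. */
    struct export_hdr h = { 3600000u, 1435000000u };
    uint32_t first = 3590000u, last = 3599500u;

    printf("duration: %u ms\n", flow_duration_ms(first, last));
    printf("start:    %lld ms since epoch\n",
           (long long)switched_to_epoch_ms(&h, first));
    printf("end:      %lld ms since epoch\n",
           (long long)switched_to_epoch_ms(&h, last));

    /* Constructed sample: sysUptime wrapped during the flow. */
    printf("wrapped duration: %u ms\n",
           flow_duration_ms(0xFFFFFF00u, 0x00000100u));
    return 0;
}
```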

