thr3ads.net - netflow tools - [netflow-tools] LAST_SWITCHED and FIRST_SWITCHED should be swapped in netflow9.c of softflowd. [Jun 2008]

If this information is useful, please help other people find it:
Share via:

Hitoshi Irino

2008-Jun-10 14:18 UTC

[netflow-tools] LAST_SWITCHED and FIRST_SWITCHED should be swapped in netflow9.c of softflowd.

Hello Damien and all,

I tested softflowd 0.98 and cvs version, and I found a problem.

In netflow9.c, the NF9_SOFTFLOWD_DATA_COMMON is defined as:
struct NF9_SOFTFLOWD_DATA_COMMON {
         u_int32_t first_switched, last_switched;
         u_int32_t bytes, packets;
         u_int16_t src_port, dst_port;
         u_int8_t protocol, tcp_flags, ipproto;
} __packed;

However, in "nf9_init_template(void)" makes templates that have
NF9_LAST_SWITCHED as 2nd field and NF9_FIRST_SWITCHED as 3rd field.

Therefore collectors interpret exported FIRST_SWITCHED value as 
LAST_SWITCHED and exported LAST_SWITCHED value as
FIRST_SWITCHED.
wireshark and nfdump displays inaccurate values for duration of flows.

So, I propose that the field for NF9_LAST_SWITCHED and the field for
NF9_FIRST_SWITCHED should be swapped.

regards,
Hitoshi Irino

netflow tools - Jun 2008 - LAST_SWITCHED and FIRST_SWITCHED should be swapped in netflow9.c of softflowd.

[netflow-tools] LAST_SWITCHED and FIRST_SWITCHED should be swapped in netflow9.c of softflowd.