[netflow-tools] LAST_SWITCHED and FIRST_SWITCHED should be swapped in netflow9.c of softflowd.
Hitoshi Irino
irino at sfc.wide.ad.jp
Wed Jun 11 00:18:00 EST 2008
Hello Damien and all,

I tested softflowd 0.98 and the CVS version, and I found a problem.
In netflow9.c, NF9_SOFTFLOWD_DATA_COMMON is defined as:

    struct NF9_SOFTFLOWD_DATA_COMMON {
        u_int32_t first_switched, last_switched;
        u_int32_t bytes, packets;
        u_int16_t src_port, dst_port;
        u_int8_t protocol, tcp_flags, ipproto;
    } __packed;

However, "nf9_init_template(void)" makes templates that have
NF9_LAST_SWITCHED as the 2nd field and NF9_FIRST_SWITCHED as the 3rd field.
Therefore collectors interpret the exported FIRST_SWITCHED value as
LAST_SWITCHED and the exported LAST_SWITCHED value as
FIRST_SWITCHED.
Wireshark and nfdump display inaccurate values for the duration of flows.

So, I propose that the field for NF9_LAST_SWITCHED and the field for
NF9_FIRST_SWITCHED should be swapped.

Regards,
Hitoshi Irino