From irino at sfc.wide.ad.jp Wed Jun 11 00:18:00 2008
From: irino at sfc.wide.ad.jp (Hitoshi Irino)
Date: Tue, 10 Jun 2008 23:18:00 +0900
Subject: [netflow-tools] LAST_SWITCHED and FIRST_SWITCHED should be swapped in netflow9.c of softflowd.
Message-ID: <484E8D18.80604@sfc.wide.ad.jp>

Hello Damien and all,

I tested softflowd 0.98 and the CVS version, and I found a problem.

In netflow9.c, NF9_SOFTFLOWD_DATA_COMMON is defined as:

    struct NF9_SOFTFLOWD_DATA_COMMON {
            u_int32_t first_switched, last_switched;
            u_int32_t bytes, packets;
            u_int16_t src_port, dst_port;
            u_int8_t protocol, tcp_flags, ipproto;
    } __packed;

However, "nf9_init_template(void)" makes templates that have
NF9_LAST_SWITCHED as the 2nd field and NF9_FIRST_SWITCHED as the 3rd field.

Therefore collectors interpret the exported FIRST_SWITCHED value as
LAST_SWITCHED and the exported LAST_SWITCHED value as FIRST_SWITCHED.
Wireshark and nfdump display inaccurate values for the duration of flows.

So, I propose that the field for NF9_LAST_SWITCHED and the field for
NF9_FIRST_SWITCHED should be swapped.

Regards,
Hitoshi Irino
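
The mismatch reported above, as an added example that is not part of the original message and is not softflowd's code: a collector assigns each value to the field type the template declares at that position, so a template order that disagrees with the record layout inverts the flow times. The field type IDs are those of RFC 3954; the two-field template, the helper names and the sample uptimes are constructed for illustration.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* NetFlow v9 field type IDs (RFC 3954). */
#define NF9_LAST_SWITCHED  21
#define NF9_FIRST_SWITCHED 22

/* Exporter side: timestamps in the order of the struct quoted in the message. */
struct data_common {
    uint32_t first_switched, last_switched;
} __attribute__((packed));

struct flow_times { uint32_t first, last; };

/* Template order as reported, and with the two fields swapped as proposed. */
static const uint16_t tmpl_reported[] = { NF9_LAST_SWITCHED, NF9_FIRST_SWITCHED };
static const uint16_t tmpl_swapped[]  = { NF9_FIRST_SWITCHED, NF9_LAST_SWITCHED };

/* Collector side: walk the template and bind each 4-byte value to the
 * field type declared at that position (hypothetical minimal decoder). */
static struct flow_times decode(const uint16_t *tmpl, size_t n, const uint8_t *rec)
{
    struct flow_times t = { 0, 0 };
    for (size_t i = 0; i < n; i++) {
        uint32_t v;
        memcpy(&v, rec + 4 * i, sizeof(v));
        v = ntohl(v);
        if (tmpl[i] == NF9_FIRST_SWITCHED) t.first = v;
        else if (tmpl[i] == NF9_LAST_SWITCHED) t.last = v;
    }
    return t;
}

/* Constructed sample flow: first packet at uptime 1000 ms, last at 6000 ms.
 * Returns the duration a collector derives; signed so an inversion is visible. */
static int64_t duration_ms(const uint16_t *tmpl)
{
    struct data_common d = { htonl(1000), htonl(6000) };
    struct flow_times t = decode(tmpl, 2, (const uint8_t *)&d);
    return (int64_t)t.last - (int64_t)t.first;
}

int main(void)
{
    printf("reported template: %lld ms\n", (long long)duration_ms(tmpl_reported));
    printf("swapped template:  %lld ms\n", (long long)duration_ms(tmpl_swapped));
    return 0;
}
```

A negative or implausible duration on every flow from one exporter is a useful collector-side check for this kind of template and record disagreement.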