Subject: Multiple flowsets are not parsed correctly for NetFlow v9
decode() counts each flow with $FlowCount. It uses that variable to
verify it hasn't finished reading the packet in line 919:
while( $FlowCount < $NetFlowHeaderRef->{Count} ){
The count in the NetFlow header is of *flowsets* and not the separate
flows in them. Each flowset contains its own length field that implies
the number of flows.
This can cause entire flowsets to be skipped. For example, decode() will
not parse a single flow in the following packet. It will only parse the
templates.
* header
  - count = 2
* flowset
  - id: 0 #templates
  * template flow
    - id: 256
  * template flow
    - id: 257
* flowset #ignored
  - id = 256
  * flow
  * flow
  * flow
Since every flow, including the template flows, is counted against the
header's flowset count, $FlowCount will be 2 before it reaches the
second flowset. The loop will stop and the flows will be ignored.
I've attached a patch that fixes this by only incrementing $FlowCount
once per flowset. The name should probably be changed to $FlowSetCount,
but I wanted to keep it simple.
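The packet layout from the report, rebuilt as an added example (not code from the ticket or from Net::Flow) in Python: build_packet() constructs the header (count=2), the template flowset with templates 256 and 257, and the data flowset with three records; decode() walks the flowsets by their Length field and can advance the counter either once per flowset (the patched reading) or once per record (the unpatched behaviour), so the two results can be compared. Field types and record contents are constructed sample values.

```python
import struct

HEADER_LEN = 20  # v9 header: version, count, sysUptime, unix secs, sequence, source id

def build_packet():
    """Constructed packet matching the report: header count=2, one template
    flowset (id 0) holding templates 256 and 257, then a data flowset for
    template 256 carrying three records."""
    tmpl = struct.pack("!HHHHHH", 256, 2, 8, 4, 12, 4)  # 256: IPV4_SRC_ADDR, IPV4_DST_ADDR
    tmpl += struct.pack("!HHHH", 257, 1, 1, 4)  # 257: IN_BYTES
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    recs = b"".join(bytes([10, 0, 0, i, 192, 168, 0, i]) for i in (1, 2, 3))  # sample records
    data_fs = struct.pack("!HH", 256, 4 + len(recs)) + recs
    header = struct.pack("!HHIIII", 9, 2, 0, 0, 0, 0)
    return header + tmpl_fs + data_fs

def decode(pkt, count_per_flowset):
    """Walk the flowsets by their Length field. count_per_flowset=True advances
    the counter once per flowset (patched reading of the header Count); False
    advances it once per template or data record, as the unpatched decode() does.
    Returns (data_flows_parsed, templates_seen)."""
    version, count = struct.unpack_from("!HH", pkt, 0)
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    off, counter, templates, flows = HEADER_LEN, 0, {}, []
    while counter < count and off + 4 <= len(pkt):
        fs_id, fs_len = struct.unpack_from("!HH", pkt, off)
        if fs_len < 4 or off + fs_len > len(pkt):
            raise ValueError("flowset length out of range")  # also prevents a zero-length loop
        body = pkt[off + 4:off + fs_len]
        if fs_id == 0:  # template flowset: templateId, fieldCount, (type, length)*
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, p)
                fields = struct.unpack_from("!%dH" % (2 * nfields), body, p + 4)
                templates[tid] = sum(fields[1::2])  # bytes per data record
                p += 4 + 4 * nfields
                counter += 0 if count_per_flowset else 1
        elif templates.get(fs_id):  # data flowset: fixed-size records, possibly padded
            rlen = templates[fs_id]
            for p in range(0, len(body) - rlen + 1, rlen):
                flows.append(body[p:p + rlen])
                counter += 0 if count_per_flowset else 1
        if count_per_flowset:
            counter += 1
        off += fs_len
    return len(flows), len(templates)
```

With per-record counting the loop ends after the two templates and no data flow is returned; with per-flowset counting all three records are parsed.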
Subject: fix_flowset_counter.patch
diff -ru Net-Flow-0.04/lib/Net/Flow.pm Net-Flow-0.04.patched/lib/Net/Flow.pm
--- Net-Flow-0.04/lib/Net/Flow.pm 2012-12-08 04:58:22.000000000 +0200
+++ Net-Flow-0.04.patched/lib/Net/Flow.pm 2012-12-08 04:58:49.000000000 +0200
@@ -1000,8 +1000,6 @@
}
- $FlowCount += 1 ;
-
@Template =
grep{
$_ if( $_->{TemplateId} ne $TemplateRef->{TemplateId} ) ;
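Review bot: dropping `$FlowCount += 1 ;` from the template-record loop leaves no increment for the template flowset visible in this hunk; confirm that the `$FlowCount += 1 ;` added in the second hunk is also reached after a template flowset, not only after a data flowset, otherwise template flowsets are never counted against the header's Count and the `while( $FlowCount < $NetFlowHeaderRef->{Count} )` loop runs past the last flowset. A short comment at the new increment stating that it counts one flowset would make the intent clear to the next reader.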
@@ -1028,13 +1026,14 @@
last ;
}
- $FlowCount += 1 ;
push(@Flows,$FlowRef) ;
}
}
+ $FlowCount += 1 ;
+
}
#
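Review bot: the new `$FlowCount += 1 ;` follows two closing braces and, with indentation lost in this listing, it is not clear whether it sits inside the data-flowset branch or in the common body of the while loop; please indent it so its scope is unambiguous and confirm it is executed exactly once for every flowset. Since the loop is still bounded only by the header's Count, a packet whose Count is larger than the number of flowsets actually present would keep reading beyond the payload; adding a second guard that compares the decode offset against the packet length would make the loop robust against truncated or malformed headers.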