6 ** (c) 2002 bill fumerola <fumerola@yahoo-inc.com>
7 ** (C) 2005-06 Luca Deri <deri@ntop.org>
9 ** All rights reserved.
11 ** Wireshark - Network traffic analyzer
12 ** By Gerald Combs <gerald@wireshark.org>
13 ** Copyright 1998 Gerald Combs
15 ** This program is free software; you can redistribute it and/or
16 ** modify it under the terms of the GNU General Public License
17 ** as published by the Free Software Foundation; either version 2
18 ** of the License, or (at your option) any later version.
20 ** This program is distributed in the hope that it will be useful,
21 ** but WITHOUT ANY WARRANTY; without even the implied warranty of
22 ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 ** GNU General Public License for more details.
25 ** You should have received a copy of the GNU General Public License
26 ** along with this program; if not, write to the Free Software
27 ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
28 *****************************************************************************
30 ** Previous NetFlow dissector written by Matthew Smart <smart@monkey.org>
31 ** NetFlow v9 support added by same.
33 ** NetFlow v9 patches by Luca Deri <deri@ntop.org>
37 ** http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/tflow_wp.htm
38 ** http://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.html
40 ** Cisco ASA5500 Series
41 ** http://www.cisco.com/en/US/docs/security/asa/asa83/netflow/netflow.html
43 ** for NetFlow v9 information.
44 ** ( http://www.ietf.org/rfc/rfc3954.txt ?)
45 ** http://www.ietf.org/rfc/rfc5101.txt
46 ** http://www.ietf.org/rfc/rfc5102.txt
47 ** http://www.ietf.org/rfc/rfc5103.txt
48 ** http://www.iana.org/assignments/ipfix/ipfix.xml
49 ** http://www.iana.org/assignments/psamp-parameters/psamp-parameters.xml
52 *****************************************************************************
54 ** this code was written from the following documentation:
56 ** http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/nfc/nfc_3_6/iug/format.pdf
57 ** http://www.caida.org/tools/measurement/cflowd/configuration/configuration-9.html
59 ** some documentation is more accurate than others. in some cases, live data and
60 ** information contained in responses from vendors were also used. some fields
61 ** are dissected as vendor specific fields.
65 ** http://www.cisco.com/en/US/docs/ios/solutions_docs/netflow/nfwhite.html
67 *****************************************************************************
68 ** NetFlow forwarding status and template fixes
69 ** by Aamer Akhter <aakhter@cisco.com>
70 ** Copyright 2010, cisco Systems, Inc.
72 ** $Yahoo: //depot/fumerola/packet-netflow/packet-netflow.c#14 $
74 *****************************************************************************
80 * September 2010: WMeier: Extensive v9/v10 code cleanup, bug fixing and field display improvements.
82 * ToDo: [09/16/2010: WMeier]
84 * 1. (See the various XXX comments)
85 * 2. Template processing:
86 * a. source port needs to be part of the template identifier ?
87 * b. Use GHashTable instead of home-grown hash so no collisions;
88 * c. (Verify that template with same ID is actually identical to that previously seen ?)
89 * d. Review use of lengths from template when dissecting fields in a data flow: not really OK ?
90 * The proto_tree_add_item() calls in dissect_v9_v10_pdu_data() use:
91 * - "lengths" as specified in the previously seen template for the flow;
92 * - a hardwired Wireshark "field-type" (FT_UINT8, etc) in the hf[] array entries.
93 * Since many/most netflow/ipfix field-types have a specified fixed size (int32, ether addr, etc),
94 * and since the code in dissect_v9_v10_pdu_data() "knows" these sizes, "DISSECTOR_BUG" errors
95 * will occur if the "known" length and the length as gotten from the template don't match.
96 * Consider: validate length fields when processing templates ?
97 * Don't cache template if errors in particular fields of template (eg: v10: pen == 0) ?
103 * November 2010: acferen: Add ntop nProbe and Plixer Mailinizer extensions
105 * nProbe changes are for nprobe >= 5.5.6. Earlier nprobe versions
106 * "supported" some of the same fields, but they used element IDs that
107 * collide with standard IDs. Because of this versions prior to 5.5.6
108 * using IDs above 80 (nprobe extensions) cannot be decoded correctly.
110 * nprobe supports extensions in v9 and IPFIX. IPFIX is done in the
111 * standard way. See the NTOP_BASE for handling v9 with no collisions
114 * Plixer changes are just new field definitions. (IPFIX only)
116 * extended core code to allow naming vendor extensions.
118 * Put the length for variable length strings in a tree under the
119 * decoded string. Wonder if this might be overkill. Could probably
120 * just format the "(Variable length)" string to include the actual
123 * Did some minor cleanup.
125 * Note for WMeier... Added YYY comments with some XXX comments.
132 #include <epan/packet.h>
134 #include <epan/prefs.h>
135 #include <epan/sminmpec.h>
136 #include <epan/dissectors/packet-tcp.h>
137 #include <epan/dissectors/packet-udp.h>
138 #include "packet-ntp.h"
139 #include <epan/expert.h>
140 #include <epan/strutil.h>
/* Debug variants: each ipfix_debugN() forwards to g_warning(), with 'str'
   used as the printf-style format and p1..p3 as its arguments.
   Pass only string literals as 'str'. Text that originates in a packet
   must be supplied as an argument to a "%s" conversion, never as the
   format itself.
   NOTE(review): the preprocessor conditional that selects between this
   group and the empty group below is not visible in this listing. */
144 #define ipfix_debug0(str) g_warning(str)
145 #define ipfix_debug1(str,p1) g_warning(str,p1)
146 #define ipfix_debug2(str,p1,p2) g_warning(str,p1,p2)
147 #define ipfix_debug3(str,p1,p2,p3) g_warning(str,p1,p2,p3)
/* Non-debug variants: every macro expands to nothing, so the arguments are
   never evaluated. Do not put side effects in ipfix_debugN() arguments. */
149 #define ipfix_debug0(str)
150 #define ipfix_debug1(str,p1)
151 #define ipfix_debug2(str,p1,p2)
152 #define ipfix_debug3(str,p1,p2,p3)
157 2055 and 9996 are common defaults for Netflow
159 #define NETFLOW_UDP_PORTS "2055,9996"
160 #define IPFIX_UDP_PORTS "4739"
162 static dissector_handle_t netflow_handle;
164 /* If you want sort of safely to send enterprise specific element IDs
165 using v9 you need to stake a claim in the wilds with the high bit
166 set. Still no naming authority, but at least it will never collide
168 #define NTOP_BASE 57472u /* nprobe >= 5.5.6 */
171 * global_netflow_ports : holds the configured range of ports for netflow
173 static range_t *global_netflow_ports = NULL;
175 * global_ipfix_ports : holds the configured range of ports for IPFIX
177 static range_t *global_ipfix_ports = NULL;
180 * Flowset (template) ID's
/* Flowset ID space: 0-3 identify template flowsets (v9 / v10 [IPFIX], data
   and options), 4-255 are reserved, and 256-65535 identify data flowsets. */
182 #define FLOWSET_ID_V9_DATA_TEMPLATE 0
183 #define FLOWSET_ID_V9_OPTIONS_TEMPLATE 1
184 #define FLOWSET_ID_V10_DATA_TEMPLATE 2
185 #define FLOWSET_ID_V10_OPTIONS_TEMPLATE 3
186 #define FLOWSET_ID_RESERVED_MIN 4
187 #define FLOWSET_ID_RESERVED_MAX 255
188 #define FLOWSET_ID_DATA_MIN 256
189 #define FLOWSET_ID_DATA_MAX 65535
/* Display names for each flowset ID range, expressed as { min, max, label }.
   NOTE(review): the flowset ID is read from the packet. Presumably a data
   flowset ID doubles as the ID of the template used to decode it, so the
   lookup has to cope with an ID for which no template was ever cached -
   confirm in the flowset dissection code.
   NOTE(review): the terminating entry of this table is not visible in this
   listing. */
191 static const range_string rs_flowset_ids[] = {
192 { FLOWSET_ID_V9_DATA_TEMPLATE , FLOWSET_ID_V9_DATA_TEMPLATE , "Data Template (V9)" },
193 { FLOWSET_ID_V9_OPTIONS_TEMPLATE , FLOWSET_ID_V9_OPTIONS_TEMPLATE , "Options Template(V9)" },
194 { FLOWSET_ID_V10_DATA_TEMPLATE , FLOWSET_ID_V10_DATA_TEMPLATE , "Data Template (V10 [IPFIX])" },
195 { FLOWSET_ID_V10_OPTIONS_TEMPLATE, FLOWSET_ID_V10_OPTIONS_TEMPLATE, "Options Template (V10 [IPFIX])" },
196 { FLOWSET_ID_RESERVED_MIN , FLOWSET_ID_RESERVED_MAX , "(Reserved)" },
197 { FLOWSET_ID_DATA_MIN , FLOWSET_ID_DATA_MAX , "(Data)" },
202 * pdu identifiers & sizes
/* Fixed per-record sizes for the pre-v9 NetFlow versions (v1, v5, v7) and
   for each v8 aggregation scheme, written as multiples of 4.
   The TOS variants are defined in terms of the corresponding base scheme.
   NOTE(review): presumably the dissector advances by one of these sizes per
   record, for a record count taken from the PDU header. That count is
   supplied by the exporter, so count * size should be checked against the
   remaining captured length - confirm in the PDU dissection code. */
205 #define V1PDU_SIZE (4 * 12)
206 #define V5PDU_SIZE (4 * 12)
207 #define V7PDU_SIZE (4 * 13)
208 #define V8PDU_AS_SIZE (4 * 7)
209 #define V8PDU_PROTO_SIZE (4 * 7)
210 #define V8PDU_SPREFIX_SIZE (4 * 8)
211 #define V8PDU_DPREFIX_SIZE (4 * 8)
212 #define V8PDU_MATRIX_SIZE (4 * 10)
213 #define V8PDU_DESTONLY_SIZE (4 * 8)
214 #define V8PDU_SRCDEST_SIZE (4 * 10)
215 #define V8PDU_FULL_SIZE (4 * 11)
216 #define V8PDU_TOSAS_SIZE (V8PDU_AS_SIZE + 4)
217 #define V8PDU_TOSPROTOPORT_SIZE (V8PDU_PROTO_SIZE + 4)
218 #define V8PDU_TOSSRCPREFIX_SIZE (V8PDU_SPREFIX_SIZE)
219 #define V8PDU_TOSDSTPREFIX_SIZE (V8PDU_DPREFIX_SIZE)
220 #define V8PDU_TOSMATRIX_SIZE (V8PDU_MATRIX_SIZE)
221 #define V8PDU_PREPORTPROTOCOL_SIZE (4 * 10)
/* Template field-length value that marks a field as variable length (the
   file header notes refer to these as "(Variable length)" strings).
   NOTE(review): for such a field the real length is presumably read from
   the data record itself, which makes it exporter-controlled. It should be
   bounded by the enclosing flowset length before use - confirm in the
   data-flow dissection code. */
223 #define VARIABLE_LENGTH 65535
225 static const value_string v5_sampling_mode[] = {
226 {0, "No sampling mode configured"},
227 {1, "Packet Interval sampling mode configured"},
228 {2, "Random sampling mode configured"},
236 V8PDU_SPREFIX_METHOD,
237 V8PDU_DPREFIX_METHOD,
239 V8PDU_DESTONLY_METHOD,
240 V8PDU_SRCDEST_METHOD,
243 V8PDU_TOSPROTOPORT_METHOD,
244 V8PDU_TOSSRCPREFIX_METHOD,
245 V8PDU_TOSDSTPREFIX_METHOD,
246 V8PDU_TOSMATRIX_METHOD,
247 V8PDU_PREPORTPROTOCOL_METHOD
250 static const value_string v8_agg[] = {
251 {V8PDU_AS_METHOD, "V8 AS aggregation"},
252 {V8PDU_PROTO_METHOD, "V8 Proto/Port aggregation"},
253 {V8PDU_SPREFIX_METHOD, "V8 Source Prefix aggregation"},
254 {V8PDU_DPREFIX_METHOD, "V8 Destination Prefix aggregation"},
255 {V8PDU_MATRIX_METHOD, "V8 Network Matrix aggregation"},
256 {V8PDU_DESTONLY_METHOD, "V8 Destination aggregation (Cisco Catalyst)"},
257 {V8PDU_SRCDEST_METHOD, "V8 Src/Dest aggregation (Cisco Catalyst)"},
258 {V8PDU_FULL_METHOD, "V8 Full aggregation (Cisco Catalyst)"},
259 {V8PDU_TOSAS_METHOD, "V8 TOS+AS aggregation"},
260 {V8PDU_TOSPROTOPORT_METHOD, "V8 TOS+Protocol aggregation"},
261 {V8PDU_TOSSRCPREFIX_METHOD, "V8 TOS+Source Prefix aggregation"},
262 {V8PDU_TOSDSTPREFIX_METHOD, "V8 TOS+Destination Prefix aggregation"},
263 {V8PDU_TOSMATRIX_METHOD, "V8 TOS+Prefix Matrix aggregation"},
264 {V8PDU_PREPORTPROTOCOL_METHOD, "V8 Port+Protocol aggregation"},
267 static value_string_ext v8_agg_ext = VALUE_STRING_EXT_INIT(v8_agg);
269 /* Version 9 template cache structures */
270 /* This was 100, but this gives a horrible hash distribution. */
271 /* I've also increased this to reduce the chance of collisions until I
272 have a chance to add chaining (or something) to the template cache
/* Number of slots in the statically allocated v9/v10 template cache.
   NOTE(review): the ToDo in the file header describes the cache as a
   home-grown hash that can collide and has no chaining. What happens to a
   colliding template is not visible here. If a later template replaces or
   shadows an earlier one, data flows could be decoded with the wrong
   template's field lengths - confirm in the cache insert/lookup code. */
274 #define V9_V10_TEMPLATE_CACHE_MAX_ENTRIES 521
276 /* Max number of entries/scopes per template */
277 /* Space is allocated dynamically so there isn't really a need to
278 bound this except to cap possible memory use. Unfortunately if
279 this value is too low we can't decode any template with more than
280 v9template_max_fields fields in it. The best compromise seems
281 to be to make v9template_max_fields a user preference.
282 A value of 0 will be unlimited.
/* Default for the per-template field cap. v9template_max_fields holds the
   value in effect and starts at this default.
   NOTE(review): templates are parsed from the traffic being dissected, so
   this cap is what limits the memory a single template can claim. With the
   value set to 0 (unlimited) the only remaining bound would be the width of
   the template's field count - confirm where the cap is enforced. */
284 #define V9TEMPLATE_MAX_FIELDS_DEF 60
285 static guint v9template_max_fields = V9TEMPLATE_MAX_FIELDS_DEF;
287 struct v9_v10_template_entry {
291 const gchar *pen_str;
297 /* START IPFIX VENDOR FIELDS */
301 } v9_v10_template_fields_type_t;
/* Number of per-template field lists, counting the vendor-specific ones. */
303 #define TF_NUM_EXT 5 /* includes vendor fields */
/* One cached v9/v10 template. Only part of the structure is visible in this
   listing: the closing brace and several members are missing.
   NOTE(review): field_count[] is sized by TF_NUM, while fields[] is sized by
   TF_NUM_EXT. TF_NUM is not visible here. If it is smaller than TF_NUM_EXT,
   an index that is valid for fields[] (a vendor list) is out of range for
   field_count[] - confirm that no loop uses one index for both arrays. */
305 struct v9_v10_template {
310 gboolean template_exists; /* TRUE: template exists */
311 guint16 field_count[TF_NUM]; /* 0:scopes; 1:entries */
312 struct v9_v10_template_entry *fields[TF_NUM_EXT]; /* 0:scopes; 1:entries; n:vendor_entries */
/* The template cache: a fixed-size static array with
   V9_V10_TEMPLATE_CACHE_MAX_ENTRIES slots. */
315 static struct v9_v10_template v9_v10_template_cache[V9_V10_TEMPLATE_CACHE_MAX_ENTRIES];
317 static const value_string v9_v10_template_types[] = {
324 { 7, "L4_SRC_PORT" },
325 { 8, "IP_SRC_ADDR" },
327 { 10, "INPUT_SNMP" },
328 { 11, "L4_DST_PORT" },
329 { 12, "IP_DST_ADDR" },
331 { 14, "OUTPUT_SNMP" },
332 { 15, "IP_NEXT_HOP" },
335 { 18, "BGP_NEXT_HOP" },
337 { 20, "MUL_DOCTETS" },
338 { 21, "LAST_SWITCHED" },
339 { 22, "FIRST_SWITCHED" },
342 { 25, "IP LENGTH MINIMUM" },
343 { 26, "IP LENGTH MAXIMUM" },
344 { 27, "IPV6_SRC_ADDR" },
345 { 28, "IPV6_DST_ADDR" },
346 { 29, "IPV6_SRC_MASK" },
347 { 30, "IPV6_DST_MASK" },
348 { 31, "FLOW_LABEL" },
351 { 34, "SAMPLING_INTERVAL" },
352 { 35, "SAMPLING_ALGORITHM" },
353 { 36, "FLOW_ACTIVE_TIMEOUT" },
354 { 37, "FLOW_INACTIVE_TIMEOUT" },
355 { 38, "ENGINE_TYPE" },
357 { 40, "TOTAL_BYTES_EXP" },
358 { 41, "TOTAL_PKTS_EXP" },
359 { 42, "TOTAL_FLOWS_EXP" },
360 { 44, "IP_SRC_PREFIX" },
361 { 45, "IP_DST_PREFIX" },
362 { 46, "MPLS_TOP_LABEL_TYPE" },
363 { 47, "MPLS_TOP_LABEL_ADDR" },
364 { 48, "FLOW_SAMPLER_ID" },
365 { 49, "FLOW_SAMPLER_MODE" },
366 { 50, "FLOW_SAMPLER_RANDOM_INTERVAL" },
367 { 51, "FLOW_CLASS" },
368 { 52, "IP TTL MINIMUM" },
369 { 53, "IP TTL MAXIMUM" },
376 { 60, "IP_PROTOCOL_VERSION" },
378 { 62, "IPV6_NEXT_HOP" },
379 { 63, "BGP_IPV6_NEXT_HOP" },
380 { 64, "IPV6_OPTION_HEADERS" },
381 { 70, "MPLS_LABEL_1" },
382 { 71, "MPLS_LABEL_2" },
383 { 72, "MPLS_LABEL_3" },
384 { 73, "MPLS_LABEL_4" },
385 { 74, "MPLS_LABEL_5" },
386 { 75, "MPLS_LABEL_6" },
387 { 76, "MPLS_LABEL_7" },
388 { 77, "MPLS_LABEL_8" },
389 { 78, "MPLS_LABEL_9" },
390 { 79, "MPLS_LABEL_10" },
391 { 80, "DESTINATION_MAC" },
392 { 81, "SOURCE_MAC" },
395 { 84, "SAMPLER_NAME" },
396 { 85, "BYTES_TOTAL" },
397 { 86, "PACKETS_TOTAL" },
398 { 88, "FRAGMENT_OFFSET" },
399 { 89, "FORWARDING_STATUS" },
400 { 90, "VPN_ROUTE_DISTINGUISHER" },
401 { 91, "mplsTopLabelPrefixLength" },
402 { 92, "SRC_TRAFFIC_INDEX" },
403 { 93, "DST_TRAFFIC_INDEX" },
404 { 94, "APPLICATION_DESC" },
405 { 95, "APPLICATION_ID" },
406 { 96, "APPLICATION_NAME" },
407 { 98, "postIpDiffServCodePoint" },
408 { 99, "multicastReplicationFactor" },
409 { 128, "DST_AS_PEER" },
410 { 129, "SRC_AS_PEER" },
411 { 130, "exporterIPv4Address" },
412 { 131, "exporterIPv6Address" },
413 { 132, "DROPPED_BYTES" },
414 { 133, "DROPPED_PACKETS" },
415 { 134, "DROPPED_BYTES_TOTAL" },
416 { 135, "DROPPED_PACKETS_TOTAL" },
417 { 136, "flowEndReason" },
418 { 137, "commonPropertiesId" },
419 { 138, "observationPointId" },
420 { 139, "icmpTypeCodeIPv6" },
421 { 140, "MPLS_TOP_LABEL_IPv6_ADDRESS" },
422 { 141, "lineCardId" },
424 { 143, "meteringProcessId" },
425 { 144, "FLOW_EXPORTER" },
426 { 145, "templateId" },
427 { 146, "wlanChannelId" },
430 { 149, "observationDomainId" },
431 { 150, "flowStartSeconds" },
432 { 151, "flowEndSeconds" },
433 { 152, "flowStartMilliseconds" },
434 { 153, "flowEndMilliseconds" },
435 { 154, "flowStartMicroseconds" },
436 { 155, "flowEndMicroseconds" },
437 { 156, "flowStartNanoseconds" },
438 { 157, "flowEndNanoseconds" },
439 { 158, "flowStartDeltaMicroseconds" },
440 { 159, "flowEndDeltaMicroseconds" },
441 { 160, "systemInitTimeMilliseconds" },
442 { 161, "flowDurationMilliseconds" },
443 { 162, "flowDurationMicroseconds" },
444 { 163, "observedFlowTotalCount" },
445 { 164, "ignoredPacketTotalCount" },
446 { 165, "ignoredOctetTotalCount" },
447 { 166, "notSentFlowTotalCount" },
448 { 167, "notSentPacketTotalCount" },
449 { 168, "notSentOctetTotalCount" },
450 { 169, "destinationIPv6Prefix" },
451 { 170, "sourceIPv6Prefix" },
452 { 171, "postOctetTotalCount" },
453 { 172, "postPacketTotalCount" },
454 { 173, "flowKeyIndicator" },
455 { 174, "postMCastPacketTotalCount" },
456 { 175, "postMCastOctetTotalCount" },
457 { 176, "ICMP_IPv4_TYPE" },
458 { 177, "ICMP_IPv4_CODE" },
459 { 178, "ICMP_IPv6_TYPE" },
460 { 179, "ICMP_IPv6_CODE" },
461 { 180, "UDP_SRC_PORT" },
462 { 181, "UDP_DST_PORT" },
463 { 182, "TCP_SRC_PORT" },
464 { 183, "TCP_DST_PORT" },
465 { 184, "TCP_SEQ_NUM" },
466 { 185, "TCP_ACK_NUM" },
467 { 186, "TCP_WINDOW_SIZE" },
468 { 187, "TCP_URGENT_PTR" },
469 { 188, "TCP_HEADER_LEN" },
470 { 189, "IP_HEADER_LEN" },
471 { 190, "IP_TOTAL_LEN" },
472 { 191, "payloadLengthIPv6" },
474 { 193, "nextHeaderIPv6" },
477 { 196, "IP_PRECEDENCE" },
478 { 197, "IP_FRAGMENT_FLAGS" },
479 { 198, "BYTES_SQUARED" },
480 { 199, "BYTES_SQUARED_PERMANENT" },
481 { 200, "MPLS_TOP_LABEL_TTL" },
482 { 201, "MPLS_LABEL_STACK_OCTETS" },
483 { 202, "MPLS_LABEL_STACK_DEPTH" },
484 { 203, "MPLS_TOP_LABEL_EXP" },
485 { 204, "IP_PAYLOAD_LENGTH" },
486 { 205, "UDP_LENGTH" },
487 { 206, "IS_MULTICAST" },
488 { 207, "IP_HEADER_WORDS" },
489 { 208, "IP_OPTION_MAP" },
490 { 209, "TCP_OPTION_MAP" },
491 { 210, "paddingOctets" },
492 { 211, "collectorIPv4Address" },
493 { 212, "collectorIPv6Address" },
494 { 213, "collectorInterface" },
495 { 214, "collectorProtocolVersion" },
496 { 215, "collectorTransportProtocol" },
497 { 216, "collectorTransportPort" },
498 { 217, "exporterTransportPort" },
499 { 218, "tcpSynTotalCount" },
500 { 219, "tcpFinTotalCount" },
501 { 220, "tcpRstTotalCount" },
502 { 221, "tcpPshTotalCount" },
503 { 222, "tcpAckTotalCount" },
504 { 223, "tcpUrgTotalCount" },
505 { 224, "ipTotalLength" },
506 { 225, "postNATSourceIPv4Address" },
507 { 226, "postNATDestinationIPv4Address" },
508 { 227, "postNAPTSourceTransportPort" },
509 { 228, "postNAPTDestinationTransportPort" },
510 { 229, "natOriginatingAddressRealm" },
512 { 231, "initiatorOctets" },
513 { 232, "responderOctets" },
514 { 233, "firewallEvent" },
515 { 234, "ingressVRFID" },
516 { 235, "egressVRFID" },
518 { 237, "postMplsTopLabelExp" },
519 { 238, "tcpWindowScale" },
520 { 239, "biflowDirection" },
521 { 240, "ethernetHeaderLength" },
522 { 241, "ethernetPayloadLength" },
523 { 242, "ethernetTotalLength" },
524 { 243, "dot1qVlanId" },
525 { 244, "dot1qPriority" },
526 { 245, "dot1qCustomerVlanId" },
527 { 246, "dot1qCustomerPriority" },
528 { 247, "metroEvcId" },
529 { 248, "metroEvcType" },
530 { 249, "pseudoWireId" },
531 { 250, "pseudoWireType" },
532 { 251, "pseudoWireControlWord" },
533 { 252, "ingressPhysicalInterface" },
534 { 253, "egressPhysicalInterface" },
535 { 254, "postDot1qVlanId" },
536 { 255, "postDot1qCustomerVlanId" },
537 { 256, "ethernetType" },
538 { 257, "postIpPrecedence" },
539 { 258, "collectionTimeMilliseconds" },
540 { 259, "exportSctpStreamId" },
541 { 260, "maxExportSeconds" },
542 { 261, "maxFlowEndSeconds" },
543 { 262, "messageMD5Checksum" },
544 { 263, "messageScope" },
545 { 264, "minExportSeconds" },
546 { 265, "minFlowStartSeconds" },
547 { 266, "opaqueOctets" },
548 { 267, "sessionScope" },
549 { 268, "maxFlowEndMicroseconds" },
550 { 269, "maxFlowEndMilliseconds" },
551 { 270, "maxFlowEndNanoseconds" },
552 { 271, "minFlowStartMicroseconds" },
553 { 272, "minFlowStartMilliseconds" },
554 { 273, "minFlowStartNanoseconds" },
555 { 274, "collectorCertificate" },
556 { 275, "exporterCertificate" },
557 { 301, "selectionSequenceId" },
558 { 302, "selectorId" },
559 { 303, "informationElementId" },
560 { 304, "selectorAlgorithm" },
561 { 305, "samplingPacketInterval" },
562 { 306, "samplingPacketSpace" },
563 { 307, "samplingTimeInterval" },
564 { 308, "samplingTimeSpace" },
565 { 309, "samplingSize" },
566 { 310, "samplingPopulation" },
567 { 311, "samplingProbability" },
568 { 313, "IP_SECTION HEADER" },
569 { 314, "IP_SECTION PAYLOAD" },
570 { 316, "mplsLabelStackSection" },
571 { 317, "mplsPayloadPacketSection" },
572 { 318, "selectorIdTotalPktsObserved" },
573 { 319, "selectorIdTotalPktsSelected" },
574 { 320, "absoluteError" },
575 { 321, "relativeError" },
576 { 322, "observationTimeSeconds" },
577 { 323, "observationTimeMilliseconds" },
578 { 324, "observationTimeMicroseconds" },
579 { 325, "observationTimeNanoseconds" },
580 { 326, "digestHashValue" },
581 { 327, "hashIPPayloadOffset" },
582 { 328, "hashIPPayloadSize" },
583 { 329, "hashOutputRangeMin" },
584 { 330, "hashOutputRangeMax" },
585 { 331, "hashSelectedRangeMin" },
586 { 332, "hashSelectedRangeMax" },
587 { 333, "hashDigestOutput" },
588 { 334, "hashInitialiserValue" },
589 { 335, "selectorName" },
590 { 336, "upperCILimit" },
591 { 337, "lowerCILimit" },
592 { 338, "confidenceLevel" },
593 { 339, "informationElementDataType" },
594 { 340, "informationElementDescription" },
595 { 341, "informationElementName" },
596 { 342, "informationElementRangeBegin" },
597 { 343, "informationElementRangeEnd" },
598 { 344, "informationElementSemantics" },
599 { 345, "informationElementUnits" },
600 { 346, "privateEnterpriseNumber" },
601 /* Ericsson NAT Logging */
602 { 24628, "NAT_LOG_FIELD_IDX_CONTEXT_ID" },
603 { 24629, "NAT_LOG_FIELD_IDX_CONTEXT_NAME" },
604 { 24630, "NAT_LOG_FIELD_IDX_ASSIGN_TS_SEC" },
605 { 24631, "NAT_LOG_FIELD_IDX_UNASSIGN_TS_SEC" },
606 { 24632, "NAT_LOG_FIELD_IDX_IPV4_INT_ADDR" },
607 { 24633, "NAT_LOG_FIELD_IDX_IPV4_EXT_ADDR" },
608 { 24634, "NAT_LOG_FIELD_IDX_EXT_PORT_FIRST" },
609 { 24635, "NAT_LOG_FIELD_IDX_EXT_PORT_LAST" },
610 /* Cisco ASA5500 Series NetFlow */
611 { 33000, "INGRESS_ACL_ID" },
612 { 33001, "EGRESS_ACL_ID" },
613 { 33002, "FW_EXT_EVENT" },
614 /* medianet performance monitor */
615 { 37000, "PACKETS_DROPPED" },
616 { 37003, "BYTE_RATE" },
617 { 37004, "APPLICATION_MEDIA_BYTES" },
618 { 37006, "APPLICATION_MEDIA_BYTE_RATE" },
619 { 37007, "APPLICATION_MEDIA_PACKETS" },
620 { 37009, "APPLICATION_MEDIA_PACKET_RATE" },
621 { 37011, "APPLICATION_MEDIA_EVENT" },
622 { 37012, "MONITOR_EVENT" },
623 { 37013, "TIMESTAMP_INTERVAL" },
624 { 37014, "TRANSPORT_PACKETS_EXPECTED" },
625 { 37016, "TRANSPORT_ROUND_TRIP_TIME" },
626 { 37017, "TRANSPORT_EVENT_PACKET_LOSS" },
627 { 37019, "TRANSPORT_PACKETS_LOST" },
628 { 37021, "TRANSPORT_PACKETS_LOST_RATE" },
629 { 37022, "TRANSPORT_RTP_SSRC" },
630 { 37023, "TRANSPORT_RTP_JITTER_MEAN" },
631 { 37024, "TRANSPORT_RTP_JITTER_MIN" },
632 { 37025, "TRANSPORT_RTP_JITTER_MAX" },
633 { 40000, "AAA_USERNAME" },
634 { 40001, "XLATE_SRC_ADDR_IPV4" },
635 { 40002, "XLATE_DST_ADDR_IPV4" },
636 { 40003, "XLATE_SRC_PORT" },
637 { 40004, "XLATE_DST_PORT" },
638 { 40005, "FW_EVENT" },
639 /* v9 nTop extensions. */
640 { 80 + NTOP_BASE, "FRAGMENTS" },
641 { 82 + NTOP_BASE, "CLIENT_NW_DELAY_SEC" },
642 { 83 + NTOP_BASE, "CLIENT_NW_DELAY_USEC" },
643 { 84 + NTOP_BASE, "SERVER_NW_DELAY_SEC" },
644 { 85 + NTOP_BASE, "SERVER_NW_DELAY_USEC" },
645 { 86 + NTOP_BASE, "APPL_LATENCY_SEC" },
646 { 87 + NTOP_BASE, "APPL_LATENCY_USEC" },
647 { 98 + NTOP_BASE, "ICMP_FLAGS" },
648 { 101 + NTOP_BASE, "SRC_IP_COUNTRY" },
649 { 102 + NTOP_BASE, "SRC_IP_CITY" },
650 { 103 + NTOP_BASE, "DST_IP_COUNTRY" },
651 { 104 + NTOP_BASE, "DST_IP_CITY" },
652 { 105 + NTOP_BASE, "FLOW_PROTO_PORT" },
653 { 106 + NTOP_BASE, "TUNNEL_ID" },
654 { 107 + NTOP_BASE, "LONGEST_FLOW_PKT" },
655 { 108 + NTOP_BASE, "SHORTEST_FLOW_PKT" },
656 { 109 + NTOP_BASE, "RETRANSMITTED_IN_PKTS" },
657 { 110 + NTOP_BASE, "RETRANSMITTED_OUT_PKTS" },
658 { 111 + NTOP_BASE, "OOORDER_IN_PKTS" },
659 { 112 + NTOP_BASE, "OOORDER_OUT_PKTS" },
660 { 113 + NTOP_BASE, "UNTUNNELED_PROTOCOL" },
661 { 114 + NTOP_BASE, "UNTUNNELED_IPV4_SRC_ADDR" },
662 { 115 + NTOP_BASE, "UNTUNNELED_L4_SRC_PORT" },
663 { 116 + NTOP_BASE, "UNTUNNELED_IPV4_DST_ADDR" },
664 { 117 + NTOP_BASE, "UNTUNNELED_L4_DST_PORT" },
665 { 120 + NTOP_BASE, "DUMP_PATH" },
666 { 130 + NTOP_BASE, "SIP_CALL_ID" },
667 { 131 + NTOP_BASE, "SIP_CALLING_PARTY" },
668 { 132 + NTOP_BASE, "SIP_CALLED_PARTY" },
669 { 133 + NTOP_BASE, "SIP_RTP_CODECS" },
670 { 134 + NTOP_BASE, "SIP_INVITE_TIME" },
671 { 135 + NTOP_BASE, "SIP_TRYING_TIME" },
672 { 136 + NTOP_BASE, "SIP_RINGING_TIME" },
673 { 137 + NTOP_BASE, "SIP_OK_TIME" },
674 { 138 + NTOP_BASE, "SIP_BYE_TIME" },
675 { 139 + NTOP_BASE, "SIP_RTP_SRC_IP" },
676 { 140 + NTOP_BASE, "SIP_RTP_SRC_PORT" },
677 { 141 + NTOP_BASE, "SIP_RTP_DST_IP" },
678 { 142 + NTOP_BASE, "SIP_RTP_DST_PORT" },
679 { 150 + NTOP_BASE, "RTP_FIRST_SSRC" },
680 { 151 + NTOP_BASE, "RTP_FIRST_TS" },
681 { 152 + NTOP_BASE, "RTP_LAST_SSRC" },
682 { 153 + NTOP_BASE, "RTP_LAST_TS" },
683 { 154 + NTOP_BASE, "RTP_IN_JITTER" },
684 { 155 + NTOP_BASE, "RTP_OUT_JITTER" },
685 { 156 + NTOP_BASE, "RTP_IN_PKT_LOST" },
686 { 157 + NTOP_BASE, "RTP_OUT_PKT_LOST" },
687 { 158 + NTOP_BASE, "RTP_OUT_PAYLOAD_TYPE" },
688 { 159 + NTOP_BASE, "RTP_IN_MAX_DELTA" },
689 { 160 + NTOP_BASE, "RTP_OUT_MAX_DELTA" },
690 { 165 + NTOP_BASE, "L7_PROTO" },
691 { 180 + NTOP_BASE, "HTTP_URL" },
692 { 181 + NTOP_BASE, "HTTP_RET_CODE" },
693 { 182 + NTOP_BASE, "HTTP_REFERER" },
694 { 183 + NTOP_BASE, "HTTP_UA" },
695 { 184 + NTOP_BASE, "HTTP_MIME" },
696 { 185 + NTOP_BASE, "SMTP_MAIL_FROM" },
697 { 186 + NTOP_BASE, "SMTP_RCPT_TO" },
698 { 195 + NTOP_BASE, "MYSQL_SERVER_VERSION" },
699 { 196 + NTOP_BASE, "MYSQL_USERNAME" },
700 { 197 + NTOP_BASE, "MYSQL_DB" },
701 { 198 + NTOP_BASE, "MYSQL_QUERY" },
702 { 199 + NTOP_BASE, "MYSQL_RESPONSE" },
705 static const value_string v10_template_types_plixer[] = {
706 { 100, "client_ip_v4" },
707 { 101, "client_hostname" },
708 { 102, "partner_name" },
709 { 103, "server_hostname" },
710 { 104, "server_ip_v4" },
711 { 105, "recipient_address" },
715 { 109, "recipient_report_status" },
716 { 110, "number_recipients" },
717 { 111, "origination_time" },
718 { 112, "encryption" },
719 { 113, "service_version" },
720 { 114, "linked_msgid" },
721 { 115, "message_subject" },
722 { 116, "sender_address" },
723 { 117, "date_time" },
724 { 118, "client_ip_v6" },
725 { 119, "server_ip_v6" },
726 { 120, "source_context" },
727 { 121, "connector_id" },
728 { 122, "source_component" },
729 { 124, "related_recipient_address" },
730 { 125, "reference" },
731 { 126, "return_path" },
732 { 127, "message_info" },
733 { 128, "directionality" },
734 { 129, "tenant_id" },
735 { 130, "original_client_ip_v4" },
736 { 131, "original_server_ip_v4" },
737 { 132, "custom_data" },
738 { 133, "internal_message_id" },
741 static const value_string v10_template_types_ntop[] = {
743 { 82, "CLIENT_NW_DELAY_SEC" },
744 { 83, "CLIENT_NW_DELAY_USEC" },
745 { 84, "SERVER_NW_DELAY_SEC" },
746 { 85, "SERVER_NW_DELAY_USEC" },
747 { 86, "APPL_LATENCY_SEC" },
748 { 87, "APPL_LATENCY_USEC" },
749 { 98, "ICMP_FLAGS" },
750 { 101, "SRC_IP_COUNTRY" },
751 { 102, "SRC_IP_CITY" },
752 { 103, "DST_IP_COUNTRY" },
753 { 104, "DST_IP_CITY" },
754 { 105, "FLOW_PROTO_PORT" },
755 { 106, "TUNNEL_ID" },
756 { 107, "LONGEST_FLOW_PKT" },
757 { 108, "SHORTEST_FLOW_PKT" },
758 { 109, "RETRANSMITTED_IN_PKTS" },
759 { 110, "RETRANSMITTED_OUT_PKTS" },
760 { 111, "OOORDER_IN_PKTS" },
761 { 112, "OOORDER_OUT_PKTS" },
762 { 113, "UNTUNNELED_PROTOCOL" },
763 { 114, "UNTUNNELED_IPV4_SRC_ADDR" },
764 { 115, "UNTUNNELED_L4_SRC_PORT" },
765 { 116, "UNTUNNELED_IPV4_DST_ADDR" },
766 { 117, "UNTUNNELED_L4_DST_PORT" },
767 { 120, "DUMP_PATH" },
768 { 130, "SIP_CALL_ID" },
769 { 131, "SIP_CALLING_PARTY" },
770 { 132, "SIP_CALLED_PARTY" },
771 { 133, "SIP_RTP_CODECS" },
772 { 134, "SIP_INVITE_TIME" },
773 { 135, "SIP_TRYING_TIME" },
774 { 136, "SIP_RINGING_TIME" },
775 { 137, "SIP_OK_TIME" },
776 { 138, "SIP_BYE_TIME" },
777 { 139, "SIP_RTP_SRC_IP" },
778 { 140, "SIP_RTP_SRC_PORT" },
779 { 141, "SIP_RTP_DST_IP" },
780 { 142, "SIP_RTP_DST_PORT" },
781 { 150, "RTP_FIRST_SSRC" },
782 { 151, "RTP_FIRST_TS" },
783 { 152, "RTP_LAST_SSRC" },
784 { 153, "RTP_LAST_TS" },
785 { 154, "RTP_IN_JITTER" },
786 { 155, "RTP_OUT_JITTER" },
787 { 156, "RTP_IN_PKT_LOST" },
788 { 157, "RTP_OUT_PKT_LOST" },
789 { 158, "RTP_OUT_PAYLOAD_TYPE" },
790 { 159, "RTP_IN_MAX_DELTA" },
791 { 160, "RTP_OUT_MAX_DELTA" },
794 { 181, "HTTP_RET_CODE" },
795 { 182, "HTTP_REFERER" },
797 { 184, "HTTP_MIME" },
798 { 185, "SMTP_MAIL_FROM" },
799 { 186, "SMTP_RCPT_TO" },
800 { 195, "MYSQL_SERVER_VERSION" },
801 { 196, "MYSQL_USERNAME" },
803 { 198, "MYSQL_QUERY" },
804 { 199, "MYSQL_RESPONSE" },
808 static value_string_ext v9_v10_template_types_ext = VALUE_STRING_EXT_INIT(v9_v10_template_types);
810 static value_string_ext v10_template_types_plixer_ext = VALUE_STRING_EXT_INIT(v10_template_types_plixer);
811 static value_string_ext v10_template_types_ntop_ext = VALUE_STRING_EXT_INIT(v10_template_types_ntop);
813 static const value_string v9_scope_field_types[] = {
817 { 4, "NetFlow Cache" },
821 static value_string_ext v9_scope_field_types_ext = VALUE_STRING_EXT_INIT(v9_scope_field_types);
823 static const value_string v9_sampler_mode[] = {
824 { 0, "Deterministic" },
825 { 1, "Unknown" }, /* "Time-Based" ?? */
830 static const value_string v9_direction[] = {
836 #define FORWARDING_STATUS_UNKNOWN 0
837 #define FORWARDING_STATUS_FORWARD 1
838 #define FORWARDING_STATUS_DROP 2
839 #define FORWARDING_STATUS_CONSUME 3
841 static const value_string v9_forwarding_status[] = {
842 { FORWARDING_STATUS_UNKNOWN, "Unknown"}, /* Observed on IOS-XR 3.2 */
843 { FORWARDING_STATUS_FORWARD, "Forward"}, /* Observed on 7200 12.4(9)T */
844 { FORWARDING_STATUS_DROP, "Drop"}, /* Observed on 7200 12.4(9)T */
845 { FORWARDING_STATUS_CONSUME, "Consume"}, /* Observed on 7200 12.4(9)T */
849 static const value_string v9_forwarding_status_unknown_code[] = {
853 static const value_string v9_forwarding_status_forward_code[] = {
854 { 0, "Forwarded (Unknown)" },
855 { 1, "Forwarded Fragmented" },
856 { 2, "Forwarded not Fragmented" },
860 static const value_string v9_forwarding_status_drop_code[] = {
861 { 0, "Dropped (Unknown)" },
862 { 1, "Drop ACL Deny" },
863 { 2, "Drop ACL drop" },
864 { 3, "Drop Unroutable" },
865 { 4, "Drop Adjacency" },
866 { 5, "Drop Fragmentation & DF set" },
867 { 6, "Drop Bad header checksum" },
868 { 7, "Drop Bad total Length" },
869 { 8, "Drop Bad Header Length" },
870 { 9, "Drop bad TTL" },
871 { 10, "Drop Policer" },
874 { 13, "Drop For us" },
875 { 14, "Drop Bad output interface" },
876 { 15, "Drop Hardware" },
880 static const value_string v9_forwarding_status_consume_code[] = {
881 { 0, "Consumed (Unknown)" },
882 { 1, "Terminate Punt Adjacency" },
883 { 2, "Terminate Incomplete Adjacency" },
884 { 3, "Terminate For us" },
888 static const value_string v9_firewall_event[] = {
889 { 0, "Default (ignore)"},
890 { 1, "Flow created"},
891 { 2, "Flow deleted"},
897 static const value_string v9_extended_firewall_event[] = {
899 { 1001, "Flow denied by an ingress ACL"},
900 { 1002, "Flow denied by an egress ACL"},
901 { 1003, "Flow denied by security appliance"},
902 { 1004, "Flow denied (TCP flow beginning with not TCP SYN)"},
906 static const value_string engine_type[] = {
908 { 1, "VIP/Linecard"},
913 static const value_string v9_flow_end_reason[] = {
915 { 1, "Idle timeout"},
916 { 2, "Active timeout" },
917 { 3, "End of Flow detected" },
919 { 5, "Lack of resources" },
923 static const value_string v9_biflow_direction[] = {
926 { 2, "ReverseInitiator" },
931 static const value_string selector_algorithm[] = {
933 { 1, "Systematic count-based Sampling"},
934 { 2, "Systematic time-based Sampling"},
935 { 3, "Random n-out-of-N Sampling"},
936 { 4, "Uniform probabilistic Sampling"},
937 { 5, "Property match Filtering"},
938 { 6, "Hash based Filtering using BOB"},
939 { 7, "Hash based Filtering using IPSX"},
940 { 8, "Hash based Filtering using CRC"},
943 static value_string_ext selector_algorithm_ext = VALUE_STRING_EXT_INIT(selector_algorithm);
945 static const value_string performance_monitor_specials[] = {
946 { 0xFFFFFFFF, "Not Measured"},
947 { 0xFFFF, "Not Measured"},
953 * wireshark tree identifiers
956 static int proto_netflow = -1;
957 static int ett_netflow = -1;
958 static int ett_unixtime = -1;
959 static int ett_flow = -1;
960 static int ett_flowtime = -1;
961 static int ett_str_len = -1;
962 static int ett_template = -1;
963 static int ett_field = -1;
964 static int ett_dataflowset = -1;
965 static int ett_fwdstat = -1;
971 static int hf_cflow_version = -1;
972 static int hf_cflow_count = -1;
973 static int hf_cflow_len = -1;
974 static int hf_cflow_sysuptime = -1;
975 static int hf_cflow_exporttime = -1;
976 static int hf_cflow_unix_secs = -1;
977 static int hf_cflow_unix_nsecs = -1;
978 static int hf_cflow_timestamp = -1;
979 static int hf_cflow_samplingmode = -1;
980 static int hf_cflow_samplerate = -1;
982 static int hf_cflow_unknown_field_type = -1;
985 * cflow version specific info
987 static int hf_cflow_sequence = -1;
988 static int hf_cflow_engine_type = -1;
989 static int hf_cflow_engine_id = -1;
990 static int hf_cflow_source_id = -1;
992 static int hf_cflow_aggmethod = -1;
993 static int hf_cflow_aggversion = -1;
997 static int hf_cflow_flowset_id = -1;
998 static int hf_cflow_flowset_length = -1;
999 static int hf_cflow_template_id = -1;
1000 static int hf_cflow_template_field_count = -1;
1001 static int hf_cflow_template_field_type = -1;
1002 static int hf_cflow_template_field_length = -1;
1003 static int hf_cflow_option_scope_length = -1;
1004 static int hf_cflow_option_length = -1;
1005 static int hf_cflow_template_scope_field_type = -1;
1007 static int hf_cflow_scope_system = -1;
1008 static int hf_cflow_scope_interface = -1;
1009 static int hf_cflow_scope_linecard = -1;
1010 static int hf_cflow_scope_cache = -1;
1011 static int hf_cflow_scope_template = -1;
1014 static int hf_cflow_template_ipfix_total_field_count = -1;
1015 static int hf_cflow_template_ipfix_scope_field_count = -1;
1016 static int hf_cflow_template_ipfix_pen_provided = -1;
1017 static int hf_cflow_template_ipfix_field_type = -1;
1018 static int hf_cflow_template_ipfix_field_type_enterprise = -1;
1019 static int hf_cflow_template_ipfix_field_pen = -1;
1021 /* IPFIX / vendor */
1022 static int hf_cflow_template_plixer_field_type = -1;
1023 static int hf_cflow_template_ntop_field_type = -1;
1029 static int hf_cflow_srcaddr = -1;
1030 static int hf_cflow_srcaddr_v6 = -1;
1031 static int hf_cflow_srcnet = -1;
1032 static int hf_cflow_dstaddr = -1;
1033 static int hf_cflow_dstaddr_v6 = -1;
1034 static int hf_cflow_dstnet = -1;
1035 static int hf_cflow_nexthop = -1;
1036 static int hf_cflow_nexthop_v6 = -1;
1037 static int hf_cflow_bgpnexthop = -1;
1038 static int hf_cflow_bgpnexthop_v6 = -1;
1039 static int hf_cflow_inputint = -1;
1040 static int hf_cflow_outputint = -1;
1041 static int hf_cflow_flows = -1;
1042 static int hf_cflow_flows64 = -1;
1043 static int hf_cflow_packets = -1;
1044 static int hf_cflow_packets64 = -1;
1045 static int hf_cflow_octets = -1;
1046 static int hf_cflow_octets64 = -1;
1047 static int hf_cflow_length_min = -1;
1048 static int hf_cflow_length_max = -1;
1049 static int hf_cflow_timedelta = -1;
1050 static int hf_cflow_sys_init_time = -1;
1051 static int hf_cflow_timestart = -1;
1052 static int hf_cflow_timeend = -1;
1053 static int hf_cflow_srcport = -1;
1054 static int hf_cflow_dstport = -1;
1055 static int hf_cflow_prot = -1;
1056 static int hf_cflow_tos = -1;
1057 static int hf_cflow_flags = -1;
1058 static int hf_cflow_tcpflags = -1;
1059 static int hf_cflow_dstas = -1;
1060 static int hf_cflow_srcas = -1;
1061 static int hf_cflow_dstmask = -1;
1062 static int hf_cflow_dstmask_v6 = -1;
1063 static int hf_cflow_srcmask = -1;
1064 static int hf_cflow_srcmask_v6 = -1;
1065 static int hf_cflow_routersc = -1;
1066 static int hf_cflow_mulpackets = -1;
1067 static int hf_cflow_muloctets = -1;
1068 static int hf_cflow_octets_exp = -1;
1069 static int hf_cflow_octets_exp64 = -1;
1070 static int hf_cflow_packets_exp = -1;
1071 static int hf_cflow_packets_exp64 = -1;
1072 static int hf_cflow_flows_exp = -1;
1073 static int hf_cflow_flows_exp64 = -1;
1074 static int hf_cflow_srcprefix = -1;
1075 static int hf_cflow_dstprefix = -1;
1076 static int hf_cflow_flow_class = -1;
1077 static int hf_cflow_ttl_minimum = -1;
1078 static int hf_cflow_ttl_maximum = -1;
1079 static int hf_cflow_ipv4_id = -1;
1080 static int hf_cflow_ip_version = -1;
1081 static int hf_cflow_icmp_type = -1;
1082 static int hf_cflow_igmp_type = -1;
1083 static int hf_cflow_sampling_interval = -1;
1084 static int hf_cflow_sampling_algorithm = -1;
1085 static int hf_cflow_flow_active_timeout = -1;
1086 static int hf_cflow_flow_inactive_timeout = -1;
1087 static int hf_cflow_mpls_top_label_type = -1;
1088 static int hf_cflow_mpls_pe_addr = -1;
1089 static int hf_cflow_sampler_id = -1;
1090 static int hf_cflow_sampler_mode = -1;
1091 static int hf_cflow_sampler_random_interval = -1;
1092 static int hf_cflow_direction = -1;
1093 static int hf_cflow_if_name = -1;
1094 static int hf_cflow_if_descr = -1;
1095 static int hf_cflow_sampler_name = -1;
1096 static int hf_cflow_forwarding_status = -1;
1097 static int hf_cflow_forwarding_status_unknown_code = -1;
1098 static int hf_cflow_forwarding_status_forward_code = -1;
1099 static int hf_cflow_forwarding_status_consume_code = -1;
1100 static int hf_cflow_forwarding_status_drop_code = -1;
1101 static int hf_cflow_nbar_appl_desc = -1;
1102 static int hf_cflow_nbar_appl_id = -1;
1103 static int hf_cflow_nbar_appl_name = -1;
1104 static int hf_cflow_peer_srcas = -1;
1105 static int hf_cflow_peer_dstas = -1;
1106 static int hf_cflow_flow_exporter = -1;
1107 static int hf_cflow_icmp_ipv4_type = -1;
1108 static int hf_cflow_icmp_ipv4_code = -1;
1109 static int hf_cflow_icmp_ipv6_type = -1;
1110 static int hf_cflow_icmp_ipv6_code = -1;
1111 static int hf_cflow_tcp_window_size = -1;
1112 static int hf_cflow_ipv4_total_length = -1;
1113 static int hf_cflow_ip_ttl = -1;
1114 static int hf_cflow_ip_tos = -1;
1115 static int hf_cflow_ip_dscp = -1;
1116 static int hf_cflow_octets_squared64 = -1;
1117 static int hf_cflow_udp_length = -1;
1118 static int hf_cflow_is_multicast = -1;
1119 static int hf_cflow_ip_header_words = -1;
1120 static int hf_cflow_option_map = -1;
1121 static int hf_cflow_section_header = -1;
1122 static int hf_cflow_section_payload = -1;
1123 /* IPFIX (version 10) Information Elements */
1124 static int hf_cflow_post_octets = -1;
1125 static int hf_cflow_post_octets64 = -1;
1126 static int hf_cflow_post_packets = -1;
1127 static int hf_cflow_post_packets64 = -1;
1128 static int hf_cflow_ipv6_flowlabel = -1;
1129 static int hf_cflow_ipv6_flowlabel24 = -1;
1130 static int hf_cflow_post_tos = -1;
1131 static int hf_cflow_srcmac = -1;
1132 static int hf_cflow_post_dstmac = -1;
1133 static int hf_cflow_vlanid = -1;
1134 static int hf_cflow_post_vlanid = -1;
1135 static int hf_cflow_ipv6_exthdr = -1;
1136 static int hf_cflow_dstmac = -1;
1137 static int hf_cflow_post_srcmac = -1;
1138 static int hf_cflow_permanent_packets = -1;
1139 static int hf_cflow_permanent_packets64 = -1;
1140 static int hf_cflow_permanent_octets = -1;
1141 static int hf_cflow_permanent_octets64 = -1;
1142 static int hf_cflow_fragment_offset = -1;
1143 static int hf_cflow_mpls_vpn_rd = -1;
1144 static int hf_cflow_mpls_top_label_prefix_length = -1; /* ID: 91 */
1145 static int hf_cflow_post_ip_diff_serv_code_point = -1; /* ID: 98 */
1146 static int hf_cflow_multicast_replication_factor = -1; /* ID: 99 */
1147 static int hf_cflow_exporter_addr = -1;
1148 static int hf_cflow_exporter_addr_v6 = -1;
1149 static int hf_cflow_drop_octets = -1;
1150 static int hf_cflow_drop_octets64 = -1;
1151 static int hf_cflow_drop_packets = -1;
1152 static int hf_cflow_drop_packets64 = -1;
1153 static int hf_cflow_drop_total_octets = -1;
1154 static int hf_cflow_drop_total_octets64 = -1;
1155 static int hf_cflow_drop_total_packets = -1;
1156 static int hf_cflow_drop_total_packets64 = -1;
1157 static int hf_cflow_flow_end_reason = -1;
1158 static int hf_cflow_common_properties_id = -1;
1159 static int hf_cflow_observation_point_id = -1;
1160 static int hf_cflow_mpls_pe_addr_v6 = -1;
1161 static int hf_cflow_port_id = -1;
1162 static int hf_cflow_mp_id = -1;
1163 static int hf_cflow_wlan_channel_id = -1;
1164 static int hf_cflow_wlan_ssid = -1;
1165 static int hf_cflow_flow_id = -1;
1166 static int hf_cflow_od_id = -1;
1167 static int hf_cflow_abstimestart = -1;
1168 static int hf_cflow_abstimeend = -1;
1169 static int hf_cflow_dstnet_v6 = -1;
1170 static int hf_cflow_srcnet_v6 = -1;
1171 static int hf_cflow_ignore_packets = -1;
1172 static int hf_cflow_ignore_packets64 = -1;
1173 static int hf_cflow_ignore_octets = -1;
1174 static int hf_cflow_ignore_octets64 = -1;
1175 static int hf_cflow_notsent_flows = -1;
1176 static int hf_cflow_notsent_flows64 = -1;
1177 static int hf_cflow_notsent_packets = -1;
1178 static int hf_cflow_notsent_packets64 = -1;
1179 static int hf_cflow_notsent_octets = -1;
1180 static int hf_cflow_notsent_octets64 = -1;
1181 static int hf_cflow_post_total_octets = -1;
1182 static int hf_cflow_post_total_octets64 = -1;
1183 static int hf_cflow_post_total_packets = -1;
1184 static int hf_cflow_post_total_packets64 = -1;
1185 static int hf_cflow_key = -1;
1186 static int hf_cflow_post_total_mulpackets = -1;
1187 static int hf_cflow_post_total_mulpackets64 = -1;
1188 static int hf_cflow_post_total_muloctets = -1;
1189 static int hf_cflow_post_total_muloctets64 = -1;
1190 static int hf_cflow_tcp_seq_num = -1;
1191 static int hf_cflow_tcp_ack_num = -1;
1192 static int hf_cflow_tcp_urg_ptr = -1;
1193 static int hf_cflow_tcp_header_length = -1;
1194 static int hf_cflow_ip_header_length = -1;
1195 static int hf_cflow_ipv6_payload_length = -1;
1196 static int hf_cflow_ipv6_next_hdr = -1;
1197 static int hf_cflow_ip_precedence = -1;
1198 static int hf_cflow_ip_fragment_flags = -1;
1199 static int hf_cflow_mpls_top_label_ttl = -1;
1200 static int hf_cflow_mpls_label_length = -1;
1201 static int hf_cflow_mpls_label_depth = -1;
1202 static int hf_cflow_mpls_top_label_exp = -1;
1203 static int hf_cflow_ip_payload_length = -1;
1204 static int hf_cflow_tcp_option_map = -1;
1205 static int hf_cflow_collector_addr = -1;
1206 static int hf_cflow_collector_addr_v6 = -1;
1207 static int hf_cflow_export_interface = -1;
1208 static int hf_cflow_export_protocol_version = -1;
1209 static int hf_cflow_export_prot = -1;
1210 static int hf_cflow_collector_port = -1;
1211 static int hf_cflow_exporter_port = -1;
1212 static int hf_cflow_total_tcp_syn = -1;
1213 static int hf_cflow_total_tcp_fin = -1;
1214 static int hf_cflow_total_tcp_rst = -1;
1215 static int hf_cflow_total_tcp_psh = -1;
1216 static int hf_cflow_total_tcp_ack = -1;
1217 static int hf_cflow_total_tcp_urg = -1;
1218 static int hf_cflow_ip_total_length = -1;
1219 static int hf_cflow_post_natsource_ipv4_address = -1; /* ID: 225 */
1220 static int hf_cflow_post_natdestination_ipv4_address = -1; /* ID: 226 */
1221 static int hf_cflow_post_naptsource_transport_port = -1; /* ID: 227 */
1222 static int hf_cflow_post_naptdestination_transport_port = -1; /* ID: 228 */
1223 static int hf_cflow_nat_originating_address_realm = -1; /* ID: 229 */
1224 static int hf_cflow_nat_event = -1; /* ID: 230 */
1225 static int hf_cflow_initiator_octets = -1; /* ID: 231 */
1226 static int hf_cflow_responder_octets = -1; /* ID: 232 */
1227 static int hf_cflow_firewall_event = -1; /* ID: 233 */
1228 static int hf_cflow_ingress_vrfid = -1; /* ID: 234 */
1229 static int hf_cflow_egress_vrfid = -1; /* ID: 235 */
1230 static int hf_cflow_vrfname = -1; /* ID: 236 */
1231 static int hf_cflow_post_mpls_top_label_exp = -1; /* ID: 237 */
1232 static int hf_cflow_tcp_window_scale = -1; /* ID: 238 */
1233 static int hf_cflow_biflow_direction = -1;
1234 static int hf_cflow_ethernet_header_length = -1; /* ID: 240 */
1235 static int hf_cflow_ethernet_payload_length = -1; /* ID: 241 */
1236 static int hf_cflow_ethernet_total_length = -1; /* ID: 242 */
1237 static int hf_cflow_dot1q_vlan_id = -1; /* ID: 243 */
1238 static int hf_cflow_dot1q_priority = -1; /* ID: 244 */
1239 static int hf_cflow_dot1q_customer_vlan_id = -1; /* ID: 245 */
1240 static int hf_cflow_dot1q_customer_priority = -1; /* ID: 246 */
1241 static int hf_cflow_metro_evc_id = -1; /* ID: 247 */
1242 static int hf_cflow_metro_evc_type = -1; /* ID: 248 */
1243 static int hf_cflow_pseudo_wire_id = -1; /* ID: 249 */
1244 static int hf_cflow_pseudo_wire_type = -1; /* ID: 250 */
1245 static int hf_cflow_pseudo_wire_control_word = -1; /* ID: 251 */
1246 static int hf_cflow_ingress_physical_interface = -1; /* ID: 252 */
1247 static int hf_cflow_egress_physical_interface = -1; /* ID: 253 */
1248 static int hf_cflow_post_dot1q_vlan_id = -1; /* ID: 254 */
1249 static int hf_cflow_post_dot1q_customer_vlan_id = -1; /* ID: 255 */
1250 static int hf_cflow_ethernet_type = -1; /* ID: 256 */
1251 static int hf_cflow_post_ip_precedence = -1; /* ID: 257 */
1252 static int hf_cflow_collection_time_milliseconds = -1; /* ID: 258 */
1253 static int hf_cflow_export_sctp_stream_id = -1; /* ID: 259 */
1254 static int hf_cflow_max_export_seconds = -1; /* ID: 260 */
1255 static int hf_cflow_max_flow_end_seconds = -1; /* ID: 261 */
1256 static int hf_cflow_message_md5_checksum = -1; /* ID: 262 */
1257 static int hf_cflow_message_scope = -1; /* ID: 263 */
1258 static int hf_cflow_min_export_seconds = -1; /* ID: 264 */
1259 static int hf_cflow_min_flow_start_seconds = -1; /* ID: 265 */
1260 static int hf_cflow_opaque_octets = -1; /* ID: 266 */
1261 static int hf_cflow_session_scope = -1; /* ID: 267 */
1262 static int hf_cflow_max_flow_end_microseconds = -1; /* ID: 268 */
1263 static int hf_cflow_max_flow_end_milliseconds = -1; /* ID: 269 */
1264 static int hf_cflow_max_flow_end_nanoseconds = -1; /* ID: 270 */
1265 static int hf_cflow_min_flow_start_microseconds = -1; /* ID: 271 */
1266 static int hf_cflow_min_flow_start_milliseconds = -1; /* ID: 272 */
1267 static int hf_cflow_min_flow_start_nanoseconds = -1; /* ID: 273 */
1268 static int hf_cflow_collector_certificate = -1; /* ID: 274 */
1269 static int hf_cflow_exporter_certificate = -1; /* ID: 275 */
1270 static int hf_cflow_selection_sequence_id = -1; /* ID: 301 */
1271 static int hf_cflow_selector_id = -1; /* ID: 302 */
1272 static int hf_cflow_information_element_id = -1; /* ID: 303 */
1273 static int hf_cflow_selector_algorithm = -1; /* ID: 304 */
1274 static int hf_cflow_sampling_packet_interval = -1; /* ID: 305 */
1275 static int hf_cflow_sampling_packet_space = -1; /* ID: 306 */
1276 static int hf_cflow_sampling_time_interval = -1; /* ID: 307 */
1277 static int hf_cflow_sampling_time_space = -1; /* ID: 308 */
1278 static int hf_cflow_sampling_size = -1; /* ID: 309 */
1279 static int hf_cflow_sampling_population = -1; /* ID: 310 */
1280 static int hf_cflow_sampling_probability = -1; /* ID: 311 */
1281 static int hf_cflow_mpls_label_stack_section = -1; /* ID: 316 */
1282 static int hf_cflow_mpls_payload_packet_section = -1; /* ID: 317 */
1283 static int hf_cflow_selector_id_total_pkts_observed = -1; /* ID: 318 */
1284 static int hf_cflow_selector_id_total_pkts_selected = -1; /* ID: 319 */
1285 static int hf_cflow_absolute_error = -1; /* ID: 320 */
1286 static int hf_cflow_relative_error = -1; /* ID: 321 */
1287 static int hf_cflow_observation_time_seconds = -1; /* ID: 322 */
1288 static int hf_cflow_observation_time_milliseconds = -1; /* ID: 323 */
1289 static int hf_cflow_observation_time_microseconds = -1; /* ID: 324 */
1290 static int hf_cflow_observation_time_nanoseconds = -1; /* ID: 325 */
1291 static int hf_cflow_digest_hash_value = -1; /* ID: 326 */
1292 static int hf_cflow_hash_ippayload_offset = -1; /* ID: 327 */
1293 static int hf_cflow_hash_ippayload_size = -1; /* ID: 328 */
1294 static int hf_cflow_hash_output_range_min = -1; /* ID: 329 */
1295 static int hf_cflow_hash_output_range_max = -1; /* ID: 330 */
1296 static int hf_cflow_hash_selected_range_min = -1; /* ID: 331 */
1297 static int hf_cflow_hash_selected_range_max = -1; /* ID: 332 */
1298 static int hf_cflow_hash_digest_output = -1; /* ID: 333 */
1299 static int hf_cflow_hash_initialiser_value = -1; /* ID: 334 */
1300 static int hf_cflow_selector_name = -1; /* ID: 335 */
1301 static int hf_cflow_upper_cilimit = -1; /* ID: 336 */
1302 static int hf_cflow_lower_cilimit = -1; /* ID: 337 */
1303 static int hf_cflow_confidence_level = -1; /* ID: 338 */
1304 static int hf_cflow_information_element_data_type = -1; /* ID: 339 */
1305 static int hf_cflow_information_element_description = -1; /* ID: 340 */
1306 static int hf_cflow_information_element_name = -1; /* ID: 341 */
1307 static int hf_cflow_information_element_range_begin = -1; /* ID: 342 */
1308 static int hf_cflow_information_element_range_end = -1; /* ID: 343 */
1309 static int hf_cflow_information_element_semantics = -1; /* ID: 344 */
1310 static int hf_cflow_information_element_units = -1; /* ID: 345 */
1311 static int hf_cflow_private_enterprise_number = -1; /* ID: 346 */
1312 static int hf_cflow_packets_dropped = -1; /* ID: 37000 */
1313 static int hf_cflow_byte_rate = -1; /* ID: 37003 */
1314 static int hf_cflow_application_media_bytes = -1; /* ID: 37004 */
1315 static int hf_cflow_application_media_byte_rate = -1; /* ID: 37006 */
1316 static int hf_cflow_application_media_packets = -1; /* ID: 37007 */
1317 static int hf_cflow_application_media_packet_rate = -1; /* ID: 37009 */
1318 static int hf_cflow_application_media_event = -1; /* ID: 37011 */
1319 static int hf_cflow_monitor_event = -1; /* ID: 37012 */
1320 static int hf_cflow_timestamp_interval = -1; /* ID: 37013 */
1321 static int hf_cflow_transport_packets_expected = -1; /* ID: 37014 */
1322 static int hf_cflow_transport_round_trip_time = -1; /* ID: 37016 */
1323 static int hf_cflow_transport_round_trip_time_string = -1; /* ID: 37016 */
1324 static int hf_cflow_transport_event_packet_loss = -1; /* ID: 37017 */
1325 static int hf_cflow_transport_packets_lost = -1; /* ID: 37019 */
1326 static int hf_cflow_transport_packets_lost_string = -1; /* ID: 37019 */
1327 static int hf_cflow_transport_packets_lost_rate = -1; /* ID: 37021 */
1328 static int hf_cflow_transport_packets_lost_rate_string = -1; /* ID: 37021 */
1329 static int hf_cflow_transport_rtp_ssrc = -1; /* ID: 37022 */
1330 static int hf_cflow_transport_rtp_jitter_mean = -1; /* ID: 37023 */
1331 static int hf_cflow_transport_rtp_jitter_mean_string = -1; /* ID: 37023 */
1332 static int hf_cflow_transport_rtp_jitter_min = -1; /* ID: 37024 */
1333 static int hf_cflow_transport_rtp_jitter_min_string = -1; /* ID: 37024 */
1334 static int hf_cflow_transport_rtp_jitter_max = -1; /* ID: 37025 */
1335 static int hf_cflow_transport_rtp_jitter_max_string = -1; /* ID: 37025 */
1337 /* Ericsson SE NAT Logging */
1338 static int hf_cflow_nat_context_id = -1; /* ID: 24628 */
1339 static int hf_cflow_nat_context_name = -1; /* ID: 24629 */
1340 static int hf_cflow_nat_assign_time = -1; /* ID: 24630 */
1341 static int hf_cflow_nat_unassign_time = -1; /* ID: 24631 */
1342 static int hf_cflow_nat_int_addr = -1; /* ID: 24632 */
1343 static int hf_cflow_nat_ext_addr = -1; /* ID: 24633 */
1344 static int hf_cflow_nat_ext_port_first = -1; /* ID: 24634 */
1345 static int hf_cflow_nat_ext_port_last = -1; /* ID: 24635 */
1348 /* Cisco ASA 5500 Series */
1349 static int hf_cflow_ingress_acl_id = -1; /* NF_F_INGRESS_ACL_ID (33000) */
1350 static int hf_cflow_egress_acl_id = -1; /* NF_F_EGRESS_ACL_ID (33001) */
1351 static int hf_cflow_fw_ext_event = -1; /* NF_F_FW_EXT_EVENT (33002) */
1352 static int hf_cflow_aaa_username = -1; /* NF_F_USERNAME[_MAX] (40000) */
1354 static int hf_ipfix_enterprise_private_entry = -1;
1356 /* pie = private information element */
1358 static int hf_pie_cace_local_ipv4_address = -1;
1359 static int hf_pie_cace_remote_ipv4_address = -1;
1360 static int hf_pie_cace_local_ipv6_address = -1;
1361 static int hf_pie_cace_remote_ipv6_address = -1;
1362 static int hf_pie_cace_local_port = -1;
1363 static int hf_pie_cace_remote_port = -1;
1364 static int hf_pie_cace_local_ipv4_id = -1;
1365 static int hf_pie_cace_local_icmp_id = -1;
1366 static int hf_pie_cace_local_uid = -1;
1367 static int hf_pie_cace_local_pid = -1;
1368 static int hf_pie_cace_local_username_len = -1;
1369 static int hf_pie_cace_local_username = -1;
1370 static int hf_pie_cace_local_cmd_len = -1;
1371 static int hf_pie_cace_local_cmd = -1;
1373 static int hf_pie_ntop_fragmented = -1;
1374 static int hf_pie_ntop_fingerprint = -1;
1375 static int hf_pie_ntop_client_nw_delay_sec = -1;
1376 static int hf_pie_ntop_client_nw_delay_usec = -1;
1377 static int hf_pie_ntop_server_nw_delay_sec = -1;
1378 static int hf_pie_ntop_server_nw_delay_usec = -1;
1379 static int hf_pie_ntop_appl_latency_sec = -1;
1380 static int hf_pie_ntop_icmp_flags = -1;
1381 static int hf_pie_ntop_src_ip_country = -1;
1382 static int hf_pie_ntop_src_ip_city = -1;
1383 static int hf_pie_ntop_dst_ip_country = -1;
1384 static int hf_pie_ntop_dst_ip_city = -1;
1385 static int hf_pie_ntop_flow_proto_port = -1;
1387 static int hf_pie_ntop_longest_flow_pkt = -1;
1388 static int hf_pie_ntop_ooorder_in_pkts = -1;
1389 static int hf_pie_ntop_ooorder_out_pkts = -1;
1390 static int hf_pie_ntop_retransmitted_in_pkts = -1;
1391 static int hf_pie_ntop_retransmitted_out_pkts = -1;
1392 static int hf_pie_ntop_shortest_flow_pkt = -1;
1393 static int hf_pie_ntop_tunnel_id = -1;
1394 static int hf_pie_ntop_untunneled_ipv4_dst_addr = -1;
1395 static int hf_pie_ntop_untunneled_ipv4_src_addr = -1;
1396 static int hf_pie_ntop_untunneled_l4_dst_port = -1;
1397 static int hf_pie_ntop_untunneled_l4_src_port = -1;
1398 static int hf_pie_ntop_untunneled_protocol = -1;
1400 static int hf_pie_ntop_dump_path = -1;
1401 static int hf_pie_ntop_sip_call_id = -1;
1402 static int hf_pie_ntop_sip_calling_party = -1;
1403 static int hf_pie_ntop_sip_called_party = -1;
1404 static int hf_pie_ntop_sip_rtp_codecs = -1;
1405 static int hf_pie_ntop_sip_invite_time = -1;
1406 static int hf_pie_ntop_sip_trying_time = -1;
1407 static int hf_pie_ntop_sip_ringing_time = -1;
1408 static int hf_pie_ntop_sip_ok_time = -1;
1409 static int hf_pie_ntop_sip_bye_time = -1;
1410 static int hf_pie_ntop_sip_rtp_src_ip = -1;
1411 static int hf_pie_ntop_sip_rtp_src_port = -1;
1412 static int hf_pie_ntop_sip_rtp_dst_ip = -1;
1413 static int hf_pie_ntop_sip_rtp_dst_port = -1;
1414 static int hf_pie_ntop_rtp_first_ssrc = -1;
1415 static int hf_pie_ntop_rtp_first_ts = -1;
1416 static int hf_pie_ntop_rtp_last_ssrc = -1;
1417 static int hf_pie_ntop_rtp_last_ts = -1;
1418 static int hf_pie_ntop_rtp_in_jitter = -1;
1419 static int hf_pie_ntop_rtp_out_jitter = -1;
1420 static int hf_pie_ntop_rtp_in_pkt_lost = -1;
1421 static int hf_pie_ntop_rtp_out_pkt_lost = -1;
1422 static int hf_pie_ntop_rtp_out_payload_type = -1;
1423 static int hf_pie_ntop_rtp_in_max_delta = -1;
1424 static int hf_pie_ntop_rtp_out_max_delta = -1;
1425 static int hf_pie_ntop_proc_id = -1;
1426 static int hf_pie_ntop_proc_name = -1;
1427 static int hf_pie_ntop_http_url = -1;
1428 static int hf_pie_ntop_http_ret_code = -1;
1429 static int hf_pie_ntop_smtp_mail_from = -1;
1430 static int hf_pie_ntop_smtp_rcpt_to = -1;
1432 static int hf_pie_ntop_mysql_server_version = -1;
1433 static int hf_pie_ntop_mysql_username = -1;
1434 static int hf_pie_ntop_mysql_db = -1;
1435 static int hf_pie_ntop_mysql_query = -1;
1436 static int hf_pie_ntop_mysql_response = -1;
1438 static int hf_pie_plixer_client_ip_v4 = -1;
1439 static int hf_pie_plixer_client_hostname = -1; /* string */
1440 static int hf_pie_plixer_partner_name = -1; /* string */
1441 static int hf_pie_plixer_server_hostname = -1; /* string */
1442 static int hf_pie_plixer_server_ip_v4 = -1;
1443 static int hf_pie_plixer_recipient_address = -1; /* string */
1444 static int hf_pie_plixer_event_id = -1;
1445 static int hf_pie_plixer_msgid = -1; /* string */
1447 static int hf_pie_plixer_priority = -1;
1448 static int hf_pie_plixer_recipient_report_status = -1;
1449 static int hf_pie_plixer_number_recipients = -1;
1450 static int hf_pie_plixer_origination_time = -1;
1451 static int hf_pie_plixer_encryption = -1; /* string */
1452 static int hf_pie_plixer_service_version = -1; /* string */
1453 static int hf_pie_plixer_linked_msgid = -1; /* string */
1454 static int hf_pie_plixer_message_subject = -1; /* string */
1455 static int hf_pie_plixer_sender_address = -1; /* string */
1456 static int hf_pie_plixer_date_time = -1;
1458 static int hf_string_len_short = -1;
1459 static int hf_string_len_long = -1;
1462 static const value_string special_mpls_top_label_type[] = {
/*
 * Adds one MPLS label entry to pdutree as a text item covering `length`
 * bytes at `offset`; `level` is only used to number the label in the text.
 *
 * NOTE(review): this listing is missing lines (return type, braces, the
 * test that chooses between the two messages below and one format
 * argument), so only the visible statements are described.
 */
1473 proto_tree_add_mpls_label(proto_tree *pdutree, tvbuff_t *tvb, int offset, int length, int level)
/*
 * Three bytes are read from the packet at offset .. offset+2. The label
 * value is built from b0, b1 and the high nibble of b2; bit 0 of b2 is
 * shown as "top-of-stack".
 * NOTE(review): presumably these reads are guarded by a check on `length`
 * (the "bad length" message below implies one) - confirm, since `length`
 * comes from the flow template rather than from this function.
 */
1477 guint8 b0 = tvb_get_guint8(tvb, offset);
1478 guint8 b1 = tvb_get_guint8(tvb, offset + 1);
1479 guint8 b2 = tvb_get_guint8(tvb, offset + 2);
1480 ti = proto_tree_add_text(pdutree, tvb, offset, length,
1481 "MPLS-Label%d: %u exp-bits: %u %s", level,
1482 ((b0<<12)+(b1<<4)+(b2>>4)),
1484 ((b2&0x1)?"top-of-stack":""));
/* Alternative path: the field length is reported instead of being decoded. */
1486 ti = proto_tree_add_text(pdutree, tvb, offset, length,
1487 "MPLS-Label%d: bad length %d", level, length);
/*
 * Formats an NBAR application id into `result` as "type:id": the top byte
 * of nbar_id is the type, the low 24 bits are the id.
 *
 * The write is bounded by ITEM_LABEL_LENGTH, so `result` is assumed to be
 * at least that large - TODO confirm against the caller.
 * NOTE(review): both values are guint32 but are printed with %d; %u would
 * match the type. The values are masked to 8 and 24 bits first, so the
 * printed text is the same either way.
 */
1494 nbar_fmt_id(gchar *result, guint32 nbar_id)
1496 guint32 nbar_id_type = (nbar_id>>24)&0xFF;
/* Keep only the 24-bit id part; the type was extracted above. */
1497 nbar_id &= 0xFFFFFF;
1499 g_snprintf(result, ITEM_LABEL_LENGTH,
1500 "NBAR Application ID: %d:%d (type:id)", nbar_id_type, nbar_id);
1504 void proto_reg_handoff_netflow(void);
/*
 * Per-packet header context that dissect_netflow fills in and passes to
 * each PDU handler. Other members are not visible in this listing.
 */
1506 typedef struct _hdrinfo_t {
/* Read from the packet header by dissect_netflow (v9/v10 only), so it is sender-supplied. */
1508 guint32 src_id; /* SourceID in NetFlow V9, Observation Domain ID in IPFIX */
/* Also taken from the packet header; not a locally measured time. */
1510 time_t export_time_secs; /* secs since epoch */
1513 typedef int dissect_pdu_t(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset,
1514 hdrinfo_t *hdrinfo);
1516 static int dissect_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset,
1517 hdrinfo_t *hdrinfo);
1518 static int dissect_v8_aggpdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *pdutree,
1519 int offset, hdrinfo_t *hdrinfo);
1520 static int dissect_v8_flowpdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *pdutree,
1521 int offset, hdrinfo_t *hdrinfo);
1522 static int dissect_v9_v10_flowset(tvbuff_t *tvb, packet_info *pinfo, proto_tree *pdutree,
1523 int offset, hdrinfo_t *hdrinfo);
1524 static int dissect_v9_v10_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *pdutree,
1525 int offset, guint16 id, guint length, hdrinfo_t *hdrinfo);
1526 static guint dissect_v9_v10_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *pdutree,
1527 int offset, struct v9_v10_template *tplt, hdrinfo_t *hdrinfo);
1528 static guint dissect_v9_pdu_scope(tvbuff_t *tvb, packet_info *pinfo, proto_tree *pdutree,
1529 int offset, struct v9_v10_template *tplt);
1530 static guint dissect_v9_v10_pdu_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *pdutree,
1531 int offset, struct v9_v10_template *tplt, hdrinfo_t *hdrinfo,
1532 v9_v10_template_fields_type_t fields_type);
1533 static int dissect_v9_v10_options_template(tvbuff_t *tvb, packet_info *pinfo, proto_tree *pdutree,
1534 int offset, int len, hdrinfo_t *hdrinfo, guint16 flowset_id);
1535 static int dissect_v9_v10_data_template(tvbuff_t *tvb, packet_info *pinfo, proto_tree *pdutree,
1536 int offset, int len, hdrinfo_t *hdrinfo, guint16 flowset_id);
1537 static int v9_v10_template_hash(guint16 id, const address *net_src,
1539 static struct v9_v10_template *v9_v10_template_cache_addr(guint16 id, address *net_src, guint32 src_id);
1540 static struct v9_v10_template *v9_v10_template_get(guint16 id, address *net_src, guint32 src_id);
1541 static const gchar *getprefix(const guint32 *address, int prefix);
1543 static int flow_process_ints(proto_tree *pdutree, tvbuff_t *tvb,
1545 static int flow_process_ports(proto_tree *pdutree, tvbuff_t *tvb,
1547 static int flow_process_timeperiod(proto_tree *pdutree, tvbuff_t *tvb,
1549 static int flow_process_aspair(proto_tree *pdutree, tvbuff_t *tvb,
1551 static int flow_process_sizecount(proto_tree *pdutree, tvbuff_t *tvb,
1553 static int flow_process_textfield(proto_tree *pdutree, tvbuff_t *tvb,
1554 int offset, int bytes,
/*
 * Takes an IPFIX private enterprise number (pen) and returns an int
 * selector; presumably it picks the vendor-specific field-type list for
 * that enterprise - confirm, the vendor cases are not visible in this
 * listing. The only visible return is the fallback below.
 */
1557 static int pen_to_type_hf_list (guint32 pen) {
/* Fallback result: no vendor-specific information for this pen. */
1564 return TF_NO_VENDOR_INFO;
/*
 * Top-level NetFlow / IPFIX dissector. Reads the 16-bit version at offset
 * 0, selects a per-PDU size and handler for that version, adds the common
 * and version-specific header fields to the tree, then walks the payload
 * calling the handler once per PDU (v1-v8) or per flowset/set (v9/v10).
 *
 * Every value that drives this function (version, record count, set
 * lengths, source id, aggregation method) is read from the packet, so it
 * is whatever the sender chose to put there.
 *
 * NOTE(review): this listing is missing lines (braces, case labels, short
 * statements such as offset increments, break and return), so the comments
 * below describe only the statements that are visible.
 */
1569 dissect_netflow(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
1571 proto_tree *netflow_tree = NULL;
1573 proto_item *timeitem, *pduitem;
1574 proto_tree *timetree, *pdutree;
/*
 * NOTE(review): pduret is unsigned, but dissect_pdu_t handlers return int,
 * so a negative handler result would be seen here as a very large length.
 */
1575 unsigned int pduret, ver, pdus, x;
1578 guint available, pdusize, offset = 0;
1580 dissect_pdu_t *pduptr;
1582 ipfix_debug0("dissect_netflow: start");
/* The version is the first two bytes of the packet, in network order. */
1584 ver = tvb_get_ntohs(tvb, offset);
1586 ipfix_debug1("dissect_netflow: found version %d", ver);
1590 pdusize = V1PDU_SIZE;
1591 pduptr = &dissect_pdu;
1594 pdusize = V5PDU_SIZE;
1595 pduptr = &dissect_pdu;
1598 pdusize = V7PDU_SIZE;
1599 pduptr = &dissect_pdu;
/*
 * pdusize is a guint, so -1 is stored as the largest unsigned value. It
 * stands for "size not known yet" until a real size is assigned further
 * down (from the v8 aggregation method, or from each v9/v10 set header).
 */
1602 pdusize = -1; /* deferred */
1603 pduptr = &dissect_v8_aggpdu;
1606 case 10: /* IPFIX */
1607 pdusize = -1; /* deferred */
1608 pduptr = &dissect_v9_v10_flowset;
1611 /* This does not appear to be a valid netflow packet;
1612 * return 0 to let another dissector have a chance at
1618 col_set_str(pinfo->cinfo, COL_PROTOCOL, "CFLOW");
1619 col_clear(pinfo->cinfo, COL_INFO);
1620 ipfix_debug0("dissect_netflow: column cleared");
1623 ti = proto_tree_add_item(tree, proto_netflow, tvb,
1624 offset, -1, ENC_NA);
1625 netflow_tree = proto_item_add_subtree(ti, ett_netflow);
1627 ipfix_debug0("dissect_netflow: tree added");
1629 hdrinfo.vspec = ver;
1631 SET_ADDRESS(&hdrinfo.net_src, pinfo->net_src.type, pinfo->net_src.len,
1632 pinfo->net_src.data);
1635 proto_tree_add_uint(netflow_tree, hf_cflow_version, tvb,
1639 pdus = tvb_get_ntohs(tvb, offset);
1642 proto_tree_add_uint(netflow_tree, hf_cflow_len, tvb,
1646 proto_tree_add_uint(netflow_tree, hf_cflow_count, tvb,
1654 * set something interesting in the display now that we have info
1656 if (check_col(pinfo->cinfo, COL_INFO)) {
1658 col_add_fstr(pinfo->cinfo, COL_INFO,
1659 "total: %u (v%u) record%s", pdus, ver,
1660 plurality(pdus, "", "s"));
1661 } else if (ver == 10) {
/*
 * NOTE(review): flow_len is not declared or assigned on any visible line;
 * presumably it holds the IPFIX message length from the header - confirm.
 * remaining is a gint but is printed with %u in the partial-flow message.
 */
1662 gint remaining = tvb_reported_length_remaining(tvb, offset)+4;
1664 if(remaining == flow_len)
1665 col_add_fstr(pinfo->cinfo, COL_INFO, "IPFIX flow (%d bytes)", flow_len);
1667 col_add_fstr(pinfo->cinfo, COL_INFO,
1668 "IPFIX partial flow (%u/%u bytes)",
1669 remaining, flow_len);
1671 col_add_fstr(pinfo->cinfo, COL_INFO,
1672 "total: %u (v%u) flow%s", pdus, ver,
1673 plurality(pdus, "", "s"));
1678 * The rest is only interesting if we're displaying/searching the
1679 * packet or if V9/V10 so we need to keep going to find any templates
1681 if ( (ver != 9) && (ver != 10) && !tree )
1682 return tvb_length(tvb);
1685 proto_tree_add_item(netflow_tree, hf_cflow_sysuptime, tvb,
1686 offset, 4, ENC_BIG_ENDIAN);
/* Export time (seconds) is read from the packet and kept in hdrinfo, which is later passed to the PDU handler. */
1690 ts.secs = tvb_get_ntohl(tvb, offset);
1691 hdrinfo.export_time_secs = ts.secs;
1693 if ((ver != 9) && (ver != 10)) {
1694 ts.nsecs = tvb_get_ntohl(tvb, offset + 4);
1695 timeitem = proto_tree_add_time(netflow_tree,
1696 hf_cflow_timestamp, tvb, offset,
1700 timeitem = proto_tree_add_time(netflow_tree,
1701 hf_cflow_timestamp, tvb, offset,
1705 timetree = proto_item_add_subtree(timeitem, ett_unixtime);
1707 proto_tree_add_item(timetree,
1708 (ver == 10) ? hf_cflow_exporttime : hf_cflow_unix_secs,
1709 tvb, offset, 4, ENC_BIG_ENDIAN);
1713 if ((ver != 9) && (ver != 10)) {
1714 proto_tree_add_item(timetree, hf_cflow_unix_nsecs, tvb,
1715 offset, 4, ENC_BIG_ENDIAN);
1720 * version specific header
1722 if (ver == 5 || ver == 7 || ver == 8 || ver == 9 || ver == 10) {
1723 proto_tree_add_item(netflow_tree, hf_cflow_sequence,
1724 tvb, offset, 4, ENC_BIG_ENDIAN);
1727 if (ver == 5 || ver == 8) {
1728 proto_tree_add_item(netflow_tree, hf_cflow_engine_type,
1729 tvb, offset++, 1, ENC_NA);
1730 proto_tree_add_item(netflow_tree, hf_cflow_engine_id,
1731 tvb, offset++, 1, ENC_NA);
1732 } else if ((ver == 9) || (ver == 10)) {
1733 proto_tree_add_item(netflow_tree,
1734 (ver == 9) ? hf_cflow_source_id : hf_cflow_od_id,
1735 tvb, offset, 4, ENC_BIG_ENDIAN);
/*
 * The source id / observation domain id is sender-supplied. The template
 * cache helpers declared earlier in this file take (id, net_src, src_id),
 * so presumably it becomes part of the template lookup key - confirm.
 */
1736 hdrinfo.src_id = tvb_get_ntohl(tvb, offset);
/*
 * Aggregation method byte (presumably inside a v8-only branch - the guard
 * is not visible). It selects the fixed PDU size and, for three methods,
 * switches the handler to dissect_v8_flowpdu.
 * NOTE(review): the default case is not visible in this listing; confirm
 * what pdusize and pduptr are for an unknown method value.
 */
1740 hdrinfo.vspec = tvb_get_guint8(tvb, offset);
1741 switch (hdrinfo.vspec) {
1742 case V8PDU_AS_METHOD:
1743 pdusize = V8PDU_AS_SIZE;
1745 case V8PDU_PROTO_METHOD:
1746 pdusize = V8PDU_PROTO_SIZE;
1748 case V8PDU_SPREFIX_METHOD:
1749 pdusize = V8PDU_SPREFIX_SIZE;
1751 case V8PDU_DPREFIX_METHOD:
1752 pdusize = V8PDU_DPREFIX_SIZE;
1754 case V8PDU_MATRIX_METHOD:
1755 pdusize = V8PDU_MATRIX_SIZE;
1757 case V8PDU_DESTONLY_METHOD:
1758 pdusize = V8PDU_DESTONLY_SIZE;
1759 pduptr = &dissect_v8_flowpdu;
1761 case V8PDU_SRCDEST_METHOD:
1762 pdusize = V8PDU_SRCDEST_SIZE;
1763 pduptr = &dissect_v8_flowpdu;
1765 case V8PDU_FULL_METHOD:
1766 pdusize = V8PDU_FULL_SIZE;
1767 pduptr = &dissect_v8_flowpdu;
1769 case V8PDU_TOSAS_METHOD:
1770 pdusize = V8PDU_TOSAS_SIZE;
1772 case V8PDU_TOSPROTOPORT_METHOD:
1773 pdusize = V8PDU_TOSPROTOPORT_SIZE;
1775 case V8PDU_TOSSRCPREFIX_METHOD:
1776 pdusize = V8PDU_TOSSRCPREFIX_SIZE;
1778 case V8PDU_TOSDSTPREFIX_METHOD:
1779 pdusize = V8PDU_TOSDSTPREFIX_SIZE;
1781 case V8PDU_TOSMATRIX_METHOD:
1782 pdusize = V8PDU_TOSMATRIX_SIZE;
1784 case V8PDU_PREPORTPROTOCOL_METHOD:
1785 pdusize = V8PDU_PREPORTPROTOCOL_SIZE;
1792 proto_tree_add_uint(netflow_tree, hf_cflow_aggmethod,
1793 tvb, offset++, 1, hdrinfo.vspec);
1794 proto_tree_add_item(netflow_tree, hf_cflow_aggversion,
1795 tvb, offset++, 1, ENC_NA);
1797 if (ver == 7 || ver == 8)
1798 offset = flow_process_textfield(netflow_tree, tvb, offset, 4,
1800 else if (ver == 5) {
1801 proto_tree_add_item(netflow_tree, hf_cflow_samplingmode,
1802 tvb, offset, 2, ENC_BIG_ENDIAN);
1803 proto_tree_add_item(netflow_tree, hf_cflow_samplerate,
1804 tvb, offset, 2, ENC_BIG_ENDIAN);
1808 if (pdus == 0) { /* no payload to decode - in theory */
1809 /* This is absurd, but does happen in practice. */
1810 proto_tree_add_text(netflow_tree, tvb, offset, tvb_length_remaining(tvb, offset),
1811 "FlowSets impossible - PDU Count is %d", pdus);
1812 return tvb_length(tvb);
1815 * everything below here should be payload
1817 available = tvb_reported_length_remaining(tvb, offset);
/*
 * NOTE(review): available and pdusize are both guint, so
 * (available - pdusize) > 0 is an unsigned test: it is false only when the
 * two are equal, and wraps to a large value when pdusize is greater than
 * available. For IPFIX the loop therefore relies on the checks inside the
 * body (available < pdusize, and the pduret test at the end) to stop on
 * short or malformed input. For the other versions the bound is the
 * record count taken from the packet header.
 */
1818 for (x = 1; ((ver != 10) && (x < pdus + 1)) || ((ver == 10) && ((available - pdusize) > 0)); x++) {
1820 * make sure we have a pdu's worth of data
1822 available = tvb_reported_length_remaining(tvb, offset);
/* The set length is re-read from each set header at offset + 2, so every iteration is sized by packet data. */
1823 if(((ver == 9) || (ver == 10)) && available >= 4) {
1824 /* pdusize can be different for each v9/v10 flowset */
1825 pdusize = tvb_get_ntohs(tvb, offset + 2);
/* Fewer bytes remain than the declared size; the statement taken on this branch is not visible in this listing. */
1828 if (available < pdusize)
1831 if ((ver == 9) || (ver == 10)) {
1832 pduitem = proto_tree_add_text(netflow_tree, tvb,
1834 (ver == 9) ? "FlowSet %u" : "Set %u", x);
1836 pduitem = proto_tree_add_text(netflow_tree, tvb,
1837 offset, pdusize, "pdu %u/%u", x, pdus);
1839 pdutree = proto_item_add_subtree(pduitem, ett_flow);
/*
 * pduret is the length reported by the handler. After the padding
 * adjustment it is at least pdusize, and a value of zero fails the
 * (pduret != 0) test that follows.
 * NOTE(review): the statements controlled by that test are not visible
 * here - confirm that a zero-length set ends the loop instead of being
 * processed again at the same offset.
 */
1841 pduret = pduptr(tvb, pinfo, pdutree, offset, &hdrinfo);
1843 if (pduret < pdusize) pduret = pdusize; /* padding */
1846 * if we came up short, stop processing
1848 if ((pduret == pdusize) && (pduret != 0))
1854 return tvb_length(tvb);
1858 * flow_process_* == common groups of fields, probably could be inline
/*
 * flow_process_ints - add the input and output interface fields to pdutree.
 *
 * Adds hf_cflow_inputint and then hf_cflow_outputint, each as a 2-byte item
 * taken from tvb at offset.
 *
 * NOTE(review): this listing drops lines (see the gaps in the embedded line
 * numbers), so the offset advance between the two items and the return
 * statement are not visible. Callers in this file assign the result back to
 * offset, so it presumably returns the offset just past both fields - confirm.
 * No length check is made here; the function appears to rely on the tvbuff
 * accessors to reject reads past the end of the packet - confirm.
 */
1862 flow_process_ints(proto_tree *pdutree, tvbuff_t *tvb, int offset)
1864 proto_tree_add_item(pdutree, hf_cflow_inputint, tvb, offset, 2, ENC_BIG_ENDIAN);
1867 proto_tree_add_item(pdutree, hf_cflow_outputint, tvb, offset, 2,
/*
 * flow_process_ports - add the source and destination port fields to pdutree.
 *
 * Adds hf_cflow_srcport and then hf_cflow_dstport, each as a 2-byte
 * big-endian item taken from tvb.
 *
 * NOTE(review): the offset advance and the return statement are on lines this
 * listing omits; callers assign the result back to offset, so it presumably
 * returns the offset just past both ports - confirm.
 */
1875 flow_process_ports(proto_tree *pdutree, tvbuff_t *tvb, int offset)
1877 proto_tree_add_item(pdutree, hf_cflow_srcport, tvb, offset, 2, ENC_BIG_ENDIAN);
1880 proto_tree_add_item(pdutree, hf_cflow_dstport, tvb, offset, 2, ENC_BIG_ENDIAN);
/*
 * flow_process_timeperiod - add a flow's start time, end time and duration.
 *
 * Reads two 32-bit network-order values from tvb and treats each as a count
 * of milliseconds, splitting it into seconds and nanoseconds. The difference
 * is added to pdutree as a generated hf_cflow_timedelta item spanning 8 bytes
 * from offset_s, with the start and end values as 4-byte children under it.
 *
 * NOTE(review): the assignments to offset_s and offset_e, the declarations of
 * msec_delta and ts_delta, and the return statement are on lines this listing
 * omits. Callers assign the result back to offset - confirm it is the offset
 * just past the end-time field.
 */
1887 flow_process_timeperiod(proto_tree *pdutree, tvbuff_t *tvb, int offset)
1889 nstime_t ts_start, ts_end;
1890 int offset_s, offset_e;
1892 guint32 msec_start, msec_end;
1894 proto_tree *timetree;
1895 proto_item *timeitem;
1898 msec_start = tvb_get_ntohl(tvb, offset);
1899 ts_start.secs = msec_start / 1000;
1900 ts_start.nsecs = (msec_start % 1000) * 1000000;
1904 msec_end = tvb_get_ntohl(tvb, offset);
1905 ts_end.secs = msec_end / 1000;
1906 ts_end.nsecs = (msec_end % 1000) * 1000000;
/* Both operands are unsigned and come from the exporter. A record whose end
 * time is earlier than its start time is not rejected here.
 * NOTE(review): if msec_delta is unsigned as well, such a record wraps to a
 * very large duration instead of a negative one - confirm its declared type. */
1910 msec_delta = msec_end - msec_start;
1911 ts_delta.secs = msec_delta / 1000;
1912 ts_delta.nsecs = (msec_delta % 1000) * 1000000;
1915 timeitem = proto_tree_add_time(pdutree, hf_cflow_timedelta, tvb,
1916 offset_s, 8, &ts_delta);
1917 PROTO_ITEM_SET_GENERATED(timeitem);
1918 timetree = proto_item_add_subtree(timeitem, ett_flowtime);
1920 proto_tree_add_time(timetree, hf_cflow_timestart, tvb, offset_s, 4,
1922 proto_tree_add_time(timetree, hf_cflow_timeend, tvb, offset_e, 4,
/*
 * flow_process_aspair - add the source and destination AS fields to pdutree.
 *
 * Adds hf_cflow_srcas and then hf_cflow_dstas, each as a 2-byte big-endian
 * item taken from tvb.
 *
 * NOTE(review): the offset advance and the return statement are on lines this
 * listing omits; callers assign the result back to offset, so it presumably
 * returns the offset just past both AS numbers - confirm.
 */
1930 flow_process_aspair(proto_tree *pdutree, tvbuff_t *tvb, int offset)
1932 proto_tree_add_item(pdutree, hf_cflow_srcas, tvb, offset, 2, ENC_BIG_ENDIAN);
1935 proto_tree_add_item(pdutree, hf_cflow_dstas, tvb, offset, 2, ENC_BIG_ENDIAN);
/*
 * flow_process_sizecount - add the packet and octet counters to pdutree.
 *
 * Adds hf_cflow_packets and then hf_cflow_octets, each as a 4-byte big-endian
 * item taken from tvb.
 *
 * NOTE(review): the offset advance and the return statement are on lines this
 * listing omits; callers assign the result back to offset, so it presumably
 * returns the offset just past both counters - confirm.
 */
1942 flow_process_sizecount(proto_tree *pdutree, tvbuff_t *tvb, int offset)
1944 proto_tree_add_item(pdutree, hf_cflow_packets, tvb, offset, 4, ENC_BIG_ENDIAN);
1947 proto_tree_add_item(pdutree, hf_cflow_octets, tvb, offset, 4, ENC_BIG_ENDIAN);
/*
 * flow_process_textfield - label a run of bytes in the tree with a caption.
 *
 * Adds a text item covering `bytes` bytes of tvb at offset. The caption is
 * passed as the argument of a literal "%s" format rather than as the format
 * string itself, so a '%' inside text is printed and never interpreted.
 *
 * NOTE(review): the return statement is on a line this listing omits; callers
 * assign the result back to offset, so it presumably returns offset + bytes -
 * confirm.
 */
1954 flow_process_textfield(proto_tree *pdutree, tvbuff_t *tvb, int offset,
1955 int bytes, const char *text)
1957 proto_tree_add_text(pdutree, tvb, offset, bytes, "%s", text);
/*
 * dissect_v8_flowpdu - dissect one NetFlow v8 record of the destination-only,
 * source-destination or full-flow method.
 *
 * The layout is selected by hdrinfo->vspec: the source address and the input
 * interface are present unless the method is V8PDU_DESTONLY_METHOD, and the
 * ports and the protocol byte are present only for V8PDU_FULL_METHOD.
 * Returns the number of bytes consumed (offset - startoffset); the visible
 * caller rounds a shorter result up to the fixed record size for the method.
 *
 * tvb is marked _U_ in the signature although the body reads from it.
 *
 * NOTE(review): the rest of the parameter list, the declaration of verspec
 * and most offset updates are on lines this listing omits (see the gaps in
 * the embedded line numbers).
 */
1964 dissect_v8_flowpdu(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *pdutree, int offset,
1967 int startoffset = offset;
1970 proto_tree_add_item(pdutree, hf_cflow_dstaddr, tvb, offset, 4, ENC_NA);
1973 verspec = hdrinfo->vspec;
1975 if (verspec != V8PDU_DESTONLY_METHOD) {
1976 proto_tree_add_item(pdutree, hf_cflow_srcaddr, tvb, offset, 4,
1980 if (verspec == V8PDU_FULL_METHOD) {
1981 proto_tree_add_item(pdutree, hf_cflow_dstport, tvb, offset, 2,
1984 proto_tree_add_item(pdutree, hf_cflow_srcport, tvb, offset, 2,
1989 offset = flow_process_sizecount(pdutree, tvb, offset);
1990 offset = flow_process_timeperiod(pdutree, tvb, offset);
1992 proto_tree_add_item(pdutree, hf_cflow_outputint, tvb, offset, 2,
1996 if (verspec != V8PDU_DESTONLY_METHOD) {
1997 proto_tree_add_item(pdutree, hf_cflow_inputint, tvb, offset, 2,
2002 proto_tree_add_item(pdutree, hf_cflow_tos, tvb, offset++, 1, ENC_NA);
2003 if (verspec == V8PDU_FULL_METHOD)
2004 proto_tree_add_item(pdutree, hf_cflow_prot, tvb, offset++, 1,
2006 offset = flow_process_textfield(pdutree, tvb, offset, 1, "marked tos");
2008 if (verspec == V8PDU_SRCDEST_METHOD)
2010 flow_process_textfield(pdutree, tvb, offset, 2,
2012 else if (verspec == V8PDU_FULL_METHOD)
2014 flow_process_textfield(pdutree, tvb, offset, 1, "padding");
2017 flow_process_textfield(pdutree, tvb, offset, 4, "extra packets");
2019 proto_tree_add_item(pdutree, hf_cflow_routersc, tvb, offset, 4, ENC_NA);
2022 return (offset - startoffset);
2026 * dissect a version 8 pdu, returning the length of the pdu processed
/*
 * dissect_v8_aggpdu - dissect one NetFlow v8 aggregation record.
 *
 * Every record starts with the flow count, the packet/octet counters and the
 * start/end time pair. The remaining layout depends on the aggregation
 * method in hdrinfo->vspec: the AS and TOS-AS methods, the protocol-port and
 * TOS-protocol-port methods, the four prefix methods, and the matrix,
 * TOS-matrix and pre-port-protocol methods each get their own field sequence.
 * Returns the number of bytes consumed (offset - startoffset).
 *
 * The local_cflow_* variables hold the source or the destination flavour of
 * a header field id, chosen by the inner case labels; the default label
 * there exists only to silence an uninitialized-variable warning.
 *
 * tvb is marked _U_ in the signature although the body reads from it.
 *
 * NOTE(review): the switch statements, the break lines and several offset
 * updates are on lines this listing omits (see the gaps in the embedded line
 * numbers), so fall-through between the case groups cannot be judged from
 * here. The method byte is read from the packet by the visible caller, so
 * the handling of a method value that matches no case label should be
 * checked in the full file.
 */
2030 dissect_v8_aggpdu(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *pdutree, int offset,
2033 int startoffset = offset;
2035 int local_cflow_as; /* hf_cflow_srcas || hf_cflow_dstas */
2036 int local_cflow_net; /* hf_cflow_srcnet || hf_cflow_dstnet */
2037 int local_cflow_int; /* hf_cflow_outputint || hf_cflow_inputint */
2038 int local_cflow_mask; /* hf_cflow_srcmask || hf_cflow_dstmask */
2040 proto_tree_add_item(pdutree, hf_cflow_flows, tvb, offset, 4, ENC_BIG_ENDIAN);
2043 offset = flow_process_sizecount(pdutree, tvb, offset);
2044 offset = flow_process_timeperiod(pdutree, tvb, offset);
2046 verspec = hdrinfo->vspec;
2049 case V8PDU_AS_METHOD:
2050 case V8PDU_TOSAS_METHOD:
2051 offset = flow_process_aspair(pdutree, tvb, offset);
2053 if (verspec == V8PDU_TOSAS_METHOD) {
2054 proto_tree_add_item(pdutree, hf_cflow_tos, tvb,
2055 offset++, 1, ENC_NA);
2057 flow_process_textfield(pdutree, tvb, offset, 1,
2060 flow_process_textfield(pdutree, tvb, offset, 2,
2063 /* ACF - Seen in the wild and documented here...
2064 http://www.caida.org/tools/measurement/cflowd/configuration/configuration-9.html#ss9.1
2066 offset = flow_process_ints(pdutree, tvb, offset);
2068 case V8PDU_PROTO_METHOD:
2069 case V8PDU_TOSPROTOPORT_METHOD:
2070 proto_tree_add_item(pdutree, hf_cflow_prot, tvb, offset++, 1,
2073 if (verspec == V8PDU_PROTO_METHOD)
2075 flow_process_textfield(pdutree, tvb, offset, 1,
2077 else if (verspec == V8PDU_TOSPROTOPORT_METHOD)
2078 proto_tree_add_item(pdutree, hf_cflow_tos, tvb,
2079 offset++, 1, ENC_NA);
2082 flow_process_textfield(pdutree, tvb, offset, 2,
2084 offset = flow_process_ports(pdutree, tvb, offset);
2086 if (verspec == V8PDU_TOSPROTOPORT_METHOD)
2087 offset = flow_process_ints(pdutree, tvb, offset);
2089 case V8PDU_SPREFIX_METHOD:
2090 case V8PDU_DPREFIX_METHOD:
2091 case V8PDU_TOSSRCPREFIX_METHOD:
2092 case V8PDU_TOSDSTPREFIX_METHOD:
2094 case V8PDU_SPREFIX_METHOD:
2095 case V8PDU_TOSSRCPREFIX_METHOD:
2096 local_cflow_net = hf_cflow_srcnet;
2097 local_cflow_mask = hf_cflow_srcmask;
2098 local_cflow_as = hf_cflow_srcas;
2099 local_cflow_int = hf_cflow_inputint;
2101 case V8PDU_DPREFIX_METHOD:
2102 case V8PDU_TOSDSTPREFIX_METHOD:
2103 default: /* stop warning that :
2104 'local_cflow_*' may be used
2105 uninitialized in this function */
2106 local_cflow_net = hf_cflow_dstnet;
2107 local_cflow_mask = hf_cflow_dstmask;
2108 local_cflow_as = hf_cflow_dstas;
2109 local_cflow_int = hf_cflow_outputint;
2113 proto_tree_add_item(pdutree,
2114 local_cflow_net, tvb, offset, 4, ENC_NA);
2117 proto_tree_add_item(pdutree,
2118 local_cflow_mask, tvb, offset++, 1, ENC_NA);
2120 if (verspec == V8PDU_SPREFIX_METHOD
2121 || verspec == V8PDU_DPREFIX_METHOD)
2123 flow_process_textfield(pdutree, tvb, offset, 1,
2125 else if (verspec == V8PDU_TOSSRCPREFIX_METHOD
2126 || verspec == V8PDU_TOSDSTPREFIX_METHOD)
2127 proto_tree_add_item(pdutree, hf_cflow_tos, tvb,
2128 offset++, 1, ENC_NA);
2130 proto_tree_add_item(pdutree,
2131 local_cflow_as, tvb, offset, 2, ENC_BIG_ENDIAN);
2134 proto_tree_add_item(pdutree,
2135 local_cflow_int, tvb, offset, 2, ENC_BIG_ENDIAN);
2139 flow_process_textfield(pdutree, tvb, offset, 2,
2142 case V8PDU_MATRIX_METHOD:
2143 case V8PDU_TOSMATRIX_METHOD:
2144 case V8PDU_PREPORTPROTOCOL_METHOD:
2145 proto_tree_add_item(pdutree, hf_cflow_srcnet, tvb, offset, 4,
2149 proto_tree_add_item(pdutree, hf_cflow_dstnet, tvb, offset, 4,
2153 proto_tree_add_item(pdutree, hf_cflow_srcmask, tvb, offset++,
2156 proto_tree_add_item(pdutree, hf_cflow_dstmask, tvb, offset++,
2159 if (verspec == V8PDU_TOSMATRIX_METHOD ||
2160 verspec == V8PDU_PREPORTPROTOCOL_METHOD) {
2161 proto_tree_add_item(pdutree, hf_cflow_tos, tvb,
2162 offset++, 1, ENC_NA);
2163 if (verspec == V8PDU_TOSMATRIX_METHOD) {
2165 flow_process_textfield(pdutree, tvb,
2168 } else if (verspec == V8PDU_PREPORTPROTOCOL_METHOD) {
2169 proto_tree_add_item(pdutree, hf_cflow_prot,
2170 tvb, offset++, 1, ENC_NA);
2174 flow_process_textfield(pdutree, tvb, offset, 2,
2178 if (verspec == V8PDU_MATRIX_METHOD
2179 || verspec == V8PDU_TOSMATRIX_METHOD) {
2180 offset = flow_process_aspair(pdutree, tvb, offset);
2181 } else if (verspec == V8PDU_PREPORTPROTOCOL_METHOD) {
2182 offset = flow_process_ports(pdutree, tvb, offset);
2185 offset = flow_process_ints(pdutree, tvb, offset);
2190 return (offset - startoffset);
2193 /* Dissect a NetFlow version 9 FlowSet or version 10 (IPFIX) Set and return the length we processed. */
/*
 * dissect_v9_v10_flowset - dissect one NetFlow v9 FlowSet or v10 (IPFIX) Set.
 *
 * hdrinfo->vspec carries the protocol version here; the first test singles
 * out anything other than 9 or 10 (what it returns is on a line this listing
 * omits). The set id and the 16-bit set length are then read from the packet
 * and shown in the tree, and the body is handed to the data-template,
 * options-template or data dissector according to the id.
 *
 * NOTE(review): length comes from the exporter and must be treated as
 * untrusted. Every sub-dissector call passes length - 4, which is only safe
 * when length >= 4. The "too short" branch below looks like that guard, but
 * its condition is on a line this listing omits - confirm that it covers
 * every value below 4, since (guint)length - 4 would otherwise wrap to a very
 * large count. That branch reports the whole remainder of the buffer as
 * consumed, and it raises its expert info with a NULL tree item.
 */
2196 dissect_v9_v10_flowset(tvbuff_t *tvb, packet_info *pinfo, proto_tree *pdutree, int offset, hdrinfo_t *hdrinfo)
2202 ver = hdrinfo->vspec;
2204 if ((ver != 9) && (ver != 10))
2207 flowset_id = tvb_get_ntohs(tvb, offset);
/* Declared set length, header included (4 is subtracted before the body is
 * dissected). It is not compared with the bytes left in tvb in this function;
 * the visible caller performs that comparison before calling. */
2208 length = tvb_get_ntohs(tvb, offset + 2);
2211 expert_add_info_format(pinfo, NULL, PI_MALFORMED, PI_WARN,
2212 "Length (%u) too short", length);
2213 return tvb_length_remaining(tvb, offset);
2216 proto_tree_add_item(pdutree, hf_cflow_flowset_id, tvb, offset, 2, ENC_BIG_ENDIAN);
2219 proto_tree_add_item(pdutree, hf_cflow_flowset_length, tvb, offset, 2, ENC_BIG_ENDIAN);
2222 switch (flowset_id) {
2223 case FLOWSET_ID_V9_DATA_TEMPLATE:
2224 case FLOWSET_ID_V10_DATA_TEMPLATE:
2225 dissect_v9_v10_data_template(tvb, pinfo, pdutree, offset, length - 4, hdrinfo, flowset_id);
2227 case FLOWSET_ID_V9_OPTIONS_TEMPLATE:
2228 case FLOWSET_ID_V10_OPTIONS_TEMPLATE:
2229 dissect_v9_v10_options_template(tvb, pinfo, pdutree, offset, length - 4, hdrinfo, flowset_id);
2232 if (flowset_id >= FLOWSET_ID_DATA_MIN) {
2233 dissect_v9_v10_data(tvb, pinfo, pdutree, offset, flowset_id, (guint)length - 4, hdrinfo);
/*
 * dissect_v9_v10_data - dissect the records of one data FlowSet/Set.
 *
 * Looks up the template with v9_v10_template_get(), keyed on the set id,
 * hdrinfo->net_src and hdrinfo->src_id. When a template with a non-zero
 * length is found, records are dissected one after another with
 * dissect_v9_v10_pdu() for as long as at least tplt->length bytes remain; a
 * "Padding" item is added for leftover bytes (its condition is not visible
 * in this listing). Without a usable template the body is shown as a single
 * "no template found" item.
 *
 * NOTE(review): a template is state learned from earlier packets, so
 * tplt->length is as exporter-controlled as length is. The condition of the
 * "No flow information" branch and the offset update inside the loop are on
 * lines this listing omits.
 */
2242 dissect_v9_v10_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *pdutree, int offset,
2243 guint16 id, guint length, hdrinfo_t *hdrinfo)
2245 struct v9_v10_template *tplt;
2246 proto_tree *data_tree;
2247 proto_item *data_item;
2251 expert_add_info_format(pinfo, pdutree, PI_MALFORMED,
2252 PI_WARN, "No flow information");
2255 tplt = v9_v10_template_get(id, &hdrinfo->net_src, hdrinfo->src_id);
2256 if (tplt != NULL && tplt->length != 0) {
2258 /* Note: If the flow contains variable length fields then */
2259 /* tplt->length will be less then actual length of the flow. */
2260 while (length >= tplt->length) {
2261 data_item = proto_tree_add_text(pdutree, tvb,
2262 offset, tplt->length, "Flow %d", count++);
2263 data_tree = proto_item_add_subtree(data_item, ett_dataflowset);
2265 pdu_len = dissect_v9_v10_pdu(tvb, pinfo, data_tree, offset, tplt, hdrinfo);
2268 /* XXX - Throw an exception */
/* Clamp the subtraction so the unsigned length cannot underflow when the
 * record dissector reports more bytes than remain (variable-length fields).
 * NOTE(review): the loop only makes progress while pdu_len is non-zero. The
 * test above rules out tplt->length == 0, but whether that guarantees
 * pdu_len > 0 is not visible here - confirm. */
2269 length -= (pdu_len < length) ? pdu_len : length;
2272 proto_tree_add_text(pdutree, tvb, offset, length,
2273 "Padding (%u byte%s)",
2274 length, plurality(length, "", "s"));
2277 proto_tree_add_text(pdutree, tvb, offset, length,
2278 "Data (%u byte%s), no template found",
2279 length, plurality(length, "", "s"));
/*
 * Bit flags, one per kind of field.
 * NOTE(review): presumably these are OR-ed into the guint16 got_flags local
 * of dissect_v9_v10_pdu_data to record which fields of a flow record have
 * been seen; the code that sets and tests them is not visible here. The
 * highest flag is bit 9, which fits a 16-bit mask.
 * GOT_TCP_UDP and GOT_ICMP are GOT_BASE plus the two port flags or the two
 * id flags; the body of GOT_BASE is on lines this listing omits.
 */
2285 #define GOT_LOCAL_ADDR (1 << 0)
2286 #define GOT_REMOTE_ADDR (1 << 1)
2287 #define GOT_LOCAL_PORT (1 << 2)
2288 #define GOT_REMOTE_PORT (1 << 3)
2289 #define GOT_IPv4_ID (1 << 4)
2290 #define GOT_ICMP_ID (1 << 5)
2291 #define GOT_UID (1 << 6)
2292 #define GOT_PID (1 << 7)
2293 #define GOT_USERNAME (1 << 8)
2294 #define GOT_COMMAND (1 << 9)
2296 #define GOT_BASE ( \
2305 #define GOT_TCP_UDP (GOT_BASE | GOT_LOCAL_PORT | GOT_REMOTE_PORT)
2306 #define GOT_ICMP (GOT_BASE | GOT_IPv4_ID | GOT_ICMP_ID)
/*
 * dissect_v9_v10_pdu - dissect one data record according to its template.
 *
 * When the template has scope fields (a non-NULL TF_SCOPES array with a
 * positive count), they are dissected first: with dissect_v9_pdu_scope() for
 * version 9, and with dissect_v9_v10_pdu_data() on TF_SCOPES for version 10.
 * The ordinary fields (TF_ENTRIES) follow. Returns the number of bytes
 * consumed, offset - orig_offset, cast to guint.
 *
 * NOTE(review): the result is a difference of two ints cast to unsigned, so
 * it is only meaningful while the helpers never move offset backwards - the
 * helpers' return types are not visible here.
 */
2309 dissect_v9_v10_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *pdutree, int offset,
2310 struct v9_v10_template *tplt, hdrinfo_t *hdrinfo)
2312 int orig_offset = offset;
2314 if ((tplt->fields[TF_SCOPES] != NULL)
2315 && (tplt->field_count[TF_SCOPES] > 0)) {
2316 if (hdrinfo->vspec == 9) {
2317 offset += dissect_v9_pdu_scope(tvb, pinfo, pdutree, offset, tplt);
2318 } else if (hdrinfo->vspec == 10) {
2319 offset += dissect_v9_v10_pdu_data(tvb, pinfo, pdutree, offset, tplt, hdrinfo, TF_SCOPES);
2322 offset += dissect_v9_v10_pdu_data(tvb, pinfo, pdutree, offset, tplt, hdrinfo, TF_ENTRIES);
2324 return (guint) (offset - orig_offset);
/*
 * dissect_v9_pdu_scope - dissect the scope fields of a NetFlow v9 options
 * data record.
 *
 * Asserts that the template has a scope array, then walks its
 * field_count[TF_SCOPES] entries. Each entry's type selects the header field
 * to add (system, interface, linecard, netflow cache, template, or the
 * unknown-type field) and each entry's length is used as the item length.
 * Returns the number of bytes consumed, offset - orig_offset, cast to guint.
 *
 * NOTE(review): type and length come from a template the exporter sent
 * earlier and, as the XXX comment below says, the length is not validated
 * before it is passed to proto_tree_add_item(). How a length that does not
 * fit the chosen field is handled depends on the hf_cflow_scope_*
 * definitions, which are not visible here - confirm. The statement taken for
 * zero-length entries, the switch line, the breaks and the offset advance
 * are on lines this listing omits.
 */
2328 dissect_v9_pdu_scope(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *pdutree, int offset,
2329 struct v9_v10_template *tplt)
2334 DISSECTOR_ASSERT(tplt->fields[TF_SCOPES] != NULL);
2336 orig_offset = offset;
2338 for(i = 0; i < tplt->field_count[TF_SCOPES]; i++) {
2339 guint16 type = tplt->fields[TF_SCOPES][i].type;
2340 guint16 length = tplt->fields[TF_SCOPES][i].length;
2341 if (length == 0) { /* XXX: Zero length fields probably shouldn't be included in the cached template */
2342 /* YYY: Maybe. If you don't cache the zero length fields can you still compare that you actually have the same template with the same ID. See WMeier comment "c." above */
2346 /* XXX: template length fields should be validated during template processing ... */
2347 case 1: /* system */
2348 proto_tree_add_item(pdutree, hf_cflow_scope_system,
2349 tvb, offset, length, ENC_NA);
2351 case 2: /* interface */
2352 proto_tree_add_item(pdutree, hf_cflow_scope_interface,
2353 tvb, offset, length, ENC_NA);
2355 case 3: /* linecard */
2356 proto_tree_add_item(pdutree, hf_cflow_scope_linecard,
2357 tvb, offset, length, ENC_NA);
2359 case 4: /* netflow cache */
2360 proto_tree_add_item(pdutree, hf_cflow_scope_cache,
2361 tvb, offset, length, ENC_NA);
2364 proto_tree_add_item(pdutree, hf_cflow_scope_template,
2365 tvb, offset, length, ENC_NA);
2367 default: /* unknown */
2368 proto_tree_add_item(pdutree, hf_cflow_unknown_field_type,
2369 tvb, offset, length, ENC_NA);
2374 return (guint) (offset - orig_offset);
2378 dissect_v9_v10_pdu_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *pdutree, int offset,
2379 struct v9_v10_template *tplt, hdrinfo_t *hdrinfo, v9_v10_template_fields_type_t fields_type)
2383 nstime_t ts_start[2], ts_end[2];
2384 int offset_s[2], offset_e[2];
2386 guint32 msec_start[2], msec_end[2];
2392 address local_addr, remote_addr;
2393 guint16 local_port = 0, remote_port = 0/*, ipv4_id = 0, icmp_id = 0*/;
2394 guint32 uid = 0, pid = 0;
2396 gchar *uname_str = NULL;
2398 gchar *cmd_str = NULL;
2399 guint16 got_flags = 0;
2401 int string_len_short = 0;
2402 int string_len_long = 0;
2404 proto_tree *string_tree;
2406 gchar * gen_str = NULL;
2407 int gen_str_offset = 0;
2411 struct v9_v10_template_entry *entries;
2412 proto_tree *fwdstattree;
2414 entries = tplt->fields[fields_type];
2415 if (entries == NULL) {
2416 /* I don't think we can actually hit this condition.
2417 If we can, what would cause it? Does this need a
2422 orig_offset = offset;
2423 count = tplt->field_count[fields_type];
2425 offset_s[0] = offset_s[1] = offset_e[0] = offset_e[1] = 0;
2426 msec_start[0] = msec_start[1] = msec_end[0] = msec_end[1] = 0;
2428 for (i = 0; i < count; i++) {
2431 guint16 masked_type;
2434 const gchar *pen_str;
2437 type = entries[i].type;
2438 length = entries[i].length;
2439 pen = entries[i].pen;
2440 pen_str = entries[i].pen_str;
2442 if (length == 0) { /* XXX: Zero length fields probably shouldn't be included in the cached template */
2443 /* YYY: Maybe. If you don't cache the zero length fields can you still compare that you actually have the same template with the same ID. See WMeier comment "c." above */
2446 /* See if variable length field */
2448 if (length == VARIABLE_LENGTH) {
2450 string_len_short = length = tvb_get_guint8(tvb, offset);
2451 if (length == 255) {
2453 string_len_long = length = tvb_get_ntohs(tvb, offset+1);
2456 gen_str_offset = offset;
2460 * 0x 0000 0000 0000 to
2462 * v10 global types (presumably consistent with v9 types 0x0000 - 0x7fff)
2463 * 0x 0000 0000 0000 to
2465 * V10 Enterprise types
2466 * 0x 0000 0001 0000 to
2469 pen_type = masked_type = type;
2472 if ((hdrinfo->vspec == 10) && (type & 0x8000)) {
2473 pen_type = masked_type = type & 0x7fff;
2474 if (pen == REVPEN) { /* reverse PEN */
2476 } else if (pen == 0) {
2477 pen_type = (0xffff << 16) | pen_type; /* hack to force "unknown" */
2479 pen_type = (pen << 16) | pen_type;
2488 ti = proto_tree_add_item(pdutree, hf_cflow_octets,
2489 tvb, offset, length, ENC_BIG_ENDIAN);
2490 } else if (length == 8) {
2491 ti = proto_tree_add_item(pdutree, hf_cflow_octets64,
2492 tvb, offset, length, ENC_BIG_ENDIAN);
2494 ti = proto_tree_add_text(pdutree,
2495 tvb, offset, length,
2496 "Octets: length %u", length);
2500 case 2: /* packets */
2502 ti = proto_tree_add_item(pdutree, hf_cflow_packets,
2503 tvb, offset, length, ENC_BIG_ENDIAN);
2504 } else if (length == 8) {
2505 ti = proto_tree_add_item(pdutree, hf_cflow_packets64,
2506 tvb, offset, length, ENC_BIG_ENDIAN);
2508 ti = proto_tree_add_text(pdutree,
2509 tvb, offset, length,
2510 "Packets: length %u", length);
2514 case 163: /* observedFlowTotalCount */
2517 ti = proto_tree_add_item(pdutree, hf_cflow_flows,
2518 tvb, offset, length, ENC_BIG_ENDIAN);
2519 } else if (length == 8) {
2520 ti = proto_tree_add_item(pdutree, hf_cflow_flows64,
2521 tvb, offset, length, ENC_BIG_ENDIAN);
2523 ti = proto_tree_add_text(pdutree,
2524 tvb, offset, length,
2525 "Flows: length %u", length);
2530 ti = proto_tree_add_item(pdutree, hf_cflow_prot,
2531 tvb, offset, length, ENC_NA);
2535 ti = proto_tree_add_item(pdutree, hf_cflow_tos,
2536 tvb, offset, length, ENC_NA);
2539 case 6: /* TCP flags */
2540 ti = proto_tree_add_item(pdutree, hf_cflow_tcpflags,
2541 tvb, offset, length, ENC_NA);
2544 case 7: /* source port */
2545 case 180: /* udpSourcePort */
2546 case 182: /* tcpSourcePort */
2547 ti = proto_tree_add_item(pdutree, hf_cflow_srcport,
2548 tvb, offset, length, ENC_BIG_ENDIAN);
2551 case 8: /* source IP */
2553 ti = proto_tree_add_item(pdutree, hf_cflow_srcaddr,
2554 tvb, offset, length, ENC_NA);
2555 } else if (length == 16) {
2556 ti = proto_tree_add_item(pdutree, hf_cflow_srcaddr_v6,
2557 tvb, offset, length, ENC_NA);
2559 ti = proto_tree_add_text(pdutree,
2560 tvb, offset, length,
2561 "SrcAddr: length %u", length);
2565 case 9: /* source mask */
2566 ti = proto_tree_add_item(pdutree, hf_cflow_srcmask,
2567 tvb, offset, length, ENC_NA);
2570 case 10: /* input SNMP */
2571 ti = proto_tree_add_item(pdutree, hf_cflow_inputint,
2572 tvb, offset, length, ENC_BIG_ENDIAN);
2575 case 11: /* dest port */
2576 case 181: /* udpDestinationPort */
2577 case 183: /* tcpDestinationPort */
2578 ti = proto_tree_add_item(pdutree, hf_cflow_dstport,
2579 tvb, offset, length, ENC_BIG_ENDIAN);
2582 case 12: /* dest IP */
2584 ti = proto_tree_add_item(pdutree, hf_cflow_dstaddr,
2585 tvb, offset, length, ENC_NA);
2586 } else if (length == 16) {
2587 ti = proto_tree_add_item(pdutree, hf_cflow_dstaddr_v6,
2588 tvb, offset, length, ENC_NA);
2590 ti = proto_tree_add_text(pdutree,
2591 tvb, offset, length,
2592 "DstAddr: length %u", length);
2596 case 13: /* dest mask */
2597 ti = proto_tree_add_item(pdutree, hf_cflow_dstmask,
2598 tvb, offset, length, ENC_NA);
2601 case 14: /* output SNMP */
2602 ti = proto_tree_add_item(pdutree, hf_cflow_outputint,
2603 tvb, offset, length, ENC_BIG_ENDIAN);
2606 case 15: /* nexthop IP */
2608 ti = proto_tree_add_item(pdutree, hf_cflow_nexthop,
2609 tvb, offset, length, ENC_NA);
2611 ti = proto_tree_add_text(pdutree,
2612 tvb, offset, length,
2613 "NextHop: length %u", length);
2617 case 16: /* source AS */
2618 ti = proto_tree_add_item(pdutree, hf_cflow_srcas,
2619 tvb, offset, length, ENC_BIG_ENDIAN);
2622 case 17: /* dest AS */
2623 ti = proto_tree_add_item(pdutree, hf_cflow_dstas,
2624 tvb, offset, length, ENC_BIG_ENDIAN);
2627 case 18: /* BGP nexthop IP */
2629 ti = proto_tree_add_item(pdutree, hf_cflow_bgpnexthop,
2630 tvb, offset, length, ENC_NA);
2631 } else if (length == 16) {
2632 ti = proto_tree_add_item(pdutree, hf_cflow_bgpnexthop_v6,
2633 tvb, offset, length, ENC_NA);
2635 ti = proto_tree_add_text(pdutree,
2636 tvb, offset, length,
2637 "BGPNextHop: length %u", length);
2641 case 19: /* multicast packets */
2642 ti = proto_tree_add_item(pdutree, hf_cflow_mulpackets,
2643 tvb, offset, length, ENC_BIG_ENDIAN);
2646 case 20: /* multicast octets */
2647 ti = proto_tree_add_item(pdutree, hf_cflow_muloctets,
2648 tvb, offset, length, ENC_BIG_ENDIAN);
2651 case 21: /* last switched */
2652 offset_e[rev] = offset;
2653 msec_end[rev] = tvb_get_ntohl(tvb, offset);
2654 ts_end[rev].secs = msec_end[rev] / 1000;
2655 ts_end[rev].nsecs = (msec_end[rev] % 1000) * 1000000;
2656 goto timestamp_common;
2658 case 22: /* first switched */
2659 offset_s[rev] = offset;
2660 msec_start[rev] = tvb_get_ntohl(tvb, offset);
2661 ts_start[rev].secs = msec_start[rev] / 1000;
2662 ts_start[rev].nsecs = (msec_start[rev] % 1000) * 1000000;
2663 goto timestamp_common;
2666 case 150: /* flowStartSeconds */
2667 offset_s[rev] = offset;
2668 ts_start[rev].secs = tvb_get_ntohl(tvb, offset);
2669 ts_start[rev].nsecs = 0;
2670 goto timestamp_common;
2673 case 151: /* flowEndSeconds */
2674 offset_e[rev] = offset;
2675 ts_end[rev].secs = tvb_get_ntohl(tvb, offset);
2676 ts_end[rev].nsecs = 0;
2677 goto timestamp_common;
2680 case 152: /* flowStartMilliseconds: 64-bit integer */
2681 offset_s[rev] = offset;
2682 ts_start[rev].secs = tvb_get_ntoh64(tvb, offset)/1000;
2683 ts_start[rev].nsecs = (int)(tvb_get_ntoh64(tvb, offset)%1000) * 1000000;
2684 goto timestamp_common;
2687 case 153: /* flowEndMilliseconds; 64-bit integer */
2688 offset_e[rev] = offset;
2689 ts_end[rev].secs = (tvb_get_ntoh64(tvb, offset)/1000);
2690 ts_end[rev].nsecs = (int)(tvb_get_ntoh64(tvb, offset)%1000) * 1000000;
2691 goto timestamp_common;
2694 case 154: /* flowStartMicroseconds: 64-bit NTP format */
2695 offset_s[rev] = offset;
2696 ntp_to_nstime(tvb, offset, &ts_start[rev]);
2697 goto timestamp_common;
2700 case 155: /* flowEndMicroseconds: 64-bit NTP format */
2701 /* XXX: Not tested ... */
2702 offset_e[rev] = offset;
2703 ntp_to_nstime(tvb, offset, &ts_end[rev]);
2704 goto timestamp_common;
2707 case 156: /* flowStartNanoseconds: 64-bit NTP format */
2708 /* XXX: Not tested ... */
2709 offset_s[rev] = offset;
2710 ntp_to_nstime(tvb, offset, &ts_start[rev]);
2711 goto timestamp_common;
2714 case 157: /* flowEndNanoseconds: 64-bit NTP format */
2715 /* XXX: Not tested ... */
2716 offset_e[rev] = offset;
2717 ntp_to_nstime(tvb, offset, &ts_end[rev]);
2718 goto timestamp_common;
2721 case 158: /* flowStartDeltaMicroseconds: 32-bit integer; negative time offset */
2722 /* relative to the export time specified in the IPFIX Message Header */
2723 /* XXX: Not tested ... */
2724 offset_s[rev] = offset;
2725 usec = tvb_get_ntohl(tvb, offset);
2726 ts_start[rev].secs = (((guint64)(hdrinfo->export_time_secs)*1000000 - usec) / 1000000);
2727 ts_start[rev].nsecs = (int)(((guint64)(hdrinfo->export_time_secs)*1000000 - usec) % 1000000) * 1000;
2728 goto timestamp_common;
2731 case 159: /* flowEndDeltaMicroseconds: 32-bit integer; negative time offset */
2732 /* relative to the export time specified in the IPFIX Message Header */
2733 /* XXX: Not tested ... */
2734 offset_e[rev] = offset;
2735 usec = tvb_get_ntohl(tvb, offset);
2736 ts_end[rev].secs = (((guint64)(hdrinfo->export_time_secs)*1000000 - usec) / 1000000);
2737 ts_end[rev].nsecs = (int)(((guint64)(hdrinfo->export_time_secs)*1000000 - usec) % 1000000) * 1000;
2739 /* This code executed for all timestamp fields above */
2740 /* !! Assumption: Only 1 set of time fields in a flow */
2742 if(offset_s[rev] && offset_e[rev]) {
2743 proto_tree *timetree;
2744 proto_item *timeitem;
2746 nstime_delta(&ts_delta, &ts_end[rev], &ts_start[rev]);
2748 proto_tree_add_time(pdutree, hf_cflow_timedelta, tvb,
2749 offset_s[rev], 0, &ts_delta);
2750 PROTO_ITEM_SET_GENERATED(timeitem);
2751 timetree = proto_item_add_subtree(timeitem, ett_flowtime);
2752 /* Note: length of "start" is assumed to match that of "end" */
2753 if (msec_start[rev]) {
2754 proto_tree_add_time(timetree, hf_cflow_timestart, tvb,
2755 offset_s[rev], length, &ts_start[rev]);
2757 proto_tree_add_time(timetree, hf_cflow_abstimestart, tvb,
2758 offset_s[rev], length, &ts_start[rev]);
2760 if (msec_end[rev]) {
2761 proto_tree_add_time(timetree, hf_cflow_timeend, tvb,
2762 offset_e[rev], length, &ts_end[rev]);
2764 proto_tree_add_time(timetree, hf_cflow_abstimeend, tvb,
2765 offset_e[rev], length, &ts_end[rev]);
2770 case 23: /* postOctetDeltaCount */
2772 ti = proto_tree_add_item(pdutree, hf_cflow_post_octets,
2773 tvb, offset, length, ENC_BIG_ENDIAN);
2774 } else if (length == 8) {
2775 ti = proto_tree_add_item(pdutree, hf_cflow_post_octets64,
2776 tvb, offset, length, ENC_BIG_ENDIAN);
2778 ti = proto_tree_add_text(pdutree,
2779 tvb, offset, length,
2780 "Post Octets: length %u", length);
2784 case 24: /* postPacketDeltaCount */
2786 ti = proto_tree_add_item(pdutree, hf_cflow_post_packets,
2787 tvb, offset, length, ENC_BIG_ENDIAN);
2788 } else if (length == 8) {
2789 ti = proto_tree_add_item(pdutree, hf_cflow_post_packets64,
2790 tvb, offset, length, ENC_BIG_ENDIAN);
2792 ti = proto_tree_add_text(pdutree,
2793 tvb, offset, length,
2794 "Post Packets: length %u", length);
2798 case 25: /* length_min */
2799 ti = proto_tree_add_item(pdutree, hf_cflow_length_min,
2800 tvb, offset, length, ENC_BIG_ENDIAN);
2803 case 26: /* length_max */
2804 ti = proto_tree_add_item(pdutree, hf_cflow_length_max,
2805 tvb, offset, length, ENC_BIG_ENDIAN);
2808 case 27: /* IPv6 src addr */
2809 ti = proto_tree_add_item(pdutree, hf_cflow_srcaddr_v6,
2810 tvb, offset, length, ENC_NA);
2813 case 28: /* IPv6 dst addr */
2814 ti = proto_tree_add_item(pdutree, hf_cflow_dstaddr_v6,
2815 tvb, offset, length, ENC_NA);
2818 case 29: /* IPv6 src addr mask */
2819 ti = proto_tree_add_item(pdutree, hf_cflow_srcmask_v6,
2820 tvb, offset, length, ENC_NA);
2823 case 30: /* IPv6 dst addr mask */
2824 ti = proto_tree_add_item(pdutree, hf_cflow_dstmask_v6,
2825 tvb, offset, length, ENC_NA);
2828 case 31: /* flowLabelIPv6 */
2829 /* RFC5102 defines that Abstract Data Type of this
2830 Information Element is unsigned32 */
2832 ti = proto_tree_add_item(pdutree, hf_cflow_ipv6_flowlabel,
2833 tvb, offset, length, ENC_BIG_ENDIAN);
2835 /* RFC3954 defines that length of this field is 3
2837 else if (length == 3) {
2838 ti = proto_tree_add_item(pdutree, hf_cflow_ipv6_flowlabel24,
2839 tvb, offset, length, ENC_BIG_ENDIAN);
2843 case 32: /* ICMP_TYPE */
2844 ti = proto_tree_add_item(pdutree, hf_cflow_icmp_type,
2845 tvb, offset, length, ENC_NA);
2848 case 33: /* IGMP_TYPE */
2849 ti = proto_tree_add_item(pdutree, hf_cflow_igmp_type,
2850 tvb, offset, length, ENC_NA);
2853 case 34: /* sampling interval */
2854 ti = proto_tree_add_item(pdutree, hf_cflow_sampling_interval,
2855 tvb, offset, length, ENC_BIG_ENDIAN);
2858 case 35: /* sampling algorithm */
2859 ti = proto_tree_add_item(pdutree, hf_cflow_sampling_algorithm,
2860 tvb, offset, length, ENC_NA);
2863 case 36: /* flow active timeout */
2864 ti = proto_tree_add_item(pdutree, hf_cflow_flow_active_timeout,
2865 tvb, offset, length, ENC_BIG_ENDIAN);
2868 case 37: /* flow inactive timeout */
2869 ti = proto_tree_add_item(pdutree, hf_cflow_flow_inactive_timeout,
2870 tvb, offset, length, ENC_BIG_ENDIAN);
2873 case 38: /* engine type */
2874 ti = proto_tree_add_item(pdutree, hf_cflow_engine_type,
2875 tvb, offset, length, ENC_NA);
2878 case 39: /* engine id*/
2879 ti = proto_tree_add_item(pdutree, hf_cflow_engine_id,
2880 tvb, offset, length, ENC_NA);
2883 case 40: /* bytes exported */
2885 ti = proto_tree_add_item(pdutree, hf_cflow_octets_exp64,
2886 tvb, offset, length, ENC_BIG_ENDIAN);
2887 } else if( length == 4 ) {
2888 ti = proto_tree_add_item(pdutree, hf_cflow_octets_exp,
2889 tvb, offset, length, ENC_BIG_ENDIAN);
2891 ti = proto_tree_add_text(pdutree, tvb, offset, length,
2892 "BytesExported: length %u", length);
2896 case 41: /* packets exported */
2898 ti = proto_tree_add_item(pdutree, hf_cflow_packets_exp64,
2899 tvb, offset, length, ENC_BIG_ENDIAN);
2900 } else if( length == 4 ) {
2901 ti = proto_tree_add_item(pdutree, hf_cflow_packets_exp,
2902 tvb, offset, length, ENC_BIG_ENDIAN);
2904 ti = proto_tree_add_text(pdutree, tvb, offset, length,
2905 "PacketsExported: length %u", length);
2909 case 42: /* flows exported */
2911 ti = proto_tree_add_item(pdutree, hf_cflow_flows_exp64,
2912 tvb, offset, length, ENC_BIG_ENDIAN);
2913 } else if( length == 4 ) {
2914 ti = proto_tree_add_item(pdutree, hf_cflow_flows_exp,
2915 tvb, offset, length, ENC_BIG_ENDIAN);
2917 ti = proto_tree_add_text(pdutree, tvb, offset, length,
2918 "FlowsExported: length %u", length);
2922 case 44: /* IP source prefix */
2924 ti = proto_tree_add_item(pdutree, hf_cflow_srcprefix,
2925 tvb, offset, length, ENC_NA);
2927 ti = proto_tree_add_text(pdutree, tvb, offset, length,
2928 "SrcPrefix: length %u", length);
2932 case 45: /* IP destination prefix */
2934 ti = proto_tree_add_item(pdutree, hf_cflow_dstprefix,
2935 tvb, offset, length, ENC_NA);
2937 ti = proto_tree_add_text(pdutree, tvb, offset, length,
2938 "DstPrefix: length %u", length);
2942 case 46: /* top MPLS label type*/
2943 ti = proto_tree_add_item(pdutree, hf_cflow_mpls_top_label_type,
2944 tvb, offset, length, ENC_NA);
2947 case 47: /* top MPLS label PE address*/
2948 ti = proto_tree_add_item(pdutree, hf_cflow_mpls_pe_addr,
2949 tvb, offset, length, ENC_NA);
2952 case 48: /* Flow Sampler ID */
2954 /* XXX: Why was code originally add_text for just this one case ? */
2955 ti = proto_tree_add_text(pdutree, tvb, offset, length,
2956 "FlowSamplerID: %d", tvb_get_guint8(tvb, offset));
2958 ti = proto_tree_add_item(pdutree, hf_cflow_sampler_id,
2959 tvb, offset, length, ENC_NA);
2962 case 49: /* FLOW_SAMPLER_MODE */
2963 ti = proto_tree_add_item(pdutree, hf_cflow_sampler_mode,
2964 tvb, offset, length, ENC_NA);
2967 case 50: /* FLOW_SAMPLER_RANDOM_INTERVAL */
2968 ti = proto_tree_add_item(pdutree, hf_cflow_sampler_random_interval,
2969 tvb, offset, length, ENC_BIG_ENDIAN);
2972 case 51: /* FLOW_CLASS */
2973 ti = proto_tree_add_item(pdutree, hf_cflow_flow_class,
2974 tvb, offset, length, ENC_NA);
2977 case 52: /* TTL_MINIMUM */
2978 ti = proto_tree_add_item(pdutree, hf_cflow_ttl_minimum,
2979 tvb, offset, length, ENC_NA);
2982 case 53: /* TTL_MAXIMUM */
2983 ti = proto_tree_add_item(pdutree, hf_cflow_ttl_maximum,
2984 tvb, offset, length, ENC_NA);
2987 case 54: /* IPV4_ID */
2988 ti = proto_tree_add_item(pdutree, hf_cflow_ipv4_id,
2989 tvb, offset, length, ENC_BIG_ENDIAN);
2992 case 55: /* postIpClassOfService */
2993 ti = proto_tree_add_item(pdutree, hf_cflow_post_tos,
2994 tvb, offset, length, ENC_NA);
2997 case 56: /* sourceMacAddress */
2998 ti = proto_tree_add_item(pdutree, hf_cflow_srcmac,
2999 tvb, offset, length, ENC_NA);
3002 case 57: /* postDestinationMacAddress */
3003 ti = proto_tree_add_item(pdutree, hf_cflow_post_dstmac,
3004 tvb, offset, length, ENC_NA);
3007 case 58: /* vlanId */
3008 ti = proto_tree_add_item(pdutree, hf_cflow_vlanid,
3009 tvb, offset, length, ENC_BIG_ENDIAN);
3012 case 59: /* postVlanId */
3013 ti = proto_tree_add_item(pdutree, hf_cflow_post_vlanid,
3014 tvb, offset, length, ENC_NA);
3017 case 60: /* IP_VERSION */
3018 ti = proto_tree_add_item(pdutree, hf_cflow_ip_version,
3019 tvb, offset, length, ENC_NA);
3022 case 61: /* DIRECTION */
3023 ti = proto_tree_add_item(pdutree, hf_cflow_direction,
3024 tvb, offset, length, ENC_NA);
3027 case 62: /* IPV6_NEXT_HOP */
3029 ti = proto_tree_add_item(pdutree, hf_cflow_nexthop_v6,
3030 tvb, offset, length, ENC_NA);
3032 ti = proto_tree_add_text(pdutree,
3033 tvb, offset, length,
3034 "NextHop: length %u", length);
3038 case 63: /* BGP_IPV6_NEXT_HOP */
3040 ti = proto_tree_add_item(pdutree, hf_cflow_bgpnexthop_v6,
3041 tvb, offset, length, ENC_NA);
3043 ti = proto_tree_add_text(pdutree,
3044 tvb, offset, length,
3045 "BGPNextHop: length %u", length);
3049 case 64: /* ipv6ExtensionHeaders */
3050 ti = proto_tree_add_item(pdutree, hf_cflow_ipv6_exthdr,
3051 tvb, offset, length, ENC_BIG_ENDIAN);
3054 case 70: /* MPLS label1*/
3055 ti = proto_tree_add_mpls_label(pdutree, tvb, offset, length, 1);
3058 case 71: /* MPLS label2*/
3059 ti = proto_tree_add_mpls_label(pdutree, tvb, offset, length, 2);
3062 case 72: /* MPLS label3*/
3063 ti = proto_tree_add_mpls_label(pdutree, tvb, offset, length, 3);
3066 case 73: /* MPLS label4*/
3067 ti = proto_tree_add_mpls_label(pdutree, tvb, offset, length, 4);
3070 case 74: /* MPLS label5*/
3071 ti = proto_tree_add_mpls_label(pdutree, tvb, offset, length, 5);
3074 case 75: /* MPLS label6*/
3075 ti = proto_tree_add_mpls_label(pdutree, tvb, offset, length, 6);
3078 case 76: /* MPLS label7*/
3079 ti = proto_tree_add_mpls_label(pdutree, tvb, offset, length, 7);
3082 case 77: /* MPLS label8*/
3083 ti = proto_tree_add_mpls_label(pdutree, tvb, offset, length, 8);
3086 case 78: /* MPLS label9*/
3087 ti = proto_tree_add_mpls_label(pdutree, tvb, offset, length, 9);
3090 case 79: /* MPLS label10*/
3091 ti = proto_tree_add_mpls_label(pdutree, tvb, offset, length, 10);
3094 case 80: /* destinationMacAddress */
3095 ti = proto_tree_add_item(pdutree, hf_cflow_dstmac,
3096 tvb, offset, length, ENC_NA);
3099 case 81: /* postSourceMacAddress */
3100 ti = proto_tree_add_item(pdutree, hf_cflow_post_srcmac,
3101 tvb, offset, length, ENC_NA);
3104 case 82: /* IF_NAME */
3105 ti = proto_tree_add_item(pdutree, hf_cflow_if_name,
3106 tvb, offset, length, ENC_ASCII|ENC_NA);
3109 case 83: /* IF_DESCR */
3110 ti = proto_tree_add_item(pdutree, hf_cflow_if_descr,
3111 tvb, offset, length, ENC_ASCII|ENC_NA);
3114 case 84: /* SAMPLER_NAME */
3115 ti = proto_tree_add_item(pdutree, hf_cflow_sampler_name,
3116 tvb, offset, length, ENC_ASCII|ENC_NA);
3119 case 85: /* BYTES_PERMANENT */
3121 ti = proto_tree_add_item(pdutree, hf_cflow_permanent_octets,
3122 tvb, offset, length, ENC_BIG_ENDIAN);
3123 } else if (length == 8) {
3124 ti = proto_tree_add_item(pdutree, hf_cflow_permanent_octets64,
3125 tvb, offset, length, ENC_BIG_ENDIAN);
3127 ti = proto_tree_add_text(pdutree,
3128 tvb, offset, length,
3129 "Running Octets: length %u", length);
3133 case 86: /* PACKETS_PERMANENT */
3135 ti = proto_tree_add_item(pdutree, hf_cflow_permanent_packets,
3136 tvb, offset, length, ENC_BIG_ENDIAN);
3137 } else if (length == 8) {
3138 ti = proto_tree_add_item(pdutree, hf_cflow_permanent_packets64,
3139 tvb, offset, length, ENC_BIG_ENDIAN);
3141 ti = proto_tree_add_text(pdutree,
3142 tvb, offset, length,
3143 "Running Packets: length %u", length);
3147 case 88: /* fragmentOffset */
3148 ti = proto_tree_add_item(pdutree, hf_cflow_fragment_offset,
3149 tvb, offset, length, ENC_BIG_ENDIAN);
3153 /* FORWARDING_STATUS */
3154 /* Forwarding status is encoded on 1 byte with
3155 * the 2 left bits giving the status and the 6
3156 * remaining bits giving the reason code. */
3158 guint8 forwarding_status;
3159 const value_string *x_vs;
3162 ti = proto_tree_add_text(pdutree, tvb, offset, length, "Forwarding Status");
3163 fwdstattree = proto_item_add_subtree(ti, ett_fwdstat);
3165 forwarding_status = tvb_get_guint8(tvb, offset)>>6;
3166 switch(forwarding_status) {
3168 case FORWARDING_STATUS_UNKNOWN:
3169 x_vs = v9_forwarding_status_unknown_code;
3170 x_hf = hf_cflow_forwarding_status_unknown_code;
3172 case FORWARDING_STATUS_FORWARD:
3173 x_vs = v9_forwarding_status_forward_code;
3174 x_hf = hf_cflow_forwarding_status_forward_code;
3176 case FORWARDING_STATUS_DROP:
3177 x_vs = v9_forwarding_status_drop_code;
3178 x_hf = hf_cflow_forwarding_status_drop_code;
3180 case FORWARDING_STATUS_CONSUME:
3181 x_vs = v9_forwarding_status_consume_code;
3182 x_hf = hf_cflow_forwarding_status_consume_code;
3186 proto_tree_add_item(fwdstattree, hf_cflow_forwarding_status,
3187 tvb, offset, length, ENC_NA);
3189 proto_tree_add_item(fwdstattree, x_hf,
3190 tvb, offset, length, ENC_NA);
3192 /* add status code to tree summary */
3194 proto_item_append_text(ti, ": %s", val_to_str_const(forwarding_status,
3195 v9_forwarding_status, "(Unknown)"));
3196 proto_item_append_text(ti, ": %s", val_to_str_const((tvb_get_guint8(tvb, offset)&0x3F),
3197 x_vs, "(Unknown)"));
3202 case 90: /* mplsVpnRouteDistinguisher */
3203 ti = proto_tree_add_item(pdutree, hf_cflow_mpls_vpn_rd,
3204 tvb, offset, length, ENC_NA);
3207 case 91: /* mplsTopLabelPrefixLength */
3208 ti = proto_tree_add_item(pdutree, hf_cflow_mpls_top_label_prefix_length,
3209 tvb, offset, length, ENC_NA);
3212 case 94: /* NBAR applicationDesc */
3213 ti = proto_tree_add_item(pdutree, hf_cflow_nbar_appl_desc,
3214 tvb, offset, length, ENC_ASCII|ENC_NA);
3217 case 95: /* NBAR applicationId */
3218 ti = proto_tree_add_item(pdutree, hf_cflow_nbar_appl_id,
3219 tvb, offset, length, ENC_BIG_ENDIAN);
3222 case 96: /* NBAR applicationName */
3223 ti = proto_tree_add_item(pdutree, hf_cflow_nbar_appl_name,
3224 tvb, offset, length, ENC_ASCII|ENC_NA);
3227 case 98: /* postIpDiffServCodePoint */
3228 ti = proto_tree_add_item(pdutree, hf_cflow_post_ip_diff_serv_code_point,
3229 tvb, offset, length, ENC_NA);
3232 case 99: /* multicastReplicationFactor */
3233 ti = proto_tree_add_item(pdutree, hf_cflow_multicast_replication_factor,
3234 tvb, offset, length, ENC_NA);
3237 case 128: /* dest AS Peer */
3238 ti = proto_tree_add_item(pdutree, hf_cflow_peer_dstas,
3239 tvb, offset, length, ENC_BIG_ENDIAN);
3242 case 129: /* source AS Peer*/
3243 ti = proto_tree_add_item(pdutree, hf_cflow_peer_srcas,
3244 tvb, offset, length, ENC_BIG_ENDIAN);
3247 case 130: /* exporterIPv4Address */
3248 ti = proto_tree_add_item(pdutree, hf_cflow_exporter_addr,
3249 tvb, offset, length, ENC_NA);
3252 case 131: /* exporterIPv6Address */
3253 ti = proto_tree_add_item(pdutree,
3254 hf_cflow_exporter_addr_v6,
3255 tvb, offset, length, ENC_NA);
3258 case 132: /* droppedOctetDeltaCount */
3260 ti = proto_tree_add_item(pdutree, hf_cflow_drop_octets,
3261 tvb, offset, length, ENC_BIG_ENDIAN);
3262 } else if (length == 8) {
3263 ti = proto_tree_add_item(pdutree, hf_cflow_drop_octets64,
3264 tvb, offset, length, ENC_BIG_ENDIAN);
3266 ti = proto_tree_add_text(pdutree, tvb, offset, length,
3267 "Dropped Octets: length %u",
3272 case 133: /* droppedPacketDeltaCount */
3274 ti = proto_tree_add_item(pdutree, hf_cflow_drop_packets,
3275 tvb, offset, length, ENC_BIG_ENDIAN);
3276 } else if (length == 8) {
3277 ti = proto_tree_add_item(pdutree, hf_cflow_drop_packets64,
3278 tvb, offset, length, ENC_BIG_ENDIAN);
3280 ti = proto_tree_add_text(pdutree, tvb, offset, length,
3281 "Dropped Packets: length %u",
3286 case 134: /* droppedOctetTotalCount */
3288 ti = proto_tree_add_item(pdutree, hf_cflow_drop_total_octets,
3289 tvb, offset, length, ENC_BIG_ENDIAN);
3290 } else if (length == 8) {
3291 ti = proto_tree_add_item(pdutree, hf_cflow_drop_total_octets64,
3292 tvb, offset, length, ENC_BIG_ENDIAN);
3294 ti = proto_tree_add_text(pdutree, tvb, offset, length,
3295 "Dropped Total Octets: length %u", length);
3299 case 135: /* droppedPacketTotalCount */
3301 ti = proto_tree_add_item(pdutree, hf_cflow_drop_total_packets,
3302 tvb, offset, length, ENC_BIG_ENDIAN);
3303 } else if (length == 8) {
3304 ti = proto_tree_add_item(pdutree, hf_cflow_drop_total_packets64,
3305 tvb, offset, length, ENC_BIG_ENDIAN);
3307 ti = proto_tree_add_text(pdutree, tvb, offset, length,
3308 "Dropped Total Packets: length %u", length);
3312 case 136: /* flowEndReason */
3313 ti = proto_tree_add_item(pdutree, hf_cflow_flow_end_reason,
3314 tvb, offset, length, ENC_NA);
3317 case 137: /* commonPropertiesId */
3318 ti = proto_tree_add_item(pdutree, hf_cflow_common_properties_id,
3319 tvb, offset, length, ENC_BIG_ENDIAN);
3322 case 138: /* observationPointId */
3323 ti = proto_tree_add_item(pdutree, hf_cflow_observation_point_id,
3324 tvb, offset, length, ENC_BIG_ENDIAN);
3327 case 139: /* icmpTypeCodeIPv6 */
3328 ti = proto_tree_add_item(pdutree, hf_cflow_icmp_ipv6_type,
3329 tvb, offset, 1, ENC_NA);
3330 ti = proto_tree_add_item(pdutree, hf_cflow_icmp_ipv6_code,
3331 tvb, offset + 1, 1, ENC_NA);
3334 case 140: /* mplsTopLabelIPv6Address */
3336 ti = proto_tree_add_item(pdutree,
3337 hf_cflow_mpls_pe_addr_v6,
3338 tvb, offset, length, ENC_NA);
3340 ti = proto_tree_add_text(pdutree, tvb, offset, length,
3341 "mplsTopLabelIPv6Addr: length %u",
3346 case 141: /* lineCardId */
3347 ti = proto_tree_add_item(pdutree, hf_cflow_scope_linecard,
3348 tvb, offset, length, ENC_NA);
3351 case 142: /* portId */
3352 ti = proto_tree_add_item(pdutree, hf_cflow_port_id,
3353 tvb, offset, length, ENC_BIG_ENDIAN);
3356 case 143: /* meteringProcessId */
3357 ti = proto_tree_add_item(pdutree, hf_cflow_mp_id,
3358 tvb, offset, length, ENC_BIG_ENDIAN);
3361 case 144: /* FLOW EXPORTER */
3362 ti = proto_tree_add_item(pdutree, hf_cflow_flow_exporter,
3363 tvb, offset, length, ENC_NA);
3366 case 145: /* templateId */
3367 ti = proto_tree_add_item(pdutree, hf_cflow_template_id,
3368 tvb, offset, length, ENC_BIG_ENDIAN);
3371 case 146: /* wlanChannelId */
3372 ti = proto_tree_add_item(pdutree, hf_cflow_wlan_channel_id,
3373 tvb, offset, length, ENC_NA);
3376 case 147: /* wlanSSID */
3377 ti = proto_tree_add_item(pdutree, hf_cflow_wlan_ssid,
3378 tvb, offset, length, ENC_ASCII|ENC_NA);
3381 case 148: /* flowId */
3382 ti = proto_tree_add_item(pdutree, hf_cflow_flow_id,
3383 tvb, offset, length, ENC_BIG_ENDIAN);
3386 case 149: /* observationDomainId */
3387 ti = proto_tree_add_item(pdutree, hf_cflow_od_id,
3388 tvb, offset, length, ENC_BIG_ENDIAN);
3391 case 160: /* systemInitTimeMilliseconds */
3392 ts.secs = (tvb_get_ntoh64(tvb, offset)/1000);
3393 ts.nsecs = (int)(tvb_get_ntoh64(tvb, offset)%1000) *1000000;
3394 ti = proto_tree_add_time(pdutree,
3395 hf_cflow_sys_init_time,
3396 tvb, offset, length, &ts);
3399 case 161: /* flowDurationMilliseconds */
3400 msec_delta = tvb_get_ntohl(tvb, offset);
3401 ts_delta.secs = msec_delta / 1000;
3402 ts_delta.nsecs = (msec_delta % 1000) * 1000000;
3403 ti = proto_tree_add_time(pdutree, hf_cflow_timedelta, tvb,
3404 offset, length, &ts_delta);
3407 case 162: /* flowDurationMicroseconds */
3408 msec_delta = tvb_get_ntohl(tvb, offset);
3409 ts_delta.secs = msec_delta / 1000000;
3410 ts_delta.nsecs = (msec_delta % 1000000) * 1000000;
3411 ti = proto_tree_add_time(pdutree, hf_cflow_timedelta, tvb,
3412 offset, length, &ts_delta);
3415 case 164: /* ignoredPacketTotalCount */
3417 ti = proto_tree_add_item(pdutree, hf_cflow_ignore_packets,
3418 tvb, offset, length, ENC_BIG_ENDIAN);
3419 } else if (length == 8) {
3420 ti = proto_tree_add_item(pdutree, hf_cflow_ignore_packets64,
3421 tvb, offset, length, ENC_BIG_ENDIAN);
3423 ti = proto_tree_add_text(pdutree,
3424 tvb, offset, length,
3425 "Ignored Packets: length %u", length);
3429 case 165: /* ignoredOctetTotalCount */
3431 ti = proto_tree_add_item(pdutree, hf_cflow_ignore_octets,
3432 tvb, offset, length, ENC_BIG_ENDIAN);
3433 } else if (length == 8) {
3434 ti = proto_tree_add_item(pdutree, hf_cflow_ignore_octets64,
3435 tvb, offset, length, ENC_BIG_ENDIAN);
3437 ti = proto_tree_add_text(pdutree,
3438 tvb, offset, length,
3439 "Ignored Octets: length %u", length);
3443 case 166: /* notSentFlowTotalCount */
3445 ti = proto_tree_add_item(pdutree, hf_cflow_notsent_flows,
3446 tvb, offset, length, ENC_BIG_ENDIAN);
3447 } else if (length == 8) {
3448 ti = proto_tree_add_item(pdutree, hf_cflow_notsent_flows64,
3449 tvb, offset, length, ENC_BIG_ENDIAN);
3451 ti = proto_tree_add_text(pdutree,
3452 tvb, offset, length,
3453 "Not Sent Flows: length %u", length);
3457 case 167: /* notSentPacketTotalCount */
3459 ti = proto_tree_add_item(pdutree, hf_cflow_notsent_packets,
3460 tvb, offset, length, ENC_BIG_ENDIAN);
3461 } else if (length == 8) {
3462 ti = proto_tree_add_item(pdutree, hf_cflow_notsent_packets64,
3463 tvb, offset, length, ENC_BIG_ENDIAN);
3465 ti = proto_tree_add_text(pdutree,
3466 tvb, offset, length,
3467 "Not Sent Packets: length %u", length);
3471 case 168: /* notSentOctetTotalCount */
3473 ti = proto_tree_add_item(pdutree, hf_cflow_notsent_octets,
3474 tvb, offset, length, ENC_BIG_ENDIAN);
3475 } else if (length == 8) {
3476 ti = proto_tree_add_item(pdutree, hf_cflow_notsent_octets64,
3477 tvb, offset, length, ENC_BIG_ENDIAN);
3479 ti = proto_tree_add_text(pdutree,
3480 tvb, offset, length,
3481 "Not Sent Packets: length %u", length);
3485 case 169: /* destinationIPv6Prefix */
3487 ti = proto_tree_add_item(pdutree, hf_cflow_dstnet_v6,
3488 tvb, offset, length, ENC_NA);
3490 ti = proto_tree_add_text(pdutree,
3491 tvb, offset, length,
3492 "DstPrefix: length %u", length);
3496 case 170: /* sourceIPv6Prefix */
3498 ti = proto_tree_add_item(pdutree, hf_cflow_srcnet_v6,
3499 tvb, offset, length, ENC_NA);
3500 } else if (length != 4 && length != 16) {
3501 ti = proto_tree_add_text(pdutree,
3502 tvb, offset, length,
3503 "SrcPrefix: length %u", length);
3507 case 171: /* postOctetTotalCount */
3509 ti = proto_tree_add_item(pdutree, hf_cflow_post_total_octets,
3510 tvb, offset, length, ENC_BIG_ENDIAN);
3511 } else if (length == 8) {
3512 ti = proto_tree_add_item(pdutree, hf_cflow_post_total_octets64,
3513 tvb, offset, length, ENC_BIG_ENDIAN);
3515 ti = proto_tree_add_text(pdutree,
3516 tvb, offset, length,
3517 "Post Total Octets: length %u", length);
3521 case 172: /* postPacketTotalCount */
3523 ti = proto_tree_add_item(pdutree, hf_cflow_post_total_packets,
3524 tvb, offset, length, ENC_BIG_ENDIAN);
3525 } else if (length == 8) {
3526 ti = proto_tree_add_item(pdutree, hf_cflow_post_total_packets64,
3527 tvb, offset, length, ENC_BIG_ENDIAN);
3529 ti = proto_tree_add_text(pdutree,
3530 tvb, offset, length,
3531 "Post Total Packets: length %u", length);
3535 case 173: /* flowKeyIndicator */
3536 ti = proto_tree_add_item(pdutree, hf_cflow_key,
3537 tvb, offset, length, ENC_NA);
3540 case 174: /* postMCastPacketTotalCount */
3542 ti = proto_tree_add_item(pdutree, hf_cflow_post_total_mulpackets,
3543 tvb, offset, length, ENC_BIG_ENDIAN);
3544 } else if (length == 8) {
3545 ti = proto_tree_add_item(pdutree, hf_cflow_post_total_mulpackets64,
3546 tvb, offset, length, ENC_BIG_ENDIAN);
3548 ti = proto_tree_add_text(pdutree,
3549 tvb, offset, length,
3550 "Post Total Multicast Packets: length %u", length);
3554 case 175: /* postMCastOctetTotalCount */
3556 ti = proto_tree_add_item(pdutree, hf_cflow_post_total_muloctets,
3557 tvb, offset, length, ENC_BIG_ENDIAN);
3558 } else if (length == 8) {
3559 ti = proto_tree_add_item(pdutree, hf_cflow_post_total_muloctets64,
3560 tvb, offset, length, ENC_BIG_ENDIAN);
3562 ti = proto_tree_add_text(pdutree,
3563 tvb, offset, length,
3564 "Post Total Multicast Octets: length %u", length);
3568 case 176: /* ICMP_IPv4_TYPE */
3569 ti = proto_tree_add_item(pdutree, hf_cflow_icmp_ipv4_type,
3570 tvb, offset, length, ENC_NA);
3573 case 177: /* ICMP_IPv4_CODE */
3574 ti = proto_tree_add_item(pdutree, hf_cflow_icmp_ipv4_code,
3575 tvb, offset, length, ENC_NA);
3578 case 178: /* ICMP_IPv6_TYPE */
3579 ti = proto_tree_add_item(pdutree, hf_cflow_icmp_ipv6_type,
3580 tvb, offset, length, ENC_NA);
3583 case 179: /* ICMP_IPv6_CODE */
3584 ti = proto_tree_add_item(pdutree, hf_cflow_icmp_ipv6_code,
3585 tvb, offset, length, ENC_NA);
3588 case 184: /* tcpSequenceNumber */
3589 ti = proto_tree_add_item(pdutree, hf_cflow_tcp_seq_num,
3590 tvb, offset, length, ENC_BIG_ENDIAN);
3593 case 185: /* tcpAcknowledgementNumber */
3594 ti = proto_tree_add_item(pdutree, hf_cflow_tcp_ack_num,
3595 tvb, offset, length, ENC_BIG_ENDIAN);
3598 case 186: /* TCP_WINDOWS_SIZE */
3599 ti = proto_tree_add_item(pdutree, hf_cflow_tcp_window_size,
3600 tvb, offset, length, ENC_BIG_ENDIAN);
3603 case 187: /* tcpUrgentPointer */
3604 ti = proto_tree_add_item(pdutree, hf_cflow_tcp_urg_ptr,
3605 tvb, offset, length, ENC_BIG_ENDIAN);
3608 case 188: /* tcpHeaderLength */
3609 ti = proto_tree_add_item(pdutree, hf_cflow_tcp_header_length,
3610 tvb, offset, length, ENC_NA);
3613 case 189: /* ipHeaderLength */
3614 ti = proto_tree_add_item(pdutree, hf_cflow_ip_header_length,
3615 tvb, offset, length, ENC_NA);
3618 case 190: /* IPV4_TOTAL_LENGTH */
3619 ti = proto_tree_add_item(pdutree, hf_cflow_ipv4_total_length,
3620 tvb, offset, length, ENC_BIG_ENDIAN);
3623 case 191: /* payloadLengthIPv6 */
3624 ti = proto_tree_add_item(pdutree, hf_cflow_ipv6_payload_length,
3625 tvb, offset, length, ENC_BIG_ENDIAN);
3628 case 192: /* IP_TTL */
3629 ti = proto_tree_add_item(pdutree, hf_cflow_ip_ttl,
3630 tvb, offset, length, ENC_NA);
3633 case 193: /* nextHeaderIPv6 */
3634 ti = proto_tree_add_item(pdutree, hf_cflow_ipv6_next_hdr,
3635 tvb, offset, length, ENC_NA);
3638 case 194: /* IP_TOS */
3639 ti = proto_tree_add_item(pdutree, hf_cflow_ip_tos,
3640 tvb, offset, length, ENC_NA);
3643 case 195: /* IP_DSCP */
3644 ti = proto_tree_add_item(pdutree, hf_cflow_ip_dscp,
3645 tvb, offset, length, ENC_NA);
3648 case 196: /* ipPrecedence */
3649 ti = proto_tree_add_item(pdutree, hf_cflow_ip_precedence,
3650 tvb, offset, length, ENC_NA);
3653 case 197: /* fragmentFlags */
3654 ti = proto_tree_add_item(pdutree, hf_cflow_ip_fragment_flags,
3655 tvb, offset, length, ENC_NA);
3658 case 198: /* BYTES_SQUARED */
3659 case 199: /* BYTES_SQUARED_PERMANENT */
3661 ti = proto_tree_add_item(pdutree, hf_cflow_octets_squared64,
3662 tvb, offset, length, ENC_BIG_ENDIAN);
3664 ti = proto_tree_add_text(pdutree, tvb, offset, length,
3665 "Bytes Squared: length %u", length);
3668 case 200: /* mplsTopLabelTTL */
3669 ti = proto_tree_add_item(pdutree, hf_cflow_mpls_top_label_ttl,
3670 tvb, offset, length, ENC_NA);
3673 case 201: /* mplsLabelStackLength */
3674 ti = proto_tree_add_item(pdutree, hf_cflow_mpls_label_length,
3675 tvb, offset, length, ENC_BIG_ENDIAN);
3678 case 202: /* mplsLabelStackDepth */
3679 ti = proto_tree_add_item(pdutree, hf_cflow_mpls_label_depth,
3680 tvb, offset, length, ENC_BIG_ENDIAN);
3683 case 203: /* mplsTopLabelExp */
3684 ti = proto_tree_add_item(pdutree, hf_cflow_mpls_top_label_exp,
3685 tvb, offset, length, ENC_NA);
3688 case 204: /* ipPayloadLength */
3689 ti = proto_tree_add_item(pdutree, hf_cflow_ip_payload_length,
3690 tvb, offset, length, ENC_BIG_ENDIAN);
3693 case 205: /* UDP_LENGTH */
3694 ti = proto_tree_add_item(pdutree, hf_cflow_udp_length,
3695 tvb, offset, length, ENC_BIG_ENDIAN);
3698 case 206: /* IS_MULTICAST */
3699 ti = proto_tree_add_item(pdutree, hf_cflow_is_multicast,
3700 tvb, offset, length, ENC_NA);
3703 case 207: /* IP_HEADER_WORDS */
3704 ti = proto_tree_add_item(pdutree, hf_cflow_ip_header_words,
3705 tvb, offset, length, ENC_NA);
3708 case 208: /* OPTION_MAP */
3709 ti = proto_tree_add_item(pdutree, hf_cflow_option_map,
3710 tvb, offset, length, ENC_NA);
3713 case 209: /* tcpOptions */
3714 ti = proto_tree_add_item(pdutree, hf_cflow_tcp_option_map,
3715 tvb, offset, length, ENC_NA);
3718 case 210: /* paddingOctets */
3719 ti = proto_tree_add_text(pdutree, tvb, offset, length,
3720 "Padding (%u byte%s)",
3721 length, plurality(length, "", "s"));
3724 case 211: /* collectorIPv4Address */
3725 ti = proto_tree_add_item(pdutree, hf_cflow_collector_addr,
3726 tvb, offset, length, ENC_NA);
3729 case 212: /* collectorIPv6Address */
3730 ti = proto_tree_add_item(pdutree, hf_cflow_collector_addr_v6,
3731 tvb, offset, length, ENC_NA);
3734 case 213: /* exportInterface */
3736 ti = proto_tree_add_item(pdutree, hf_cflow_export_interface,
3737 tvb, offset, length, ENC_BIG_ENDIAN);
3739 ti = proto_tree_add_text(pdutree,
3740 tvb, offset, length,
3741 "exportInterface: invalid size %d", length );
3745 case 214: /* exportProtocolVersion */
3746 ti = proto_tree_add_item(pdutree, hf_cflow_export_protocol_version,
3747 tvb, offset, length, ENC_NA);
3750 case 215: /* exportTransportProtocol */
3751 ti = proto_tree_add_item(pdutree, hf_cflow_export_prot,
3752 tvb, offset, length, ENC_NA);
3755 case 216: /* collectorTransportPort */
3756 ti = proto_tree_add_item(pdutree, hf_cflow_collector_port,
3757 tvb, offset, length, ENC_BIG_ENDIAN);
3760 case 217: /* exporterTransportPort */
3761 ti = proto_tree_add_item(pdutree, hf_cflow_exporter_port,
3762 tvb, offset, length, ENC_BIG_ENDIAN);
3765 case 218: /* tcpSynTotalCount */
3766 ti = proto_tree_add_item(pdutree, hf_cflow_total_tcp_syn,
3767 tvb, offset, length, ENC_BIG_ENDIAN);
3770 case 219: /* tcpFinTotalCount */
3771 ti = proto_tree_add_item(pdutree, hf_cflow_total_tcp_fin,
3772 tvb, offset, length, ENC_BIG_ENDIAN);
3775 case 220: /* tcpRstTotalCount */
3776 ti = proto_tree_add_item(pdutree, hf_cflow_total_tcp_rst,
3777 tvb, offset, length, ENC_BIG_ENDIAN);
3780 case 221: /* tcpPshTotalCount */
3781 ti = proto_tree_add_item(pdutree, hf_cflow_total_tcp_psh,
3782 tvb, offset, length, ENC_BIG_ENDIAN);
3785 case 222: /* tcpAckTotalCount */
3786 ti = proto_tree_add_item(pdutree, hf_cflow_total_tcp_ack,
3787 tvb, offset, length, ENC_BIG_ENDIAN);
3790 case 223: /* tcpUrgTotalCount */
3791 ti = proto_tree_add_item(pdutree, hf_cflow_total_tcp_urg,
3792 tvb, offset, length, ENC_BIG_ENDIAN);
3795 case 224: /* IP_TOTAL_LENGTH */
3796 ti = proto_tree_add_item(pdutree, hf_cflow_ip_total_length,
3797 tvb, offset, length, ENC_BIG_ENDIAN);
3800 case 225: /* postNATSourceIPv4Address */
3801 case 40001: /* NF_F_XLATE_SRC_ADDR_IPV4 (Cisco ASA 5500 Series) */
3802 ti = proto_tree_add_item(pdutree, hf_cflow_post_natsource_ipv4_address,
3803 tvb, offset, length, ENC_NA);
3806 case 226: /* postNATDestinationIPv4Address */
3807 case 40002: /* NF_F_XLATE_DST_ADDR_IPV4 (Cisco ASA 5500 Series) */
3808 ti = proto_tree_add_item(pdutree, hf_cflow_post_natdestination_ipv4_address,
3809 tvb, offset, length, ENC_NA);
3812 case 227: /* postNAPTSourceTransportPort */
3813 case 40003: /* NF_F_XLATE_SRC_PORT (Cisco ASA 5500 Series) */
3814 ti = proto_tree_add_item(pdutree, hf_cflow_post_naptsource_transport_port,
3815 tvb, offset, length, ENC_BIG_ENDIAN);
3818 case 228: /* postNAPTDestinationTransportPort */
3819 case 40004: /* NF_F_XLATE_DST_PORT (Cisco ASA 5500 Series) */
3820 ti = proto_tree_add_item(pdutree, hf_cflow_post_naptdestination_transport_port,
3821 tvb, offset, length, ENC_BIG_ENDIAN);
3824 case 229: /* natOriginatingAddressRealm */
3825 ti = proto_tree_add_item(pdutree, hf_cflow_nat_originating_address_realm,
3826 tvb, offset, length, ENC_NA);
3829 case 230: /* natEvent */
3830 ti = proto_tree_add_item(pdutree, hf_cflow_nat_event,
3831 tvb, offset, length, ENC_NA);
3834 case 231: /* initiatorOctets */
3835 ti = proto_tree_add_item(pdutree, hf_cflow_initiator_octets,
3836 tvb, offset, length, ENC_BIG_ENDIAN);
3839 case 232: /* responderOctets */
3840 ti = proto_tree_add_item(pdutree, hf_cflow_responder_octets,
3841 tvb, offset, length, ENC_BIG_ENDIAN);
3844 case 233: /* firewallEvent */
3845 case 40005: /* NF_F_FW_EVENT (Cisco ASA 5500 Series) */
3846 ti = proto_tree_add_item(pdutree, hf_cflow_firewall_event,
3847 tvb, offset, length, ENC_NA);
3850 case 234: /* ingressVRFID */
3851 ti = proto_tree_add_item(pdutree, hf_cflow_ingress_vrfid,
3852 tvb, offset, length, ENC_BIG_ENDIAN);
3855 case 235: /* egressVRFID */
3856 ti = proto_tree_add_item(pdutree, hf_cflow_egress_vrfid,
3857 tvb, offset, length, ENC_BIG_ENDIAN);
3860 case 236: /* VRFname */
3861 ti = proto_tree_add_item(pdutree, hf_cflow_vrfname,
3862 tvb, offset, length, ENC_ASCII|ENC_NA);
3865 case 237: /* postMplsTopLabelExp */
3866 ti = proto_tree_add_item(pdutree, hf_cflow_post_mpls_top_label_exp,
3867 tvb, offset, length, ENC_NA);
3870 case 238: /* tcpWindowScale */
3871 ti = proto_tree_add_item(pdutree, hf_cflow_tcp_window_scale,
3872 tvb, offset, length, ENC_BIG_ENDIAN);
3875 case 239: /* biflowDirection */
3876 ti = proto_tree_add_item(pdutree, hf_cflow_biflow_direction,
3877 tvb, offset, length, ENC_NA);
3880 case 240: /* ethernetHeaderLength */
3881 ti = proto_tree_add_item(pdutree, hf_cflow_ethernet_header_length,
3882 tvb, offset, length, ENC_NA);
3885 case 241: /* ethernetPayloadLength */
3886 ti = proto_tree_add_item(pdutree, hf_cflow_ethernet_payload_length,
3887 tvb, offset, length, ENC_BIG_ENDIAN);
3890 case 242: /* ethernetTotalLength */
3891 ti = proto_tree_add_item(pdutree, hf_cflow_ethernet_total_length,
3892 tvb, offset, length, ENC_BIG_ENDIAN);
3895 case 243: /* dot1qVlanId */
3896 ti = proto_tree_add_item(pdutree, hf_cflow_dot1q_vlan_id,
3897 tvb, offset, length, ENC_BIG_ENDIAN);
3900 case 244: /* dot1qPriority */
3901 ti = proto_tree_add_item(pdutree, hf_cflow_dot1q_priority,
3902 tvb, offset, length, ENC_NA);
3905 case 245: /* dot1qCustomerVlanId */
3906 ti = proto_tree_add_item(pdutree, hf_cflow_dot1q_customer_vlan_id,
3907 tvb, offset, length, ENC_BIG_ENDIAN);
3910 case 246: /* dot1qCustomerPriority */
3911 ti = proto_tree_add_item(pdutree, hf_cflow_dot1q_customer_priority,
3912 tvb, offset, length, ENC_NA);
3915 case 247: /* metroEvcId */
3916 ti = proto_tree_add_item(pdutree, hf_cflow_metro_evc_id,
3917 tvb, offset, length, ENC_ASCII|ENC_NA);
3920 case 248: /* metroEvcType */
3921 ti = proto_tree_add_item(pdutree, hf_cflow_metro_evc_type,
3922 tvb, offset, length, ENC_NA);
3925 case 249: /* pseudoWireId */
3926 ti = proto_tree_add_item(pdutree, hf_cflow_pseudo_wire_id,
3927 tvb, offset, length, ENC_BIG_ENDIAN);
3930 case 250: /* pseudoWireType */
3931 ti = proto_tree_add_item(pdutree, hf_cflow_pseudo_wire_type,
3932 tvb, offset, length, ENC_BIG_ENDIAN);
3935 case 251: /* pseudoWireControlWord */
3936 ti = proto_tree_add_item(pdutree, hf_cflow_pseudo_wire_control_word,
3937 tvb, offset, length, ENC_BIG_ENDIAN);
3940 case 252: /* ingressPhysicalInterface */
3941 ti = proto_tree_add_item(pdutree, hf_cflow_ingress_physical_interface,
3942 tvb, offset, length, ENC_BIG_ENDIAN);
3945 case 253: /* egressPhysicalInterface */
3946 ti = proto_tree_add_item(pdutree, hf_cflow_egress_physical_interface,
3947 tvb, offset, length, ENC_BIG_ENDIAN);
3950 case 254: /* postDot1qVlanId */
3951 ti = proto_tree_add_item(pdutree, hf_cflow_post_dot1q_vlan_id,
3952 tvb, offset, length, ENC_BIG_ENDIAN);
3955 case 255: /* postDot1qCustomerVlanId */
3956 ti = proto_tree_add_item(pdutree, hf_cflow_post_dot1q_customer_vlan_id,
3957 tvb, offset, length, ENC_BIG_ENDIAN);
3960 case 256: /* ethernetType */
3961 ti = proto_tree_add_item(pdutree, hf_cflow_ethernet_type,
3962 tvb, offset, length, ENC_BIG_ENDIAN);
3965 case 257: /* postIpPrecedence */
3966 ti = proto_tree_add_item(pdutree, hf_cflow_post_ip_precedence,
3967 tvb, offset, length, ENC_NA);
3970 case 258: /* collectionTimeMilliseconds */
3971 ts.secs = (tvb_get_ntoh64(tvb, offset)/1000);
3972 ts.nsecs = (int)(tvb_get_ntoh64(tvb, offset)%1000) *1000000;
3973 ti = proto_tree_add_time(pdutree,
3974 hf_cflow_collection_time_milliseconds,
3975 tvb, offset, length, &ts);
3978 case 259: /* exportSctpStreamId */
3979 ti = proto_tree_add_item(pdutree, hf_cflow_export_sctp_stream_id,
3980 tvb, offset, length, ENC_BIG_ENDIAN);
3983 case 260: /* maxExportSeconds */
3984 ts.secs = tvb_get_ntohl(tvb, offset);
3986 ti = proto_tree_add_time(pdutree, hf_cflow_max_export_seconds,
3987 tvb, offset, length, &ts);
3990 case 261: /* maxFlowEndSeconds */
3991 ts.secs = tvb_get_ntohl(tvb, offset);
3993 ti = proto_tree_add_time(pdutree, hf_cflow_max_flow_end_seconds,
3994 tvb, offset, length, &ts);
3997 case 262: /* messageMD5Checksum */
3998 ti = proto_tree_add_item(pdutree, hf_cflow_message_md5_checksum,
3999 tvb, offset, length, ENC_NA);
4002 case 263: /* messageScope */
4003 ti = proto_tree_add_item(pdutree, hf_cflow_message_scope,
4004 tvb, offset, length, ENC_NA);
4007 case 264: /* minExportSeconds */
4008 ts.secs = tvb_get_ntohl(tvb, offset);
4010 ti = proto_tree_add_time(pdutree, hf_cflow_min_export_seconds,
4011 tvb, offset, length, &ts);
4014 case 265: /* minFlowStartSeconds */
4015 ts.secs = tvb_get_ntohl(tvb, offset);
4017 ti = proto_tree_add_time(pdutree, hf_cflow_min_flow_start_seconds,
4018 tvb, offset, length, &ts);
4021 case 266: /* opaqueOctets */
4022 ti = proto_tree_add_item(pdutree, hf_cflow_opaque_octets,
4023 tvb, offset, length, ENC_NA);
4026 case 267: /* sessionScope */
4027 ti = proto_tree_add_item(pdutree, hf_cflow_session_scope,
4028 tvb, offset, length, ENC_NA);
4031 case 268: /* maxFlowEndMicroseconds */
4032 ti = proto_tree_add_item(pdutree, hf_cflow_max_flow_end_microseconds,
4033 tvb, offset, length, ENC_TIME_NTP|ENC_BIG_ENDIAN);
4036 case 269: /* maxFlowEndMilliseconds */
4037 ts.secs = (tvb_get_ntoh64(tvb, offset)/1000);
4038 ts.nsecs = (int)(tvb_get_ntoh64(tvb, offset)%1000) * 1000000;
4039 ti = proto_tree_add_time(pdutree, hf_cflow_max_flow_end_milliseconds,
4040 tvb, offset, length, &ts);
4043 case 270: /* maxFlowEndNanoseconds */
4044 ti = proto_tree_add_item(pdutree, hf_cflow_max_flow_end_nanoseconds,
4045 tvb, offset, length, ENC_TIME_NTP|ENC_BIG_ENDIAN);
4048 case 271: /* minFlowStartMicroseconds */
4049 ti = proto_tree_add_item(pdutree, hf_cflow_min_flow_start_microseconds,
4050 tvb, offset, length, ENC_TIME_NTP|ENC_BIG_ENDIAN);
4053 case 272: /* minFlowStartMilliseconds */
4054 ts.secs = (tvb_get_ntohl(tvb, offset)/1000);
4055 ts.nsecs = (tvb_get_ntohl(tvb, offset)%1000) * 1000000;
4056 ti = proto_tree_add_time(pdutree, hf_cflow_min_flow_start_milliseconds,
4057 tvb, offset, length, &ts);
4060 case 273: /* minFlowStartNanoseconds */
4061 ti = proto_tree_add_item(pdutree, hf_cflow_min_flow_start_nanoseconds,
4062 tvb, offset, length, ENC_TIME_NTP|ENC_BIG_ENDIAN);
4065 case 274: /* collectorCertificate */
4066 ti = proto_tree_add_item(pdutree, hf_cflow_collector_certificate,
4067 tvb, offset, length, ENC_NA);
4070 case 275: /* exporterCertificate */
4071 ti = proto_tree_add_item(pdutree, hf_cflow_exporter_certificate,
4072 tvb, offset, length, ENC_NA);
4075 case 301: /* selectionSequenceId */
4076 ti = proto_tree_add_item(pdutree, hf_cflow_selection_sequence_id,
4077 tvb, offset, length, ENC_BIG_ENDIAN);
4080 case 302: /* selectorId */
4081 ti = proto_tree_add_item(pdutree, hf_cflow_selector_id,
4082 tvb, offset, length, ENC_BIG_ENDIAN);
4085 case 303: /* informationElementId */
4086 ti = proto_tree_add_item(pdutree, hf_cflow_information_element_id,
4087 tvb, offset, length, ENC_BIG_ENDIAN);
4090 case 304: /* selectorAlgorithm */
4091 ti = proto_tree_add_item(pdutree, hf_cflow_selector_algorithm,
4092 tvb, offset, length, ENC_BIG_ENDIAN);
4095 case 305: /* samplingPacketInterval */
4096 ti = proto_tree_add_item(pdutree, hf_cflow_sampling_packet_interval,
4097 tvb, offset, length, ENC_BIG_ENDIAN);
4100 case 306: /* samplingPacketSpace */
4101 ti = proto_tree_add_item(pdutree, hf_cflow_sampling_packet_space,
4102 tvb, offset, length, ENC_BIG_ENDIAN);
4105 case 307: /* samplingTimeInterval */
4106 ti = proto_tree_add_item(pdutree, hf_cflow_sampling_time_interval,
4107 tvb, offset, length, ENC_BIG_ENDIAN);
4110 case 308: /* samplingTimeSpace */
4111 ti = proto_tree_add_item(pdutree, hf_cflow_sampling_time_space,
4112 tvb, offset, length, ENC_BIG_ENDIAN);
4115 case 309: /* samplingSize */
4116 ti = proto_tree_add_item(pdutree, hf_cflow_sampling_size,
4117 tvb, offset, length, ENC_BIG_ENDIAN);
4120 case 310: /* samplingPopulation */
4121 ti = proto_tree_add_item(pdutree, hf_cflow_sampling_population,
4122 tvb, offset, length, ENC_BIG_ENDIAN);
4125 case 311: /* samplingProbability */
4126 ti = proto_tree_add_item(pdutree, hf_cflow_sampling_probability,
4127 tvb, offset, length, ENC_NA);
4130 case 313: /* SECTION_HEADER */
4131 ti = proto_tree_add_item(pdutree, hf_cflow_section_header,
4132 tvb, offset, length, ENC_NA);
4135 case 314: /* SECTION_PAYLOAD */
4136 ti = proto_tree_add_item(pdutree, hf_cflow_section_payload,
4137 tvb, offset, length, ENC_NA);
4140 case 316: /* mplsLabelStackSection */
4141 ti = proto_tree_add_item(pdutree, hf_cflow_mpls_label_stack_section,
4142 tvb, offset, length, ENC_NA);
4145 case 317: /* mplsPayloadPacketSection */
4146 ti = proto_tree_add_item(pdutree, hf_cflow_mpls_payload_packet_section,
4147 tvb, offset, length, ENC_NA);
4150 case 318: /* selectorIdTotalPktsObserved */
4151 ti = proto_tree_add_item(pdutree, hf_cflow_selector_id_total_pkts_observed,
4152 tvb, offset, length, ENC_BIG_ENDIAN);
4155 case 319: /* selectorIdTotalPktsSelected */
4156 ti = proto_tree_add_item(pdutree, hf_cflow_selector_id_total_pkts_selected,
4157 tvb, offset, length, ENC_BIG_ENDIAN);
4160 case 320: /* absoluteError */
4161 ti = proto_tree_add_item(pdutree, hf_cflow_absolute_error,
4162 tvb, offset, length, ENC_NA);
4165 case 321: /* relativeError */
4166 ti = proto_tree_add_item(pdutree, hf_cflow_relative_error,
4167 tvb, offset, length, ENC_NA);
4170 case 322: /* observationTimeSeconds */
4171 ts.secs = tvb_get_ntohl(tvb, offset);
4173 ti = proto_tree_add_time(pdutree, hf_cflow_observation_time_seconds,
4174 tvb, offset, length, &ts);
4177 case 323: /* observationTimeMilliseconds */
4178 ts.secs = (tvb_get_ntoh64(tvb, offset)/1000);
4179 ts.nsecs = (int)(tvb_get_ntoh64(tvb, offset)%1000) * 1000000;
4180 ti = proto_tree_add_time(pdutree, hf_cflow_observation_time_milliseconds,
4181 tvb, offset, length, &ts);
4184 case 324: /* observationTimeMicroseconds */
4185 ti = proto_tree_add_item(pdutree, hf_cflow_observation_time_microseconds,
4186 tvb, offset, length, ENC_TIME_NTP|ENC_BIG_ENDIAN);
4189 case 325: /* observationTimeNanoseconds */
4190 ti = proto_tree_add_item(pdutree, hf_cflow_observation_time_nanoseconds,
4191 tvb, offset, length, ENC_TIME_NTP|ENC_BIG_ENDIAN);
4194 case 326: /* digestHashValue */
4195 ti = proto_tree_add_item(pdutree, hf_cflow_digest_hash_value,
4196 tvb, offset, length, ENC_BIG_ENDIAN);
4199 case 327: /* hashIPPayloadOffset */
4200 ti = proto_tree_add_item(pdutree, hf_cflow_hash_ippayload_offset,
4201 tvb, offset, length, ENC_BIG_ENDIAN);
4204 case 328: /* hashIPPayloadSize */
4205 ti = proto_tree_add_item(pdutree, hf_cflow_hash_ippayload_size,
4206 tvb, offset, length, ENC_BIG_ENDIAN);
4209 case 329: /* hashOutputRangeMin */
4210 ti = proto_tree_add_item(pdutree, hf_cflow_hash_output_range_min,
4211 tvb, offset, length, ENC_BIG_ENDIAN);
4214 case 330: /* hashOutputRangeMax */
4215 ti = proto_tree_add_item(pdutree, hf_cflow_hash_output_range_max,
4216 tvb, offset, length, ENC_BIG_ENDIAN);
4219 case 331: /* hashSelectedRangeMin */
4220 ti = proto_tree_add_item(pdutree, hf_cflow_hash_selected_range_min,
4221 tvb, offset, length, ENC_BIG_ENDIAN);
4224 case 332: /* hashSelectedRangeMax */
4225 ti = proto_tree_add_item(pdutree, hf_cflow_hash_selected_range_max,
4226 tvb, offset, length, ENC_BIG_ENDIAN);
4229 case 333: /* hashDigestOutput */
4230 ti = proto_tree_add_item(pdutree, hf_cflow_hash_digest_output,
4231 tvb, offset, length, ENC_NA);
4234 case 334: /* hashInitialiserValue */
4235 ti = proto_tree_add_item(pdutree, hf_cflow_hash_initialiser_value,
4236 tvb, offset, length, ENC_BIG_ENDIAN);
4239 case 335: /* selectorName */
4240 ti = proto_tree_add_item(pdutree, hf_cflow_selector_name,
4241 tvb, offset, length, ENC_ASCII|ENC_NA);
4244 case 336: /* upperCILimit */
4245 ti = proto_tree_add_item(pdutree, hf_cflow_upper_cilimit,
4246 tvb, offset, length, ENC_NA);
4249 case 337: /* lowerCILimit */
4250 ti = proto_tree_add_item(pdutree, hf_cflow_lower_cilimit,
4251 tvb, offset, length, ENC_NA);
4254 case 338: /* confidenceLevel */
4255 ti = proto_tree_add_item(pdutree, hf_cflow_confidence_level,
4256 tvb, offset, length, ENC_NA);
4259 case 339: /* informationElementDataType */
4260 ti = proto_tree_add_item(pdutree, hf_cflow_information_element_data_type,
4261 tvb, offset, length, ENC_NA);
4264 case 340: /* informationElementDescription */
4265 ti = proto_tree_add_item(pdutree, hf_cflow_information_element_description,
4266 tvb, offset, length, ENC_ASCII|ENC_NA);
4269 case 341: /* informationElementName */
4270 ti = proto_tree_add_item(pdutree, hf_cflow_information_element_name,
4271 tvb, offset, length, ENC_ASCII|ENC_NA);
4274 case 342: /* informationElementRangeBegin */
4275 ti = proto_tree_add_item(pdutree, hf_cflow_information_element_range_begin,
4276 tvb, offset, length, ENC_BIG_ENDIAN);
4279 case 343: /* informationElementRangeEnd */
4280 ti = proto_tree_add_item(pdutree, hf_cflow_information_element_range_end,
4281 tvb, offset, length, ENC_BIG_ENDIAN);
4284 case 344: /* informationElementSemantics */
4285 ti = proto_tree_add_item(pdutree, hf_cflow_information_element_semantics,
4286 tvb, offset, length, ENC_NA);
4289 case 345: /* informationElementUnits */
4290 ti = proto_tree_add_item(pdutree, hf_cflow_information_element_units,
4291 tvb, offset, length, ENC_BIG_ENDIAN);
4294 case 346: /* privateEnterpriseNumber */
4295 ti = proto_tree_add_item(pdutree, hf_cflow_private_enterprise_number,
4296 tvb, offset, length, ENC_BIG_ENDIAN);
4299 case 37000: /* packets_dropped */
4300 ti = proto_tree_add_item(pdutree, hf_cflow_packets_dropped,
4301 tvb, offset, length, ENC_BIG_ENDIAN);
4303 case 37003: /* byte_rate */
4304 ti = proto_tree_add_item(pdutree, hf_cflow_byte_rate,
4305 tvb, offset, length, ENC_BIG_ENDIAN);
4307 case 37004: /* application_media_bytes */
4308 ti = proto_tree_add_item(pdutree, hf_cflow_application_media_bytes,
4309 tvb, offset, length, ENC_BIG_ENDIAN);
4311 case 37006: /* application_media_byte_rate */
4312 ti = proto_tree_add_item(pdutree, hf_cflow_application_media_byte_rate,
4313 tvb, offset, length, ENC_BIG_ENDIAN);
4315 case 37007: /* application_media_packets */
4316 ti = proto_tree_add_item(pdutree, hf_cflow_application_media_packets,
4317 tvb, offset, length, ENC_BIG_ENDIAN);
4319 case 37009: /* application_media_packet_rate */
4320 ti = proto_tree_add_item(pdutree, hf_cflow_application_media_packet_rate,
4321 tvb, offset, length, ENC_BIG_ENDIAN);
4323 case 37011: /* application_media_event */
4324 ti = proto_tree_add_item(pdutree, hf_cflow_application_media_event,
4325 tvb, offset, length, ENC_BIG_ENDIAN);
4328 case 37012: /* monitor_event */
4329 ti = proto_tree_add_item(pdutree, hf_cflow_monitor_event,
4330 tvb, offset, length, ENC_BIG_ENDIAN);
4333 case 37013: /* timestamp_interval */
4334 ti = proto_tree_add_item(pdutree, hf_cflow_timestamp_interval,
4335 tvb, offset, length, ENC_TIME_TIMESPEC|ENC_BIG_ENDIAN);
4337 case 37014: /* transport_packets_expected */
4338 ti = proto_tree_add_item(pdutree, hf_cflow_transport_packets_expected,
4339 tvb, offset, length, ENC_BIG_ENDIAN);
4341 case 37016: /* transport_round_trip_time */
4342 if (tvb_get_ntohl(tvb,offset)== 0xFFFFFFFF ) {
4343 ti = proto_tree_add_item(pdutree, hf_cflow_transport_round_trip_time_string,
4344 tvb, offset, length, ENC_BIG_ENDIAN);
4346 /* value is in microseconds, adjust to nanoseconds*/
4348 ts.nsecs= tvb_get_ntohl(tvb,offset) * 1000;
4349 ti = proto_tree_add_time(pdutree, hf_cflow_transport_round_trip_time,
4350 tvb, offset, length, &ts);
4353 case 37017: /* transport_event_packet_loss */
4354 ti = proto_tree_add_item(pdutree, hf_cflow_transport_event_packet_loss,
4355 tvb, offset, length, ENC_BIG_ENDIAN);
4357 case 37019: /* transport_packets_lost */
4358 if (tvb_get_ntohl(tvb,offset)== 0xFFFFFFFF ) {
4359 ti = proto_tree_add_item(pdutree, hf_cflow_transport_packets_lost_string,
4360 tvb, offset, length, ENC_BIG_ENDIAN);
4362 ti = proto_tree_add_item(pdutree, hf_cflow_transport_packets_lost,
4363 tvb, offset, length, ENC_BIG_ENDIAN);
4366 case 37021: /* transport_packets_lost_rate */
4367 if (tvb_get_ntohl(tvb,offset)== 0xFFFF ) {
4368 ti = proto_tree_add_item(pdutree, hf_cflow_transport_packets_lost_rate_string,
4369 tvb, offset, length, ENC_BIG_ENDIAN);
4371 ti = proto_tree_add_item(pdutree, hf_cflow_transport_packets_lost_rate,
4372 tvb, offset, length, ENC_BIG_ENDIAN);
4375 case 37022: /* transport_rtp_ssrc */
4376 ti = proto_tree_add_item(pdutree, hf_cflow_transport_rtp_ssrc,
4377 tvb, offset, length, ENC_BIG_ENDIAN);
4379 case 37023: /* transport_rtp_jitter_mean */
4380 if (tvb_get_ntohl(tvb,offset)== 0xFFFFFFFF ) {
4381 ti = proto_tree_add_item(pdutree, hf_cflow_transport_rtp_jitter_mean_string,
4382 tvb, offset, length, ENC_BIG_ENDIAN);
4384 /* value is in microseconds, adjust to nanoseconds*/
4386 ts.nsecs= tvb_get_ntohl(tvb,offset) * 1000;
4388 ti = proto_tree_add_time(pdutree, hf_cflow_transport_rtp_jitter_mean,
4389 tvb, offset, length, &ts);
4392 case 37024: /* transport_rtp_jitter_min */
4393 if (tvb_get_ntohl(tvb,offset)== 0xFFFFFFFF ) {
4394 ti = proto_tree_add_item(pdutree, hf_cflow_transport_rtp_jitter_min_string,
4395 tvb, offset, length, ENC_BIG_ENDIAN);
4397 /* value is in microseconds, adjust to nanoseconds*/
4399 ts.nsecs= tvb_get_ntohl(tvb,offset) * 1000;
4400 ti = proto_tree_add_time(pdutree, hf_cflow_transport_rtp_jitter_min,
4401 tvb, offset, length, &ts);
4404 case 37025: /* transport_rtp_jitter_max */
4405 if (tvb_get_ntohl(tvb,offset)== 0xFFFFFFFF ) {
4406 ti = proto_tree_add_item(pdutree, hf_cflow_transport_rtp_jitter_max_string,
4407 tvb, offset, length, ENC_BIG_ENDIAN);
4409 /* value is in microseconds, adjust to nanoseconds*/
4411 ts.nsecs= tvb_get_ntohl(tvb,offset) * 1000;
4412 ti = proto_tree_add_time(pdutree, hf_cflow_transport_rtp_jitter_max,
4413 tvb, offset, length, &ts);
4418 /* Ericsson SE NAT Logging */
4419 case 24628: /* natContextId */
4420 ti = proto_tree_add_item(pdutree, hf_cflow_nat_context_id,
4421 tvb, offset, length, ENC_BIG_ENDIAN);
4423 case 24629: /* natContextName */
4424 ti = proto_tree_add_item(pdutree, hf_cflow_nat_context_name,
4425 tvb, offset, length, ENC_UTF_8|ENC_NA);
4427 case 24630: /* natAssignTime */
4428 ts.secs = tvb_get_ntohl(tvb, offset);
4430 ti = proto_tree_add_time(pdutree, hf_cflow_nat_assign_time,
4431 tvb, offset, length, &ts);
4433 case 24631: /* natUnAssignTime */
4434 ts.secs = tvb_get_ntohl(tvb, offset);
4436 ti = proto_tree_add_time(pdutree, hf_cflow_nat_unassign_time,
4437 tvb, offset, length, &ts);
4439 case 24632: /* natInternalAddr */
4440 ti = proto_tree_add_item(pdutree, hf_cflow_nat_int_addr,
4441 tvb, offset, length, ENC_NA);
4443 case 24633: /* natExternalAddr */
4444 ti = proto_tree_add_item(pdutree, hf_cflow_nat_ext_addr,
4445 tvb, offset, length, ENC_NA);
4447 case 24634: /* natExternalPortFirst */
4448 ti = proto_tree_add_item(pdutree, hf_cflow_nat_ext_port_first,
4449 tvb, offset, length, ENC_BIG_ENDIAN);
4451 case 24635: /* natExternalPortLast */
4452 ti = proto_tree_add_item(pdutree, hf_cflow_nat_ext_port_last,
4453 tvb, offset, length, ENC_BIG_ENDIAN);
4456 /* Cisco ASA 5500 Series */
4457 case 33000: /* NF_F_INGRESS_ACL_ID */
4458 proto_tree_add_item(pdutree, hf_cflow_ingress_acl_id,
4459 tvb, offset, length, ENC_NA);
4461 case 33001: /* NF_F_EGRESS_ACL_ID */
4462 proto_tree_add_item(pdutree, hf_cflow_egress_acl_id,
4463 tvb, offset, length, ENC_NA);
4465 case 33002: /* NF_F_FW_EXT_EVENT */
4466 proto_tree_add_item(pdutree, hf_cflow_fw_ext_event,
4467 tvb, offset, length, ENC_BIG_ENDIAN);
4469 case 40000: /* NF_F_USERNAME[_MAX] */
4470 proto_tree_add_item(pdutree, hf_cflow_aaa_username,
4471 tvb, offset, length, ENC_ASCII|ENC_NA);
4474 /* CACE Technologies */
4475 case VENDOR_CACE << 16 | 0: /* caceLocalIPv4Address */
4476 ti = proto_tree_add_item(pdutree, hf_pie_cace_local_ipv4_address,
4477 tvb, offset, length, ENC_NA);
4478 SET_ADDRESS(&local_addr, AT_IPv4, 4, tvb_get_ptr(tvb, offset, 4));
4479 got_flags |= GOT_LOCAL_ADDR;
4482 case VENDOR_CACE << 16 | 1: /* caceRemoteIPv4Address */
4483 ti = proto_tree_add_item(pdutree, hf_pie_cace_remote_ipv4_address,
4484 tvb, offset, length, ENC_NA);
4485 SET_ADDRESS(&remote_addr, AT_IPv4, 4, tvb_get_ptr(tvb, offset, 4));
4486 got_flags |= GOT_REMOTE_ADDR;
4489 case VENDOR_CACE << 16 | 2: /* caceLocalIPv6Address */
4490 ti = proto_tree_add_item(pdutree, hf_pie_cace_local_ipv6_address,
4491 tvb, offset, length, ENC_NA);
4492 SET_ADDRESS(&local_addr, AT_IPv6, 16, tvb_get_ptr(tvb, offset, 16));
4493 got_flags |= GOT_LOCAL_ADDR;
4496 case VENDOR_CACE << 16 | 3: /* caceRemoteIPv6Address */
4497 ti = proto_tree_add_item(pdutree, hf_pie_cace_remote_ipv6_address,
4498 tvb, offset, length, ENC_NA);
4499 SET_ADDRESS(&remote_addr, AT_IPv6, 16, tvb_get_ptr(tvb, offset, 16));
4500 got_flags |= GOT_REMOTE_ADDR;
4503 case VENDOR_CACE << 16 | 4: /* caceLocalTransportPort */
4504 ti = proto_tree_add_item(pdutree, hf_pie_cace_local_port,
4505 tvb, offset, length, ENC_BIG_ENDIAN);
4506 local_port = tvb_get_ntohs(tvb, offset);
4507 got_flags |= GOT_LOCAL_PORT;
4510 case VENDOR_CACE << 16 | 5: /* caceRemoteTransportPort */
4511 ti = proto_tree_add_item(pdutree, hf_pie_cace_remote_port,
4512 tvb, offset, length, ENC_BIG_ENDIAN);
4513 remote_port = tvb_get_ntohs(tvb, offset);
4514 got_flags |= GOT_REMOTE_PORT;
4517 case VENDOR_CACE << 16 | 6: /* caceLocalIPv4id */
4518 ti = proto_tree_add_item(pdutree, hf_pie_cace_local_ipv4_id,
4519 tvb, offset, length, ENC_BIG_ENDIAN);
4520 /*ipv4_id = tvb_get_ntohs(tvb, offset);*/
4521 /*got_flags |= GOT_IPv4_ID;*/
4524 case VENDOR_CACE << 16 | 7: /* caceLocalICMPid */
4525 ti = proto_tree_add_item(pdutree, hf_pie_cace_local_icmp_id,
4526 tvb, offset, length, ENC_BIG_ENDIAN);
4527 /*icmp_id = tvb_get_ntohs(tvb, offset);*/
4528 /*got_flags |= GOT_ICMP_ID;*/
4531 case VENDOR_CACE << 16 | 8: /* caceLocalProcessUserId */
4532 ti = proto_tree_add_item(pdutree, hf_pie_cace_local_uid,
4533 tvb, offset, length, ENC_BIG_ENDIAN);
4534 uid = tvb_get_ntohl(tvb, offset);
4535 got_flags |= GOT_UID;
4538 case VENDOR_CACE << 16 | 9: /* caceLocalProcessId */
4539 ti = proto_tree_add_item(pdutree, hf_pie_cace_local_pid,
4540 tvb, offset, length, ENC_BIG_ENDIAN);
4541 pid = tvb_get_ntohl(tvb, offset);
4542 got_flags |= GOT_PID;
4545 case VENDOR_CACE << 16 | 10: /* caceLocalProcessUserName */
4546 uname_len = tvb_get_guint8(tvb, offset);
4547 uname_str = tvb_format_text(tvb, offset+1, uname_len);
4548 proto_tree_add_item(pdutree, hf_pie_cace_local_username_len,
4549 tvb, offset, 1, ENC_NA);
4550 ti = proto_tree_add_string(pdutree, hf_pie_cace_local_username,
4551 tvb, offset+1, uname_len, uname_str);
4552 length = uname_len + 1;
4553 got_flags |= GOT_USERNAME;
4556 case VENDOR_CACE << 16 | 11: /* caceLocalProcessCommand */
4557 cmd_len = tvb_get_guint8(tvb, offset);
4558 cmd_str = tvb_format_text(tvb, offset+1, cmd_len);
4559 proto_tree_add_item(pdutree, hf_pie_cace_local_cmd_len,
4560 tvb, offset, 1, ENC_NA);
4561 ti = proto_tree_add_string(pdutree, hf_pie_cace_local_cmd,
4562 tvb, offset+1, cmd_len, cmd_str);
4563 length = cmd_len + 1;
4564 got_flags |= GOT_COMMAND;
4568 case (NTOP_BASE + 80): /* FRAGMENTED */
4569 case ((VENDOR_NTOP << 16) | 80): /* FRAGMENTED */
4570 ti = proto_tree_add_item(pdutree, hf_pie_ntop_fragmented,
4571 tvb, offset, length, ENC_BIG_ENDIAN);
4573 case (NTOP_BASE + 81): /* FINGERPRINT */
4574 case ((VENDOR_NTOP << 16) | 81): /* FINGERPRINT */
4575 ti = proto_tree_add_item(pdutree, hf_pie_ntop_fingerprint,
4576 tvb, offset, length, ENC_BIG_ENDIAN);
4578 case (NTOP_BASE + 82): /* CLIENT_NW_DELAY_SEC */
4579 case ((VENDOR_NTOP << 16) | 82): /* CLIENT_NW_DELAY_SEC */
4580 ti = proto_tree_add_item(pdutree, hf_pie_ntop_client_nw_delay_sec,
4581 tvb, offset, length, ENC_BIG_ENDIAN);
4583 case (NTOP_BASE + 83): /* /\* CLIENT_NW_DELAY_USEC *\/ */
4584 case ((VENDOR_NTOP << 16) | 83): /* CLIENT_NW_DELAY_USEC */
4585 ti = proto_tree_add_item(pdutree, hf_pie_ntop_client_nw_delay_usec,
4586 tvb, offset, length, ENC_BIG_ENDIAN);
4588 case (NTOP_BASE + 84): /* SERVER_NW_DELAY_SEC */
4589 case ((VENDOR_NTOP << 16) | 84): /* SERVER_NW_DELAY_SEC */
4590 ti = proto_tree_add_item(pdutree, hf_pie_ntop_server_nw_delay_sec,
4591 tvb, offset, length, ENC_BIG_ENDIAN);
4593 case (NTOP_BASE + 85): /* SERVER_NW_DELAY_USEC */
4594 case ((VENDOR_NTOP << 16) | 85): /* SERVER_NW_DELAY_USEC */
4595 ti = proto_tree_add_item(pdutree, hf_pie_ntop_server_nw_delay_usec,
4596 tvb, offset, length, ENC_BIG_ENDIAN);
4598 case (NTOP_BASE + 86): /* APPL_LATENCY_SEC */
4599 case ((VENDOR_NTOP << 16) | 86): /* APPL_LATENCY_SEC */
4600 ti = proto_tree_add_item(pdutree, hf_pie_ntop_appl_latency_sec,
4601 tvb, offset, length, ENC_BIG_ENDIAN);
4603 case (NTOP_BASE + 87): /* APPL_LATENCY_USEC */
4604 case ((VENDOR_NTOP << 16) | 87): /* APPL_LATENCY_USEC */
4605 ti = proto_tree_add_item(pdutree, hf_pie_ntop_appl_latency_sec,
4606 tvb, offset, length, ENC_BIG_ENDIAN);
4608 case (NTOP_BASE + 98): /* ICMP_FLAGS */
4609 case ((VENDOR_NTOP << 16) | 98): /* ICMP_FLAGS */
4610 /* Cumulative of all flow ICMP types */
4611 ti = proto_tree_add_item(pdutree, hf_pie_ntop_icmp_flags,
4612 tvb, offset, length, ENC_BIG_ENDIAN);
4614 case (NTOP_BASE + 101): /* SRC_IP_COUNTRY */
4615 case ((VENDOR_NTOP << 16) | 101): /* SRC_IP_COUNTRY */
4616 ti = proto_tree_add_item(pdutree, hf_pie_ntop_src_ip_country,
4617 tvb, offset, length, ENC_ASCII|ENC_NA);
4619 case (NTOP_BASE + 102): /* SRC_IP_CITY */
4620 case ((VENDOR_NTOP << 16) | 102): /* SRC_IP_CITY */
4621 ti = proto_tree_add_item(pdutree, hf_pie_ntop_src_ip_city,
4622 tvb, offset, length, ENC_ASCII|ENC_NA);
4624 case (NTOP_BASE + 103): /* DST_IP_COUNTRY */
4625 case ((VENDOR_NTOP << 16) | 103): /* DST_IP_COUNTRY */
4626 ti = proto_tree_add_item(pdutree, hf_pie_ntop_dst_ip_country,
4627 tvb, offset, length, ENC_ASCII|ENC_NA);
4629 case (NTOP_BASE + 104): /* DST_IP_CITY */
4630 case ((VENDOR_NTOP << 16) | 104): /* DST_IP_CITY */
4631 ti = proto_tree_add_item(pdutree, hf_pie_ntop_dst_ip_city,
4632 tvb, offset, length, ENC_ASCII|ENC_NA);
4634 case (NTOP_BASE + 105): /* FLOW_PROTO_PORT */
4635 case ((VENDOR_NTOP << 16) | 105): /* FLOW_PROTO_PORT */
4636 ti = proto_tree_add_item(pdutree, hf_pie_ntop_flow_proto_port,
4637 tvb, offset, length, ENC_BIG_ENDIAN);
4640 case (NTOP_BASE + 106): /* TUNNEL_ID */
4641 case ((VENDOR_NTOP << 16) | 106): /* TUNNEL_ID */
4642 ti = proto_tree_add_item(pdutree, hf_pie_ntop_tunnel_id,
4643 tvb, offset, length, ENC_BIG_ENDIAN);
4645 case (NTOP_BASE + 107): /* LONGEST_FLOW_PKT */
4646 case ((VENDOR_NTOP << 16) | 107): /* LONGEST_FLOW_PKT */
4647 ti = proto_tree_add_item(pdutree, hf_pie_ntop_longest_flow_pkt,
4648 tvb, offset, length, ENC_BIG_ENDIAN);
4650 case (NTOP_BASE + 108): /* SHORTEST_FLOW_PKT */
4651 case ((VENDOR_NTOP << 16) | 108): /* SHORTEST_FLOW_PKT */
4652 ti = proto_tree_add_item(pdutree, hf_pie_ntop_shortest_flow_pkt,
4653 tvb, offset, length, ENC_BIG_ENDIAN);
4655 case (NTOP_BASE + 109): /* RETRANSMITTED_IN_PKTS */
4656 case ((VENDOR_NTOP << 16) | 109): /* RETRANSMITTED_IN_PKTS */
4657 ti = proto_tree_add_item(pdutree, hf_pie_ntop_retransmitted_in_pkts,
4658 tvb, offset, length, ENC_BIG_ENDIAN);
4660 case (NTOP_BASE + 110): /* RETRANSMITTED_OUT_PKTS */
4661 case ((VENDOR_NTOP << 16) | 110): /* RETRANSMITTED_OUT_PKTS */
4662 ti = proto_tree_add_item(pdutree, hf_pie_ntop_retransmitted_out_pkts,
4663 tvb, offset, length, ENC_BIG_ENDIAN);
4665 case (NTOP_BASE + 111): /* OOORDER_IN_PKTS */
4666 case ((VENDOR_NTOP << 16) | 111): /* OOORDER_IN_PKTS */
4667 ti = proto_tree_add_item(pdutree, hf_pie_ntop_ooorder_in_pkts,
4668 tvb, offset, length, ENC_BIG_ENDIAN);
4670 case (NTOP_BASE + 112): /* OOORDER_OUT_PKTS */
4671 case ((VENDOR_NTOP << 16) | 112): /* OOORDER_OUT_PKTS */
4672 ti = proto_tree_add_item(pdutree, hf_pie_ntop_ooorder_out_pkts,
4673 tvb, offset, length, ENC_BIG_ENDIAN);
4675 case (NTOP_BASE + 113): /* UNTUNNELED_PROTOCOL */
4676 case ((VENDOR_NTOP << 16) | 113): /* UNTUNNELED_PROTOCOL */
4677 ti = proto_tree_add_item(pdutree, hf_pie_ntop_untunneled_protocol,
4678 tvb, offset, length, ENC_BIG_ENDIAN);
4680 case (NTOP_BASE + 114): /* UNTUNNELED_IPV4_SRC_ADDR */
4681 case ((VENDOR_NTOP << 16) | 114): /* UNTUNNELED_IPV4_SRC_ADDR */
4682 ti = proto_tree_add_item(pdutree, hf_pie_ntop_untunneled_ipv4_src_addr,
4683 tvb, offset, length, ENC_BIG_ENDIAN);
4685 case (NTOP_BASE + 115): /* UNTUNNELED_L4_SRC_PORT */
4686 case ((VENDOR_NTOP << 16) | 115): /* UNTUNNELED_L4_SRC_PORT */
4687 ti = proto_tree_add_item(pdutree, hf_pie_ntop_untunneled_l4_src_port,
4688 tvb, offset, length, ENC_BIG_ENDIAN);
4690 case (NTOP_BASE + 116): /* UNTUNNELED_IPV4_DST_ADDR */
4691 case ((VENDOR_NTOP << 16) | 116): /* UNTUNNELED_IPV4_DST_ADDR */
4692 ti = proto_tree_add_item(pdutree, hf_pie_ntop_untunneled_ipv4_dst_addr,
4693 tvb, offset, length, ENC_BIG_ENDIAN);
4695 case (NTOP_BASE + 117): /* UNTUNNELED_L4_DST_PORT */
4696 case ((VENDOR_NTOP << 16) | 117): /* UNTUNNELED_L4_DST_PORT */
4697 ti = proto_tree_add_item(pdutree, hf_pie_ntop_untunneled_l4_dst_port,
4698 tvb, offset, length, ENC_BIG_ENDIAN);
4701 case (NTOP_BASE + 120): /* DUMP_PATH */
4702 case ((VENDOR_NTOP << 16) | 120): /* DUMP_PATH */
4703 ti = proto_tree_add_item(pdutree, hf_pie_ntop_dump_path,
4704 tvb, offset, length, ENC_ASCII|ENC_NA);
4707 case (NTOP_BASE + 130): /* SIP_CALL_ID */
4708 case ((VENDOR_NTOP << 16) | 130): /* SIP_CALL_ID */
4709 gen_str = tvb_format_text(tvb, offset, length);
4710 ti = proto_tree_add_string(pdutree, hf_pie_ntop_sip_call_id,
4711 tvb, offset, length, gen_str);
4713 case (NTOP_BASE + 131): /* SIP_CALLING_PARTY */
4714 case ((VENDOR_NTOP << 16) | 131): /* SIP_CALLING_PARTY */
4715 gen_str = tvb_format_text(tvb, offset, length);
4716 ti = proto_tree_add_string(pdutree, hf_pie_ntop_sip_calling_party,
4717 tvb, offset, length, gen_str);
4719 case (NTOP_BASE + 132): /* SIP_CALLED_PARTY */
4720 case ((VENDOR_NTOP << 16) | 132): /* SIP_CALLED_PARTY */
4721 gen_str = tvb_format_text(tvb, offset, length);
4722 ti = proto_tree_add_string(pdutree, hf_pie_ntop_sip_called_party,
4723 tvb, offset, length, gen_str);
4725 case (NTOP_BASE + 133): /* SIP_RTP_CODECS */
4726 case ((VENDOR_NTOP << 16) | 133): /* SIP_RTP_CODECS */
4727 gen_str = tvb_format_text(tvb, offset, length);
4728 ti = proto_tree_add_string(pdutree, hf_pie_ntop_sip_rtp_codecs,
4729 tvb, offset, length, gen_str);
4731 case (NTOP_BASE + 134): /* SIP_INVITE_TIME */
4732 case ((VENDOR_NTOP << 16) | 134): /* SIP_INVITE_TIME */
4733 ti = proto_tree_add_item(pdutree, hf_pie_ntop_sip_invite_time,
4734 tvb, offset, length, ENC_BIG_ENDIAN);
4736 case (NTOP_BASE + 135): /* SIP_TRYING_TIME */
4737 case ((VENDOR_NTOP << 16) | 135): /* SIP_TRYING_TIME */
4738 ti = proto_tree_add_item(pdutree, hf_pie_ntop_sip_trying_time,
4739 tvb, offset, length, ENC_BIG_ENDIAN);
4741 case (NTOP_BASE + 136): /* SIP_RINGING_TIME */
4742 case ((VENDOR_NTOP << 16) | 136): /* SIP_RINGING_TIME */
4743 ti = proto_tree_add_item(pdutree, hf_pie_ntop_sip_ringing_time,
4744 tvb, offset, length, ENC_BIG_ENDIAN);
4746 case (NTOP_BASE + 137): /* SIP_OK_TIME */
4747 case ((VENDOR_NTOP << 16) | 137): /* SIP_OK_TIME */
4748 ti = proto_tree_add_item(pdutree, hf_pie_ntop_sip_ok_time,
4749 tvb, offset, length, ENC_BIG_ENDIAN);
4751 case (NTOP_BASE + 138): /* SIP_BYE_TIME */
4752 case ((VENDOR_NTOP << 16) | 138): /* SIP_BYE_TIME */
4753 ti = proto_tree_add_item(pdutree, hf_pie_ntop_sip_bye_time,
4754 tvb, offset, length, ENC_BIG_ENDIAN);
4756 case (NTOP_BASE + 139): /* SIP_RTP_SRC_IP */
4757 case ((VENDOR_NTOP << 16) | 139): /* SIP_RTP_SRC_IP */
4758 ti = proto_tree_add_item(pdutree, hf_pie_ntop_sip_rtp_src_ip,
4759 tvb, offset, length, ENC_BIG_ENDIAN);
4761 case (NTOP_BASE + 140): /* SIP_RTP_SRC_PORT */
4762 case ((VENDOR_NTOP << 16) | 140): /* SIP_RTP_SRC_PORT */
4763 ti = proto_tree_add_item(pdutree, hf_pie_ntop_sip_rtp_src_port,
4764 tvb, offset, length, ENC_BIG_ENDIAN);
4766 case (NTOP_BASE + 141): /* SIP_RTP_DST_IP */
4767 case ((VENDOR_NTOP << 16) | 141): /* SIP_RTP_DST_IP */
4768 ti = proto_tree_add_item(pdutree, hf_pie_ntop_sip_rtp_dst_ip,
4769 tvb, offset, length, ENC_BIG_ENDIAN);
4771 case (NTOP_BASE + 142): /* SIP_RTP_DST_PORT */
4772 case ((VENDOR_NTOP << 16) | 142): /* SIP_RTP_DST_PORT */
4773 ti = proto_tree_add_item(pdutree, hf_pie_ntop_sip_rtp_dst_port,
4774 tvb, offset, length, ENC_BIG_ENDIAN);
4776 case (NTOP_BASE + 150): /* RTP_FIRST_SSRC */
4777 case ((VENDOR_NTOP << 16) | 150): /* RTP_FIRST_SSRC */
4778 ti = proto_tree_add_item(pdutree, hf_pie_ntop_rtp_first_ssrc,
4779 tvb, offset, length, ENC_BIG_ENDIAN);
4781 case (NTOP_BASE + 151): /* RTP_FIRST_TS */
4782 case ((VENDOR_NTOP << 16) | 151): /* RTP_FIRST_TS */
4783 ti = proto_tree_add_item(pdutree, hf_pie_ntop_rtp_first_ts,
4784 tvb, offset, length, ENC_TIME_TIMESPEC|ENC_BIG_ENDIAN);
4786 case (NTOP_BASE + 152): /* RTP_LAST_SSRC */
4787 case ((VENDOR_NTOP << 16) | 152): /* RTP_LAST_SSRC */
4788 ti = proto_tree_add_item(pdutree, hf_pie_ntop_rtp_last_ssrc,
4789 tvb, offset, length, ENC_BIG_ENDIAN);
4791 case (NTOP_BASE + 153): /* RTP_LAST_TS */
4792 case ((VENDOR_NTOP << 16) | 153): /* RTP_LAST_TS */
4793 ti = proto_tree_add_item(pdutree, hf_pie_ntop_rtp_last_ts,
4794 tvb, offset, length, ENC_TIME_TIMESPEC|ENC_BIG_ENDIAN);
4796 case (NTOP_BASE + 154): /* RTP_IN_JITTER */
4797 case ((VENDOR_NTOP << 16) | 154): /* RTP_IN_JITTER */
4798 ti = proto_tree_add_item(pdutree, hf_pie_ntop_rtp_in_jitter,
4799 tvb, offset, length, ENC_BIG_ENDIAN);
4801 case (NTOP_BASE + 155): /* RTP_OUT_JITTER */
4802 case ((VENDOR_NTOP << 16) | 155): /* RTP_OUT_JITTER */
4803 ti = proto_tree_add_item(pdutree, hf_pie_ntop_rtp_out_jitter,
4804 tvb, offset, length, ENC_BIG_ENDIAN);
4806 case (NTOP_BASE + 156): /* RTP_IN_PKT_LOST */
4807 case ((VENDOR_NTOP << 16) | 156): /* RTP_IN_PKT_LOST */
4808 ti = proto_tree_add_item(pdutree, hf_pie_ntop_rtp_in_pkt_lost,
4809 tvb, offset, length, ENC_BIG_ENDIAN);
4811 case (NTOP_BASE + 157): /* RTP_OUT_PKT_LOST */
4812 case ((VENDOR_NTOP << 16) | 157): /* RTP_OUT_PKT_LOST */
4813 ti = proto_tree_add_item(pdutree, hf_pie_ntop_rtp_out_pkt_lost,
4814 tvb, offset, length, ENC_BIG_ENDIAN);
4816 case (NTOP_BASE + 158): /* RTP_OUT_PAYLOAD_TYPE */
4817 case ((VENDOR_NTOP << 16) | 158): /* RTP_OUT_PAYLOAD_TYPE */
4818 ti = proto_tree_add_item(pdutree, hf_pie_ntop_rtp_out_payload_type,
4819 tvb, offset, length, ENC_BIG_ENDIAN);
4821 case (NTOP_BASE + 159): /* RTP_IN_MAX_DELTA */
4822 case ((VENDOR_NTOP << 16) | 159): /* RTP_IN_MAX_DELTA */
4823 ti = proto_tree_add_item(pdutree, hf_pie_ntop_rtp_in_max_delta,
4824 tvb, offset, length, ENC_BIG_ENDIAN);
4826 case (NTOP_BASE + 160): /* RTP_OUT_MAX_DELTA */
4827 case ((VENDOR_NTOP << 16) | 160): /* RTP_OUT_MAX_DELTA */
4828 ti = proto_tree_add_item(pdutree, hf_pie_ntop_rtp_out_max_delta,
4829 tvb, offset, length, ENC_BIG_ENDIAN);
4831 case (NTOP_BASE + 168): /* PROC_ID */
4832 case ((VENDOR_NTOP << 16) | 168): /* PROC_ID */
4833 ti = proto_tree_add_item(pdutree, hf_pie_ntop_proc_id,
4834 tvb, offset, length, ENC_BIG_ENDIAN);
4836 case (NTOP_BASE + 169): /* PROC_NAME */
4837 case ((VENDOR_NTOP << 16) | 169): /* PROC_NAME */
4838 ti = proto_tree_add_item(pdutree, hf_pie_ntop_proc_name,
4839 tvb, offset, length, ENC_ASCII|ENC_NA);
4841 case (NTOP_BASE + 180): /* HTTP_URL */
4842 case ((VENDOR_NTOP << 16) | 180): /* HTTP_URL */
4843 gen_str = tvb_format_text(tvb, offset, length);
4844 ti = proto_tree_add_string(pdutree, hf_pie_ntop_http_url,
4845 tvb, offset, length, gen_str);
4847 case (NTOP_BASE + 181): /* HTTP_RET_CODE */
4848 case ((VENDOR_NTOP << 16) | 181): /* HTTP_RET_CODE */
4849 ti = proto_tree_add_item(pdutree, hf_pie_ntop_http_ret_code,
4850 tvb, offset, length, ENC_BIG_ENDIAN);
4854 case (NTOP_BASE + 182): /* HTTP_REFERER */
4855 case ((VENDOR_NTOP << 16) | 182): /* HTTP_REFERER */
4857 case (NTOP_BASE + 183): /* HTTP_UA */
4858 case ((VENDOR_NTOP << 16) | 183): /* HTTP_UA */
4860 case (NTOP_BASE + 184): /* HTTP_MIME */
4861 case ((VENDOR_NTOP << 16) | 184): /* HTTP_MIME */
4864 case (NTOP_BASE + 185): /* SMTP_MAIL_FROM */
4865 case ((VENDOR_NTOP << 16) | 185): /* SMTP_MAIL_FROM */
4866 gen_str = tvb_format_text(tvb, offset, length);
4867 ti = proto_tree_add_string(pdutree, hf_pie_ntop_smtp_mail_from,
4868 tvb, offset, length, gen_str);
4870 case (NTOP_BASE + 186): /* SMTP_RCPT_TO */
4871 case ((VENDOR_NTOP << 16) | 186): /* SMTP_RCPT_TO */
4872 gen_str = tvb_format_text(tvb, offset, length);
4873 ti = proto_tree_add_string(pdutree, hf_pie_ntop_smtp_rcpt_to,
4874 tvb, offset, length, gen_str);
4877 case (NTOP_BASE + 190): /* FLOW_ID */
4878 case ((VENDOR_NTOP << 16) | 190): /* FLOW_ID */
4879 ti = proto_tree_add_item(pdutree, hf_cflow_flow_id,
4880 tvb, offset, length, ENC_BIG_ENDIAN);
4883 case (NTOP_BASE + 195): /* MYSQL_SERVER_VERSION */
4884 case ((VENDOR_NTOP << 16) | 195): /* MYSQL_SERVER_VERSION */
4885 gen_str = tvb_format_text(tvb, offset, length);
4886 ti = proto_tree_add_string(pdutree, hf_pie_ntop_mysql_server_version,
4887 tvb, offset, length, gen_str);
4889 case (NTOP_BASE + 196): /* MYSQL_USERNAME */
4890 case ((VENDOR_NTOP << 16) | 196): /* MYSQL_USERNAME */
4891 gen_str = tvb_format_text(tvb, offset, length);
4892 ti = proto_tree_add_string(pdutree, hf_pie_ntop_mysql_username,
4893 tvb, offset, length, gen_str);
4895 case (NTOP_BASE + 197): /* MYSQL_DB */
4896 case ((VENDOR_NTOP << 16) | 197): /* MYSQL_DB */
4897 gen_str = tvb_format_text(tvb, offset, length);
4898 ti = proto_tree_add_string(pdutree, hf_pie_ntop_mysql_db,
4899 tvb, offset, length, gen_str);
4901 case (NTOP_BASE + 198): /* MYSQL_QUERY */
4902 case ((VENDOR_NTOP << 16) | 198): /* MYSQL_QUERY */
4903 gen_str = tvb_format_text(tvb, offset, length);
4904 ti = proto_tree_add_string(pdutree, hf_pie_ntop_mysql_query,
4905 tvb, offset, length, gen_str);
4907 case (NTOP_BASE + 199): /* MYSQL_RESPONSE */
4908 case ((VENDOR_NTOP << 16) | 199): /* MYSQL_RESPONSE */
4909 ti = proto_tree_add_item(pdutree, hf_pie_ntop_mysql_response,
4910 tvb, offset, length, ENC_BIG_ENDIAN);
4916 /* START Plixer International */
4917 case ((VENDOR_PLIXER << 16) | 100): /* client_ip_v4 */
4918 ti = proto_tree_add_item(pdutree, hf_pie_plixer_client_ip_v4,
4919 tvb, offset, length, ENC_BIG_ENDIAN);
4921 case ((VENDOR_PLIXER << 16) | 101): /* client_hostname */
4922 gen_str = tvb_format_text(tvb, offset, length);
4923 ti = proto_tree_add_string(pdutree, hf_pie_plixer_client_hostname,
4924 tvb, offset, length, gen_str);
4926 case ((VENDOR_PLIXER << 16) | 102): /* partner_name */
4927 gen_str = tvb_format_text(tvb, offset, length);
4928 ti = proto_tree_add_string(pdutree, hf_pie_plixer_partner_name,
4929 tvb, offset, length, gen_str);
4931 case ((VENDOR_PLIXER << 16) | 103): /* server_hostname */
4932 gen_str = tvb_format_text(tvb, offset, length);
4933 ti = proto_tree_add_string(pdutree, hf_pie_plixer_server_hostname,
4934 tvb, offset, length, gen_str);
4936 case ((VENDOR_PLIXER << 16) | 104): /* server_ip_v4 */
4937 ti = proto_tree_add_item(pdutree, hf_pie_plixer_server_ip_v4,
4938 tvb, offset, length, ENC_BIG_ENDIAN);
4940 case ((VENDOR_PLIXER << 16) | 105): /* recipient_address */
4941 gen_str = tvb_format_text(tvb, offset, length);
4942 ti = proto_tree_add_string(pdutree, hf_pie_plixer_recipient_address,
4943 tvb, offset, length, gen_str);
4945 case ((VENDOR_PLIXER << 16) | 106): /* event_id */
4946 ti = proto_tree_add_item(pdutree, hf_pie_plixer_event_id,
4947 tvb, offset, length, ENC_BIG_ENDIAN);
4949 case ((VENDOR_PLIXER << 16) | 107): /* msgid */
4950 gen_str = tvb_format_text(tvb, offset, length);
4951 ti = proto_tree_add_string(pdutree, hf_pie_plixer_msgid,
4952 tvb, offset, length, gen_str);
4954 case ((VENDOR_PLIXER << 16) | 108): /* priority */
4955 ti = proto_tree_add_item(pdutree, hf_pie_plixer_priority,
4956 tvb, offset, length, ENC_BIG_ENDIAN);
4958 case ((VENDOR_PLIXER << 16) | 109): /* recipient_report_status */
4959 ti = proto_tree_add_item(pdutree, hf_pie_plixer_recipient_report_status,
4960 tvb, offset, length, ENC_BIG_ENDIAN);
4962 case ((VENDOR_PLIXER << 16) | 110): /* number_recipients */
4963 ti = proto_tree_add_item(pdutree, hf_pie_plixer_number_recipients,
4964 tvb, offset, length, ENC_BIG_ENDIAN);
4966 case ((VENDOR_PLIXER << 16) | 111): /* origination_time */
4967 ti = proto_tree_add_item(pdutree, hf_pie_plixer_origination_time,
4968 tvb, offset, length, ENC_TIME_TIMESPEC|ENC_BIG_ENDIAN);
4970 case ((VENDOR_PLIXER << 16) | 112): /* encryption */
4971 ti = proto_tree_add_item(pdutree, hf_pie_plixer_encryption,
4972 tvb, offset, length, ENC_BIG_ENDIAN);
4974 case ((VENDOR_PLIXER << 16) | 113): /* service_version */
4975 gen_str = tvb_format_text(tvb, offset, length);
4976 ti = proto_tree_add_string(pdutree, hf_pie_plixer_service_version,
4977 tvb, offset, length, gen_str);
4979 case ((VENDOR_PLIXER << 16) | 114): /* linked_msgid */
4980 gen_str = tvb_format_text(tvb, offset, length);
4981 ti = proto_tree_add_string(pdutree, hf_pie_plixer_linked_msgid,
4982 tvb, offset, length, gen_str);
4984 case ((VENDOR_PLIXER << 16) | 115): /* message_subject */
4985 gen_str = tvb_format_text(tvb, offset, length);
4986 ti = proto_tree_add_string(pdutree, hf_pie_plixer_message_subject,
4987 tvb, offset, length, gen_str);
4989 case ((VENDOR_PLIXER << 16) | 116): /* sender_address */
4990 gen_str = tvb_format_text(tvb, offset, length);
4991 ti = proto_tree_add_string(pdutree, hf_pie_plixer_sender_address,
4992 tvb, offset, length, gen_str);
4994 case ((VENDOR_PLIXER << 16) | 117): /* date_time */
4995 ti = proto_tree_add_item(pdutree, hf_pie_plixer_date_time,
4996 tvb, offset, length, ENC_TIME_TIMESPEC|ENC_BIG_ENDIAN);
4998 /* END Plixer International */
5000 default: /* Unknown Field ID */
5001 if ((hdrinfo->vspec == 9) || (pen == REVPEN)) {
5002 ti = proto_tree_add_bytes_format_value(pdutree, hf_cflow_unknown_field_type,
5003 tvb, offset, length, NULL,
5004 "Type %u: Value (hex bytes): %s",
5006 tvb_bytes_to_str_punct(tvb, offset, length, ' '));
5007 } else { /* v10 PEN */
5008 ti = proto_tree_add_bytes_format_value(pdutree, hf_ipfix_enterprise_private_entry,
5009 tvb, offset, length, NULL,
5010 "(%s) Type %u: Value (hex bytes): %s",
5011 pen_str ? pen_str : "(null)",
5013 tvb_bytes_to_str_punct(tvb, offset, length, ' '));
5017 } /* switch (pen_type) */
5019 if (ti && (vstr_len != 0)) {
5020 /* XXX: ugh: not very pretty: how to show/highlight actual length bytes ?? */
5021 /* YYY: added the length in a tree. Not sure if this is best. */
5022 proto_item_append_text(ti, " (Variable Length)");
5023 PROTO_ITEM_SET_GENERATED(ti);
5024 string_tree = proto_item_add_subtree(ti, ett_str_len);
5025 proto_tree_add_uint(string_tree, hf_string_len_short, tvb,
5026 gen_str_offset-vstr_len, 1, string_len_short);
5027 if (vstr_len == 3) {
5028 proto_tree_add_uint(string_tree, hf_string_len_long, tvb,
5029 gen_str_offset-2, 2, string_len_long);
5036 if (ti && (pen == REVPEN)) {
5037 /* XXX: why showing type ? type not shown if not reverse */
5038 proto_item_append_text(ti, " (Reverse Type %u %s)",
5040 val_to_str_ext_const(masked_type, &v9_v10_template_types_ext,"Unknown"));
5044 } /* for (i=0; i < count; i++) */
5046 /* If only "start" or "end" time, show it here */
5047 /* XXX: length is actually 8 if millisec, microsec, nanosec time */
5048 for (i = 0; i < 2; i++) {
5049 if (!(offset_s[i] && offset_e[i])) {
5051 if (msec_start[i]) {
5052 proto_tree_add_time(pdutree, hf_cflow_timestart, tvb,
5053 offset_s[i], 4, &ts_start[i]);
5055 proto_tree_add_time(pdutree, hf_cflow_abstimestart, tvb,
5056 offset_s[i], 4, &ts_start[i]);
5061 proto_tree_add_time(pdutree, hf_cflow_timeend, tvb,
5062 offset_e[i], 4, &ts_end[i]);
5064 proto_tree_add_time(pdutree, hf_cflow_abstimeend, tvb,
5065 offset_s[i], 4, &ts_start[i]);
5071 /* XXX - These IDs are currently hard-coded in procflow.py. */
5072 if (got_flags == GOT_TCP_UDP && (tplt->id == 256 || tplt->id == 258)) {
5073 add_tcp_process_info(pinfo->fd->num, &local_addr, &remote_addr, local_port, remote_port, uid, pid, uname_str, cmd_str);
5075 if (got_flags == GOT_TCP_UDP && (tplt->id == 257 || tplt->id == 259)) {
5076 add_udp_process_info(pinfo->fd->num, &local_addr, &remote_addr, local_port, remote_port, uid, pid, uname_str, cmd_str);
5079 return (guint) (offset - orig_offset);
5083 /* --- Dissect Template ---*/
5084 /* Template Fields Dissection */
/* Header-field handles for a template field's "Type" item.  The v9 list is
 * indexed by the kind of field list being dissected (TF_SCOPES / TF_ENTRIES). */
5085 static const int *v9_template_type_hf_list[TF_NUM] = {
5086 &hf_cflow_template_scope_field_type, /* scope */
5087 &hf_cflow_template_field_type}; /* entry */
/* The IPFIX list is indexed the same way and, for known enterprise numbers,
 * by the index that pen_to_type_hf_list() returns; it is always used together
 * with v10_template_type_vse_list at the same index, so the two must stay
 * parallel. */
5088 static const int *v10_template_type_hf_list[TF_NUM_EXT] = {
5089 &hf_cflow_template_ipfix_field_type, /* scope */
5090 &hf_cflow_template_ipfix_field_type,
5091 &hf_cflow_template_plixer_field_type,
5092 &hf_cflow_template_ntop_field_type,
/* Value-string tables used to name the field type, indexed like the
 * header-field lists above. */
5095 static value_string_ext *v9_template_type_vse_list[TF_NUM] = {
5096 &v9_scope_field_types_ext, /* scope */
5097 &v9_v10_template_types_ext }; /* entry */
5098 static value_string_ext *v10_template_type_vse_list[TF_NUM_EXT] = {
5099 &v9_v10_template_types_ext, /* scope */
5100 &v9_v10_template_types_ext, /* entry */
5101 &v10_template_types_plixer_ext,
5102 &v10_template_types_ntop_ext,
/*
 * Dissect the field specifiers of one template (NetFlow v9 or IPFIX).
 *
 * Walks tplt->field_count[fields_type] specifiers starting at 'offset'.  Each
 * one carries a 16-bit type and a 16-bit length; an IPFIX specifier with the
 * enterprise bit (0x8000) set also carries a 32-bit Private Enterprise Number.
 * Every value is read from the packet and is therefore untrusted.  When
 * tplt->fields[fields_type] has been allocated by the caller, the specifier is
 * also recorded there for later data-record dissection.
 *
 * fields_type must be TF_SCOPES or TF_ENTRIES (asserted below).
 * NOTE(review): the return statement is not visible in this listing; both
 * callers assign the result to their running offset, so it presumably returns
 * the offset just past the last specifier - confirm.
 */
5106 dissect_v9_v10_template_fields(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tplt_tree, int offset,
5108 struct v9_v10_template *tplt,
5109 v9_v10_template_fields_type_t fields_type)
5115 DISSECTOR_ASSERT((fields_type==TF_SCOPES) || (fields_type==TF_ENTRIES));
5117 ver = hdrinfo->vspec;
5118 DISSECTOR_ASSERT((ver==9) || (ver==10));
/* The count was taken from the template header by the caller, which also
 * sized tplt->fields[fields_type] with the same value. */
5120 count = tplt->field_count[fields_type];
5121 for(i=0; i<count; i++) {
5125 const gchar *pen_str;
5126 proto_tree *field_tree;
5127 proto_item *field_item;
5132 type = tvb_get_ntohs(tvb, offset);
5133 length = tvb_get_ntohs(tvb,offset+2); /* XXX: 0 length should not be allowed ? exception: "ScopeSystem" */
5134 if ((ver == 10) && (type & 0x8000)) { /* IPFIX only */
5135 pen = tvb_get_ntohl(tvb,offset+4);
5136 pen_str = val_to_str_ext_const(pen, &sminmpec_values_ext, "(Unknown)");
/* fields[] stays NULL when the caller decided not to cache this template;
 * the specifier is then only displayed, not stored. */
5139 if (tplt->fields[fields_type] != NULL) {
5140 DISSECTOR_ASSERT (i < count);
5141 tplt->fields[fields_type][i].type = type;
5142 tplt->fields[fields_type][i].length = length;
5143 tplt->fields[fields_type][i].pen = pen;
5144 tplt->fields[fields_type][i].pen_str = pen_str;
/* NOTE(review): tplt->length sums wire-supplied 16-bit lengths; its declared
 * width is not visible here - confirm it cannot wrap at the largest field
 * count that is accepted. */
5145 if (length != VARIABLE_LENGTH) { /* Don't include "variable length" in the total */
5146 tplt->length += length;
/* The item covers 4 bytes (type + length), plus 4 more when a PEN follows. */
5150 field_item = proto_tree_add_text(tplt_tree, tvb, offset, 4+((pen_str!=NULL)?4:0), "Field (%u/%u)", i+1, count);
5151 field_tree = proto_item_add_subtree(field_item, ett_field);
5152 if (fields_type == TF_SCOPES) {
5153 proto_item_append_text(field_item, " [Scope]");
5156 if (ver == 9) { /* v9 */
5157 proto_tree_add_item(field_tree, *v9_template_type_hf_list[fields_type],
5158 tvb, offset, 2, ENC_BIG_ENDIAN);
5159 proto_item_append_text(field_item, ": %s",
5160 val_to_str_ext(type, v9_template_type_vse_list[fields_type], "Unknown(%d)"));
5162 proto_tree_add_item(field_tree, hf_cflow_template_ipfix_pen_provided,
5163 tvb, offset, 2, ENC_BIG_ENDIAN);
/* IANA-registered element, or the reverse-direction PEN: name the type with
 * the enterprise bit masked off. */
5164 if ( !(type & 0x8000) || (pen == REVPEN)) {
5166 rp_ti = proto_tree_add_item(field_tree, *v10_template_type_hf_list[fields_type],
5167 tvb, offset, 2, ENC_BIG_ENDIAN);
5168 proto_item_append_text(field_item, ": %s",
5169 val_to_str_ext(type&0x7fff, v10_template_type_vse_list[fields_type], "Unknown(%d)"));
5170 if (pen == REVPEN) {
5171 proto_item_append_text(rp_ti, " [Reverse]");
5172 proto_item_append_text(field_item, " [Reverse]");
/* Enterprise-specific element: use the vendor's own tables when the PEN is
 * one this dissector knows, otherwise show the raw type number and PEN name. */
5175 int fields_type_pen = pen_to_type_hf_list(pen);
5176 if (fields_type_pen != TF_NO_VENDOR_INFO) {
5177 proto_tree_add_item(field_tree, *v10_template_type_hf_list[fields_type_pen],
5178 tvb, offset, 2, ENC_BIG_ENDIAN);
5179 proto_item_append_text(field_item, ": %s",
5180 val_to_str_ext(type&0x7fff, v10_template_type_vse_list[fields_type_pen], "Unknown(%d)"));
5181 } else { /* Private Enterprise */
/* NOTE(review): pen_str is passed to "%s" here; this branch appears to be
 * reached only when the enterprise bit is set (the condition under which
 * pen_str is assigned above) - confirm against the unabridged source. */
5183 pen_ti = proto_tree_add_item(field_tree, hf_cflow_template_ipfix_field_type_enterprise,
5184 tvb, offset, 2, ENC_BIG_ENDIAN);
5185 proto_item_append_text(pen_ti, " [pen: %s]", pen_str);
5186 proto_item_append_text(field_item, ": %3u [pen: %s]", type&0x7fff, pen_str);
5193 ti = proto_tree_add_item(field_tree, hf_cflow_template_field_length, tvb,
5194 offset, 2, ENC_BIG_ENDIAN);
5195 if (length == VARIABLE_LENGTH) {
5196 proto_item_append_text(ti, " [i.e.: \"Variable Length\"]");
5200 /* Private Enterprise Number (IPFIX only) */
5201 if ((ver == 10) && (type & 0x8000)) {
5202 proto_tree_add_uint_format_value(field_tree, hf_cflow_template_ipfix_field_pen, tvb, offset, 4,
5203 pen, "%s (%u)", pen_str, pen);
5210 /* Options Template Dissection */
/*
 * Dissect the Options Templates of one flowset and cache each of them.
 *
 * Loops while more than 3 bytes remain (fewer are treated as padding).  For
 * each template it reads the template id and the scope/option field counts
 * (v9 sends byte lengths, which are divided by 4; IPFIX sends a total count
 * and a scope count), dissects the scope fields and then the option fields,
 * and copies the template into its cache slot when field storage was
 * allocated.  All counts come from the packet and are untrusted.
 */
5212 dissect_v9_v10_options_template(tvbuff_t *tvb, packet_info *pinfo, proto_tree *pdutree, int offset, int length,
5213 hdrinfo_t *hdrinfo, guint16 flowset_id)
5218 while (remaining > 3) { /* allow for padding */
5219 struct v9_v10_template *tmplt_cache_p;
5220 struct v9_v10_template tplt;
5221 proto_tree *tplt_tree;
5222 proto_item *tplt_item;
5225 guint16 option_scope_field_count;
5226 guint16 option_field_count;
5229 orig_offset = offset;
5231 id = tvb_get_ntohs(tvb, offset);
5233 tplt_item = proto_tree_add_text(pdutree, tvb, offset, -1, "Options Template (Id = %u)", id);
5234 tplt_tree = proto_item_add_subtree(tplt_item, ett_template);
5236 proto_tree_add_item(tplt_tree, hf_cflow_template_id, tvb, offset, 2, ENC_BIG_ENDIAN);
5239 if (flowset_id == FLOWSET_ID_V9_OPTIONS_TEMPLATE) { /* V9 */
5240 /* Note: v9: field_count = fields_byte_length/4 since each entry is 4 bytes */
5241 /* XXX: validate byte_length is a multiple of 4 ? */
5242 option_scope_field_count = tvb_get_ntohs(tvb, offset)/4;
5243 proto_tree_add_item(tplt_tree,
5244 hf_cflow_option_scope_length,
5245 tvb, offset, 2, ENC_BIG_ENDIAN);
5248 option_field_count = tvb_get_ntohs(tvb, offset)/4;
5249 ti = proto_tree_add_item(tplt_tree,
5250 hf_cflow_option_length,
5251 tvb, offset, 2, ENC_BIG_ENDIAN);
5253 } else { /* IPFIX (V10) */
5254 guint16 option_total_field_count;
5256 option_total_field_count = tvb_get_ntohs(tvb, offset);
5257 proto_tree_add_item(tplt_tree,
5258 hf_cflow_template_ipfix_total_field_count,
5259 tvb, offset, 2, ENC_BIG_ENDIAN);
5262 option_scope_field_count = tvb_get_ntohs(tvb, offset);
5263 ti = proto_tree_add_item(tplt_tree,
5264 hf_cflow_template_ipfix_scope_field_count,
5265 tvb, offset, 2, ENC_BIG_ENDIAN);
/* NOTE(review): both operands are guint16 values from the packet, so when the
 * scope count exceeds the total count the result wraps to a large value.  The
 * check below only adds an expert warning; no visible line resets
 * option_field_count, and the v9template_max_fields test further down is
 * skipped when that preference is 0.  Confirm that a wrapped count cannot
 * reach the se_alloc0() sizing and the field loop. */
5268 option_field_count = option_total_field_count - option_scope_field_count;
5270 if (option_scope_field_count == 0) {
5271 expert_add_info_format(pinfo, ti, PI_MALFORMED, PI_WARN,
5275 if (option_scope_field_count > option_total_field_count) {
5276 expert_add_info_format(pinfo, ti, PI_MALFORMED, PI_WARN,
5277 "More scope fields (%u) than fields (%u)",
5278 option_scope_field_count, option_total_field_count);
5283 proto_item_append_text(tplt_item, " (Scope Count = %u; Data Count = %u)", option_scope_field_count, option_field_count);
/* 6 header bytes plus 4 bytes per field specifier. */
5284 proto_item_set_len(tplt_item, 6 +4*(option_scope_field_count+option_field_count));
/* A v9template_max_fields preference of 0 disables both limit checks. */
5286 if (v9template_max_fields &&
5287 (option_field_count > v9template_max_fields)) {
5288 expert_add_info_format(pinfo, ti, PI_UNDECODED, PI_NOTE,
5289 "More options (%u) than we can handle. Maximum value can be adjusted in the protocol preferences.",
5290 option_field_count);
5293 if (v9template_max_fields &&
5294 (option_scope_field_count > v9template_max_fields)) {
5295 expert_add_info_format(pinfo, ti, PI_UNDECODED, PI_NOTE,
5296 "More scopes (%u) than we can handle [template won't be used]. Maximum value can be adjusted in the protocol preferences.",
5297 option_scope_field_count);
5300 /* Cache template */
5301 memset(&tplt, 0, sizeof(tplt));
5304 SE_COPY_ADDRESS(&tplt.source_addr, &hdrinfo->net_src);
5305 tplt.source_id = hdrinfo->src_id;
5307 tplt.field_count[TF_SCOPES] = option_scope_field_count;
5308 tplt.field_count[TF_ENTRIES] = option_field_count;
5309 tplt.template_exists = TRUE;
5311 /* If an entry for this hash already exists (whether or not actually for this id, ...) */
5312 /* then after the 'do {} while' tplt.fields[TF_SCOPES] and tplt.fields[TF_ENTRIES] will */
5313 /* be NULL (no memory will have been allocated) and thus this template will not be cached */
5314 /* after dissection. */
5315 /* ToDo: expert warning if replacement/collision and new template ignored. */
5316 /* XXX: Is an Options template with only scope fields allowed for V9 ?? */
5318 tmplt_cache_p = v9_v10_template_cache_addr(tplt.id, &tplt.source_addr, tplt.source_id);
5319 if (!pinfo->fd->flags.visited) { /* cache template info only during first pass */
5321 if ((option_scope_field_count == 0) ||
5322 (v9template_max_fields &&
5323 ((option_scope_field_count > v9template_max_fields)
5324 || (option_field_count > v9template_max_fields)))) {
5325 break; /* Don't allow cache of this template */
/* First writer wins: an occupied slot is never replaced, so a later template
 * that hashes to the same slot (duplicate, changed, or from another exporter)
 * is displayed but not used for decoding data records. */
5327 if (tmplt_cache_p->template_exists) {
5328 /* Entry for this hash already exists; Can be dup or collision. */
5329 /* ToDo: use GHashTable so no collisions. */
5330 /* ToDo: Test for changed template ? */
5331 break; /* Don't allow cache of this template */
/* Allocation sizes are driven directly by the wire-supplied counts. */
5333 tplt.fields[TF_SCOPES] = se_alloc0(option_scope_field_count *sizeof(struct v9_v10_template_entry));
5334 tplt.fields[TF_ENTRIES] = se_alloc0(option_field_count *sizeof(struct v9_v10_template_entry));
5339 offset = dissect_v9_v10_template_fields(tvb, pinfo, tplt_tree, offset,
5340 hdrinfo, &tplt, TF_SCOPES);
5342 offset = dissect_v9_v10_template_fields(tvb, pinfo, tplt_tree, offset,
5343 hdrinfo, &tplt, TF_ENTRIES);
/* Publish the template only if field storage was allocated above. */
5345 if (tplt.fields[TF_SCOPES] || tplt.fields[TF_ENTRIES]) {
5346 memcpy(tmplt_cache_p, &tplt, sizeof(tplt));
5349 remaining -= offset - orig_offset;
5352 flow_process_textfield(pdutree, tvb, offset, remaining, "[Padding]");
5357 /* Data Template Dissection */
/*
 * Dissect the Data Templates of one flowset and cache each of them.
 *
 * Loops while more than 3 bytes remain (fewer are treated as padding).  Each
 * template starts with a 16-bit id and a 16-bit field count, followed by that
 * many field specifiers, which dissect_v9_v10_template_fields() decodes.  The
 * template is copied into its cache slot when field storage was allocated.
 * The id and the count come from the packet and are untrusted.
 */
5359 dissect_v9_v10_data_template(tvbuff_t *tvb, packet_info *pinfo, proto_tree *pdutree, int offset, int length,
5360 hdrinfo_t *hdrinfo, guint16 flowset_id _U_)
5365 while (remaining > 3) { /* allow for padding */
5366 struct v9_v10_template *tmplt_cache_p;
5367 struct v9_v10_template tplt;
5368 proto_tree *tplt_tree;
5369 proto_item *tplt_item;
5375 orig_offset = offset;
5376 id = tvb_get_ntohs(tvb, offset);
5377 count = tvb_get_ntohs(tvb, offset + 2);
5379 tplt_item = proto_tree_add_text(pdutree, tvb, offset,
5380 4 + 4 * count /* header size + count * 2 * sizeof(guint16) */,
5381 "Template (Id = %u, Count = %u)", id, count);
5382 tplt_tree = proto_item_add_subtree(tplt_item, ett_template);
5384 proto_tree_add_item(tplt_tree, hf_cflow_template_id, tvb,
5385 offset, 2, ENC_BIG_ENDIAN);
5388 ti = proto_tree_add_item(tplt_tree, hf_cflow_template_field_count,
5389 tvb, offset, 2, ENC_BIG_ENDIAN);
/* A v9template_max_fields preference of 0 disables this limit; the only bound
 * on count is then the 16-bit width of the wire field. */
5392 if (v9template_max_fields && (count > v9template_max_fields)) {
5393 expert_add_info_format(pinfo, ti, PI_UNDECODED, PI_NOTE,
5394 "More entries (%u) than we can handle [template won't be used]."
5395 " Maximum value can be adjusted in the protocol preferences.",
5399 /* Cache template */
5400 memset(&tplt, 0, sizeof(tplt));
5403 SE_COPY_ADDRESS(&tplt.source_addr, &hdrinfo->net_src);
5404 tplt.source_id = hdrinfo->src_id;
5405 tplt.field_count[TF_ENTRIES] = count;
5406 tplt.template_exists = TRUE;
5408 /* If an entry for this hash already exists (whether or not actually for this id, ...) */
5409 /* then after the 'do {} while' tplt.fields[TF_ENTRIES] will be NULL (no memory will have */
5410 /* been allocated) and thus this template will not be cached. */
5411 /* ToDo: expert warning if replacement/collision and new template ignored. */
5413 tmplt_cache_p = v9_v10_template_cache_addr(tplt.id, &tplt.source_addr, tplt.source_id);
5414 if (!pinfo->fd->flags.visited) { /* cache template info only during first pass */
5417 (v9template_max_fields && (count > v9template_max_fields))) {
5418 break; /* Don't allow cache of this template */
/* First writer wins: an occupied slot is never replaced, so a later template
 * that hashes to the same slot is displayed but not used for decoding. */
5420 if (tmplt_cache_p->template_exists) {
5421 /* Entry for this hash already exists; Can be dup or collision. */
5422 /* ToDo: use GHashTable so no collisions. */
5423 /* ToDo: Test for changed template ? */
5424 break; /* Don't allow cache of this template */
/* The allocation size is driven directly by the wire-supplied count. */
5426 tplt.fields[TF_ENTRIES] = se_alloc0(count * sizeof(struct v9_v10_template_entry));
5430 offset = dissect_v9_v10_template_fields(tvb, pinfo, tplt_tree, offset,
5431 hdrinfo, &tplt, TF_ENTRIES);
/* Publish the template only if field storage was allocated above. */
5433 if (tplt.fields[TF_ENTRIES]) {
5434 memcpy(tmplt_cache_p, &tplt, sizeof(tplt));
5436 remaining -= offset - orig_offset;
5439 flow_process_textfield(pdutree, tvb, offset, remaining, "[Padding]");
/*
 * Compute the template-cache slot index for a template.
 *
 * Sums the exporter address four bytes at a time, adds src_id and reduces the
 * result modulo V9_V10_TEMPLATE_CACHE_MAX_ENTRIES.
 * NOTE(review): how 'id' enters the sum is not visible in this listing.
 * The hash is a plain unkeyed sum, so unrelated templates can share a slot;
 * the cache copes by refusing to overwrite an occupied slot and by
 * re-checking the source address and source id on lookup.
 */
5446 v9_v10_template_hash(guint16 id, const address *net_src, guint32 src_id)
5454 p = (guint8 *)(net_src->data);
5458 switch (net_src->type) {
5470 for (i=0; i < cnt; i++) {
/* memcpy rather than a pointer cast, so no aligned 32-bit read of p is needed. */
5471 memcpy((guint8 *)&temp, p, 4);
5472 val += GUINT32_TO_LE(temp); /* Use *reverse* of each 4 bytes of IP address when */
5473 /* calculating the hash on both BE and LE machines. */
5474 /* EG: hash of IP address 1.2.3.4 will be 0x04030201 */
5475 /* (Note that we'll get the right result on a LE */
5476 /* machine since the IP address is stored in */
5477 /* network order and GUINT32_TO_LE is a no-op. On */
5478 /* a BE machine GUINT32_TO_LE will swap the bytes. */
5482 val = (val + src_id) % V9_V10_TEMPLATE_CACHE_MAX_ENTRIES;
/*
 * Return the address of the template-cache slot that (id, net_src, src_id)
 * hashes to.  The slot is selected by hash alone: this function does not
 * check that the slot is occupied or that its contents belong to the
 * requested template, so callers must verify that themselves.
 */
static struct v9_v10_template *
v9_v10_template_cache_addr(guint16 id, address *net_src, guint32 src_id)
{
    return v9_v10_template_cache + v9_v10_template_hash(id, net_src, src_id);
}
/*
 * Look up a cached template for (id, net_src, src_id).
 *
 * The slot is chosen by hash only, so its contents are validated before use:
 * the entry is rejected unless it is marked as existing and was learned from
 * the same exporter address and source id.
 * NOTE(review): the comparison of the template id and the value returned on
 * a mismatch are not visible in this listing - confirm.
 */
5494 static struct v9_v10_template *
5495 v9_v10_template_get(guint16 id, address *net_src, guint32 src_id)
5497 struct v9_v10_template *tplt;
5499 tplt = v9_v10_template_cache_addr(id, net_src, src_id);
5501 if ((tplt->template_exists != TRUE) ||
5503 !ADDRESSES_EQUAL(&tplt->source_addr, net_src) ||
5504 (tplt->source_id != src_id)) {
5512 * dissect a version 1, 5, or 7 pdu and return the length of the pdu we
/*
 * Dissect one fixed-layout flow record (see the comment above: version 1, 5
 * or 7) starting at 'offset' and return the number of bytes consumed
 * (offset - startoffset).  The leading fields are common to all of these
 * versions; the remainder is selected by hdrinfo->vspec.
 */
5517 dissect_pdu(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *pdutree, int offset, hdrinfo_t *hdrinfo)
5519 proto_item *hidden_item;
5520 int startoffset = offset;
5521 guint32 srcaddr, dstaddr;
5526 memset(&ts, '\0', sizeof(ts));
5529 * memcpy so we can use the values later to calculate a prefix
5531 srcaddr = tvb_get_ipv4(tvb, offset);
5532 proto_tree_add_ipv4(pdutree, hf_cflow_srcaddr, tvb, offset, 4,
5536 dstaddr = tvb_get_ipv4(tvb, offset);
5537 proto_tree_add_ipv4(pdutree, hf_cflow_dstaddr, tvb, offset, 4,
5541 proto_tree_add_item(pdutree, hf_cflow_nexthop, tvb, offset, 4, ENC_NA);
5544 offset = flow_process_ints(pdutree, tvb, offset);
5545 offset = flow_process_sizecount(pdutree, tvb, offset);
5546 offset = flow_process_timeperiod(pdutree, tvb, offset);
5547 offset = flow_process_ports(pdutree, tvb, offset);
5550 * and the similarities end here
5553 ver = hdrinfo->vspec;
5557 flow_process_textfield(pdutree, tvb, offset, 2, "padding");
5559 proto_tree_add_item(pdutree, hf_cflow_prot, tvb, offset++, 1,
5562 proto_tree_add_item(pdutree, hf_cflow_tos, tvb, offset++, 1,
5565 proto_tree_add_item(pdutree, hf_cflow_tcpflags, tvb, offset++,
5569 flow_process_textfield(pdutree, tvb, offset, 3, "padding");
5572 flow_process_textfield(pdutree, tvb, offset, 4,
5577 flow_process_textfield(pdutree, tvb, offset, 1,
5580 proto_tree_add_item(pdutree, hf_cflow_flags, tvb,
5581 offset++, 1, ENC_NA);
5584 proto_tree_add_item(pdutree, hf_cflow_tcpflags, tvb, offset++,
5587 proto_tree_add_item(pdutree, hf_cflow_prot, tvb, offset++, 1,
5590 proto_tree_add_item(pdutree, hf_cflow_tos, tvb, offset++, 1,
5593 offset = flow_process_aspair(pdutree, tvb, offset);
/* mask is a single octet taken from the record and is passed to getprefix()
 * as the prefix length with no range check, so getprefix() must cope with 0
 * and with values above 32.  A zero mask is displayed as /32. */
5595 mask = tvb_get_guint8(tvb, offset);
5596 proto_tree_add_text(pdutree, tvb, offset, 1,
5597 "SrcMask: %u (prefix: %s/%u)",
5598 mask, getprefix(&srcaddr, mask),
5599 mask != 0 ? mask : 32);
/* The numeric mask is added as a hidden item; the text item above is the one
 * that is displayed. */
5600 hidden_item = proto_tree_add_uint(pdutree, hf_cflow_srcmask, tvb,
5602 PROTO_ITEM_SET_HIDDEN(hidden_item);
/* Same handling for the destination mask. */
5604 mask = tvb_get_guint8(tvb, offset);
5605 proto_tree_add_text(pdutree, tvb, offset, 1,
5606 "DstMask: %u (prefix: %s/%u)",
5607 mask, getprefix(&dstaddr, mask),
5608 mask != 0 ? mask : 32);
5609 hidden_item = proto_tree_add_uint(pdutree, hf_cflow_dstmask, tvb,
5611 PROTO_ITEM_SET_HIDDEN(hidden_item);
5614 flow_process_textfield(pdutree, tvb, offset, 2, "padding");
5617 proto_tree_add_item(pdutree, hf_cflow_routersc, tvb,
5623 return (offset - startoffset);
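/*
 * Format the network part of an IPv4 address as a dotted-quad string.
 *
 * addr   - IPv4 address; the mask is converted with g_htonl() before it is
 *          applied, so the address is expected in network byte order.
 * prefix - prefix length in bits.  Callers pass a mask octet read straight
 *          from the packet, so any value 0..255 can arrive here.
 *
 * Returns the string produced by ip_to_str() for the masked address.
 *
 * Only lengths 1..31 are applied as a mask.  Shifting a 32-bit value by 32
 * bits or by a negative count is undefined behaviour, which is what a prefix
 * of 0 or of more than 32 used to trigger.  Those values, like 32 itself,
 * now leave the address unmasked; for 0 this matches the callers, which
 * print a zero mask as "/32".
 */
static const gchar *
getprefix(const guint32 *addr, int prefix)
{
    guint32 gprefix = *addr;

    if ((prefix > 0) && (prefix < 32)) {
        gprefix &= g_htonl(0xffffffffU << (32 - prefix));
    }

    return (ip_to_str((const guint8 *)&gprefix));
}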
5636 /* Called whenever a preference is changed, a new capture is loaded, etc. */
5638 netflow_reinit(void)
5640 /* Clear out the template cache: zeroing every slot also clears its */
/* template_exists flag, so templates have to be learned again from the */
/* capture before data records that use them can be decoded. */
5641 memset(v9_v10_template_cache, 0, sizeof v9_v10_template_cache);
5645 proto_register_netflow(void)
5647 static hf_register_info hf[] = {
5652 {"Version", "cflow.version",
5653 FT_UINT16, BASE_DEC, NULL, 0x0,
5654 "NetFlow Version", HFILL}
5657 {"Length", "cflow.len",
5658 FT_UINT16, BASE_DEC, NULL, 0x0,
5659 "Length of PDUs", HFILL}
5662 {"Count", "cflow.count",
5663 FT_UINT16, BASE_DEC, NULL, 0x0,
5664 "Count of PDUs", HFILL}
5666 {&hf_cflow_sysuptime,
5667 {"SysUptime", "cflow.sysuptime",
5668 FT_UINT32, BASE_DEC, NULL, 0x0,
5669 "Time since router booted (in milliseconds)", HFILL}
5671 {&hf_cflow_exporttime,
5672 {"ExportTime", "cflow.exporttime",
5673 FT_UINT32, BASE_DEC, NULL, 0x0,
5674 "Time when the flow has been exported", HFILL}
5676 {&hf_cflow_timestamp,
5677 {"Timestamp", "cflow.timestamp",
5678 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
5679 "Current seconds since epoch", HFILL}
5681 {&hf_cflow_unix_secs,
5682 {"CurrentSecs", "cflow.unix_secs",
5683 FT_UINT32, BASE_DEC, NULL, 0x0,
5684 "Current seconds since epoch", HFILL}
5686 {&hf_cflow_unix_nsecs,
5687 {"CurrentNSecs", "cflow.unix_nsecs",
5688 FT_UINT32, BASE_DEC, NULL, 0x0,
5689 "Residual nanoseconds since epoch", HFILL}
5691 {&hf_cflow_samplingmode,
5692 {"SamplingMode", "cflow.samplingmode",
5693 FT_UINT16, BASE_DEC, VALS(v5_sampling_mode), 0xC000,
5694 "Sampling Mode of exporter", HFILL}
5696 {&hf_cflow_samplerate,
5697 {"SampleRate", "cflow.samplerate",
5698 FT_UINT16, BASE_DEC, NULL, 0x3FFF,
5699 "Sample Frequency of exporter", HFILL}
5703 * end version-agnostic header
5704 * version-specific flow header
5706 {&hf_cflow_sequence,
5707 {"FlowSequence", "cflow.sequence",
5708 FT_UINT32, BASE_DEC, NULL, 0x0,
5709 "Sequence number of flows seen", HFILL}
5711 {&hf_cflow_engine_type,
5712 {"EngineType", "cflow.engine_type",
5713 FT_UINT8, BASE_DEC, VALS(engine_type), 0x0,
5714 "Flow switching engine type", HFILL}
5716 {&hf_cflow_engine_id,
5717 {"EngineId", "cflow.engine_id",
5718 FT_UINT8, BASE_DEC, NULL, 0x0,
5719 "Slot number of switching engine", HFILL}
5721 {&hf_cflow_source_id,
5722 {"SourceId", "cflow.source_id",
5723 FT_UINT32, BASE_DEC, NULL, 0x0,
5724 "Identifier for export device", HFILL}
5726 {&hf_cflow_aggmethod,
5727 {"AggMethod", "cflow.aggmethod",
5728 FT_UINT8, BASE_DEC|BASE_EXT_STRING, &v8_agg_ext, 0x0,
5729 "CFlow V8 Aggregation Method", HFILL}
5731 {&hf_cflow_aggversion,
5732 {"AggVersion", "cflow.aggversion",
5733 FT_UINT8, BASE_DEC, NULL, 0x0,
5734 "CFlow V8 Aggregation Version", HFILL}
5737 * end version specific header storage
5742 {&hf_cflow_flowset_id,
5743 {"FlowSet Id", "cflow.flowset_id",
5744 FT_UINT16, BASE_RANGE_STRING | BASE_DEC, RVALS(rs_flowset_ids), 0x0,
5747 {&hf_cflow_flowset_length,
5748 {"FlowSet Length", "cflow.flowset_length",
5749 FT_UINT16, BASE_DEC, NULL, 0x0,
5752 {&hf_cflow_template_id,
5753 {"Template Id", "cflow.template_id",
5754 FT_UINT16, BASE_DEC, NULL, 0x0,
5757 {&hf_cflow_template_field_count,
5758 {"Field Count", "cflow.template_field_count",
5759 FT_UINT16, BASE_DEC, NULL, 0x0,
5760 "Template field count", HFILL}
5762 {&hf_cflow_template_field_type,
5763 {"Type", "cflow.template_field_type",
5764 FT_UINT16, BASE_DEC|BASE_EXT_STRING, &v9_v10_template_types_ext, 0x0,
5765 "Template field type", HFILL}
5767 {&hf_cflow_template_field_length,
5768 {"Length", "cflow.template_field_length",
5769 FT_UINT16, BASE_DEC, NULL, 0x0,
5770 "Template field length", HFILL}
5774 {&hf_cflow_option_scope_length,
5775 {"Option Scope Length", "cflow.option_scope_length",
5776 FT_UINT16, BASE_DEC, NULL, 0x0,
5779 {&hf_cflow_option_length,
5780 {"Option Length", "cflow.option_length",
5781 FT_UINT16, BASE_DEC, NULL, 0x0,
5784 {&hf_cflow_template_scope_field_type,
5785 {"Scope Type", "cflow.scope_field_type",
5786 FT_UINT16, BASE_DEC|BASE_EXT_STRING, &v9_scope_field_types_ext, 0x0,
5787 "Scope field type", HFILL}
5789 {&hf_cflow_icmp_type,
5790 {"ICMP Type", "cflow.icmp_type",
5791 FT_UINT8, BASE_DEC, NULL, 0x0,
5794 {&hf_cflow_igmp_type,
5795 {"IGMP Type", "cflow.igmp_type",
5796 FT_UINT8, BASE_DEC, NULL, 0x0,
5799 {&hf_cflow_sampling_interval,
5800 {"Sampling interval", "cflow.sampling_interval",
5801 FT_UINT32, BASE_DEC, NULL, 0x0,
5804 {&hf_cflow_sampling_algorithm,
5805 {"Sampling algorithm", "cflow.sampling_algorithm",
5806 FT_UINT8, BASE_DEC, VALS(v5_sampling_mode), 0x0,
5809 {&hf_cflow_flow_active_timeout,
5810 {"Flow active timeout", "cflow.flow_active_timeout",
5811 FT_UINT16, BASE_DEC, NULL, 0x0,
5814 {&hf_cflow_flow_inactive_timeout,
5815 {"Flow inactive timeout", "cflow.flow_inactive_timeout",
5816 FT_UINT16, BASE_DEC, NULL, 0x0,
5821 * begin pdu content storage
5824 {"SrcAddr", "cflow.srcaddr",
5825 FT_IPv4, BASE_NONE, NULL, 0x0,
5826 "Flow Source Address (IPv4)", HFILL}
5828 {&hf_cflow_srcaddr_v6,
5829 {"SrcAddr", "cflow.srcaddrv6",
5830 FT_IPv6, BASE_NONE, NULL, 0x0,
5831 "Flow Source Address (IPv6)", HFILL}
5834 {"SrcNet", "cflow.srcnet",
5835 FT_IPv4, BASE_NONE, NULL, 0x0,
5836 "Flow Source Network", HFILL}
5839 {"DstAddr", "cflow.dstaddr",
5840 FT_IPv4, BASE_NONE, NULL, 0x0,
5841 "Flow Destination Address (IPv4)", HFILL}
5843 {&hf_cflow_dstaddr_v6,
5844 {"DstAddr", "cflow.dstaddrv6",
5845 FT_IPv6, BASE_NONE, NULL, 0x0,
5846 "Flow Destination Address (IPv6)", HFILL}
5849 {"DstNet", "cflow.dstnet",
5850 FT_IPv4, BASE_NONE, NULL, 0x0,
5851 "Flow Destination Network", HFILL}
5854 {"NextHop", "cflow.nexthop",
5855 FT_IPv4, BASE_NONE, NULL, 0x0,
5856 "Router nexthop (IPv4)", HFILL}
5858 {&hf_cflow_nexthop_v6,
5859 {"NextHop", "cflow.nexthopv6",
5860 FT_IPv6, BASE_NONE, NULL, 0x0,
5861 "Router nexthop (IPv6)", HFILL}
5863 {&hf_cflow_bgpnexthop,
5864 {"BGPNextHop", "cflow.bgpnexthop",
5865 FT_IPv4, BASE_NONE, NULL, 0x0,
5866 "BGP Router Nexthop (IPv4)", HFILL}
5868 {&hf_cflow_bgpnexthop_v6,
5869 {"BGPNextHop", "cflow.bgpnexthopv6",
5870 FT_IPv6, BASE_NONE, NULL, 0x0,
5871 "BGP Router Nexthop (IPv6)", HFILL}
5873 {&hf_cflow_inputint,
5874 {"InputInt", "cflow.inputint",
5875 FT_UINT16, BASE_DEC, NULL, 0x0,
5876 "Flow Input Interface", HFILL}
5878 {&hf_cflow_outputint,
5879 {"OutputInt", "cflow.outputint",
5880 FT_UINT16, BASE_DEC, NULL, 0x0,
5881 "Flow Output Interface", HFILL}
5884 {"Flows", "cflow.flows",
5885 FT_UINT32, BASE_DEC, NULL, 0x0,
5886 "Flows Aggregated in PDU", HFILL}
5889 {"Flows", "cflow.flows64",
5890 FT_UINT64, BASE_DEC, NULL, 0x0,
5891 "Flows Aggregated in PDU", HFILL}
5894 {"Packets", "cflow.packets",
5895 FT_UINT32, BASE_DEC, NULL, 0x0,
5896 "Count of packets", HFILL}
5898 {&hf_cflow_packets64,
5899 {"Packets", "cflow.packets64",
5900 FT_UINT64, BASE_DEC, NULL, 0x0,
5901 "Count of packets", HFILL}
5904 {"Octets", "cflow.octets",
5905 FT_UINT32, BASE_DEC, NULL, 0x0,
5906 "Count of bytes", HFILL}
5908 {&hf_cflow_octets64,
5909 {"Octets", "cflow.octets64",
5910 FT_UINT64, BASE_DEC, NULL, 0x0,
5911 "Count of bytes", HFILL}
5913 {&hf_cflow_length_min,
5914 {"MinLength", "cflow.length_min",
5915 FT_UINT16, BASE_DEC, NULL, 0x0,
5916 "Packet Length Min", HFILL}
5918 {&hf_cflow_length_max,
5919 {"MaxLength", "cflow.length_max",
5920 FT_UINT16, BASE_DEC, NULL, 0x0,
5921 "Packet Length Max", HFILL}
5923 {&hf_cflow_timedelta,
5924 {"Duration", "cflow.timedelta",
5925 FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
5926 "Duration of flow sample (end - start)", HFILL}
5928 {&hf_cflow_timestart,
5929 {"StartTime", "cflow.timestart",
5930 FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
5931 "Uptime at start of flow", HFILL}
5934 {"EndTime", "cflow.timeend",
5935 FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
5936 "Uptime at end of flow", HFILL}
5939 {"SrcPort", "cflow.srcport",
5940 FT_UINT16, BASE_DEC, NULL, 0x0,
5941 "Flow Source Port", HFILL}
5944 {"DstPort", "cflow.dstport",
5945 FT_UINT16, BASE_DEC, NULL, 0x0,
5946 "Flow Destination Port", HFILL}
5949 {"Protocol", "cflow.protocol",
5950 FT_UINT8, BASE_DEC, NULL, 0x0,
5951 "IP Protocol", HFILL}
5954 {"IP ToS", "cflow.tos",
5955 FT_UINT8, BASE_HEX, NULL, 0x0,
5956 "IP Type of Service", HFILL}
5959 {"Export Flags", "cflow.flags",
5960 FT_UINT8, BASE_HEX, NULL, 0x0,
5961 "CFlow Flags", HFILL}
5963 {&hf_cflow_tcpflags,
5964 {"TCP Flags", "cflow.tcpflags",
5965 FT_UINT8, BASE_HEX, NULL, 0x0,
5969 {"SrcAS", "cflow.srcas",
5970 FT_UINT16, BASE_DEC, NULL, 0x0,
5974 {"DstAS", "cflow.dstas",
5975 FT_UINT16, BASE_DEC, NULL, 0x0,
5976 "Destination AS", HFILL}
5979 {"SrcMask", "cflow.srcmask",
5980 FT_UINT8, BASE_DEC, NULL, 0x0,
5981 "Source Prefix Mask", HFILL}
5983 {&hf_cflow_srcmask_v6,
5984 {"SrcMask", "cflow.srcmaskv6",
5985 FT_UINT8, BASE_DEC, NULL, 0x0,
5986 "IPv6 Source Prefix Mask", HFILL}
5989 {"DstMask", "cflow.dstmask",
5990 FT_UINT8, BASE_DEC, NULL, 0x0,
5991 "Destination Prefix Mask", HFILL}
5993 {&hf_cflow_dstmask_v6,
5994 {"DstMask", "cflow.dstmaskv6",
5995 FT_UINT8, BASE_DEC, NULL, 0x0,
5996 "IPv6 Destination Prefix Mask", HFILL}
5998 {&hf_cflow_routersc,
5999 {"Router Shortcut", "cflow.routersc",
6000 FT_IPv4, BASE_NONE, NULL, 0x0,
6001 "Router shortcut by switch", HFILL}
6003 {&hf_cflow_mulpackets,
6004 {"MulticastPackets", "cflow.mulpackets",
6005 FT_UINT32, BASE_DEC, NULL, 0x0,
6006 "Count of multicast packets", HFILL}
6008 {&hf_cflow_muloctets,
6009 {"MulticastOctets", "cflow.muloctets",
6010 FT_UINT32, BASE_DEC, NULL, 0x0,
6011 "Count of multicast octets", HFILL}
6013 {&hf_cflow_octets_exp,
6014 {"OctetsExp", "cflow.octetsexp",
6015 FT_UINT32, BASE_DEC, NULL, 0x0,
6016 "Octets exported", HFILL}
6018 {&hf_cflow_octets_exp64,
6019 {"OctetsExp", "cflow.octetsexp64",
6020 FT_UINT64, BASE_DEC, NULL, 0x0,
6021 "Octets exported", HFILL}
6023 {&hf_cflow_packets_exp,
6024 {"PacketsExp", "cflow.packetsexp",
6025 FT_UINT32, BASE_DEC, NULL, 0x0,
6026 "Packets exported", HFILL}
6028 {&hf_cflow_packets_exp64,
6029 {"PacketsExp", "cflow.packetsexp64",
6030 FT_UINT64, BASE_DEC, NULL, 0x0,
6031 "Packets exported", HFILL}
6033 {&hf_cflow_flows_exp,
6034 {"FlowsExp", "cflow.flowsexp",
6035 FT_UINT32, BASE_DEC, NULL, 0x0,
6036 "Flows exported", HFILL}
6038 {&hf_cflow_flows_exp64,
6039 {"FlowsExp", "cflow.flowsexp64",
6040 FT_UINT64, BASE_DEC, NULL, 0x0,
6041 "Flows exported", HFILL}
6043 {&hf_cflow_srcprefix,
6044 {"SrcPrefix", "cflow.srcprefix",
6045 FT_IPv4, BASE_NONE, NULL, 0x0,
6046 "Flow Source Prefix", HFILL}
6048 {&hf_cflow_dstprefix,
6049 {"DstPrefix", "cflow.dstprefix",
6050 FT_IPv4, BASE_NONE, NULL, 0x0,
6051 "Flow Destination Prefix", HFILL}
6053 {&hf_cflow_mpls_top_label_type,
6054 {"TopLabelType", "cflow.toplabeltype",
6055 FT_UINT8, BASE_DEC, VALS(special_mpls_top_label_type), 0x0,
6056 "Top MPLS label Type", HFILL}
6058 {&hf_cflow_mpls_pe_addr,
6059 {"TopLabelAddr", "cflow.toplabeladdr",
6060 FT_IPv4, BASE_NONE, NULL, 0x0,
6061 "Top MPLS label PE address", HFILL}
6063 {&hf_cflow_sampler_id,
6064 {"SamplerID", "cflow.sampler_id",
6065 FT_UINT8, BASE_DEC, NULL, 0x0,
6066 "Flow Sampler ID", HFILL}
6068 {&hf_cflow_sampler_mode,
6069 {"SamplerMode", "cflow.sampler_mode",
6070 FT_UINT8, BASE_DEC, VALS(v9_sampler_mode), 0x0,
6071 "Flow Sampler Mode", HFILL}
6073 {&hf_cflow_sampler_random_interval,
6074 {"SamplerRandomInterval", "cflow.sampler_random_interval",
6075 FT_UINT32, BASE_DEC, NULL, 0x0,
6076 "Flow Sampler Random Interval", HFILL}
6078 {&hf_cflow_flow_class,
6079 {"FlowClass", "cflow.flow_class",
6080 FT_UINT8, BASE_DEC, NULL, 0x0,
6081 "Flow Class", HFILL}
6083 {&hf_cflow_ttl_minimum,
6084 {"MinTTL", "cflow.ttl_min",
6085 FT_UINT8, BASE_DEC, NULL, 0x0,
6086 "TTL minimum", HFILL}
6088 {&hf_cflow_ttl_maximum,
6089 {"MaxTTL", "cflow.ttl_max",
6090 FT_UINT8, BASE_DEC, NULL, 0x0,
6091 "TTL maximum", HFILL}
6094 {"IPv4Ident", "cflow.ipv4_ident",
6095 FT_UINT16, BASE_DEC, NULL, 0x0,
6096 "IPv4 Identifier", HFILL}
6098 {&hf_cflow_ip_version,
6099 {"IPVersion", "cflow.ip_version",
6100 FT_BYTES, BASE_NONE, NULL, 0x0,
6101 "IP Version", HFILL}
6103 {&hf_cflow_direction,
6104 {"Direction", "cflow.direction",
6105 FT_UINT8, BASE_DEC, VALS(v9_direction), 0x0,
6109 {"IfName", "cflow.if_name",
6110 FT_STRINGZ/*FT_BYTES*/, BASE_NONE, NULL, 0x0,
6111 "SNMP Interface Name", HFILL}
6113 {&hf_cflow_if_descr,
6114 {"IfDescr", "cflow.if_descr",
6115 FT_STRINGZ/*FT_BYTES*/, BASE_NONE, NULL, 0x0,
6116 "SNMP Interface Description", HFILL}
6118 {&hf_cflow_sampler_name,
6119 {"SamplerName", "cflow.sampler_name",
6120 FT_STRINGZ/*FT_BYTES*/, BASE_NONE, NULL, 0x0,
6121 "Sampler Name", HFILL}
6123 {&hf_cflow_forwarding_status,
6124 {"ForwdStat", "cflow.forwarding_status",
6125 FT_UINT8, BASE_DEC, VALS(v9_forwarding_status), 0xC0,
6126 "Forwarding Status", HFILL}
6128 {&hf_cflow_forwarding_status_unknown_code,
6129 {"ForwdCode", "cflow.forwarding_status_unknown_code",
6130 FT_UINT8, BASE_DEC, VALS(v9_forwarding_status_unknown_code), 0x3F,
6133 {&hf_cflow_forwarding_status_forward_code,
6134 {"ForwdCode", "cflow.forwarding_status_foreward_code",
6135 FT_UINT8, BASE_DEC, VALS(v9_forwarding_status_forward_code), 0x3F,
6138 {&hf_cflow_forwarding_status_drop_code,
6139 {"ForwdCode", "cflow.forwarding_status_drop_code",
6140 FT_UINT8, BASE_DEC, VALS(v9_forwarding_status_drop_code), 0x3F,
6143 {&hf_cflow_forwarding_status_consume_code,
6144 {"ForwdCode", "cflow.forwarding_status_consume_code",
6145 FT_UINT8, BASE_DEC, VALS(v9_forwarding_status_consume_code), 0x3F,
6148 {&hf_cflow_nbar_appl_desc,
6149 {"ApplicationDesc", "cflow.appl_desc",
6150 FT_STRINGZ, BASE_NONE, NULL, 0x0,
6151 "Application Desc (NBAR)", HFILL}
6153 {&hf_cflow_nbar_appl_id,
6154 {"ApplicationID", "cflow.appl_id",
6155 FT_UINT32, BASE_CUSTOM, nbar_fmt_id, 0x0,
6156 "Application ID (NBAR)", HFILL}
6158 {&hf_cflow_nbar_appl_name,
6159 {"ApplicationName", "cflow.appl_name",
6160 FT_STRINGZ, BASE_NONE, NULL, 0x0,
6161 "Application Name (NBAR)", HFILL}
6163 {&hf_cflow_peer_srcas,
6164 {"PeerSrcAS", "cflow.peer_srcas",
6165 FT_UINT16, BASE_DEC, NULL, 0x0,
6166 "Peer Source AS", HFILL}
6168 {&hf_cflow_peer_dstas,
6169 {"PeerDstAS", "cflow.peer_dstas",
6170 FT_UINT16, BASE_DEC, NULL, 0x0,
6171 "Peer Destination AS", HFILL}
6173 {&hf_cflow_flow_exporter,
6174 {"FlowExporter", "cflow.flow_exporter",
6175 FT_BYTES/*FT_IPv4*/, BASE_NONE, NULL, 0x0,
6178 {&hf_cflow_icmp_ipv4_type,
6179 {"IPv4 ICMP Type", "cflow.icmp_ipv4_type",
6180 FT_UINT8, BASE_DEC, NULL, 0x0,
6183 {&hf_cflow_icmp_ipv4_code,
6184 {"IPv4 ICMP Code", "cflow.icmp_ipv4_code",
6185 FT_UINT8, BASE_DEC, NULL, 0x0,
6188 {&hf_cflow_icmp_ipv6_type,
6189 {"IPv6 ICMP Type", "cflow.icmp_ipv6_type",
6190 FT_UINT8, BASE_DEC, NULL, 0x0,
6193 {&hf_cflow_icmp_ipv6_code,
6194 {"IPv6 ICMP Code", "cflow.icmp_ipv6_code",
6195 FT_UINT8, BASE_DEC, NULL, 0x0,
6198 {&hf_cflow_tcp_window_size,
6199 {"TCP Windows Size", "cflow.tcp_windows_size",
6200 FT_UINT16, BASE_DEC, NULL, 0x0,
6203 {&hf_cflow_ipv4_total_length,
6204 {"IPV4 Total Length", "cflow.ipv4_total_length",
6205 FT_UINT16, BASE_DEC, NULL, 0x0,
6209 {"IP TTL", "cflow.ip_ttl",
6210 FT_UINT8, BASE_DEC, NULL, 0x0,
6211 "IP time to live", HFILL}
6214 {"IP TOS", "cflow.ip_tos",
6215 FT_UINT8, BASE_DEC, NULL, 0x0,
6216 "IP type of service", HFILL}
6219 {"DSCP", "cflow.ip_dscp",
6220 FT_UINT8, BASE_DEC, NULL, 0x0,
6223 {&hf_cflow_octets_squared64,
6224 {"OctetsSquared", "cflow.octets_squared",
6225 FT_UINT64, BASE_DEC, NULL, 0x0,
6228 {&hf_cflow_udp_length,
6229 {"UDP Length", "cflow.udp_length",
6230 FT_UINT16, BASE_DEC, NULL, 0x0,
6233 {&hf_cflow_is_multicast,
6234 {"IsMulticast", "cflow.is_multicast",
6235 FT_UINT8, BASE_DEC, NULL, 0x0,
6238 {&hf_cflow_ip_header_words,
6239 {"IPHeaderLen", "cflow.ip_header_words",
6240 FT_UINT8, BASE_DEC, NULL, 0x0,
6243 {&hf_cflow_option_map,
6244 {"OptionMap", "cflow.option_map",
6245 FT_BYTES, BASE_NONE, NULL, 0x0,
6248 {&hf_cflow_section_header,
6249 {"SectionHeader", "cflow.section_header",
6250 FT_BYTES, BASE_NONE, NULL, 0x0,
6251 "Header of Packet", HFILL}
6253 {&hf_cflow_section_payload,
6254 {"SectionPayload", "cflow.section_payload",
6255 FT_BYTES, BASE_NONE, NULL, 0x0,
6256 "Payload of Packet", HFILL}
6258 /* IPFIX Information Elements */
6259 {&hf_cflow_post_octets,
6260 {"Post Octets", "cflow.post_octets",
6261 FT_UINT32, BASE_DEC, NULL, 0x0,
6262 "Count of post bytes", HFILL}
6264 {&hf_cflow_post_octets64,
6265 {"Post Octets", "cflow.post_octets64",
6266 FT_UINT64, BASE_DEC, NULL, 0x0,
6267 "Count of post bytes", HFILL}
6269 {&hf_cflow_post_packets,
6270 {"Post Packets", "cflow.post_packets",
6271 FT_UINT32, BASE_DEC, NULL, 0x0,
6272 "Count of post packets", HFILL}
6274 {&hf_cflow_post_packets64,
6275 {"Post Packets", "cflow.post_packets64",
6276 FT_UINT64, BASE_DEC, NULL, 0x0,
6277 "Count of post packets", HFILL}
6279 {&hf_cflow_ipv6_flowlabel,
6280 {"ipv6FlowLabel", "cflow.ipv6flowlabel",
6281 FT_UINT32, BASE_DEC, NULL, 0x0,
6282 "IPv6 Flow Label", HFILL}
6284 {&hf_cflow_ipv6_flowlabel24,
6285 {"ipv6FlowLabel", "cflow.ipv6flowlabel24",
6286 FT_UINT32, BASE_DEC, NULL, 0x0,
6287 "IPv6 Flow Label", HFILL}
6289 {&hf_cflow_post_tos,
6290 {"Post IP ToS", "cflow.post_tos",
6291 FT_UINT8, BASE_HEX, NULL, 0x0,
6292 "Post IP Type of Service", HFILL}
6295 {"Source Mac Address", "cflow.srcmac",
6296 FT_ETHER, BASE_NONE, NULL, 0x0,
6299 {&hf_cflow_post_dstmac,
6300 {"Post Destination Mac Address", "cflow.post_dstmac",
6301 FT_ETHER, BASE_NONE, NULL, 0x0,
6305 {"Vlan Id", "cflow.vlanid",
6306 FT_UINT16, BASE_DEC, NULL, 0x0,
6309 {&hf_cflow_post_vlanid,
6310 {"Post Vlan Id", "cflow.post_vlanid",
6311 FT_UINT16, BASE_DEC, NULL, 0x0,
6314 {&hf_cflow_ipv6_exthdr,
6315 {"IPv6 Extension Headers", "cflow.ipv6_exthdr",
6316 FT_UINT32, BASE_HEX, NULL, 0x0,
6320 {"Destination Mac Address", "cflow.dstmac",
6321 FT_ETHER, BASE_NONE, NULL, 0x0,
6324 {&hf_cflow_post_srcmac,
6325 {"Post Source Mac Address", "cflow.post_srcmac",
6326 FT_ETHER, BASE_NONE, NULL, 0x0,
6329 {&hf_cflow_permanent_packets,
6330 {"Permanent Packets", "cflow.permanent_packets",
6331 FT_UINT32, BASE_DEC, NULL, 0x0,
6332 "Running Count of packets for permanent flows", HFILL}
6334 {&hf_cflow_permanent_packets64,
6335 {"Permanent Packets", "cflow.permanent_packets64",
6336 FT_UINT64, BASE_DEC, NULL, 0x0,
6337 "Running Count of packets for permanent flows", HFILL}
6339 {&hf_cflow_permanent_octets,
6340 {"Permanent Octets", "cflow.permanent_octets",
6341 FT_UINT32, BASE_DEC, NULL, 0x0,
6342 "Running Count of bytes for permanent flows", HFILL}
6344 {&hf_cflow_permanent_octets64,
6345 {"Permanent Octets", "cflow.permanent_octets64",
6346 FT_UINT64, BASE_DEC, NULL, 0x0,
6347 "Running Count of bytes for permanent flows", HFILL}
6349 {&hf_cflow_fragment_offset,
6350 {"Fragment Offset", "cflow.fragment_offset",
6351 FT_UINT16, BASE_DEC, NULL, 0x0,
6354 {&hf_cflow_mpls_vpn_rd,
6355 {"MPLS VPN RD", "cflow.mpls_vpn_rd",
6356 FT_BYTES, BASE_NONE, NULL, 0x0,
6357 "MPLS VPN Route Distinguisher", HFILL}
6359 {&hf_cflow_mpls_top_label_prefix_length,
6360 {"Mpls Top Label Prefix Length", "cflow.mpls_top_label_prefix_length",
6361 FT_UINT8, BASE_DEC, NULL, 0x0,
6364 {&hf_cflow_post_ip_diff_serv_code_point,
6365 {"Post Ip Diff Serv Code Point", "cflow.post_ip_diff_serv_code_point",
6366 FT_UINT8, BASE_DEC, NULL, 0x0,
6369 {&hf_cflow_multicast_replication_factor,
6370 {"Multicast Replication Factor", "cflow.multicast_replication_factor",
6371 FT_BYTES, BASE_NONE, NULL, 0x0,
6374 {&hf_cflow_exporter_addr,
6375 {"ExporterAddr", "cflow.exporter_addr",
6376 FT_IPv4, BASE_NONE, NULL, 0x0,
6377 "Flow Exporter Address", HFILL}
6379 {&hf_cflow_exporter_addr_v6,
6380 {"ExporterAddr", "cflow.exporter_addr_v6",
6381 FT_IPv6, BASE_NONE, NULL, 0x0,
6382 "Flow Exporter Address", HFILL}
6384 {&hf_cflow_drop_octets,
6385 {"Dropped Octets", "cflow.drop_octets",
6386 FT_UINT32, BASE_DEC, NULL, 0x0,
6387 "Count of dropped bytes", HFILL}
6389 {&hf_cflow_drop_octets64,
6390 {"Dropped Octets", "cflow.drop_octets64",
6391 FT_UINT64, BASE_DEC, NULL, 0x0,
6392 "Count of dropped bytes", HFILL}
6394 {&hf_cflow_drop_packets,
6395 {"Dropped Packets", "cflow.drop_packets",
6396 FT_UINT32, BASE_DEC, NULL, 0x0,
6397 "Count of dropped packets", HFILL}
6399 {&hf_cflow_drop_packets64,
6400 {"Dropped Packets", "cflow.drop_packets64",
6401 FT_UINT64, BASE_DEC, NULL, 0x0,
6402 "Count of dropped packets", HFILL}
6404 {&hf_cflow_drop_total_octets,
6405 {"Dropped Total Octets", "cflow.drop_total_octets",
6406 FT_UINT32, BASE_DEC, NULL, 0x0,
6407 "Count of total dropped bytes", HFILL}
6409 {&hf_cflow_drop_total_octets64,
6410 {"Dropped Total Octets", "cflow.drop_total_octets64",
6411 FT_UINT64, BASE_DEC, NULL, 0x0,
6412 "Count of total dropped bytes", HFILL}
6414 {&hf_cflow_drop_total_packets,
6415 {"Dropped Total Packets", "cflow.drop_total_packets",
6416 FT_UINT32, BASE_DEC, NULL, 0x0,
6417 "Count of total dropped packets", HFILL}
6419 {&hf_cflow_drop_total_packets64,
6420 {"Dropped Total Packets", "cflow.drop_total_packets64",
6421 FT_UINT64, BASE_DEC, NULL, 0x0,
6422 "Count of total dropped packets", HFILL}
6424 {&hf_cflow_flow_end_reason,
6425 {"Flow End Reason", "cflow.flow_end_reason",
6426 FT_UINT8, BASE_DEC, VALS(v9_flow_end_reason), 0x0,
6429 {&hf_cflow_common_properties_id,
6430 {"Common Properties Id", "cflow.common_properties_id",
6431 FT_UINT64, BASE_DEC, NULL, 0x0,
6434 {&hf_cflow_observation_point_id,
6435 {"Observation Point Id", "cflow.observation_point_id",
6436 FT_UINT32, BASE_DEC, NULL, 0x0,
6439 {&hf_cflow_mpls_pe_addr_v6,
6440 {"TopLabelAddr V6", "cflow.toplabeladdr_v6",
6441 FT_IPv6, BASE_NONE, NULL, 0x0,
6442 "Top MPLS label PE address IPv6", HFILL}
6445 {"Port Id", "cflow.port_id",
6446 FT_UINT32, BASE_DEC, NULL, 0x0,
6450 {"Metering Process Id", "cflow.mp_id",
6451 FT_UINT32, BASE_DEC, NULL, 0x0,
6454 {&hf_cflow_wlan_channel_id,
6455 {"Wireless LAN Channel Id", "cflow.wlan_channel_id",
6456 FT_UINT8, BASE_DEC, NULL, 0x0,
6459 {&hf_cflow_wlan_ssid,
6460 {"Wireless LAN SSId", "cflow.wlan_ssid",
6461 FT_STRING, BASE_NONE, NULL, 0x0,
6465 {"Flow Id", "cflow.flow_id",
6466 FT_UINT64, BASE_DEC, NULL, 0x0,
6470 {"Observation Domain Id", "cflow.od_id",
6471 FT_UINT32, BASE_DEC, NULL, 0x0,
6472 "Identifier of an Observation Domain that is locally unique to an Exporting Process", HFILL}
6474 {&hf_cflow_sys_init_time,
6475 {"System Init Time", "cflow.sys_init_time",
6476 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
6479 {&hf_cflow_abstimestart,
6480 {"StartTime", "cflow.abstimestart",
6481 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
6482 "Uptime at start of flow", HFILL}
6484 {&hf_cflow_abstimeend,
6485 {"EndTime", "cflow.abstimeend",
6486 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
6487 "Uptime at end of flow", HFILL}
6489 {&hf_cflow_dstnet_v6,
6490 {"DstNet", "cflow.dstnetv6",
6491 FT_IPv6, BASE_NONE, NULL, 0x0,
6492 "Flow Destination Network (IPv6)", HFILL}
6494 {&hf_cflow_srcnet_v6,
6495 {"SrcNet", "cflow.srcnetv6",
6496 FT_IPv6, BASE_NONE, NULL, 0x0,
6497 "Flow Source Network (IPv6)", HFILL}
6499 {&hf_cflow_ignore_packets,
6500 {"Ignored Packets", "cflow.ignore_packets",
6501 FT_UINT32, BASE_DEC, NULL, 0x0,
6502 "Count of ignored packets", HFILL}
6504 {&hf_cflow_ignore_packets64,
6505 {"Ignored Packets", "cflow.ignore_packets64",
6506 FT_UINT64, BASE_DEC, NULL, 0x0,
6507 "Count of ignored packets", HFILL}
6509 {&hf_cflow_ignore_octets,
6510 {"Ignored Octets", "cflow.ignore_octets",
6511 FT_UINT32, BASE_DEC, NULL, 0x0,
6512 "Count of ignored octets", HFILL}
6514 {&hf_cflow_ignore_octets64,
6515 {"Ignored Octets", "cflow.ignore_octets64",
6516 FT_UINT64, BASE_DEC, NULL, 0x0,
6517 "Count of ignored octets", HFILL}
6519 {&hf_cflow_notsent_flows,
6520 {"Not Sent Flows", "cflow.notsent_flows",
6521 FT_UINT32, BASE_DEC, NULL, 0x0,
6522 "Count of not sent flows", HFILL}
6524 {&hf_cflow_notsent_flows64,
6525 {"Not Sent Flows", "cflow.notsent_flows64",
6526 FT_UINT64, BASE_DEC, NULL, 0x0,
6527 "Count of not sent flows", HFILL}
6529 {&hf_cflow_notsent_packets,
6530 {"Not Sent Packets", "cflow.notsent_packets",
6531 FT_UINT32, BASE_DEC, NULL, 0x0,
6532 "Count of not sent packets", HFILL}
6534 {&hf_cflow_notsent_packets64,
6535 {"Not Sent Packets", "cflow.notsent_packets64",
6536 FT_UINT64, BASE_DEC, NULL, 0x0,
6537 "Count of not sent packets", HFILL}
6539 {&hf_cflow_notsent_octets,
6540 {"Not Sent Octets", "cflow.notsent_octets",
6541 FT_UINT32, BASE_DEC, NULL, 0x0,
6542 "Count of not sent octets", HFILL}
6544 {&hf_cflow_notsent_octets64,
6545 {"Not Sent Octets", "cflow.notsent_octets64",
6546 FT_UINT64, BASE_DEC, NULL, 0x0,
6547 "Count of not sent octets", HFILL}
6549 {&hf_cflow_post_total_octets,
6550 {"Post Total Octets", "cflow.post_total_octets",
6551 FT_UINT32, BASE_DEC, NULL, 0x0,
6552 "Count of post total octets", HFILL}
6554 {&hf_cflow_post_total_octets64,
6555 {"Post Total Octets", "cflow.post_total_octets64",
6556 FT_UINT64, BASE_DEC, NULL, 0x0,
6557 "Count of post total octets", HFILL}
6559 {&hf_cflow_post_total_packets,
6560 {"Post Total Packets", "cflow.post_total_packets",
6561 FT_UINT32, BASE_DEC, NULL, 0x0,
6562 "Count of post total packets", HFILL}
6564 {&hf_cflow_post_total_packets64,
6565 {"Post Total Packets", "cflow.post_total_packets64",
6566 FT_UINT64, BASE_DEC, NULL, 0x0,
6567 "Count of post total packets", HFILL}
6570 {"floKeyIndicator", "cflow.post_key",
6571 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
6572 "Flow Key Indicator", HFILL}
6574 {&hf_cflow_post_total_mulpackets,
6575 {"Post Total Multicast Packets", "cflow.post_total_mulpackets",
6576 FT_UINT32, BASE_DEC, NULL, 0x0,
6577 "Count of post total multicast packets", HFILL}
6579 {&hf_cflow_post_total_mulpackets64,
6580 {"Post Total Multicast Packets", "cflow.post_total_mulpackets64",
6581 FT_UINT64, BASE_DEC, NULL, 0x0,
6582 "Count of post total multicast packets", HFILL}
6584 {&hf_cflow_post_total_muloctets,
6585 {"Post Total Multicast Octets", "cflow.post_total_muloctets",
6586 FT_UINT32, BASE_DEC, NULL, 0x0,
6587 "Count of post total multicast octets", HFILL}
6589 {&hf_cflow_post_total_muloctets64,
6590 {"Post Total Multicast Octets", "cflow.post_total_muloctets64",
6591 FT_UINT64, BASE_DEC, NULL, 0x0,
6592 "Count of post total multicast octets", HFILL}
6594 {&hf_cflow_tcp_seq_num,
6595 {"TCP Sequence Number", "cflow.tcp_seq_num",
6596 FT_UINT32, BASE_DEC, NULL, 0x0,
6599 {&hf_cflow_tcp_ack_num,
6600 {"TCP Acknowledgement Number", "cflow.tcp_ack_num",
6601 FT_UINT32, BASE_DEC, NULL, 0x0,
6604 {&hf_cflow_tcp_urg_ptr,
6605 {"TCP Urgent Pointer", "cflow.tcp_urg_ptr",
6606 FT_UINT32, BASE_DEC, NULL, 0x0,
6609 {&hf_cflow_tcp_header_length,
6610 {"TCP Header Length", "cflow.tcp_header_length",
6611 FT_UINT8, BASE_DEC, NULL, 0x0,
6614 {&hf_cflow_ip_header_length,
6615 {"IP Header Length", "cflow.ip_header_length",
6616 FT_UINT8, BASE_DEC, NULL, 0x0,
6619 {&hf_cflow_ipv6_payload_length,
6620 {"IPv6 Payload Length", "cflow.ipv6_payload_length",
6621 FT_UINT16, BASE_DEC, NULL, 0x0,
6624 {&hf_cflow_ipv6_next_hdr,
6625 {"IPv6 Next Header", "cflow.ipv6_next_hdr",
6626 FT_UINT8, BASE_DEC, NULL, 0x0,
6629 {&hf_cflow_ip_precedence,
6630 {"IP Precedence", "cflow.ip_precedence",
6631 FT_UINT8, BASE_DEC, NULL, 0x0,
6634 {&hf_cflow_ip_fragment_flags,
6635 {"IP Fragment Flags", "cflow.ip_fragment_flags",
6636 FT_UINT8, BASE_HEX, NULL, 0x0,
6639 {&hf_cflow_mpls_top_label_ttl,
6640 {"MPLS Top Label TTL", "cflow.mpls_top_label_ttl",
6641 FT_UINT8, BASE_DEC, NULL, 0x0,
6642 "MPLS top label time to live", HFILL}
6644 {&hf_cflow_mpls_label_length,
6645 {"MPLS Label Stack Length", "cflow.mpls_label_length",
6646 FT_UINT32, BASE_DEC, NULL, 0x0,
6647 "The length of the MPLS label stac", HFILL}
6649 {&hf_cflow_mpls_label_depth,
6650 {"MPLS Label Stack Depth", "cflow.mpls_label_depth",
6651 FT_UINT32, BASE_DEC, NULL, 0x0,
6652 "The number of labels in the MPLS label stack", HFILL}
6654 {&hf_cflow_ip_payload_length,
6655 {"IP Payload Length", "cflow.ip_payload_length",
6656 FT_UINT32, BASE_DEC, NULL, 0x0,
6659 {&hf_cflow_mpls_top_label_exp,
6660 {"MPLS Top Label Exp", "cflow.mpls_top_label_exp",
6661 FT_UINT8, BASE_OCT, NULL, 0x0,
6664 {&hf_cflow_tcp_option_map,
6665 {"TCP OptionMap", "cflow.tcp_option_map",
6666 FT_BYTES, BASE_NONE, NULL, 0x0,
6667 "TCP Option Map", HFILL}
6669 {&hf_cflow_collector_addr,
6670 {"CollectorAddr", "cflow.collector_addr",
6671 FT_IPv4, BASE_NONE, NULL, 0x0,
6672 "Flow Collector Address (IPv4)", HFILL}
6674 {&hf_cflow_collector_addr_v6,
6675 {"CollectorAddr", "cflow.collector_addr_v6",
6676 FT_IPv6, BASE_NONE, NULL, 0x0,
6677 "Flow Collector Address (IPv6)", HFILL}
6679 {&hf_cflow_export_interface,
6680 {"ExportInterface", "cflow.export_interface",
6681 FT_UINT32, BASE_DEC, NULL, 0x0,
6684 {&hf_cflow_export_protocol_version,
6685 {"ExportProtocolVersion", "cflow.export_protocol_version",
6686 FT_UINT8, BASE_DEC, NULL, 0x0,
6689 {&hf_cflow_export_prot,
6690 {"ExportTransportProtocol", "cflow.exporter_protocol",
6691 FT_UINT8, BASE_DEC, NULL, 0x0,
6692 "Transport Protocol used by the Exporting Process", HFILL}
6694 {&hf_cflow_collector_port,
6695 {"CollectorPort", "cflow.collector_port",
6696 FT_UINT16, BASE_DEC, NULL, 0x0,
6697 "Flow Collector Port", HFILL}
6699 {&hf_cflow_exporter_port,
6700 {"ExporterPort", "cflow.exporter_port",
6701 FT_UINT16, BASE_DEC, NULL, 0x0,
6702 "Flow Exporter Port", HFILL}
6704 {&hf_cflow_total_tcp_syn,
6705 {"Total TCP syn", "cflow.total_tcp_syn",
6706 FT_UINT64, BASE_DEC, NULL, 0x0,
6707 "Count of total TCP syn", HFILL}
6709 {&hf_cflow_total_tcp_fin,
6710 {"Total TCP fin", "cflow.total_tcp_fin",
6711 FT_UINT64, BASE_DEC, NULL, 0x0,
6712 "Count of total TCP fin", HFILL}
6714 {&hf_cflow_total_tcp_rst,
6715 {"Total TCP rst", "cflow.total_tcp_rst",
6716 FT_UINT64, BASE_DEC, NULL, 0x0,
6717 "Count of total TCP rst", HFILL}
6719 {&hf_cflow_total_tcp_psh,
6720 {"Total TCP psh", "cflow.total_tcp_psh",
6721 FT_UINT64, BASE_DEC, NULL, 0x0,
6722 "Count of total TCP psh", HFILL}
6724 {&hf_cflow_total_tcp_ack,
6725 {"Total TCP ack", "cflow.total_tcp_ack",
6726 FT_UINT64, BASE_DEC, NULL, 0x0,
6727 "Count of total TCP ack", HFILL}
6729 {&hf_cflow_total_tcp_urg,
6730 {"Total TCP urg", "cflow.total_tcp_urg",
6731 FT_UINT64, BASE_DEC, NULL, 0x0,
6732 "Count of total TCP urg", HFILL}
6734 {&hf_cflow_ip_total_length,
6735 {"IP Total Length", "cflow.ip_total_length",
6736 FT_UINT64, BASE_DEC, NULL, 0x0,
6739 {&hf_cflow_post_natsource_ipv4_address,
6740 {"Post NAT Source IPv4 Address", "cflow.post_natsource_ipv4_address",
6741 FT_IPv4, BASE_NONE, NULL, 0x0,
6744 {&hf_cflow_post_natdestination_ipv4_address,
6745 {"Post NAT Destination IPv4 Address", "cflow.post_natdestination_ipv4_address",
6746 FT_IPv4, BASE_NONE, NULL, 0x0,
6749 {&hf_cflow_post_naptsource_transport_port,
6750 {"Post NAPT Source Transport Port", "cflow.post_naptsource_transport_port",
6751 FT_UINT16, BASE_DEC, NULL, 0x0,
6754 {&hf_cflow_post_naptdestination_transport_port,
6755 {"Post NAPT Destination Transport Port", "cflow.post_naptdestination_transport_port",
6756 FT_UINT16, BASE_DEC, NULL, 0x0,
6759 {&hf_cflow_nat_originating_address_realm,
6760 {"Nat Originating Address Realm", "cflow.nat_originating_address_realm",
6761 FT_UINT8, BASE_DEC, NULL, 0x0,
6764 {&hf_cflow_nat_event,
6765 {"Nat Event", "cflow.nat_event",
6766 FT_UINT8, BASE_DEC, NULL, 0x0,
6769 {&hf_cflow_initiator_octets,
6770 {"Initiator Octets", "cflow.initiator_octets",
6771 FT_UINT64, BASE_DEC, NULL, 0x0,
6774 {&hf_cflow_responder_octets,
6775 {"Responder Octets", "cflow.responder_octets",
6776 FT_UINT64, BASE_DEC, NULL, 0x0,
6779 {&hf_cflow_firewall_event,
6780 {"Firewall Event", "cflow.firewall_event",
6781 FT_UINT8, BASE_DEC, VALS(v9_firewall_event), 0x0,
6784 {&hf_cflow_ingress_vrfid,
6785 {"Ingress VRFID", "cflow.ingress_vrfid",
6786 FT_UINT32, BASE_DEC, NULL, 0x0,
6789 {&hf_cflow_egress_vrfid,
6790 {"Egress VRFID", "cflow.egress_vrfid",
6791 FT_UINT32, BASE_DEC, NULL, 0x0,
6795 {"VRFname", "cflow.vrfname",
6796 FT_STRING, BASE_NONE, NULL, 0x0,
6799 {&hf_cflow_post_mpls_top_label_exp,
6800 {"Post Mpls Top Label Exp", "cflow.post_mpls_top_label_exp",
6801 FT_UINT8, BASE_DEC, NULL, 0x0,
6804 {&hf_cflow_tcp_window_scale,
6805 {"Tcp Window Scale", "cflow.tcp_window_scale",
6806 FT_UINT16, BASE_DEC, NULL, 0x0,
6809 {&hf_cflow_biflow_direction,
6810 {"Biflow Direction", "cflow.biflow_direction",
6811 FT_UINT8, BASE_DEC, VALS(v9_biflow_direction), 0x0,
6814 {&hf_cflow_ethernet_header_length,
6815 {"Ethernet Header Length", "cflow.ethernet_header_length",
6816 FT_UINT8, BASE_DEC, NULL, 0x0,
6819 {&hf_cflow_ethernet_payload_length,
6820 {"Ethernet Payload Length", "cflow.ethernet_payload_length",
6821 FT_UINT16, BASE_DEC, NULL, 0x0,
6824 {&hf_cflow_ethernet_total_length,
6825 {"Ethernet Total Length", "cflow.ethernet_total_length",
6826 FT_UINT16, BASE_DEC, NULL, 0x0,
6829 {&hf_cflow_dot1q_vlan_id,
6830 {"Dot1q Vlan Id", "cflow.dot1q_vlan_id",
6831 FT_UINT16, BASE_DEC, NULL, 0x0,
6834 {&hf_cflow_dot1q_priority,
6835 {"Dot1q Priority", "cflow.dot1q_priority",
6836 FT_UINT8, BASE_DEC, NULL, 0x0,
6839 {&hf_cflow_dot1q_customer_vlan_id,
6840 {"Dot1q Customer Vlan Id", "cflow.dot1q_customer_vlan_id",
6841 FT_UINT16, BASE_DEC, NULL, 0x0,
6844 {&hf_cflow_dot1q_customer_priority,
6845 {"Dot1q Customer Priority", "cflow.dot1q_customer_priority",
6846 FT_UINT8, BASE_DEC, NULL, 0x0,
6849 {&hf_cflow_metro_evc_id,
6850 {"Metro Evc Id", "cflow.metro_evc_id",
6851 FT_STRING, BASE_NONE, NULL, 0x0,
6854 {&hf_cflow_metro_evc_type,
6855 {"Metro Evc Type", "cflow.metro_evc_type",
6856 FT_UINT8, BASE_DEC, NULL, 0x0,
6859 {&hf_cflow_pseudo_wire_id,
6860 {"Pseudo Wire Id", "cflow.pseudo_wire_id",
6861 FT_UINT32, BASE_DEC, NULL, 0x0,
6864 {&hf_cflow_pseudo_wire_type,
6865 {"Pseudo Wire Type", "cflow.pseudo_wire_type",
6866 FT_UINT16, BASE_DEC, NULL, 0x0,
6869 {&hf_cflow_pseudo_wire_control_word,
6870 {"Pseudo Wire Control Word", "cflow.pseudo_wire_control_word",
6871 FT_UINT32, BASE_DEC, NULL, 0x0,
6874 {&hf_cflow_ingress_physical_interface,
6875 {"Ingress Physical Interface", "cflow.ingress_physical_interface",
6876 FT_UINT32, BASE_DEC, NULL, 0x0,
6879 {&hf_cflow_egress_physical_interface,
6880 {"Egress Physical Interface", "cflow.egress_physical_interface",
6881 FT_UINT32, BASE_DEC, NULL, 0x0,
6884 {&hf_cflow_post_dot1q_vlan_id,
6885 {"Post Dot1q Vlan Id", "cflow.post_dot1q_vlan_id",
6886 FT_UINT16, BASE_DEC, NULL, 0x0,
6889 {&hf_cflow_post_dot1q_customer_vlan_id,
6890 {"Post Dot1q Customer Vlan Id", "cflow.post_dot1q_customer_vlan_id",
6891 FT_UINT16, BASE_DEC, NULL, 0x0,
6894 {&hf_cflow_ethernet_type,
6895 {"Ethernet Type", "cflow.ethernet_type",
6896 FT_UINT16, BASE_DEC, NULL, 0x0,
6899 {&hf_cflow_post_ip_precedence,
6900 {"Post Ip Precedence", "cflow.post_ip_precedence",
6901 FT_UINT8, BASE_DEC, NULL, 0x0,
6904 {&hf_cflow_collection_time_milliseconds,
6905 {"Collection Time Milliseconds", "cflow.collection_time_milliseconds",
6906 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
6909 {&hf_cflow_export_sctp_stream_id,
6910 {"Export Sctp Stream Id", "cflow.export_sctp_stream_id",
6911 FT_UINT16, BASE_DEC, NULL, 0x0,
6914 {&hf_cflow_max_export_seconds,
6915 {"Max Export Seconds", "cflow.max_export_seconds",
6916 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
6919 {&hf_cflow_max_flow_end_seconds,
6920 {"Max Flow End Seconds", "cflow.max_flow_end_seconds",
6921 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
6924 {&hf_cflow_message_md5_checksum,
6925 {"Message MD5 Checksum", "cflow.message_md5_checksum",
6926 FT_BYTES, BASE_NONE, NULL, 0x0,
6929 {&hf_cflow_message_scope,
6930 {"Message Scope", "cflow.message_scope",
6931 FT_UINT8, BASE_DEC, NULL, 0x0,
6934 {&hf_cflow_min_export_seconds,
6935 {"Min Export Seconds", "cflow.min_export_seconds",
6936 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
6939 {&hf_cflow_min_flow_start_seconds,
6940 {"Min Flow Start Seconds", "cflow.min_flow_start_seconds",
6941 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
6944 {&hf_cflow_opaque_octets,
6945 {"Opaque Octets", "cflow.opaque_octets",
6946 FT_BYTES, BASE_NONE, NULL, 0x0,
6949 {&hf_cflow_session_scope,
6950 {"Session Scope", "cflow.session_scope",
6951 FT_UINT8, BASE_DEC, NULL, 0x0,
6954 {&hf_cflow_max_flow_end_microseconds,
6955 {"Max Flow End Microseconds", "cflow.max_flow_end_microseconds",
6956 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_UTC, NULL, 0x0,
6959 {&hf_cflow_max_flow_end_milliseconds,
6960 {"Max Flow End Milliseconds", "cflow.max_flow_end_milliseconds",
6961 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
6964 {&hf_cflow_max_flow_end_nanoseconds,
6965 {"Max Flow End Nanoseconds", "cflow.max_flow_end_nanoseconds",
6966 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_UTC, NULL, 0x0,
6969 {&hf_cflow_min_flow_start_microseconds,
6970 {"Min Flow Start Microseconds", "cflow.min_flow_start_microseconds",
6971 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_UTC, NULL, 0x0,
6974 {&hf_cflow_min_flow_start_milliseconds,
6975 {"Min Flow Start Milliseconds", "cflow.min_flow_start_milliseconds",
6976 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
6979 {&hf_cflow_min_flow_start_nanoseconds,
6980 {"Min Flow Start Nanoseconds", "cflow.min_flow_start_nanoseconds",
6981 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_UTC, NULL, 0x0,
6984 {&hf_cflow_collector_certificate,
6985 {"Collector Certificate", "cflow.collector_certificate",
6986 FT_BYTES, BASE_NONE, NULL, 0x0,
6989 {&hf_cflow_exporter_certificate,
6990 {"Exporter Certificate", "cflow.exporter_certificate",
6991 FT_BYTES, BASE_NONE, NULL, 0x0,
6994 {&hf_cflow_selection_sequence_id,
6995 {"Selection Sequence Id", "cflow.selection_sequence_id",
6996 FT_UINT64, BASE_DEC, NULL, 0x0,
6999 {&hf_cflow_selector_id,
7000 {"Selector Id", "cflow.selector_id",
7001 FT_UINT16, BASE_DEC, NULL, 0x0,
7004 {&hf_cflow_information_element_id,
7005 {"Information Element Id", "cflow.information_element_id",
7006 FT_UINT16, BASE_DEC, NULL, 0x0,
7009 {&hf_cflow_selector_algorithm,
7010 {"Selector Algorithm", "cflow.selector_algorithm",
7011 FT_UINT16, BASE_DEC|BASE_EXT_STRING, &selector_algorithm_ext, 0x0,
7014 {&hf_cflow_sampling_packet_interval,
7015 {"Sampling Packet Interval", "cflow.sampling_packet_interval",
7016 FT_UINT32, BASE_DEC, NULL, 0x0,
7019 {&hf_cflow_sampling_packet_space,
7020 {"Sampling Packet Space", "cflow.sampling_packet_space",
7021 FT_UINT32, BASE_DEC, NULL, 0x0,
7024 {&hf_cflow_sampling_time_interval,
7025 {"Sampling Time Interval", "cflow.sampling_time_interval",
7026 FT_UINT32, BASE_DEC, NULL, 0x0,
7029 {&hf_cflow_sampling_time_space,
7030 {"Sampling Time Space", "cflow.sampling_time_space",
7031 FT_UINT32, BASE_DEC, NULL, 0x0,
7034 {&hf_cflow_sampling_size,
7035 {"Sampling Size", "cflow.sampling_size",
7036 FT_UINT32, BASE_DEC, NULL, 0x0,
7039 {&hf_cflow_sampling_population,
7040 {"Sampling Population", "cflow.sampling_population",
7041 FT_UINT32, BASE_DEC, NULL, 0x0,
7044 {&hf_cflow_sampling_probability,
7045 {"Sampling Probability", "cflow.sampling_probability",
7046 FT_FLOAT, BASE_NONE, NULL, 0x0,
7049 {&hf_cflow_mpls_label_stack_section,
7050 {"Mpls Label Stack Section", "cflow.mpls_label_stack_section",
7051 FT_BYTES, BASE_NONE, NULL, 0x0,
7054 {&hf_cflow_mpls_payload_packet_section,
7055 {"Mpls Payload Packet Section", "cflow.mpls_payload_packet_section",
7056 FT_BYTES, BASE_NONE, NULL, 0x0,
7059 {&hf_cflow_selector_id_total_pkts_observed,
7060 {"Selector Id Total Pkts Observed", "cflow.selector_id_total_pkts_observed",
7061 FT_UINT64, BASE_DEC, NULL, 0x0,
7064 {&hf_cflow_selector_id_total_pkts_selected,
7065 {"Selector Id Total Pkts Selected", "cflow.selector_id_total_pkts_selected",
7066 FT_UINT64, BASE_DEC, NULL, 0x0,
7069 {&hf_cflow_absolute_error,
7070 {"Absolute Error", "cflow.absolute_error",
7071 FT_FLOAT, BASE_NONE, NULL, 0x0,
7074 {&hf_cflow_relative_error,
7075 {"Relative Error", "cflow.relative_error",
7076 FT_FLOAT, BASE_NONE, NULL, 0x0,
7079 {&hf_cflow_observation_time_seconds,
7080 {"Observation Time Seconds", "cflow.observation_time_seconds",
7081 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
7084 {&hf_cflow_observation_time_milliseconds,
7085 {"Observation Time Milliseconds", "cflow.observation_time_milliseconds",
7086 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
7089 {&hf_cflow_observation_time_microseconds,
7090 {"Observation Time Microseconds", "cflow.observation_time_microseconds",
7091 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_UTC, NULL, 0x0,
7094 {&hf_cflow_observation_time_nanoseconds,
7095 {"Observation Time Nanoseconds", "cflow.observation_time_nanoseconds",
7096 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_UTC, NULL, 0x0,
7099 {&hf_cflow_digest_hash_value,
7100 {"Digest Hash Value", "cflow.digest_hash_value",
7101 FT_UINT64, BASE_DEC, NULL, 0x0,
7104 {&hf_cflow_hash_ippayload_offset,
7105 {"Hash IPPayload Offset", "cflow.hash_ippayload_offset",
7106 FT_UINT64, BASE_DEC, NULL, 0x0,
7109 {&hf_cflow_hash_ippayload_size,
7110 {"Hash IPPayload Size", "cflow.hash_ippayload_size",
7111 FT_UINT64, BASE_DEC, NULL, 0x0,
7114 {&hf_cflow_hash_output_range_min,
7115 {"Hash Output Range Min", "cflow.hash_output_range_min",
7116 FT_UINT64, BASE_DEC, NULL, 0x0,
7119 {&hf_cflow_hash_output_range_max,
7120 {"Hash Output Range Max", "cflow.hash_output_range_max",
7121 FT_UINT64, BASE_DEC, NULL, 0x0,
7124 {&hf_cflow_hash_selected_range_min,
7125 {"Hash Selected Range Min", "cflow.hash_selected_range_min",
7126 FT_UINT64, BASE_DEC, NULL, 0x0,
7129 {&hf_cflow_hash_selected_range_max,
7130 {"Hash Selected Range Max", "cflow.hash_selected_range_max",
7131 FT_UINT64, BASE_DEC, NULL, 0x0,
7134 {&hf_cflow_hash_digest_output,
7135 {"Hash Digest Output", "cflow.hash_digest_output",
7136 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
7139 {&hf_cflow_hash_initialiser_value,
7140 {"Hash Initialiser Value", "cflow.hash_initialiser_value",
7141 FT_UINT64, BASE_DEC, NULL, 0x0,
7144 {&hf_cflow_selector_name,
7145 {"Selector Name", "cflow.selector_name",
7146 FT_STRING, BASE_NONE, NULL, 0x0,
7149 {&hf_cflow_upper_cilimit,
7150 {"Upper CILimit", "cflow.upper_cilimit",
7151 FT_FLOAT, BASE_NONE, NULL, 0x0,
7154 {&hf_cflow_lower_cilimit,
7155 {"Lower CILimit", "cflow.lower_cilimit",
7156 FT_FLOAT, BASE_NONE, NULL, 0x0,
7159 {&hf_cflow_confidence_level,
7160 {"Confidence Level", "cflow.confidence_level",
7161 FT_FLOAT, BASE_NONE, NULL, 0x0,
7164 {&hf_cflow_information_element_data_type,
7165 {"Information Element Data Type", "cflow.information_element_data_type",
7166 FT_UINT8, BASE_DEC, NULL, 0x0,
7169 {&hf_cflow_information_element_description,
7170 {"Information Element Description", "cflow.information_element_description",
7171 FT_STRING, BASE_NONE, NULL, 0x0,
7174 {&hf_cflow_information_element_name,
7175 {"Information Element Name", "cflow.information_element_name",
7176 FT_STRING, BASE_NONE, NULL, 0x0,
7179 {&hf_cflow_information_element_range_begin,
7180 {"Information Element Range Begin", "cflow.information_element_range_begin",
7181 FT_UINT64, BASE_DEC, NULL, 0x0,
7184 {&hf_cflow_information_element_range_end,
7185 {"Information Element Range End", "cflow.information_element_range_end",
7186 FT_UINT64, BASE_DEC, NULL, 0x0,
7189 {&hf_cflow_information_element_semantics,
7190 {"Information Element Semantics", "cflow.information_element_semantics",
7191 FT_UINT8, BASE_DEC, NULL, 0x0,
7194 {&hf_cflow_information_element_units,
7195 {"Information Element Units", "cflow.information_element_units",
7196 FT_UINT16, BASE_DEC, NULL, 0x0,
7199 {&hf_cflow_private_enterprise_number,
7200 {"Private Enterprise Number", "cflow.private_enterprise_number",
7201 FT_UINT32, BASE_DEC, NULL, 0x0,
7205 * end pdu content storage
7207 {&hf_cflow_scope_system,
7208 {"ScopeSystem", "cflow.scope_system",
7209 FT_BYTES, BASE_NONE, NULL, 0x0,
7210 "Option Scope System", HFILL}
7212 {&hf_cflow_scope_interface,
7213 {"ScopeInterface", "cflow.scope_interface",
7214 FT_UINT32, BASE_DEC, NULL, 0x0,
7215 "Option Scope Interface", HFILL}
7217 {&hf_cflow_scope_linecard,
7218 {"ScopeLinecard", "cflow.scope_linecard",
7219 FT_BYTES, BASE_NONE, NULL, 0x0,
7220 "Option Scope Linecard", HFILL}
7222 {&hf_cflow_scope_cache,
7223 {"ScopeCache", "cflow.scope_cache",
7224 FT_BYTES, BASE_NONE, NULL, 0x0,
7225 "Option Scope Cache", HFILL}
7227 {&hf_cflow_scope_template,
7228 {"ScopeTemplate", "cflow.scope_template",
7229 FT_BYTES, BASE_NONE, NULL, 0x0,
7230 "Option Scope Template", HFILL}
7234 {&hf_cflow_unknown_field_type,
7235 {"Unknown Field Type", "cflow.unknown_field_type",
7236 FT_BYTES, BASE_NONE, NULL, 0x0,
7239 {&hf_cflow_template_ipfix_total_field_count,
7240 {"Total Field Count", "cflow.template_ipfix_total_field_count",
7241 FT_UINT16, BASE_DEC, NULL, 0x0,
7242 "IPFIX Options Template Total Field Count", HFILL}
7244 {&hf_cflow_template_ipfix_scope_field_count,
7245 {"Scope Field Count", "cflow.template_ipfix_scope_field_count",
7246 FT_UINT16, BASE_DEC, NULL, 0x0,
7247 "IPFIX Options Template Scope Field Count", HFILL}
7249 {&hf_cflow_template_ipfix_pen_provided,
7250 {"Pen provided", "cflow.template_ipfix_pen_provided",
7251 FT_BOOLEAN, 16, TFS(&tfs_yes_no), 0x8000,
7252 "Is Template Enterprise Specific", HFILL}
7254 {&hf_cflow_template_ipfix_field_type,
7255 {"Type", "cflow.template_ipfix_field_type",
7256 FT_UINT16, BASE_DEC|BASE_EXT_STRING, &v9_v10_template_types_ext, 0x7FFF,
7257 "Template field type", HFILL}
7259 {&hf_cflow_template_plixer_field_type,
7260 {"Type", "cflow.template_plixer_field_type",
7261 FT_UINT16, BASE_DEC|BASE_EXT_STRING, &v10_template_types_plixer_ext, 0x7FFF,
7262 "Template field type", HFILL}
7264 {&hf_cflow_template_ntop_field_type,
7265 {"Type", "cflow.template_ntop_field_type",
7266 FT_UINT16, BASE_DEC|BASE_EXT_STRING, &v10_template_types_ntop_ext, 0x7FFF,
7267 "Template field type", HFILL}
7269 {&hf_cflow_template_ipfix_field_type_enterprise,
7270 {"Type", "cflow.template_ipfix_field_type_enterprise",
7271 FT_UINT16, BASE_DEC, NULL, 0x7FFF,
7272 "Template field type", HFILL}
7274 {&hf_cflow_template_ipfix_field_pen,
7276 "cflow.template_ipfix_field_pen",
7277 FT_UINT32, BASE_DEC, NULL, 0x0,
7278 "IPFIX Private Enterprise Number", HFILL}
7280 {&hf_cflow_packets_dropped,
7282 "cflow.packets_dropped",
7283 FT_UINT32, BASE_DEC, NULL, 0x0,
7286 {&hf_cflow_byte_rate,
7289 FT_UINT32, BASE_DEC, NULL, 0x0,
7292 {&hf_cflow_application_media_bytes,
7294 "cflow.application_media_bytes",
7295 FT_UINT32, BASE_DEC, NULL, 0x0,
7298 {&hf_cflow_application_media_byte_rate,
7300 "cflow.media_byte_rate",
7301 FT_UINT32, BASE_DEC, NULL, 0x0,
7304 {&hf_cflow_application_media_packets,
7306 "cflow.application_media_packets",
7307 FT_UINT32, BASE_DEC, NULL, 0x0,
7310 {&hf_cflow_application_media_packet_rate,
7311 {"Media Packet Rate",
7312 "cflow.media_packet_rate",
7313 FT_UINT32, BASE_DEC, NULL, 0x0,
7316 {&hf_cflow_application_media_event,
7318 "cflow.application_media_event",
7319 FT_UINT8, BASE_DEC, NULL, 0x0,
7322 {&hf_cflow_monitor_event,
7324 "cflow.monitor_event",
7325 FT_UINT8, BASE_DEC, NULL, 0x0,
7328 {&hf_cflow_timestamp_interval,
7329 {"Timestamp Interval",
7330 "cflow.timestamp_interval",
7331 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
7334 {&hf_cflow_transport_packets_expected,
7335 {"Transport Packets Expected",
7336 "cflow.transport_packets_expected",
7337 FT_UINT32, BASE_DEC, NULL, 0x0,
7340 {&hf_cflow_transport_round_trip_time_string,
7341 {"Transport Round-Trip-Time",
7342 "cflow.transport_rtt",
7343 FT_UINT32, BASE_DEC, VALS(performance_monitor_specials), 0x0,
7346 {&hf_cflow_transport_round_trip_time,
7347 {"Transport Round-Trip-Time",
7348 "cflow.transport_rtt",
7349 FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
7352 {&hf_cflow_transport_event_packet_loss,
7353 {"Transport Packet Loss Events",
7354 "cflow.transport_packet_loss_event",
7355 FT_UINT32, BASE_DEC, NULL, 0x0,
7358 {&hf_cflow_transport_packets_lost,
7359 {"Transport Packets Lost",
7360 "cflow.transport_packets_lost",
7361 FT_UINT32, BASE_DEC, NULL, 0x0,
7364 {&hf_cflow_transport_packets_lost_string,
7365 {"Transport Packets Lost",
7366 "cflow.transport_packets_lost",
7367 FT_UINT32, BASE_HEX, VALS(performance_monitor_specials), 0x0,
7370 {&hf_cflow_transport_packets_lost_rate,
7371 {"Transport Packet Loss Rate",
7372 "cflow.transport_packet_loss_rate",
7373 FT_UINT32, BASE_DEC, NULL, 0x0,
7376 {&hf_cflow_transport_packets_lost_rate_string,
7377 {"Transport Packet Loss Rate",
7378 "cflow.transport_packet_loss_rate",
7379 FT_UINT32, BASE_HEX, VALS(performance_monitor_specials) , 0x0,
7382 {&hf_cflow_transport_rtp_ssrc,
7384 "cflow.transport_rtp_ssrc",
7385 FT_UINT32, BASE_DEC, NULL, 0x0,
7388 {&hf_cflow_transport_rtp_jitter_mean,
7390 "cflow.transport_jitter_mean",
7391 FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
7394 {&hf_cflow_transport_rtp_jitter_mean_string,
7396 "cflow.transport_jitter_mean",
7397 FT_UINT32, BASE_HEX, VALS(performance_monitor_specials), 0x0,
7400 {&hf_cflow_transport_rtp_jitter_min,
7402 "cflow.transport_jitter_min",
7403 FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
7406 {&hf_cflow_transport_rtp_jitter_min_string,
7408 "cflow.transport_jitter_min",
7409 FT_UINT32, BASE_HEX, VALS(performance_monitor_specials), 0x0,
7412 {&hf_cflow_transport_rtp_jitter_max,
7414 "cflow.transport_jitter_max",
7415 FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
7418 {&hf_cflow_transport_rtp_jitter_max_string,
7420 "cflow.transport_jitter_max",
7421 FT_UINT32, BASE_HEX, VALS(performance_monitor_specials), 0x0,
7424 /* Ericsson SE NAT Logging */
7425 {&hf_cflow_nat_context_id,
7426 {"NAT Context ID", "cflow.nat_context_id",
7427 FT_UINT32, BASE_DEC, NULL, 0x0,
7428 "Internal context ID", HFILL}
7430 {&hf_cflow_nat_context_name,
7431 {"NAT Context Name", "cflow.nat_context_name",
7432 FT_STRINGZ, BASE_NONE, NULL, 0x0,
7433 "Zero terminated context Name", HFILL}
7435 {&hf_cflow_nat_assign_time,
7436 {"NAT Assign Time", "cflow.nat_assign_time",
7437 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
7438 "Seconds of UNIX timestamp for assign", HFILL}
7440 {&hf_cflow_nat_unassign_time,
7441 {"NAT Unassign Time", "cflow.nat_unassign_time",
7442 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
7443 "Seconds of UNIX timestamp for unassign", HFILL}
7445 {&hf_cflow_nat_int_addr,
7446 {"Internal IPv4 address", "cflow.nat_int_addr",
7447 FT_IPv4, BASE_NONE, NULL, 0x0,
7450 {&hf_cflow_nat_ext_addr,
7451 {"External IPv4 address", "cflow.nat_ext_addr",
7452 FT_IPv4, BASE_NONE, NULL, 0x0,
7455 {&hf_cflow_nat_ext_port_first,
7456 {"NAT port start", "cflow.nat_ext_port_first",
7457 FT_UINT16, BASE_DEC, NULL, 0x0,
7458 "External L4 port start", HFILL}
7460 {&hf_cflow_nat_ext_port_last,
7461 {"NAT port end", "cflow.nat_ext_port_last",
7462 FT_UINT16, BASE_DEC, NULL, 0x0,
7463 "External L4 port end", HFILL}
7465 /* Cisco ASA 5500 Series */
7466 {&hf_cflow_ingress_acl_id,
7467 {"Ingress ACL ID", "cflow.ingress_acl_id",
7468 FT_BYTES, BASE_NONE, NULL, 0x0,
7471 {&hf_cflow_egress_acl_id,
7472 {"Egress ACL ID", "cflow.egress_acl_id",
7473 FT_BYTES, BASE_NONE, NULL, 0x0,
7476 {&hf_cflow_fw_ext_event,
7477 {"Extended firewall event code", "cflow.fw_ext_event",
7478 FT_UINT16, BASE_DEC, VALS(v9_extended_firewall_event), 0x0,
7481 {&hf_cflow_aaa_username,
7482 {"AAA username", "cflow.aaa_username",
7483 FT_STRING, BASE_NONE, NULL, 0x0,
7487 {&hf_ipfix_enterprise_private_entry,
7488 {"Enterprise Private entry", "cflow.enterprise_private_entry",
7489 FT_BYTES, BASE_NONE, NULL, 0x0,
7492 /* Private Information Elements */
7494 /* CACE Technologies, 32622 / 0 */
7495 {&hf_pie_cace_local_ipv4_address,
7496 {"Local IPv4 Address", "cflow.pie.cace.localaddr4",
7497 FT_IPv4, BASE_NONE, NULL, 0x0,
7498 "Local IPv4 Address (caceLocalIPv4Address)", HFILL}
7500 /* CACE Technologies, 32622 / 1 */
7501 {&hf_pie_cace_remote_ipv4_address,
7502 {"Remote IPv4 Address", "cflow.pie.cace.remoteaddr4",
7503 FT_IPv4, BASE_NONE, NULL, 0x0,
7504 "Remote IPv4 Address (caceRemoteIPv4Address)", HFILL}
7506 /* CACE Technologies, 32622 / 2 */
7507 {&hf_pie_cace_local_ipv6_address,
7508 {"Local IPv6 Address", "cflow.pie.cace.localaddr6",
7509 FT_IPv6, BASE_NONE, NULL, 0x0,
7510 "Local IPv6 Address (caceLocalIPv6Address)", HFILL}
7512 /* CACE Technologies, 32622 / 3 */
7513 {&hf_pie_cace_remote_ipv6_address,
7514 {"Remote IPv6 Address", "cflow.pie.cace.remoteaddr6",
7515 FT_IPv6, BASE_NONE, NULL, 0x0,
7516 "Remote IPv6 Address (caceRemoteIPv6Address)", HFILL}
7518 /* CACE Technologies, 32622 / 4 */
7519 {&hf_pie_cace_local_port,
7520 {"Local Port", "cflow.pie.cace.localport",
7521 FT_UINT16, BASE_DEC, NULL, 0x0,
7522 "Local Transport Port (caceLocalTransportPort)", HFILL}
7524 /* CACE Technologies, 32622 / 5 */
7525 {&hf_pie_cace_remote_port,
7526 {"Remote Port", "cflow.pie.cace.remoteport",
7527 FT_UINT16, BASE_DEC, NULL, 0x0,
7528 "Remote Transport Port (caceRemoteTransportPort)", HFILL}
7530 /* CACE Technologies, 32622 / 6 */
7531 {&hf_pie_cace_local_ipv4_id,
7532 {"Local IPv4 ID", "cflow.pie.cace.localip4id",
7533 FT_UINT16, BASE_DEC, NULL, 0x0,
7534 "The IPv4 identification header field from a locally-originated packet (caceLocalIPv4id)", HFILL}
7536 /* CACE Technologies, 32622 / 7 */
7537 {&hf_pie_cace_local_icmp_id,
7538 {"Local ICMP ID", "cflow.pie.cace.localicmpid",
7539 FT_UINT16, BASE_DEC, NULL, 0x0,
7540 "The ICMP identification header field from a locally-originated ICMPv4 or ICMPv6 echo request (caceLocalICMPid)", HFILL}
7542 /* CACE Technologies, 32622 / 8 */
7543 {&hf_pie_cace_local_uid,
7544 {"Local User ID", "cflow.pie.cace.localuid",
7545 FT_UINT32, BASE_DEC, NULL, 0x0,
7546 "Local User ID (caceLocalProcessUserId)", HFILL}
7548 /* CACE Technologies, 32622 / 9 */
7549 {&hf_pie_cace_local_pid,
7550 {"Local Process ID", "cflow.pie.cace.localpid",
7551 FT_UINT32, BASE_DEC, NULL, 0x0,
7552 "Local Process ID (caceLocalProcessId)", HFILL}
7554 /* CACE Technologies, 32622 / 10 */
7555 {&hf_pie_cace_local_username_len,
7556 {"Local Username Length", "cflow.pie.cace.localusernamelen",
7557 FT_UINT8, BASE_DEC, NULL, 0x0,
7558 "Local User Name Length (caceLocalProcessUserName)", HFILL}
7560 /* CACE Technologies, 32622 / 10 */
7561 {&hf_pie_cace_local_username,
7562 {"Local User Name", "cflow.pie.cace.localusername",
7563 FT_STRING, BASE_NONE, NULL, 0x0,
7564 "Local User Name (caceLocalProcessUserName)", HFILL}
7566 /* CACE Technologies, 32622 / 11 */
7567 {&hf_pie_cace_local_cmd_len,
7568 {"Local Command Length", "cflow.pie.cace.localcmdlen",
7569 FT_UINT8, BASE_DEC, NULL, 0x0,
7570 "Local Command Length (caceLocalProcessCommand)", HFILL}
7572 /* CACE Technologies, 32622 / 11 */
7573 {&hf_pie_cace_local_cmd,
7574 {"Local Command", "cflow.pie.cace.localcmd",
7575 FT_STRING, BASE_NONE, NULL, 0x0,
7576 "Local Command (caceLocalProcessCommand)", HFILL}
7578 /* ntop, 35632 / 80 */
7579 {&hf_pie_ntop_fragmented,
7580 {"Fragmented","cflow.pie.ntop.fragmented",
7581 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
7584 /* ntop, 35632 / 81 */
7585 {&hf_pie_ntop_fingerprint,
7586 {"Fingerprint","cflow.pie.ntop.fingerprint",
7587 FT_UINT32, BASE_DEC, NULL, 0x0,
7590 /* ntop, 35632 / 82 */
7591 {&hf_pie_ntop_client_nw_delay_sec,
7592 {"Client_nw_delay_sec","cflow.pie.ntop.client_nw_delay_sec",
7593 FT_UINT32, BASE_DEC, NULL, 0x0,
7596 /* ntop, 35632 / 83 */
7597 {&hf_pie_ntop_client_nw_delay_usec,
7598 {"Client_nw_delay_usec","cflow.pie.ntop.client_nw_delay_usec",
7599 FT_UINT32, BASE_DEC, NULL, 0x0,
7602 /* ntop, 35632 / 84 */
7603 {&hf_pie_ntop_server_nw_delay_sec,
7604 {"Server_nw_delay_sec","cflow.pie.ntop.server_nw_delay_sec",
7605 FT_UINT32, BASE_DEC, NULL, 0x0,
7608 /* ntop, 35632 / 85 */
7609 {&hf_pie_ntop_server_nw_delay_usec,
7610 {"Server_nw_delay_usec","cflow.pie.ntop.server_nw_delay_usec",
7611 FT_UINT32, BASE_DEC, NULL, 0x0,
7614 /* ntop, 35632 / 86 */
7615 {&hf_pie_ntop_appl_latency_sec,
7616 {"Appl_latency_sec","cflow.pie.ntop.appl_latency_sec",
7617 FT_UINT32, BASE_DEC, NULL, 0x0,
7620 /* ntop, 35632 / 98 */
7621 {&hf_pie_ntop_icmp_flags,
7622 {"Icmp_flags","cflow.pie.ntop.icmp_flags",
7623 FT_UINT16, BASE_DEC, NULL, 0x0,
7626 /* ntop, 35632 / 101 */
7627 {&hf_pie_ntop_src_ip_country,
7628 {"Src_ip_country","cflow.pie.ntop.src_ip_country",
7629 FT_STRINGZ, BASE_NONE, NULL, 0x0,
7632 /* ntop, 35632 / 102 */
7633 {&hf_pie_ntop_src_ip_city,
7634 {"Src_ip_city","cflow.pie.ntop.src_ip_city",
7635 FT_STRINGZ, BASE_NONE, NULL, 0x0,
7638 /* ntop, 35632 / 103 */
7639 {&hf_pie_ntop_dst_ip_country,
7640 {"Dst_ip_country","cflow.pie.ntop.dst_ip_country",
7641 FT_STRINGZ, BASE_NONE, NULL, 0x0,
7644 /* ntop, 35632 / 104 */
7645 {&hf_pie_ntop_dst_ip_city,
7646 {"Dst_ip_city","cflow.pie.ntop.dst_ip_city",
7647 FT_STRINGZ, BASE_NONE, NULL, 0x0,
7650 /* ntop, 35632 / 105 */
7651 {&hf_pie_ntop_flow_proto_port,
7652 {"Flow_proto_port","cflow.pie.ntop.flow_proto_port",
7653 FT_UINT16, BASE_DEC, NULL, 0x0,
7656 /* ntop, 35632 / 106 */
7657 {&hf_pie_ntop_tunnel_id,
7658 {"Tunnel_id","cflow.pie.ntop.tunnel_id",
7659 FT_UINT32, BASE_DEC, NULL, 0x0,
7662 /* ntop, 35632 / 107 */
7663 {&hf_pie_ntop_longest_flow_pkt,
7664 {"Longest_flow_pkt","cflow.pie.ntop.longest_flow_pkt",
7665 FT_UINT32, BASE_DEC, NULL, 0x0,
7668 /* ntop, 35632 / 108 */
7669 {&hf_pie_ntop_shortest_flow_pkt,
7670 {"Shortest_flow_pkt","cflow.pie.ntop.shortest_flow_pkt",
7671 FT_UINT32, BASE_DEC, NULL, 0x0,
7674 /* ntop, 35632 / 109 */
7675 {&hf_pie_ntop_retransmitted_in_pkts,
7676 {"Retransmitted_in_pkts","cflow.pie.ntop.retransmitted_in_pkts",
7677 FT_UINT32, BASE_DEC, NULL, 0x0,
7680 /* ntop, 35632 / 110 */
7681 {&hf_pie_ntop_retransmitted_out_pkts,
7682 {"Retransmitted_out_pkts","cflow.pie.ntop.retransmitted_out_pkts",
7683 FT_UINT32, BASE_DEC, NULL, 0x0,
7686 /* ntop, 35632 / 111 */
7687 {&hf_pie_ntop_ooorder_in_pkts,
7688 {"Ooorder_in_pkts","cflow.pie.ntop.ooorder_in_pkts",
7689 FT_UINT32, BASE_DEC, NULL, 0x0,
7692 /* ntop, 35632 / 112 */
7693 {&hf_pie_ntop_ooorder_out_pkts,
7694 {"Ooorder_out_pkts","cflow.pie.ntop.ooorder_out_pkts",
7695 FT_UINT32, BASE_DEC, NULL, 0x0,
7698 /* ntop, 35632 / 113 */
7699 {&hf_pie_ntop_untunneled_protocol,
7700 {"Untunneled_protocol","cflow.pie.ntop.untunneled_protocol",
7701 FT_UINT8, BASE_DEC, NULL, 0x0,
7704 /* ntop, 35632 / 114 */
7705 {&hf_pie_ntop_untunneled_ipv4_src_addr,
7706 {"Untunneled_ipv4_src_addr","cflow.pie.ntop.untunneled_ipv4_src_addr",
7707 FT_IPv4, BASE_NONE, NULL, 0x0,
7710 /* ntop, 35632 / 115 */
7711 {&hf_pie_ntop_untunneled_l4_src_port,
7712 {"Untunneled_l4_src_port","cflow.pie.ntop.untunneled_l4_src_port",
7713 FT_UINT16, BASE_DEC, NULL, 0x0,
7716 /* ntop, 35632 / 116 */
7717 {&hf_pie_ntop_untunneled_ipv4_dst_addr,
7718 {"Untunneled_ipv4_dst_addr","cflow.pie.ntop.untunneled_ipv4_dst_addr",
7719 FT_IPv4, BASE_NONE, NULL, 0x0,
7722 /* ntop, 35632 / 117 */
7723 {&hf_pie_ntop_untunneled_l4_dst_port,
7724 {"Untunneled_l4_dst_port","cflow.pie.ntop.untunneled_l4_dst_port",
7725 FT_UINT16, BASE_DEC, NULL, 0x0,
7729 /* ntop, 35632 / 110 */
7730 {&hf_pie_ntop_dump_path,
7731 {"Dump_path","cflow.pie.ntop.dump_path",
7732 FT_STRINGZ, BASE_NONE, NULL, 0x0,
7735 /* ntop, 35632 / 130 */
7736 {&hf_pie_ntop_sip_call_id,
7737 {"Sip_call_id","cflow.pie.ntop.sip_call_id",
7738 FT_STRING, BASE_NONE, NULL, 0x0,
7741 /* ntop, 35632 / 131 */
7742 {&hf_pie_ntop_sip_calling_party,
7743 {"Sip_calling_party","cflow.pie.ntop.sip_calling_party",
7744 FT_STRING, BASE_NONE, NULL, 0x0,
7747 /* ntop, 35632 / 132 */
7748 {&hf_pie_ntop_sip_called_party,
7749 {"Sip_called_party","cflow.pie.ntop.sip_called_party",
7750 FT_STRING, BASE_NONE, NULL, 0x0,
7753 /* ntop, 35632 / 133 */
7754 {&hf_pie_ntop_sip_rtp_codecs,
7755 {"Sip_rtp_codecs","cflow.pie.ntop.sip_rtp_codecs",
7756 FT_STRING, BASE_NONE, NULL, 0x0,
7759 /* ntop, 35632 / 134 */
7760 {&hf_pie_ntop_sip_invite_time,
7761 {"Sip_invite_time","cflow.pie.ntop.sip_invite_time",
7762 FT_UINT32, BASE_DEC, NULL, 0x0,
7765 /* ntop, 35632 / 135 */
7766 {&hf_pie_ntop_sip_trying_time,
7767 {"Sip_trying_time","cflow.pie.ntop.sip_trying_time",
7768 FT_UINT32, BASE_DEC, NULL, 0x0,
7771 /* ntop, 35632 / 136 */
7772 {&hf_pie_ntop_sip_ringing_time,
7773 {"Sip_ringing_time","cflow.pie.ntop.sip_ringing_time",
7774 FT_UINT32, BASE_DEC, NULL, 0x0,
7777 /* ntop, 35632 / 137 */
7778 {&hf_pie_ntop_sip_ok_time,
7779 {"Sip_ok_time","cflow.pie.ntop.sip_ok_time",
7780 FT_UINT32, BASE_DEC, NULL, 0x0,
7783 /* ntop, 35632 / 138 */
7784 {&hf_pie_ntop_sip_bye_time,
7785 {"Sip_bye_time","cflow.pie.ntop.sip_bye_time",
7786 FT_UINT32, BASE_DEC, NULL, 0x0,
7789 /* ntop, 35632 / 139 */
7790 {&hf_pie_ntop_sip_rtp_src_ip,
7791 {"Sip_rtp_src_ip","cflow.pie.ntop.sip_rtp_src_ip",
7792 FT_IPv4, BASE_NONE, NULL, 0x0,
7795 /* ntop, 35632 / 140 */
7796 {&hf_pie_ntop_sip_rtp_src_port,
7797 {"Sip_rtp_src_port","cflow.pie.ntop.sip_rtp_src_port",
7798 FT_UINT16, BASE_DEC, NULL, 0x0,
7801 /* ntop, 35632 / 141 */
7802 {&hf_pie_ntop_sip_rtp_dst_ip,
7803 {"Sip_rtp_dst_ip","cflow.pie.ntop.sip_rtp_dst_ip",
7804 FT_IPv4, BASE_NONE, NULL, 0x0,
7807 /* ntop, 35632 / 142 */
7808 {&hf_pie_ntop_sip_rtp_dst_port,
7809 {"Sip_rtp_dst_port","cflow.pie.ntop.sip_rtp_dst_port",
7810 FT_UINT16, BASE_DEC, NULL, 0x0,
7813 /* ntop, 35632 / 150 */
7814 {&hf_pie_ntop_rtp_first_ssrc,
7815 {"Rtp_first_ssrc","cflow.pie.ntop.rtp_first_ssrc",
7816 FT_UINT32, BASE_DEC, NULL, 0x0,
7819 /* ntop, 35632 / 151 */
7820 {&hf_pie_ntop_rtp_first_ts,
7821 {"Rtp_first_ts","cflow.pie.ntop.rtp_first_ts",
7822 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
7825 /* ntop, 35632 / 152 */
7826 {&hf_pie_ntop_rtp_last_ssrc,
7827 {"Rtp_last_ssrc","cflow.pie.ntop.rtp_last_ssrc",
7828 FT_UINT32, BASE_DEC, NULL, 0x0,
7831 /* ntop, 35632 / 153 */
7832 {&hf_pie_ntop_rtp_last_ts,
7833 {"Rtp_last_ts","cflow.pie.ntop.rtp_last_ts",
7834 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
7837 /* ntop, 35632 / 154 */
7838 {&hf_pie_ntop_rtp_in_jitter,
7839 {"Rtp_in_jitter","cflow.pie.ntop.rtp_in_jitter",
7840 FT_UINT32, BASE_DEC, NULL, 0x0,
7843 /* ntop, 35632 / 155 */
7844 {&hf_pie_ntop_rtp_out_jitter,
7845 {"Rtp_out_jitter","cflow.pie.ntop.rtp_out_jitter",
7846 FT_UINT32, BASE_DEC, NULL, 0x0,
7849 /* ntop, 35632 / 156 */
7850 {&hf_pie_ntop_rtp_in_pkt_lost,
7851 {"Rtp_in_pkt_lost","cflow.pie.ntop.rtp_in_pkt_lost",
7852 FT_UINT32, BASE_DEC, NULL, 0x0,
7855 /* ntop, 35632 / 157 */
7856 {&hf_pie_ntop_rtp_out_pkt_lost,
7857 {"Rtp_out_pkt_lost","cflow.pie.ntop.rtp_out_pkt_lost",
7858 FT_UINT32, BASE_DEC, NULL, 0x0,
7861 /* ntop, 35632 / 158 */
7862 {&hf_pie_ntop_rtp_out_payload_type,
7863 {"Rtp_out_payload_type","cflow.pie.ntop.rtp_out_payload_type",
7864 FT_UINT32, BASE_DEC, NULL, 0x0,
7867 /* ntop, 35632 / 159 */
7868 {&hf_pie_ntop_rtp_in_max_delta,
7869 {"Rtp_in_max_delta","cflow.pie.ntop.rtp_in_max_delta",
7870 FT_UINT32, BASE_DEC, NULL, 0x0,
7873 /* ntop, 35632 / 160 */
7874 {&hf_pie_ntop_rtp_out_max_delta,
7875 {"Rtp_out_max_delta","cflow.pie.ntop.rtp_out_max_delta",
7876 FT_UINT32, BASE_DEC, NULL, 0x0,
7879 /* ntop, 35632 / 168 */
7880 {&hf_pie_ntop_proc_id,
7881 {"Proc_id","cflow.pie.ntop.proc_id",
7882 FT_UINT32, BASE_DEC, NULL, 0x0,
7885 /* ntop, 35632 / 169 */
7886 {&hf_pie_ntop_proc_name,
7887 {"Proc_name","cflow.pie.ntop.proc_name",
7888 FT_STRING, BASE_NONE, NULL, 0x0,
7891 /* ntop, 35632 / 180 */
7892 {&hf_pie_ntop_http_url,
7893 {"Http_url","cflow.pie.ntop.http_url",
7894 FT_STRING, BASE_NONE, NULL, 0x0,
7897 /* ntop, 35632 / 181 */
7898 {&hf_pie_ntop_http_ret_code,
7899 {"Http_ret_code","cflow.pie.ntop.http_ret_code",
7900 FT_UINT16, BASE_DEC, NULL, 0x0,
7903 /* ntop, 35632 / 185 */
7904 {&hf_pie_ntop_smtp_mail_from,
7905 {"Smtp_mail_from","cflow.pie.ntop.smtp_mail_from",
7906 FT_STRING, BASE_NONE, NULL, 0x0,
7909 /* ntop, 35632 / 186 */
7910 {&hf_pie_ntop_smtp_rcpt_to,
7911 {"Smtp_rcpt_to","cflow.pie.ntop.smtp_rcpt_to",
7912 FT_STRING, BASE_NONE, NULL, 0x0,
7915 /* ntop, 35632 / 195 */
7916 {&hf_pie_ntop_mysql_server_version,
7917 {"Mysql_server_version","cflow.pie.ntop.mysql_server_version",
7918 FT_STRING, BASE_NONE, NULL, 0x0,
7921 /* ntop, 35632 / 196 */
7922 {&hf_pie_ntop_mysql_username,
7923 {"Mysql_username","cflow.pie.ntop.mysql_username",
7924 FT_STRING, BASE_NONE, NULL, 0x0,
7927 /* ntop, 35632 / 197 */
7928 {&hf_pie_ntop_mysql_db,
7929 {"Mysql_db","cflow.pie.ntop.mysql_db",
7930 FT_STRING, BASE_NONE, NULL, 0x0,
7933 /* ntop, 35632 / 198 */
7934 {&hf_pie_ntop_mysql_query,
7935 {"Mysql_query","cflow.pie.ntop.mysql_query",
7936 FT_STRING, BASE_NONE, NULL, 0x0,
7939 /* ntop, 35632 / 199 */
7940 {&hf_pie_ntop_mysql_response,
7941 {"Mysql_response","cflow.pie.ntop.mysql_response",
7942 FT_UINT16, BASE_DEC, NULL, 0x0,
7946 /* plixer, 13745 / 100 */
7947 {&hf_pie_plixer_client_ip_v4,
7948 {"client_ip_v4","cflow.pie.plixer.client.ip_v4",
7949 FT_IPv4, BASE_NONE, NULL, 0x0,
7952 {&hf_pie_plixer_client_hostname,
7953 /* plixer, 13745 / 101 */
7954 {"client_hostname","cflow.pie.plixer.client_hostname",
7955 FT_STRING, BASE_NONE, NULL, 0x0,
7958 /* plixer, 13745 / 102 */
7959 {&hf_pie_plixer_partner_name,
7960 {"Partner_name","cflow.pie.plixer.partner_name",
7961 FT_STRING, BASE_NONE, NULL, 0x0,
7964 /* plixer, 13745 / 103 */
7965 {&hf_pie_plixer_server_hostname,
7966 {"Server_hostname","cflow.pie.plixer.server_hostname",
7967 FT_STRING, BASE_NONE, NULL, 0x0,
7970 /* plixer, 13745 / 104 */
7971 {&hf_pie_plixer_server_ip_v4,
7972 {"Server_ip_v4","cflow.pie.plixer.server_ip_v4",
7973 FT_IPv4, BASE_NONE, NULL, 0x0,
7976 /* plixer, 13745 / 105 */
7977 {&hf_pie_plixer_recipient_address,
7978 {"Recipient_address","cflow.pie.plixer.recipient_address",
7979 FT_STRING, BASE_NONE, NULL, 0x0,
7982 /* plixer, 13745 / 106 */
7983 {&hf_pie_plixer_event_id,
7984 {"Event_id","cflow.pie.plixer.event_id",
7985 FT_UINT32, BASE_DEC, NULL, 0x0,
7988 /* plixer, 13745 / 107 */
7989 {&hf_pie_plixer_msgid,
7990 {"Msgid","cflow.pie.plixer.msgid",
7991 FT_STRING, BASE_NONE, NULL, 0x0,
7994 /* plixer, 13745 / 108 */
7995 {&hf_pie_plixer_priority,
7996 {"Priority","cflow.pie.plixer_priority",
7997 FT_UINT32, BASE_DEC, NULL, 0x0,
8000 /* plixer, 13745 / 109 */
8001 {&hf_pie_plixer_recipient_report_status,
8002 {"Recipient_report_status","cflow.pie.plixer.recipient_report_status",
8003 FT_UINT32, BASE_DEC, NULL, 0x0,
8006 /* plixer, 13745 / 110 */
8007 {&hf_pie_plixer_number_recipients,
8008 {"Number_recipients","cflow.pie.plixer.number_recipients",
8009 FT_UINT32, BASE_DEC, NULL, 0x0,
8012 /* plixer, 13745 / 111 */
8013 {&hf_pie_plixer_origination_time,
8014 {"Origination_time","cflow.pie.plixer.origination_time",
8015 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
8018 /* plixer, 13745 / 112 */
8019 {&hf_pie_plixer_encryption,
8020 {"Cncryption","cflow.pie.plixer.encryption",
8021 FT_UINT32, BASE_DEC, NULL, 0x0,
8024 /* plixer, 13745 / 113 */
8025 {&hf_pie_plixer_service_version,
8026 {"Service_version","cflow.pie.plixer.service_version",
8027 FT_STRING, BASE_NONE, NULL, 0x0,
8030 /* plixer, 13745 / 114 */
8031 {&hf_pie_plixer_linked_msgid,
8032 {"Linked_msgid","cflow.pie.plixer.linked_msgid",
8033 FT_STRING, BASE_NONE, NULL, 0x0,
8036 /* plixer, 13745 / 115 */
8037 {&hf_pie_plixer_message_subject,
8038 {"Message_subject","cflow.pie.plixer.message_subject",
8039 FT_STRING, BASE_NONE, NULL, 0x0,
8042 /* plixer, 13745 / 116 */
8043 {&hf_pie_plixer_sender_address,
8044 {"Sender_address","cflow.pie.plixer.sender_address",
8045 FT_STRING, BASE_NONE, NULL, 0x0,
8048 /* plixer, 13745 / 117 */
8049 {&hf_pie_plixer_date_time,
8050 {"Date_time","cflow.pie.plixer.date_time",
8051 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
8055 {&hf_string_len_short,
8056 {"String_len_short","cflow.string_len_short",
8057 FT_UINT8, BASE_DEC, NULL, 0x0,
8060 {&hf_string_len_long,
8061 {"String_len_short","cflow.string_len_long",
8062 FT_UINT8, BASE_DEC, NULL, 0x0,
8068 static gint *ett[] = {
8080 module_t *netflow_module;
8082 proto_netflow = proto_register_protocol("Cisco NetFlow/IPFIX", "CFLOW",
8085 proto_register_field_array(proto_netflow, hf, array_length(hf));
8086 proto_register_subtree_array(ett, array_length(ett));
8088 /* Register our configuration options for NetFlow */
8089 netflow_module = prefs_register_protocol(proto_netflow,
8090 proto_reg_handoff_netflow);
8092 /* Set default Netflow port(s) */
8093 range_convert_str(&global_netflow_ports,NETFLOW_UDP_PORTS,
8095 range_convert_str(&global_ipfix_ports, IPFIX_UDP_PORTS,
8098 prefs_register_obsolete_preference(netflow_module, "udp.port");
8100 prefs_register_range_preference(netflow_module, "netflow.ports",
8101 "NetFlow UDP Port(s)",
8102 "Set the port(s) for NetFlow messages"
8103 " (default: " NETFLOW_UDP_PORTS ")",
8104 &global_netflow_ports, MAX_UDP_PORT);
8106 prefs_register_range_preference(netflow_module, "ipfix.ports",
8107 "IPFIX UDP/TCP/SCTP Port(s)",
8108 "Set the port(s) for IPFIX messages"
8109 " (default: " IPFIX_UDP_PORTS ")",
8110 &global_ipfix_ports, MAX_UDP_PORT);
8112 prefs_register_uint_preference(netflow_module, "max_template_fields",
8113 "Maximum number of fields allowed in a template",
8114 "Set the number of fields allowed in a template. "
8115 "Use 0 (zero) for unlimited. "
8116 " (default: " STRINGIFY(V9TEMPLATE_MAX_FIELDS_DEF) ")",
8117 10, &v9template_max_fields);
8119 register_init_routine(&netflow_reinit);
8124 * protocol/port association
/*
 * Range callback: remove netflow_handle from the "udp.port" dissector table
 * for a single port.  proto_reg_handoff_netflow() passes this function to
 * range_foreach() over the NetFlow port range it registered on its previous
 * call.
 *
 * NOTE(review): this listing skips original lines 8128-8129 (between the
 * signature and the call), so any guard around the call is not visible here.
 */
8127 netflow_delete_callback(guint32 port)
8130 dissector_delete_uint("udp.port", port, netflow_handle);
/*
 * Range callback: register netflow_handle in the "udp.port" dissector table
 * for a single port.  proto_reg_handoff_netflow() passes this function to
 * range_foreach() over its copy of global_netflow_ports, so NetFlow ports are
 * bound on UDP only.
 *
 * NOTE(review): this listing skips original lines 8136-8137 (between the
 * signature and the call), so any guard around the call is not visible here.
 */
8135 netflow_add_callback(guint32 port)
8138 dissector_add_uint("udp.port", port, netflow_handle);
/*
 * Range callback: remove netflow_handle for a single port from all three
 * transport tables used for IPFIX ("udp.port", "tcp.port", "sctp.port").
 * This mirrors ipfix_add_callback(), so every table that was registered is
 * also unregistered.
 *
 * NOTE(review): this listing skips original lines 8144-8145 (between the
 * signature and the first call), so any guard around the calls is not
 * visible here.
 */
8143 ipfix_delete_callback(guint32 port)
8146 dissector_delete_uint("udp.port", port, netflow_handle);
8147 dissector_delete_uint("tcp.port", port, netflow_handle);
8148 dissector_delete_uint("sctp.port", port, netflow_handle);
/*
 * Range callback: register netflow_handle for a single port in the
 * "udp.port", "tcp.port" and "sctp.port" dissector tables.  The same handle
 * (and therefore the same dissector) is used for all three transports.
 *
 * NOTE(review): this listing skips original lines 8154-8155 (between the
 * signature and the first call), so any guard around the calls is not
 * visible here.
 */
8153 ipfix_add_callback(guint32 port)
8156 dissector_add_uint("udp.port", port, netflow_handle);
8157 dissector_add_uint("tcp.port", port, netflow_handle);
8158 dissector_add_uint("sctp.port", port, netflow_handle);
/*
 * Bind the NetFlow/IPFIX dissector to its ports.
 *
 * The registration code also hands this function to
 * prefs_register_protocol(), so it is expected to run again after the
 * preferences change (presumably each time they are applied -- confirm
 * against the prefs API).  Each run replaces the previous port bindings with
 * the current values of global_netflow_ports and global_ipfix_ports.
 *
 * Registration is by port number only: whatever arrives on these ports is
 * offered to dissect_netflow, which has to treat it as untrusted input.
 */
8163 proto_reg_handoff_netflow(void)
/* One-time-setup flag; static, so it persists across calls. */
8165 static gboolean netflow_prefs_initialized = FALSE;
/*
 * Copies of the port ranges that the previous call registered.  They are kept
 * so those exact ports can be unregistered before the new preference values
 * are applied.
 */
8166 static range_t *netflow_ports;
8167 static range_t *ipfix_ports;
/*
 * First call: create the dissector handle once and bind it to the raw IPFIX
 * capture encapsulation.
 */
8169 if (!netflow_prefs_initialized) {
8170 netflow_handle = new_create_dissector_handle(dissect_netflow, proto_netflow);
8171 netflow_prefs_initialized = TRUE;
8172 dissector_add_uint("wtap_encap", WTAP_ENCAP_RAW_IPFIX, netflow_handle);
/*
 * NOTE(review): original line 8173 is not shown in this listing; presumably
 * it opens the else branch, so the teardown below runs only on later calls,
 * when the static ranges hold real copies -- confirm against the full file.
 *
 * Teardown: unregister every port from the old ranges and free the old
 * copies, so ports that were removed from the preferences are no longer
 * routed to this dissector.
 */
8174 range_foreach(netflow_ports, netflow_delete_callback);
8175 g_free(netflow_ports);
8176 range_foreach(ipfix_ports, ipfix_delete_callback);
8177 g_free(ipfix_ports);
/*
 * Take fresh copies of the current preference ranges.  Later edits to the
 * globals then cannot change which ports the next teardown unregisters.
 */
8180 netflow_ports = range_copy(global_netflow_ports);
8181 ipfix_ports = range_copy(global_ipfix_ports);
/*
 * Register the handle for every port in the new ranges: NetFlow ports on UDP
 * only, IPFIX ports on UDP, TCP and SCTP (see the callbacks above).
 */
8183 range_foreach(netflow_ports, netflow_add_callback);
8184 range_foreach(ipfix_ports, ipfix_add_callback);
8194 * indent-tabs-mode: t
8197 * ex: set shiftwidth=8 tabstop=8 noexpandtab:
8198 * :indentSize=8:tabSize=8:noTabs=false: