Wireshark mailing list archives

Re: Patch submitted for IPFIX file format support


From: Hadriel Kaplan <HKaplan () acmepacket com>
Date: Tue, 21 Sep 2010 22:40:06 -0400


Agree - an updated/replacement diff patch has been attached to the bug, which now does 2-level-deep sanity checking of 
multiple records in the file before calling it good, with an environment variable for changing the number of records to 
check (based on the ERF model).
Thanks for the tip!

-hadriel 

On Sep 21, 2010, at 1:42 PM, Jeff Morriss wrote:

Hadriel Kaplan wrote:
Howdy,
I've submitted bug 5242 with an attached patch diff for supporting the IPFIX file format, per RFC 5655.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5242

The one open issue/question I have regards a heuristic for determining if it's the right file type.  Unfortunately, 
the IPFIX file format has no magic sequence, and is literally just the IPFIX/Netflow_v10 messages in a file.  Right 
now, the open routine just checks if the first byte is the right version number, i.e. that the first two bytes of 
the file are 0x000A.  That's good enough to separate it from ascii files, obviously, but will probably collide with 
other binary file formats.  So... should I have the open routine also try to parse the messages further, or parse 
multiple messages? or should I just leave it as is?

That sounds like the heuristic is too weak.  We've had big problems 
before with file type heuristics being too weak and thus Wireshark 
thinking it can open any type of file--only to abort out later on when 
something goes wrong.

I believe the ERF wiretap module checks to ensure that some number of 
packets are 'sane'--that might be a good approach.  (The ERF module also 
allows the user to tune the behavior via the ERF_RECORDS_TO_CHECK 
environment variable.)
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request () wireshark org?subject=unsubscribe

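The heuristic discussed in this thread (reject anything that is not a run of well-formed IPFIX messages, with a tunable record count) can be shown with a small stand-alone checker. The code below is an added example written for this archive page; it is not the patch attached to bug 5242 nor any Wireshark wiretap code. It assumes the IPFIX message and set header layouts from RFC 5101/7011, an environment variable named `IPFIX_RECORDS_TO_CHECK` (a hypothetical name modelled on the `ERF_RECORDS_TO_CHECK` variable mentioned above), a default of 20 records, and constructed sample buffers; all three are assumptions, not values from the thread.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

#define IPFIX_VERSION            10   /* "0x000A" in the first two bytes */
#define IPFIX_MSG_HDR_LEN        16   /* version, length, export time, sequence, domain id */
#define IPFIX_SET_HDR_LEN        4    /* set id, set length */
#define DEFAULT_RECORDS_TO_CHECK 20   /* assumed default, not the project's value */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Level 1: message header. Level 2: walk every set inside the message.
 * Returns the message length if the message is sane, 0 otherwise. */
size_t ipfix_check_message(const uint8_t *buf, size_t avail)
{
    if (avail < IPFIX_MSG_HDR_LEN || rd16(buf) != IPFIX_VERSION) return 0;
    uint16_t msg_len = rd16(buf + 2);
    if (msg_len < IPFIX_MSG_HDR_LEN || msg_len > avail) return 0;   /* impossible or truncated */

    size_t off = IPFIX_MSG_HDR_LEN;
    while (off < msg_len) {
        if (msg_len - off < IPFIX_SET_HDR_LEN) return 0;            /* dangling bytes, no set header */
        uint16_t set_id  = rd16(buf + off);
        uint16_t set_len = rd16(buf + off + 2);
        /* RFC 7011: 2 = template set, 3 = options template set, >=256 = data set;
         * 0, 1 and 4..255 are not valid in a file. */
        if (set_id == 0 || set_id == 1 || (set_id > 3 && set_id < 256)) return 0;
        if (set_len < IPFIX_SET_HDR_LEN || set_len > msg_len - off) return 0;
        off += set_len;                                               /* sets must tile the message exactly */
    }
    return msg_len;
}

/* Accept the buffer only if the first records_to_check messages are sane (or the data ends
 * cleanly on a message boundary before that many were seen, with at least one message). */
int ipfix_looks_like_file(const uint8_t *buf, size_t len, int records_to_check)
{
    size_t off = 0;
    int checked = 0;
    while (checked < records_to_check) {
        if (off == len) break;                      /* clean EOF on a message boundary */
        size_t n = ipfix_check_message(buf + off, len - off);
        if (n == 0) return 0;
        off += n;
        checked++;
    }
    return checked > 0;
}

/* Tunable record count, modelled on the ERF approach. Hypothetical variable name. */
int ipfix_records_to_check(void)
{
    const char *s = getenv("IPFIX_RECORDS_TO_CHECK");
    if (s != NULL) {
        long v = strtol(s, NULL, 10);
        if (v > 0 && v < 1000000) return (int)v;
    }
    return DEFAULT_RECORDS_TO_CHECK;
}

/* Constructed sample: three 24-byte messages, each with one data set (id 256) holding 4 bytes. */
const uint8_t SAMPLE_GOOD[] = {
    0x00,0x0A, 0x00,0x18, 0,0,0,0, 0,0,0,1, 0,0,0,1, 0x01,0x00, 0x00,0x08, 0xDE,0xAD,0xBE,0xEF,
    0x00,0x0A, 0x00,0x18, 0,0,0,0, 0,0,0,2, 0,0,0,1, 0x01,0x00, 0x00,0x08, 0xDE,0xAD,0xBE,0xEF,
    0x00,0x0A, 0x00,0x18, 0,0,0,0, 0,0,0,3, 0,0,0,1, 0x01,0x00, 0x00,0x08, 0xDE,0xAD,0xBE,0xEF,
};
/* Constructed sample: passes the two-byte version check, but claims a 4-byte message. */
const uint8_t SAMPLE_BAD_LEN[] = { 0x00,0x0A, 0x00,0x04, 0,0,0,0, 0,0,0,0, 0,0,0,0 };
/* Constructed sample: version and message length look fine; the set header uses reserved id 5. */
const uint8_t SAMPLE_BAD_SET[] = {
    0x00,0x0A, 0x00,0x18, 0,0,0,0, 0,0,0,1, 0,0,0,1, 0x00,0x05, 0x00,0x08, 0xDE,0xAD,0xBE,0xEF,
};

int main(void)
{
    int n = ipfix_records_to_check();
    printf("good   : %d\n", ipfix_looks_like_file(SAMPLE_GOOD,    sizeof SAMPLE_GOOD,    n));
    printf("bad len: %d\n", ipfix_looks_like_file(SAMPLE_BAD_LEN, sizeof SAMPLE_BAD_LEN, n));
    printf("bad set: %d\n", ipfix_looks_like_file(SAMPLE_BAD_SET, sizeof SAMPLE_BAD_SET, n));
    return 0;
}
```

The third sample is the case the two-byte check alone cannot catch: the version and message length are both plausible, and only walking the sets inside the message rejects it. A truncated final message inside the checked window is rejected as well; if that window is shorter than the file, trailing truncation is not seen, which is the trade-off the record-count knob controls.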