[Nfdump-discuss] Implementation of overflow correction of SysUptime counter in netflow_v*.c

[Daan v. d. S. <d.a...@st...>]

Hi,

In both netflow_v5_v7.c and netflow_v9.c is an error in handling an overflow 
of the SysUptime counter. However I can't test this it at the moment, because 
I don't have any packet in which there is an overflow of SysUptime, but going 
through the c-code I think it is wrong (unless I'm missing something 
obvious).

This is the part where the header gets read: 
v5_header->SysUptime     = ntohl(v5_header->SysUptime);
v5_header->unix_secs     = ntohl(v5_header->unix_secs);
v5_header->unix_nsecs    = ntohl(v5_header->unix_nsecs);

/* calculate boot time in msec */
boot_time  = ((uint64_t)(v5_header->unix_secs)*1000 +
  ((uint64_t(v5_header->unix_nsecs) / 1000000) ) - 
    (uint64_t)(v5_header->SysUptime);

And here where the overflow correction takes place, when a flow record is 
processed:
// Time issues
First = ntohl(v5_record->First);
Last = ntohl(v5_record->Last);
if ( First > Last )
/* Last in msec, in case of msec overflow, between start and end */
	end_time = 0x100000000LL + Last + boot_time;
else
	end_time = (uint64_t)Last + boot_time;

/* start time in msecs */
start_time = (uint64_t)First + boot_time;

This is going wrong, because when SysUptime overflows Last is indead smaller 
than First, but so will be SysUptime in the NetFlow header. So the unix 
timestamp in the header is matched to the SysUptime value in the header. So 
the end-time was allready correct and the start-time should be corrceted. 
This way the flow will be exported as it were 50 days in the future.

Another option when the correction goes wrong is for example if both First and 
Last are just before the overflow value (2^32), but the value of SysUptime in 
the NetFlow header is overflown we again get the wrong value calculated. 
Since now both the start_time and the end_time need to be corrected.

I'm assuming that the SysUptime in the NetFlow header is always after Last (in 
time, not neccesary in value). If I understood the netflow documentation 
correctly this is always the case, since sysuptime header is the value of the 
SysUptime counter at the moment the packet is sent. 

I hope it is clear, but I strongly belief that the overflow is not correctly 
implemented. But please correct me if I'm wrong.

Daan