[Nfdump-discuss] Implementation of overflow correction of SysUptime counter in netflow_v*.c
From: Daan v. d. S. <d.a...@st...> - 2008-06-27 15:58:36
Hi,

In both netflow_v5_v7.c and netflow_v9.c there is an error in handling an overflow of the SysUptime counter. However I can't test this at the moment, because I don't have any packet in which there is an overflow of SysUptime, but going through the c-code I think it is wrong (unless I'm missing something obvious).

This is the part where the header gets read:

    v5_header->SysUptime  = ntohl(v5_header->SysUptime);
    v5_header->unix_secs  = ntohl(v5_header->unix_secs);
    v5_header->unix_nsecs = ntohl(v5_header->unix_nsecs);

    /* calculate boot time in msec */
    boot_time = ((uint64_t)(v5_header->unix_secs)*1000 + ((uint64_t)(v5_header->unix_nsecs) / 1000000) ) - (uint64_t)(v5_header->SysUptime);

And here where the overflow correction takes place, when a flow record is processed:

    // Time issues
    First = ntohl(v5_record->First);
    Last  = ntohl(v5_record->Last);
    if ( First > Last )
        /* Last in msec, in case of msec overflow, between start and end */
        end_time = 0x100000000LL + Last + boot_time;
    else
        end_time = (uint64_t)Last + boot_time;

    /* start time in msecs */
    start_time = (uint64_t)First + boot_time;

This is going wrong, because when SysUptime overflows Last is indeed smaller than First, but so will be SysUptime in the NetFlow header. So the unix timestamp in the header is matched to the SysUptime value in the header. So the end-time was already correct and the start-time should be corrected. This way the flow will be exported as if it were 50 days in the future.

Another option when the correction goes wrong is for example if both First and Last are just before the overflow value (2^32), but the value of SysUptime in the NetFlow header is overflown: we again get the wrong value calculated, since now both the start_time and the end_time need to be corrected.

I'm assuming that the SysUptime in the NetFlow header is always after Last (in time, not necessarily in value). If I understood the netflow documentation correctly this is always the case, since SysUptime in the header is the value of the SysUptime counter at the moment the packet is sent.

I hope it is clear, but I strongly believe that the overflow is not correctly implemented. But please correct me if I'm wrong.

Daan
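The wrap-safe calculation that follows from Daan's assumption, as an added example that is not code from the post or from nfdump: the struct names and functions are hypothetical stand-ins, and it assumes, as the post does, that the header SysUptime was sampled at or after Last. Measuring both intervals backwards from the export instant in 32-bit unsigned arithmetic makes the counter wrap disappear, and the quoted boot_time formula is kept beside it to show the 50-days-in-the-future result on a constructed packet.

```c
#include <stdint.h>
#include <stdio.h>
/* Hypothetical v5 header and record fields, already converted with ntohl();
 * these are stand-ins for the nfdump structs, not the project's own types. */
typedef struct { uint32_t sys_uptime, unix_secs, unix_nsecs; } v5_hdr_t;
typedef struct { uint32_t first, last; } v5_rec_t;              /* SysUptime ms */
typedef struct { uint64_t start_ms, end_ms; } flow_times_t;     /* unix time, ms */

static uint64_t export_ms(const v5_hdr_t *h)
{
    return (uint64_t)h->unix_secs * 1000 + h->unix_nsecs / 1000000;
}

/* The boot_time based calculation as quoted in the post, kept unchanged. */
flow_times_t flow_times_current(const v5_hdr_t *h, const v5_rec_t *r)
{
    uint64_t boot_time = export_ms(h) - h->sys_uptime;
    flow_times_t t;
    if (r->first > r->last)
        t.end_ms = 0x100000000ULL + r->last + boot_time;
    else
        t.end_ms = (uint64_t)r->last + boot_time;
    t.start_ms = (uint64_t)r->first + boot_time;
    return t;
}

/* Wrap-safe alternative: measure everything backwards from the export instant.
 * Relies only on the header SysUptime having been sampled at or after Last;
 * the 32-bit unsigned subtractions then absorb any counter wrap on their own. */
flow_times_t flow_times_wrapsafe(const v5_hdr_t *h, const v5_rec_t *r)
{
    uint32_t age_ms      = h->sys_uptime - r->last;   /* export - Last, mod 2^32 */
    uint32_t duration_ms = r->last - r->first;        /* Last - First, mod 2^32 */
    flow_times_t t;
    t.end_ms   = export_ms(h) - age_ms;
    t.start_ms = t.end_ms - duration_ms;
    return t;
}

int main(void)
{
    /* Constructed packet: counter wrapped 1000 ms before export; the flow ended 256 ms before the wrap and lasted 3840 ms. */
    v5_hdr_t h = { 1000, 1214582316, 0 };
    v5_rec_t r = { 0xFFFFF000u, 0xFFFFFF00u };
    flow_times_t a = flow_times_current(&h, &r), b = flow_times_wrapsafe(&h, &r);
    printf("current : start=%llu end=%llu\n", (unsigned long long)a.start_ms, (unsigned long long)a.end_ms);
    printf("wrapsafe: start=%llu end=%llu\n", (unsigned long long)b.start_ms, (unsigned long long)b.end_ms);
    return 0;
}
```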