search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
MSWSP: fix dissect_mswsp_smb()
[wireshark-wip.git] / epan / dissectors / packet-netflow.c
blob9abfbb6c5f678e9fa9064eb599527e61afb29b36
1 /*
2 ** packet-netflow.c
3 **
4 ** $Id$
5 **
6 ** (c) 2002 bill fumerola <fumerola@yahoo-inc.com>
7 ** (C) 2005-06 Luca Deri <deri@ntop.org>
8 **
9 ** All rights reserved.
10 **
11 ** Wireshark - Network traffic analyzer
12 ** By Gerald Combs <gerald@wireshark.org>
13 ** Copyright 1998 Gerald Combs
14 **
15 ** This program is free software; you can redistribute it and/or
16 ** modify it under the terms of the GNU General Public License
17 ** as published by the Free Software Foundation; either version 2
18 ** of the License, or (at your option) any later version.
19 **
20 ** This program is distributed in the hope that it will be useful,
21 ** but WITHOUT ANY WARRANTY; without even the implied warranty of
22 ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 ** GNU General Public License for more details.
24 **
25 ** You should have received a copy of the GNU General Public License
26 ** along with this program; if not, write to the Free Software
27 ** Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
28 *****************************************************************************
29 **
30 ** Previous NetFlow dissector written by Matthew Smart <smart@monkey.org>
31 ** NetFlow v9 support added by same.
32 **
33 ** NetFlow v9 patches by Luca Deri <deri@ntop.org>
34 **
35 ** See
36 **
37 ** http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/tflow_wp.htm
38 ** http://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.html
39 **
40 ** Cisco ASA5500 Series
41 ** http://www.cisco.com/en/US/docs/security/asa/asa83/netflow/netflow.html
42 **
43 ** for NetFlow v9 information.
44 ** ( http://www.ietf.org/rfc/rfc3954.txt ?)
45 ** http://www.ietf.org/rfc/rfc5101.txt
46 ** http://www.ietf.org/rfc/rfc5102.txt
47 ** http://www.ietf.org/rfc/rfc5103.txt
48 ** http://www.iana.org/assignments/ipfix/ipfix.xml
49 ** http://www.iana.org/assignments/psamp-parameters/psamp-parameters.xml
50 ** for IPFIX
51 **
52 *****************************************************************************
53 **
54 ** this code was written from the following documentation:
55 **
56 ** http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/nfc/nfc_3_6/iug/format.pdf
57 ** http://www.caida.org/tools/measurement/cflowd/configuration/configuration-9.html
58 **
59 ** some documentation is more accurate then others. in some cases, live data and
60 ** information contained in responses from vendors were also used. some fields
61 ** are dissected as vendor specific fields.
62 **
63 ** See also
64 **
65 ** http://www.cisco.com/en/US/docs/ios/solutions_docs/netflow/nfwhite.html
66 **
67 *****************************************************************************
68 ** NetFlow forwarding status and template fixes
69 ** by Aamer Akhter <aakhter@cisco.com>
70 ** Copyright 2010, cisco Systems, Inc.
71 **
72 ** $Yahoo: //depot/fumerola/packet-netflow/packet-netflow.c#14 $
73 **
74 *****************************************************************************
75 **
76 **
77 */
78
79 /*
80 * ToDo: [11/23/2011: WMeier]
81 *
82 * 1. (See the various XXX comments)
83 * 2. Template processing:
84 * a. Verify that template with same src_addr, ... ,ID is actually identical to that previously seen ?
85 * Handle changes ? Don't use template to dissect data packets previous to the packet with the templates.
86 * Essentially; need to keep the packet number containing the first copy of the template.
87 * b. Review use of lengths from template when dissecting fields in a data flow: not really OK ?
88 * The proto_tree_add_item() calls in dissect_v9_v10_pdu_data() use:
89 * - "lengths" as specified in the previously seen template for the flow;
90 * - a hardwired Wireshark "field-type" (FT_UINT8, etc) in the hf[]array entries.
91 * Since many/most netfow/ipfix field-types have a specified fixed size (int32, ether addr, etc),
92 * and since the code in dissect_v9_v10_pdu_data() "knows" these sizes, "DISSECTOR_BUG" errors
93 * will occur if the "known" length and the length as gotten from the template don't match.
94 * Consider: validate length fields when processing templates ?
95 * Don't cache template if errors in particular fields of template (eg: v10: pen == 0) ?
96 *
97 *
98 */
99
100 /*
101 * November 2010: acferen: Add ntop nProbe and Plixer Mailinizer extensions
102 *
103 * nProbe changes are for nprobe >= 5.5.6. Earlier nprobe versions
104 * "supported" some of the same fields, but they used element IDs that
105 * collide with standard IDs. Because of this versions prior to 5.5.6
106 * using IDs above 80 (nprobe extensions) cannot be decoded correctly.
107 *
108 * nprobe supports extensions in v9 and IPFIX. IPFIX is done in the
109 * standard way. See the NTOP_BASE for handling v9 with no collisions
110 * (maybe).
111 *
112 * Plixer changes are just new field definitions. (IPFIX only)
113 *
114 * extended core code to allow naming vendor extensions.
115 *
116 * Put the length for variable length strings in a tree under the
117 * decoded string. Wonder if this might be overkill. Could probably
118 * just format the "(Variable length)" string to include the actual
119 * length.
120 *
121 * Did some minor cleanup.
122 *
123 * Note for WMeier... Added YYY comments with some XXX comments.
124 */
125
126 #include "config.h"
127
128 #include <epan/packet.h>
129 #include <epan/wmem/wmem.h>
130 #include <epan/prefs.h>
131 #include <epan/sminmpec.h>
132 #include <epan/dissectors/packet-tcp.h>
133 #include <epan/dissectors/packet-udp.h>
134 #include "packet-ntp.h"
135 #include <epan/expert.h>
136
137
138 #if 0
139 #define ipfix_debug0(str) g_warning(str)
140 #define ipfix_debug1(str,p1) g_warning(str,p1)
141 #define ipfix_debug2(str,p1,p2) g_warning(str,p1,p2)
142 #define ipfix_debug3(str,p1,p2,p3) g_warning(str,p1,p2,p3)
143 #else
144 #define ipfix_debug0(str)
145 #define ipfix_debug1(str,p1)
146 #define ipfix_debug2(str,p1,p2)
147 #define ipfix_debug3(str,p1,p2,p3)
148 #endif
149
150
151 /* 4739 is IPFIX.
152 2055 and 9996 are common defaults for Netflow
153 */
154 #define NETFLOW_UDP_PORTS "2055,9996"
155 #define IPFIX_UDP_PORTS "4739"
156 #define REVPEN 29305
157 static dissector_handle_t netflow_handle;
158
159 /* If you want sort of safely to send enterprise specific element IDs
160 using v9 you need to stake a claim in the wilds with the high bit
161 set. Still no naming authority, but at least it will never collide
162 with valid IPFIX */
163 #define NTOP_BASE 57472u /* nprobe >= 5.5.6 */
164
165 /*
166 * global_netflow_ports : holds the configured range of ports for netflow
167 */
168 static range_t *global_netflow_ports = NULL;
169 /*
170 * global_ipfix_ports : holds the configured range of ports for IPFIX
171 */
172 static range_t *global_ipfix_ports = NULL;
173
174 /*
175 * Flowset (template) ID's
176 */
177 #define FLOWSET_ID_V9_DATA_TEMPLATE 0
178 #define FLOWSET_ID_V9_OPTIONS_TEMPLATE 1
179 #define FLOWSET_ID_V10_DATA_TEMPLATE 2
180 #define FLOWSET_ID_V10_OPTIONS_TEMPLATE 3
181 #define FLOWSET_ID_RESERVED_MIN 4
182 #define FLOWSET_ID_RESERVED_MAX 255
183 #define FLOWSET_ID_DATA_MIN 256
184 #define FLOWSET_ID_DATA_MAX 65535
185
186 static const range_string rs_flowset_ids[] = {
187 { FLOWSET_ID_V9_DATA_TEMPLATE , FLOWSET_ID_V9_DATA_TEMPLATE , "Data Template (V9)" },
188 { FLOWSET_ID_V9_OPTIONS_TEMPLATE , FLOWSET_ID_V9_OPTIONS_TEMPLATE , "Options Template(V9)" },
189 { FLOWSET_ID_V10_DATA_TEMPLATE , FLOWSET_ID_V10_DATA_TEMPLATE , "Data Template (V10 [IPFIX])" },
190 { FLOWSET_ID_V10_OPTIONS_TEMPLATE, FLOWSET_ID_V10_OPTIONS_TEMPLATE, "Options Template (V10 [IPFIX])" },
191 { FLOWSET_ID_RESERVED_MIN , FLOWSET_ID_RESERVED_MAX , "(Reserved)" },
192 { FLOWSET_ID_DATA_MIN , FLOWSET_ID_DATA_MAX , "(Data)" },
193 { 0, 0, NULL }
194 };
195
196 /*
197 * pdu identifiers & sizes
198 */
199
200 #define V1PDU_SIZE (4 * 12)
201 #define V5PDU_SIZE (4 * 12)
202 #define V7PDU_SIZE (4 * 13)
203 #define V8PDU_AS_SIZE (4 * 7)
204 #define V8PDU_PROTO_SIZE (4 * 7)
205 #define V8PDU_SPREFIX_SIZE (4 * 8)
206 #define V8PDU_DPREFIX_SIZE (4 * 8)
207 #define V8PDU_MATRIX_SIZE (4 * 10)
208 #define V8PDU_DESTONLY_SIZE (4 * 8)
209 #define V8PDU_SRCDEST_SIZE (4 * 10)
210 #define V8PDU_FULL_SIZE (4 * 11)
211 #define V8PDU_TOSAS_SIZE (V8PDU_AS_SIZE + 4)
212 #define V8PDU_TOSPROTOPORT_SIZE (V8PDU_PROTO_SIZE + 4)
213 #define V8PDU_TOSSRCPREFIX_SIZE (V8PDU_SPREFIX_SIZE)
214 #define V8PDU_TOSDSTPREFIX_SIZE (V8PDU_DPREFIX_SIZE)
215 #define V8PDU_TOSMATRIX_SIZE (V8PDU_MATRIX_SIZE)
216 #define V8PDU_PREPORTPROTOCOL_SIZE (4 * 10)
217
218 #define VARIABLE_LENGTH 65535
219
220 static const value_string v5_sampling_mode[] = {
221 {0, "No sampling mode configured"},
222 {1, "Packet Interval sampling mode configured"},
223 {2, "Random sampling mode configured"},
224 {0, NULL}
225 };
226
227 enum {
228 V8PDU_NO_METHOD = 0,
229 V8PDU_AS_METHOD,
230 V8PDU_PROTO_METHOD,
231 V8PDU_SPREFIX_METHOD,
232 V8PDU_DPREFIX_METHOD,
233 V8PDU_MATRIX_METHOD,
234 V8PDU_DESTONLY_METHOD,
235 V8PDU_SRCDEST_METHOD,
236 V8PDU_FULL_METHOD,
237 V8PDU_TOSAS_METHOD,
238 V8PDU_TOSPROTOPORT_METHOD,
239 V8PDU_TOSSRCPREFIX_METHOD,
240 V8PDU_TOSDSTPREFIX_METHOD,
241 V8PDU_TOSMATRIX_METHOD,
242 V8PDU_PREPORTPROTOCOL_METHOD
243 };
244
245 static const value_string v8_agg[] = {
246 {V8PDU_AS_METHOD, "V8 AS aggregation"},
247 {V8PDU_PROTO_METHOD, "V8 Proto/Port aggregation"},
248 {V8PDU_SPREFIX_METHOD, "V8 Source Prefix aggregation"},
249 {V8PDU_DPREFIX_METHOD, "V8 Destination Prefix aggregation"},
250 {V8PDU_MATRIX_METHOD, "V8 Network Matrix aggregation"},
251 {V8PDU_DESTONLY_METHOD, "V8 Destination aggregation (Cisco Catalyst)"},
252 {V8PDU_SRCDEST_METHOD, "V8 Src/Dest aggregation (Cisco Catalyst)"},
253 {V8PDU_FULL_METHOD, "V8 Full aggregation (Cisco Catalyst)"},
254 {V8PDU_TOSAS_METHOD, "V8 TOS+AS aggregation"},
255 {V8PDU_TOSPROTOPORT_METHOD, "V8 TOS+Protocol aggregation"},
256 {V8PDU_TOSSRCPREFIX_METHOD, "V8 TOS+Source Prefix aggregation"},
257 {V8PDU_TOSDSTPREFIX_METHOD, "V8 TOS+Destination Prefix aggregation"},
258 {V8PDU_TOSMATRIX_METHOD, "V8 TOS+Prefix Matrix aggregation"},
259 {V8PDU_PREPORTPROTOCOL_METHOD, "V8 Port+Protocol aggregation"},
260 {0, NULL}
261 };
262 static value_string_ext v8_agg_ext = VALUE_STRING_EXT_INIT(v8_agg);
263
264
265 /* Max number of entries/scopes per template */
266 /* Space is allocated dynamically so there isn't really a need to
267 bound this except to cap possible memory use. Unfortunately if
268 this value is too low we can't decode any template with more than
269 v9_tmplt_max_fields fields in it. The best compromise seems
270 to be to make v9_tmplt_max_fields a user preference.
271 A value of 0 will be unlimited.
272 */
273 #define V9_TMPLT_MAX_FIELDS_DEF 60
274 static guint v9_tmplt_max_fields = V9_TMPLT_MAX_FIELDS_DEF;
275
276 typedef struct _v9_v10_tmplt_entry {
277 guint16 type;
278 guint16 length;
279 guint32 pen;
280 const gchar *pen_str;
281 } v9_v10_tmplt_entry_t;
282
283 typedef enum {
284 TF_SCOPES=0,
285 TF_ENTRIES,
286 /* START IPFIX VENDOR FIELDS */
287 TF_PLIXER,
288 TF_NTOP,
289 TF_NO_VENDOR_INFO
290 } v9_v10_tmplt_fields_type_t;
291 #define TF_NUM 2
292 #define TF_NUM_EXT 5 /* includes vendor fields */
293
294 typedef struct _v9_v10_tmplt {
295 address src_addr;
296 guint32 src_port;
297 address dst_addr;
298 guint32 dst_port;
299 guint32 src_id;
300 guint16 tmplt_id;
301 guint length;
302 guint16 field_count[TF_NUM]; /* 0:scopes; 1:entries */
303 v9_v10_tmplt_entry_t *fields_p[TF_NUM_EXT]; /* 0:scopes; 1:entries; n:vendor_entries */
304 } v9_v10_tmplt_t;
305
306
307 GHashTable *v9_v10_tmplt_table = NULL;
308
309
310 static const value_string v9_v10_template_types[] = {
311 { 1, "BYTES" },
312 { 2, "PKTS" },
313 { 3, "FLOWS" },
314 { 4, "PROTOCOL" },
315 { 5, "IP_TOS" },
316 { 6, "TCP_FLAGS" },
317 { 7, "L4_SRC_PORT" },
318 { 8, "IP_SRC_ADDR" },
319 { 9, "SRC_MASK" },
320 { 10, "INPUT_SNMP" },
321 { 11, "L4_DST_PORT" },
322 { 12, "IP_DST_ADDR" },
323 { 13, "DST_MASK" },
324 { 14, "OUTPUT_SNMP" },
325 { 15, "IP_NEXT_HOP" },
326 { 16, "SRC_AS" },
327 { 17, "DST_AS" },
328 { 18, "BGP_NEXT_HOP" },
329 { 19, "MUL_DPKTS" },
330 { 20, "MUL_DOCTETS" },
331 { 21, "LAST_SWITCHED" },
332 { 22, "FIRST_SWITCHED" },
333 { 23, "OUT_BYTES" },
334 { 24, "OUT_PKTS" },
335 { 25, "IP LENGTH MINIMUM" },
336 { 26, "IP LENGTH MAXIMUM" },
337 { 27, "IPV6_SRC_ADDR" },
338 { 28, "IPV6_DST_ADDR" },
339 { 29, "IPV6_SRC_MASK" },
340 { 30, "IPV6_DST_MASK" },
341 { 31, "FLOW_LABEL" },
342 { 32, "ICMP_TYPE" },
343 { 33, "IGMP_TYPE" },
344 { 34, "SAMPLING_INTERVAL" },
345 { 35, "SAMPLING_ALGORITHM" },
346 { 36, "FLOW_ACTIVE_TIMEOUT" },
347 { 37, "FLOW_INACTIVE_TIMEOUT" },
348 { 38, "ENGINE_TYPE" },
349 { 39, "ENGINE_ID" },
350 { 40, "TOTAL_BYTES_EXP" },
351 { 41, "TOTAL_PKTS_EXP" },
352 { 42, "TOTAL_FLOWS_EXP" },
353 { 44, "IP_SRC_PREFIX" },
354 { 45, "IP_DST_PREFIX" },
355 { 46, "MPLS_TOP_LABEL_TYPE" },
356 { 47, "MPLS_TOP_LABEL_ADDR" },
357 { 48, "FLOW_SAMPLER_ID" },
358 { 49, "FLOW_SAMPLER_MODE" },
359 { 50, "FLOW_SAMPLER_RANDOM_INTERVAL" },
360 { 51, "FLOW_CLASS" },
361 { 52, "IP TTL MINIMUM" },
362 { 53, "IP TTL MAXIMUM" },
363 { 54, "IPv4 ID" },
364 { 55, "DST_TOS" },
365 { 56, "SRC_MAC" },
366 { 57, "DST_MAC" },
367 { 58, "SRC_VLAN" },
368 { 59, "DST_VLAN" },
369 { 60, "IP_PROTOCOL_VERSION" },
370 { 61, "DIRECTION" },
371 { 62, "IPV6_NEXT_HOP" },
372 { 63, "BGP_IPV6_NEXT_HOP" },
373 { 64, "IPV6_OPTION_HEADERS" },
374 { 70, "MPLS_LABEL_1" },
375 { 71, "MPLS_LABEL_2" },
376 { 72, "MPLS_LABEL_3" },
377 { 73, "MPLS_LABEL_4" },
378 { 74, "MPLS_LABEL_5" },
379 { 75, "MPLS_LABEL_6" },
380 { 76, "MPLS_LABEL_7" },
381 { 77, "MPLS_LABEL_8" },
382 { 78, "MPLS_LABEL_9" },
383 { 79, "MPLS_LABEL_10" },
384 { 80, "DESTINATION_MAC" },
385 { 81, "SOURCE_MAC" },
386 { 82, "IF_NAME" },
387 { 83, "IF_DESC" },
388 { 84, "SAMPLER_NAME" },
389 { 85, "BYTES_TOTAL" },
390 { 86, "PACKETS_TOTAL" },
391 { 88, "FRAGMENT_OFFSET" },
392 { 89, "FORWARDING_STATUS" },
393 { 90, "VPN_ROUTE_DISTINGUISHER" },
394 { 91, "mplsTopLabelPrefixLength" },
395 { 92, "SRC_TRAFFIC_INDEX" },
396 { 93, "DST_TRAFFIC_INDEX" },
397 { 94, "APPLICATION_DESC" },
398 { 95, "APPLICATION_ID" },
399 { 96, "APPLICATION_NAME" },
400 { 98, "postIpDiffServCodePoint" },
401 { 99, "multicastReplicationFactor" },
402 { 128, "DST_AS_PEER" },
403 { 129, "SRC_AS_PEER" },
404 { 130, "exporterIPv4Address" },
405 { 131, "exporterIPv6Address" },
406 { 132, "DROPPED_BYTES" },
407 { 133, "DROPPED_PACKETS" },
408 { 134, "DROPPED_BYTES_TOTAL" },
409 { 135, "DROPPED_PACKETS_TOTAL" },
410 { 136, "flowEndReason" },
411 { 137, "commonPropertiesId" },
412 { 138, "observationPointId" },
413 { 139, "icmpTypeCodeIPv6" },
414 { 140, "MPLS_TOP_LABEL_IPv6_ADDRESS" },
415 { 141, "lineCardId" },
416 { 142, "portId" },
417 { 143, "meteringProcessId" },
418 { 144, "FLOW_EXPORTER" },
419 { 145, "templateId" },
420 { 146, "wlanChannelId" },
421 { 147, "wlanSSID" },
422 { 148, "flowId" },
423 { 149, "observationDomainId" },
424 { 150, "flowStartSeconds" },
425 { 151, "flowEndSeconds" },
426 { 152, "flowStartMilliseconds" },
427 { 153, "flowEndMilliseconds" },
428 { 154, "flowStartMicroseconds" },
429 { 155, "flowEndMicroseconds" },
430 { 156, "flowStartNanoseconds" },
431 { 157, "flowEndNanoseconds" },
432 { 158, "flowStartDeltaMicroseconds" },
433 { 159, "flowEndDeltaMicroseconds" },
434 { 160, "systemInitTimeMilliseconds" },
435 { 161, "flowDurationMilliseconds" },
436 { 162, "flowDurationMicroseconds" },
437 { 163, "observedFlowTotalCount" },
438 { 164, "ignoredPacketTotalCount" },
439 { 165, "ignoredOctetTotalCount" },
440 { 166, "notSentFlowTotalCount" },
441 { 167, "notSentPacketTotalCount" },
442 { 168, "notSentOctetTotalCount" },
443 { 169, "destinationIPv6Prefix" },
444 { 170, "sourceIPv6Prefix" },
445 { 171, "postOctetTotalCount" },
446 { 172, "postPacketTotalCount" },
447 { 173, "flowKeyIndicator" },
448 { 174, "postMCastPacketTotalCount" },
449 { 175, "postMCastOctetTotalCount" },
450 { 176, "ICMP_IPv4_TYPE" },
451 { 177, "ICMP_IPv4_CODE" },
452 { 178, "ICMP_IPv6_TYPE" },
453 { 179, "ICMP_IPv6_CODE" },
454 { 180, "UDP_SRC_PORT" },
455 { 181, "UDP_DST_PORT" },
456 { 182, "TCP_SRC_PORT" },
457 { 183, "TCP_DST_PORT" },
458 { 184, "TCP_SEQ_NUM" },
459 { 185, "TCP_ACK_NUM" },
460 { 186, "TCP_WINDOW_SIZE" },
461 { 187, "TCP_URGENT_PTR" },
462 { 188, "TCP_HEADER_LEN" },
463 { 189, "IP_HEADER_LEN" },
464 { 190, "IP_TOTAL_LEN" },
465 { 191, "payloadLengthIPv6" },
466 { 192, "IP_TTL" },
467 { 193, "nextHeaderIPv6" },
468 { 194, "IP_TOS" },
469 { 195, "IP_DSCP" },
470 { 196, "IP_PRECEDENCE" },
471 { 197, "IP_FRAGMENT_FLAGS" },
472 { 198, "BYTES_SQUARED" },
473 { 199, "BYTES_SQUARED_PERMANENT" },
474 { 200, "MPLS_TOP_LABEL_TTL" },
475 { 201, "MPLS_LABEL_STACK_OCTETS" },
476 { 202, "MPLS_LABEL_STACK_DEPTH" },
477 { 203, "MPLS_TOP_LABEL_EXP" },
478 { 204, "IP_PAYLOAD_LENGTH" },
479 { 205, "UDP_LENGTH" },
480 { 206, "IS_MULTICAST" },
481 { 207, "IP_HEADER_WORDS" },
482 { 208, "IP_OPTION_MAP" },
483 { 209, "TCP_OPTION_MAP" },
484 { 210, "paddingOctets" },
485 { 211, "collectorIPv4Address" },
486 { 212, "collectorIPv6Address" },
487 { 213, "collectorInterface" },
488 { 214, "collectorProtocolVersion" },
489 { 215, "collectorTransportProtocol" },
490 { 216, "collectorTransportPort" },
491 { 217, "exporterTransportPort" },
492 { 218, "tcpSynTotalCount" },
493 { 219, "tcpFinTotalCount" },
494 { 220, "tcpRstTotalCount" },
495 { 221, "tcpPshTotalCount" },
496 { 222, "tcpAckTotalCount" },
497 { 223, "tcpUrgTotalCount" },
498 { 224, "ipTotalLength" },
499 { 225, "postNATSourceIPv4Address" },
500 { 226, "postNATDestinationIPv4Address" },
501 { 227, "postNAPTSourceTransportPort" },
502 { 228, "postNAPTDestinationTransportPort" },
503 { 229, "natOriginatingAddressRealm" },
504 { 230, "natEvent" },
505 { 231, "initiatorOctets" },
506 { 232, "responderOctets" },
507 { 233, "firewallEvent" },
508 { 234, "ingressVRFID" },
509 { 235, "egressVRFID" },
510 { 236, "VRFname" },
511 { 237, "postMplsTopLabelExp" },
512 { 238, "tcpWindowScale" },
513 { 239, "biflowDirection" },
514 { 240, "ethernetHeaderLength" },
515 { 241, "ethernetPayloadLength" },
516 { 242, "ethernetTotalLength" },
517 { 243, "dot1qVlanId" },
518 { 244, "dot1qPriority" },
519 { 245, "dot1qCustomerVlanId" },
520 { 246, "dot1qCustomerPriority" },
521 { 247, "metroEvcId" },
522 { 248, "metroEvcType" },
523 { 249, "pseudoWireId" },
524 { 250, "pseudoWireType" },
525 { 251, "pseudoWireControlWord" },
526 { 252, "ingressPhysicalInterface" },
527 { 253, "egressPhysicalInterface" },
528 { 254, "postDot1qVlanId" },
529 { 255, "postDot1qCustomerVlanId" },
530 { 256, "ethernetType" },
531 { 257, "postIpPrecedence" },
532 { 258, "collectionTimeMilliseconds" },
533 { 259, "exportSctpStreamId" },
534 { 260, "maxExportSeconds" },
535 { 261, "maxFlowEndSeconds" },
536 { 262, "messageMD5Checksum" },
537 { 263, "messageScope" },
538 { 264, "minExportSeconds" },
539 { 265, "minFlowStartSeconds" },
540 { 266, "opaqueOctets" },
541 { 267, "sessionScope" },
542 { 268, "maxFlowEndMicroseconds" },
543 { 269, "maxFlowEndMilliseconds" },
544 { 270, "maxFlowEndNanoseconds" },
545 { 271, "minFlowStartMicroseconds" },
546 { 272, "minFlowStartMilliseconds" },
547 { 273, "minFlowStartNanoseconds" },
548 { 274, "collectorCertificate" },
549 { 275, "exporterCertificate" },
550 { 301, "selectionSequenceId" },
551 { 302, "selectorId" },
552 { 303, "informationElementId" },
553 { 304, "selectorAlgorithm" },
554 { 305, "samplingPacketInterval" },
555 { 306, "samplingPacketSpace" },
556 { 307, "samplingTimeInterval" },
557 { 308, "samplingTimeSpace" },
558 { 309, "samplingSize" },
559 { 310, "samplingPopulation" },
560 { 311, "samplingProbability" },
561 { 313, "IP_SECTION HEADER" },
562 { 314, "IP_SECTION PAYLOAD" },
563 { 316, "mplsLabelStackSection" },
564 { 317, "mplsPayloadPacketSection" },
565 { 318, "selectorIdTotalPktsObserved" },
566 { 319, "selectorIdTotalPktsSelected" },
567 { 320, "absoluteError" },
568 { 321, "relativeError" },
569 { 322, "observationTimeSeconds" },
570 { 323, "observationTimeMilliseconds" },
571 { 324, "observationTimeMicroseconds" },
572 { 325, "observationTimeNanoseconds" },
573 { 326, "digestHashValue" },
574 { 327, "hashIPPayloadOffset" },
575 { 328, "hashIPPayloadSize" },
576 { 329, "hashOutputRangeMin" },
577 { 330, "hashOutputRangeMax" },
578 { 331, "hashSelectedRangeMin" },
579 { 332, "hashSelectedRangeMax" },
580 { 333, "hashDigestOutput" },
581 { 334, "hashInitialiserValue" },
582 { 335, "selectorName" },
583 { 336, "upperCILimit" },
584 { 337, "lowerCILimit" },
585 { 338, "confidenceLevel" },
586 { 339, "informationElementDataType" },
587 { 340, "informationElementDescription" },
588 { 341, "informationElementName" },
589 { 342, "informationElementRangeBegin" },
590 { 343, "informationElementRangeEnd" },
591 { 344, "informationElementSemantics" },
592 { 345, "informationElementUnits" },
593 { 346, "privateEnterpriseNumber" },
594 /* Ericsson NAT Logging */
595 { 24628, "NAT_LOG_FIELD_IDX_CONTEXT_ID" },
596 { 24629, "NAT_LOG_FIELD_IDX_CONTEXT_NAME" },
597 { 24630, "NAT_LOG_FIELD_IDX_ASSIGN_TS_SEC" },
598 { 24631, "NAT_LOG_FIELD_IDX_UNASSIGN_TS_SEC" },
599 { 24632, "NAT_LOG_FIELD_IDX_IPV4_INT_ADDR" },
600 { 24633, "NAT_LOG_FIELD_IDX_IPV4_EXT_ADDR" },
601 { 24634, "NAT_LOG_FIELD_IDX_EXT_PORT_FIRST" },
602 { 24635, "NAT_LOG_FIELD_IDX_EXT_PORT_LAST" },
603 /* Cisco ASA5500 Series NetFlow */
604 { 33000, "INGRESS_ACL_ID" },
605 { 33001, "EGRESS_ACL_ID" },
606 { 33002, "FW_EXT_EVENT" },
607 /* Cisco TrustSec */
608 { 34000, "SGT_SOURCE_TAG" },
609 { 34001, "SGT_DESTINATION_TAG" },
610 { 34002, "SGT_SOURCE_NAME" },
611 { 34003, "SGT_DESTINATION_NAME" },
612 /* medianet performance monitor */
613 { 37000, "PACKETS_DROPPED" },
614 { 37003, "BYTE_RATE" },
615 { 37004, "APPLICATION_MEDIA_BYTES" },
616 { 37006, "APPLICATION_MEDIA_BYTE_RATE" },
617 { 37007, "APPLICATION_MEDIA_PACKETS" },
618 { 37009, "APPLICATION_MEDIA_PACKET_RATE" },
619 { 37011, "APPLICATION_MEDIA_EVENT" },
620 { 37012, "MONITOR_EVENT" },
621 { 37013, "TIMESTAMP_INTERVAL" },
622 { 37014, "TRANSPORT_PACKETS_EXPECTED" },
623 { 37016, "TRANSPORT_ROUND_TRIP_TIME" },
624 { 37017, "TRANSPORT_EVENT_PACKET_LOSS" },
625 { 37019, "TRANSPORT_PACKETS_LOST" },
626 { 37021, "TRANSPORT_PACKETS_LOST_RATE" },
627 { 37022, "TRANSPORT_RTP_SSRC" },
628 { 37023, "TRANSPORT_RTP_JITTER_MEAN" },
629 { 37024, "TRANSPORT_RTP_JITTER_MIN" },
630 { 37025, "TRANSPORT_RTP_JITTER_MAX" },
631 { 37041, "TRANSPORT_RTP_PAYLOAD_TYPE" },
632 { 37071, "TRANSPORT_BYTES_OUT_OF_ORDER" },
633 { 37074, "TRANSPORT_PACKETS_OUT_OF_ORDER" },
634 { 37083, "TRANSPORT_TCP_WINDOWS_SIZE_MIN" },
635 { 37084, "TRANSPORT_TCP_WINDOWS_SIZE_MAX" },
636 { 37085, "TRANSPORT_TCP_WINDOWS_SIZE_MEAN" },
637 { 37086, "TRANSPORT_TCP_MAXIMUM_SEGMENT_SIZE" },
638 { 40000, "AAA_USERNAME" },
639 { 40001, "XLATE_SRC_ADDR_IPV4" },
640 { 40002, "XLATE_DST_ADDR_IPV4" },
641 { 40003, "XLATE_SRC_PORT" },
642 { 40004, "XLATE_DST_PORT" },
643 { 40005, "FW_EVENT" },
644 /* v9 nTop extensions. */
645 { 80 + NTOP_BASE, "FRAGMENTS" },
646 { 82 + NTOP_BASE, "CLIENT_NW_DELAY_SEC" },
647 { 83 + NTOP_BASE, "CLIENT_NW_DELAY_USEC" },
648 { 84 + NTOP_BASE, "SERVER_NW_DELAY_SEC" },
649 { 85 + NTOP_BASE, "SERVER_NW_DELAY_USEC" },
650 { 86 + NTOP_BASE, "APPL_LATENCY_SEC" },
651 { 87 + NTOP_BASE, "APPL_LATENCY_USEC" },
652 { 98 + NTOP_BASE, "ICMP_FLAGS" },
653 { 101 + NTOP_BASE, "SRC_IP_COUNTRY" },
654 { 102 + NTOP_BASE, "SRC_IP_CITY" },
655 { 103 + NTOP_BASE, "DST_IP_COUNTRY" },
656 { 104 + NTOP_BASE, "DST_IP_CITY" },
657 { 105 + NTOP_BASE, "FLOW_PROTO_PORT" },
658 { 106 + NTOP_BASE, "TUNNEL_ID" },
659 { 107 + NTOP_BASE, "LONGEST_FLOW_PKT" },
660 { 108 + NTOP_BASE, "SHORTEST_FLOW_PKT" },
661 { 109 + NTOP_BASE, "RETRANSMITTED_IN_PKTS" },
662 { 110 + NTOP_BASE, "RETRANSMITTED_OUT_PKTS" },
663 { 111 + NTOP_BASE, "OOORDER_IN_PKTS" },
664 { 112 + NTOP_BASE, "OOORDER_OUT_PKTS" },
665 { 113 + NTOP_BASE, "UNTUNNELED_PROTOCOL" },
666 { 114 + NTOP_BASE, "UNTUNNELED_IPV4_SRC_ADDR" },
667 { 115 + NTOP_BASE, "UNTUNNELED_L4_SRC_PORT" },
668 { 116 + NTOP_BASE, "UNTUNNELED_IPV4_DST_ADDR" },
669 { 117 + NTOP_BASE, "UNTUNNELED_L4_DST_PORT" },
670 { 120 + NTOP_BASE, "DUMP_PATH" },
671 { 130 + NTOP_BASE, "SIP_CALL_ID" },
672 { 131 + NTOP_BASE, "SIP_CALLING_PARTY" },
673 { 132 + NTOP_BASE, "SIP_CALLED_PARTY" },
674 { 133 + NTOP_BASE, "SIP_RTP_CODECS" },
675 { 134 + NTOP_BASE, "SIP_INVITE_TIME" },
676 { 135 + NTOP_BASE, "SIP_TRYING_TIME" },
677 { 136 + NTOP_BASE, "SIP_RINGING_TIME" },
678 { 137 + NTOP_BASE, "SIP_OK_TIME" },
679 { 138 + NTOP_BASE, "SIP_BYE_TIME" },
680 { 139 + NTOP_BASE, "SIP_RTP_SRC_IP" },
681 { 140 + NTOP_BASE, "SIP_RTP_SRC_PORT" },
682 { 141 + NTOP_BASE, "SIP_RTP_DST_IP" },
683 { 142 + NTOP_BASE, "SIP_RTP_DST_PORT" },
684 { 150 + NTOP_BASE, "RTP_FIRST_SSRC" },
685 { 151 + NTOP_BASE, "RTP_FIRST_TS" },
686 { 152 + NTOP_BASE, "RTP_LAST_SSRC" },
687 { 153 + NTOP_BASE, "RTP_LAST_TS" },
688 { 154 + NTOP_BASE, "RTP_IN_JITTER" },
689 { 155 + NTOP_BASE, "RTP_OUT_JITTER" },
690 { 156 + NTOP_BASE, "RTP_IN_PKT_LOST" },
691 { 157 + NTOP_BASE, "RTP_OUT_PKT_LOST" },
692 { 158 + NTOP_BASE, "RTP_OUT_PAYLOAD_TYPE" },
693 { 159 + NTOP_BASE, "RTP_IN_MAX_DELTA" },
694 { 160 + NTOP_BASE, "RTP_OUT_MAX_DELTA" },
695 { 165 + NTOP_BASE, "L7_PROTO" },
696 { 180 + NTOP_BASE, "HTTP_URL" },
697 { 181 + NTOP_BASE, "HTTP_RET_CODE" },
698 { 182 + NTOP_BASE, "HTTP_REFERER" },
699 { 183 + NTOP_BASE, "HTTP_UA" },
700 { 184 + NTOP_BASE, "HTTP_MIME" },
701 { 185 + NTOP_BASE, "SMTP_MAIL_FROM" },
702 { 186 + NTOP_BASE, "SMTP_RCPT_TO" },
703 { 195 + NTOP_BASE, "MYSQL_SERVER_VERSION" },
704 { 196 + NTOP_BASE, "MYSQL_USERNAME" },
705 { 197 + NTOP_BASE, "MYSQL_DB" },
706 { 198 + NTOP_BASE, "MYSQL_QUERY" },
707 { 199 + NTOP_BASE, "MYSQL_RESPONSE" },
708 { 0, NULL }
709 };
710 static value_string_ext v9_v10_template_types_ext = VALUE_STRING_EXT_INIT(v9_v10_template_types);
711
712 static const value_string v10_template_types_plixer[] = {
713 { 100, "client_ip_v4" },
714 { 101, "client_hostname" },
715 { 102, "partner_name" },
716 { 103, "server_hostname" },
717 { 104, "server_ip_v4" },
718 { 105, "recipient_address" },
719 { 106, "event_id" },
720 { 107, "msgid" },
721 { 108, "priority" },
722 { 109, "recipient_report_status" },
723 { 110, "number_recipients" },
724 { 111, "origination_time" },
725 { 112, "encryption" },
726 { 113, "service_version" },
727 { 114, "linked_msgid" },
728 { 115, "message_subject" },
729 { 116, "sender_address" },
730 { 117, "date_time" },
731 { 118, "client_ip_v6" },
732 { 119, "server_ip_v6" },
733 { 120, "source_context" },
734 { 121, "connector_id" },
735 { 122, "source_component" },
736 { 124, "related_recipient_address" },
737 { 125, "reference" },
738 { 126, "return_path" },
739 { 127, "message_info" },
740 { 128, "directionality" },
741 { 129, "tenant_id" },
742 { 130, "original_client_ip_v4" },
743 { 131, "original_server_ip_v4" },
744 { 132, "custom_data" },
745 { 133, "internal_message_id" },
746 { 0, NULL }
747 };
748 static value_string_ext v10_template_types_plixer_ext = VALUE_STRING_EXT_INIT(v10_template_types_plixer);
749
750 static const value_string v10_template_types_ntop[] = {
751 { 80, "FRAGMENTS" },
752 { 82, "CLIENT_NW_DELAY_SEC" },
753 { 83, "CLIENT_NW_DELAY_USEC" },
754 { 84, "SERVER_NW_DELAY_SEC" },
755 { 85, "SERVER_NW_DELAY_USEC" },
756 { 86, "APPL_LATENCY_SEC" },
757 { 87, "APPL_LATENCY_USEC" },
758 { 98, "ICMP_FLAGS" },
759 { 101, "SRC_IP_COUNTRY" },
760 { 102, "SRC_IP_CITY" },
761 { 103, "DST_IP_COUNTRY" },
762 { 104, "DST_IP_CITY" },
763 { 105, "FLOW_PROTO_PORT" },
764 { 106, "TUNNEL_ID" },
765 { 107, "LONGEST_FLOW_PKT" },
766 { 108, "SHORTEST_FLOW_PKT" },
767 { 109, "RETRANSMITTED_IN_PKTS" },
768 { 110, "RETRANSMITTED_OUT_PKTS" },
769 { 111, "OOORDER_IN_PKTS" },
770 { 112, "OOORDER_OUT_PKTS" },
771 { 113, "UNTUNNELED_PROTOCOL" },
772 { 114, "UNTUNNELED_IPV4_SRC_ADDR" },
773 { 115, "UNTUNNELED_L4_SRC_PORT" },
774 { 116, "UNTUNNELED_IPV4_DST_ADDR" },
775 { 117, "UNTUNNELED_L4_DST_PORT" },
776 { 120, "DUMP_PATH" },
777 { 130, "SIP_CALL_ID" },
778 { 131, "SIP_CALLING_PARTY" },
779 { 132, "SIP_CALLED_PARTY" },
780 { 133, "SIP_RTP_CODECS" },
781 { 134, "SIP_INVITE_TIME" },
782 { 135, "SIP_TRYING_TIME" },
783 { 136, "SIP_RINGING_TIME" },
784 { 137, "SIP_OK_TIME" },
785 { 138, "SIP_BYE_TIME" },
786 { 139, "SIP_RTP_SRC_IP" },
787 { 140, "SIP_RTP_SRC_PORT" },
788 { 141, "SIP_RTP_DST_IP" },
789 { 142, "SIP_RTP_DST_PORT" },
790 { 150, "RTP_FIRST_SSRC" },
791 { 151, "RTP_FIRST_TS" },
792 { 152, "RTP_LAST_SSRC" },
793 { 153, "RTP_LAST_TS" },
794 { 154, "RTP_IN_JITTER" },
795 { 155, "RTP_OUT_JITTER" },
796 { 156, "RTP_IN_PKT_LOST" },
797 { 157, "RTP_OUT_PKT_LOST" },
798 { 158, "RTP_OUT_PAYLOAD_TYPE" },
799 { 159, "RTP_IN_MAX_DELTA" },
800 { 160, "RTP_OUT_MAX_DELTA" },
801 { 165, "L7_PROTO" },
802 { 180, "HTTP_URL" },
803 { 181, "HTTP_RET_CODE" },
804 { 182, "HTTP_REFERER" },
805 { 183, "HTTP_UA" },
806 { 184, "HTTP_MIME" },
807 { 185, "SMTP_MAIL_FROM" },
808 { 186, "SMTP_RCPT_TO" },
809 { 195, "MYSQL_SERVER_VERSION" },
810 { 196, "MYSQL_USERNAME" },
811 { 197, "MYSQL_DB" },
812 { 198, "MYSQL_QUERY" },
813 { 199, "MYSQL_RESPONSE" },
814 { 0, NULL }
815 };
816 static value_string_ext v10_template_types_ntop_ext = VALUE_STRING_EXT_INIT(v10_template_types_ntop);
817
818 static const value_string v9_scope_field_types[] = {
819 { 1, "System" },
820 { 2, "Interface" },
821 { 3, "Line Card" },
822 { 4, "NetFlow Cache" },
823 { 5, "Template" },
824 { 0, NULL }
825 };
826 static value_string_ext v9_scope_field_types_ext = VALUE_STRING_EXT_INIT(v9_scope_field_types);
827
828 static const value_string v9_sampler_mode[] = {
829 { 0, "Deterministic" },
830 { 1, "Unknown" }, /* "Time-Based" ?? */
831 { 2, "Random" },
832 { 0, NULL }
833 };
834
835 static const value_string v9_direction[] = {
836 { 0, "Ingress" },
837 { 1, "Egress" },
838 { 0, NULL }
839 };
840
841 #define FORWARDING_STATUS_UNKNOWN 0
842 #define FORWARDING_STATUS_FORWARD 1
843 #define FORWARDING_STATUS_DROP 2
844 #define FORWARDING_STATUS_CONSUME 3
845
846 static const value_string v9_forwarding_status[] = {
847 { FORWARDING_STATUS_UNKNOWN, "Unknown"}, /* Observed on IOS-XR 3.2 */
848 { FORWARDING_STATUS_FORWARD, "Forward"}, /* Observed on 7200 12.4(9)T */
849 { FORWARDING_STATUS_DROP, "Drop"}, /* Observed on 7200 12.4(9)T */
850 { FORWARDING_STATUS_CONSUME, "Consume"}, /* Observed on 7200 12.4(9)T */
851 { 0, NULL }
852 };
853
854 static const value_string v9_forwarding_status_unknown_code[] = {
855 { 0, NULL }
856 };
857
858 static const value_string v9_forwarding_status_forward_code[] = {
859 { 0, "Forwarded (Unknown)" },
860 { 1, "Forwarded Fragmented" },
861 { 2, "Forwarded not Fragmented" },
862 { 0, NULL }
863 };
864
865 static const value_string v9_forwarding_status_drop_code[] = {
866 { 0, "Dropped (Unknown)" },
867 { 1, "Drop ACL Deny" },
868 { 2, "Drop ACL drop" },
869 { 3, "Drop Unroutable" },
870 { 4, "Drop Adjacency" },
871 { 5, "Drop Fragmentation & DF set" },
872 { 6, "Drop Bad header checksum" },
873 { 7, "Drop Bad total Length" },
874 { 8, "Drop Bad Header Length" },
875 { 9, "Drop bad TTL" },
876 { 10, "Drop Policer" },
877 { 11, "Drop WRED" },
878 { 12, "Drop RPF" },
879 { 13, "Drop For us" },
880 { 14, "Drop Bad output interface" },
881 { 15, "Drop Hardware" },
882 { 0, NULL }
883 };
884
885 static const value_string v9_forwarding_status_consume_code[] = {
886 { 0, "Consumed (Unknown)" },
887 { 1, "Terminate Punt Adjacency" },
888 { 2, "Terminate Incomplete Adjacency" },
889 { 3, "Terminate For us" },
890 { 0, NULL }
891 };
892
893 static const value_string v9_firewall_event[] = {
894 { 0, "Default (ignore)"},
895 { 1, "Flow created"},
896 { 2, "Flow deleted"},
897 { 3, "Flow denied"},
898 { 4, "Flow alert"},
899 { 0, NULL }
900 };
901
902 static const value_string v9_extended_firewall_event[] = {
903 { 0, "ignore"},
904 { 1001, "Flow denied by an ingress ACL"},
905 { 1002, "Flow denied by an egress ACL"},
906 { 1003, "Flow denied by security appliance"},
907 { 1004, "Flow denied (TCP flow beginning with not TCP SYN)"},
908 { 0, NULL }
909 };
910
911 static const value_string engine_type[] = {
912 { 0, "RP"},
913 { 1, "VIP/Linecard"},
914 { 2, "PFC/DFC" },
915 { 0, NULL }
916 };
917
918 static const value_string v9_flow_end_reason[] = {
919 { 0, "Unknown"},
920 { 1, "Idle timeout"},
921 { 2, "Active timeout" },
922 { 3, "End of Flow detected" },
923 { 4, "Forced end" },
924 { 5, "Lack of resources" },
925 { 0, NULL }
926 };
927
928 static const value_string v9_biflow_direction[] = {
929 { 0, "Arbitrary"},
930 { 1, "Initiator"},
931 { 2, "ReverseInitiator" },
932 { 3, "Perimeter" },
933 { 0, NULL }
934 };
935
936 static const value_string selector_algorithm[] = {
937 { 0, "Reserved"},
938 { 1, "Systematic count-based Sampling"},
939 { 2, "Systematic time-based Sampling"},
940 { 3, "Random n-out-of-N Sampling"},
941 { 4, "Uniform probabilistic Sampling"},
942 { 5, "Property match Filtering"},
943 { 6, "Hash based Filtering using BOB"},
944 { 7, "Hash based Filtering using IPSX"},
945 { 8, "Hash based Filtering using CRC"},
946 { 0, NULL }
947 };
948 static value_string_ext selector_algorithm_ext = VALUE_STRING_EXT_INIT(selector_algorithm);
949
950 static const value_string performance_monitor_specials[] = {
951 { 0xFFFFFFFF, "Not Measured"},
952 { 0xFFFF, "Not Measured"},
953 { 0xFF, "Not Measured"},
954 { 0, NULL }
955 };
956
957
958 /*
959 * wireshark tree identifiers
960 */
961
962 static int proto_netflow = -1;
963 static int ett_netflow = -1;
964 static int ett_unixtime = -1;
965 static int ett_flow = -1;
966 static int ett_flowtime = -1;
967 static int ett_str_len = -1;
968 static int ett_template = -1;
969 static int ett_field = -1;
970 static int ett_dataflowset = -1;
971 static int ett_fwdstat = -1;
972
973 /*
974 * cflow header
975 */
976
977 static int hf_cflow_version = -1;
978 static int hf_cflow_count = -1;
979 static int hf_cflow_len = -1;
980 static int hf_cflow_sysuptime = -1;
981 static int hf_cflow_exporttime = -1;
982 static int hf_cflow_unix_secs = -1;
983 static int hf_cflow_unix_nsecs = -1;
984 static int hf_cflow_timestamp = -1;
985 static int hf_cflow_samplingmode = -1;
986 static int hf_cflow_samplerate = -1;
987
988 static int hf_cflow_unknown_field_type = -1;
989
990 /*
991 * cflow version specific info
992 */
993 static int hf_cflow_sequence = -1;
994 static int hf_cflow_engine_type = -1;
995 static int hf_cflow_engine_id = -1;
996 static int hf_cflow_source_id = -1;
997
998 static int hf_cflow_aggmethod = -1;
999 static int hf_cflow_aggversion = -1;
1000
1001 /* Version 9 */
1002
1003 static int hf_cflow_flowset_id = -1;
1004 static int hf_cflow_flowset_length = -1;
1005 static int hf_cflow_template_id = -1;
1006 static int hf_cflow_template_field_count = -1;
1007 static int hf_cflow_template_field_type = -1;
1008 static int hf_cflow_template_field_length = -1;
1009 static int hf_cflow_option_scope_length = -1;
1010 static int hf_cflow_option_length = -1;
1011 static int hf_cflow_template_scope_field_type = -1;
1012
1013 static int hf_cflow_scope_system = -1;
1014 static int hf_cflow_scope_interface = -1;
1015 static int hf_cflow_scope_linecard = -1;
1016 static int hf_cflow_scope_cache = -1;
1017 static int hf_cflow_scope_template = -1;
1018
1019 /* IPFIX */
1020 static int hf_cflow_template_ipfix_total_field_count = -1;
1021 static int hf_cflow_template_ipfix_scope_field_count = -1;
1022 static int hf_cflow_template_ipfix_pen_provided = -1;
1023 static int hf_cflow_template_ipfix_field_type = -1;
1024 static int hf_cflow_template_ipfix_field_type_enterprise = -1;
1025 static int hf_cflow_template_ipfix_field_pen = -1;
1026
1027 /* IPFIX / vendor */
1028 static int hf_cflow_template_plixer_field_type = -1;
1029 static int hf_cflow_template_ntop_field_type = -1;
1030
1031
1032 /*
1033 * pdu storage
1034 */
1035 static int hf_cflow_srcaddr = -1;
1036 static int hf_cflow_srcaddr_v6 = -1;
1037 static int hf_cflow_srcnet = -1;
1038 static int hf_cflow_dstaddr = -1;
1039 static int hf_cflow_dstaddr_v6 = -1;
1040 static int hf_cflow_dstnet = -1;
1041 static int hf_cflow_nexthop = -1;
1042 static int hf_cflow_nexthop_v6 = -1;
1043 static int hf_cflow_bgpnexthop = -1;
1044 static int hf_cflow_bgpnexthop_v6 = -1;
1045 static int hf_cflow_inputint = -1;
1046 static int hf_cflow_outputint = -1;
1047 static int hf_cflow_flows = -1;
1048 static int hf_cflow_flows64 = -1;
1049 static int hf_cflow_packets = -1;
1050 static int hf_cflow_packets64 = -1;
1051 static int hf_cflow_octets = -1;
1052 static int hf_cflow_octets64 = -1;
1053 static int hf_cflow_length_min = -1;
1054 static int hf_cflow_length_max = -1;
1055 static int hf_cflow_length_min64 = -1;
1056 static int hf_cflow_length_max64 = -1;
1057 static int hf_cflow_timedelta = -1;
1058 static int hf_cflow_sys_init_time = -1;
1059 static int hf_cflow_timestart = -1;
1060 static int hf_cflow_timeend = -1;
1061 static int hf_cflow_srcport = -1;
1062 static int hf_cflow_dstport = -1;
1063 static int hf_cflow_prot = -1;
1064 static int hf_cflow_tos = -1;
1065 static int hf_cflow_flags = -1;
1066 static int hf_cflow_tcpflags = -1;
1067 static int hf_cflow_dstas = -1;
1068 static int hf_cflow_srcas = -1;
1069 static int hf_cflow_dstmask = -1;
1070 static int hf_cflow_dstmask_v6 = -1;
1071 static int hf_cflow_srcmask = -1;
1072 static int hf_cflow_srcmask_v6 = -1;
1073 static int hf_cflow_routersc = -1;
1074 static int hf_cflow_mulpackets = -1;
1075 static int hf_cflow_muloctets = -1;
1076 static int hf_cflow_octets_exp = -1;
1077 static int hf_cflow_octets_exp64 = -1;
1078 static int hf_cflow_packets_exp = -1;
1079 static int hf_cflow_packets_exp64 = -1;
1080 static int hf_cflow_flows_exp = -1;
1081 static int hf_cflow_flows_exp64 = -1;
1082 static int hf_cflow_srcprefix = -1;
1083 static int hf_cflow_dstprefix = -1;
1084 static int hf_cflow_flow_class = -1;
1085 static int hf_cflow_ttl_minimum = -1;
1086 static int hf_cflow_ttl_maximum = -1;
1087 static int hf_cflow_ipv4_id = -1;
1088 static int hf_cflow_ip_version = -1;
1089 static int hf_cflow_icmp_type = -1;
1090 static int hf_cflow_igmp_type = -1;
1091 static int hf_cflow_sampling_interval = -1;
1092 static int hf_cflow_sampling_algorithm = -1;
1093 static int hf_cflow_flow_active_timeout = -1;
1094 static int hf_cflow_flow_inactive_timeout = -1;
1095 static int hf_cflow_mpls_top_label_type = -1;
1096 static int hf_cflow_mpls_pe_addr = -1;
1097 static int hf_cflow_sampler_id = -1;
1098 static int hf_cflow_sampler_mode = -1;
1099 static int hf_cflow_sampler_random_interval = -1;
1100 static int hf_cflow_direction = -1;
1101 static int hf_cflow_if_name = -1;
1102 static int hf_cflow_if_descr = -1;
1103 static int hf_cflow_sampler_name = -1;
1104 static int hf_cflow_forwarding_status = -1;
1105 static int hf_cflow_forwarding_status_unknown_code = -1;
1106 static int hf_cflow_forwarding_status_forward_code = -1;
1107 static int hf_cflow_forwarding_status_consume_code = -1;
1108 static int hf_cflow_forwarding_status_drop_code = -1;
1109 static int hf_cflow_nbar_appl_desc = -1;
1110 static int hf_cflow_nbar_appl_id = -1;
1111 static int hf_cflow_nbar_appl_name = -1;
1112 static int hf_cflow_peer_srcas = -1;
1113 static int hf_cflow_peer_dstas = -1;
1114 static int hf_cflow_flow_exporter = -1;
1115 static int hf_cflow_icmp_ipv4_type = -1;
1116 static int hf_cflow_icmp_ipv4_code = -1;
1117 static int hf_cflow_icmp_ipv6_type = -1;
1118 static int hf_cflow_icmp_ipv6_code = -1;
1119 static int hf_cflow_tcp_window_size = -1;
1120 static int hf_cflow_ipv4_total_length = -1;
1121 static int hf_cflow_ip_ttl = -1;
1122 static int hf_cflow_ip_tos = -1;
1123 static int hf_cflow_ip_dscp = -1;
1124 static int hf_cflow_octets_squared64 = -1;
1125 static int hf_cflow_udp_length = -1;
1126 static int hf_cflow_is_multicast = -1;
1127 static int hf_cflow_ip_header_words = -1;
1128 static int hf_cflow_option_map = -1;
1129 static int hf_cflow_section_header = -1;
1130 static int hf_cflow_section_payload = -1;
1131 /* IPFIX (version 10) Information Elements */
1132 static int hf_cflow_post_octets = -1;
1133 static int hf_cflow_post_octets64 = -1;
1134 static int hf_cflow_post_packets = -1;
1135 static int hf_cflow_post_packets64 = -1;
1136 static int hf_cflow_ipv6_flowlabel = -1;
1137 static int hf_cflow_ipv6_flowlabel24 = -1;
1138 static int hf_cflow_post_tos = -1;
1139 static int hf_cflow_srcmac = -1;
1140 static int hf_cflow_post_dstmac = -1;
1141 static int hf_cflow_vlanid = -1;
1142 static int hf_cflow_post_vlanid = -1;
1143 static int hf_cflow_ipv6_exthdr = -1;
1144 static int hf_cflow_dstmac = -1;
1145 static int hf_cflow_post_srcmac = -1;
1146 static int hf_cflow_permanent_packets = -1;
1147 static int hf_cflow_permanent_packets64 = -1;
1148 static int hf_cflow_permanent_octets = -1;
1149 static int hf_cflow_permanent_octets64 = -1;
1150 static int hf_cflow_fragment_offset = -1;
1151 static int hf_cflow_mpls_vpn_rd = -1;
1152 static int hf_cflow_mpls_top_label_prefix_length = -1; /* ID: 91 */
1153 static int hf_cflow_post_ip_diff_serv_code_point = -1; /* ID: 98 */
1154 static int hf_cflow_multicast_replication_factor = -1; /* ID: 99 */
1155 static int hf_cflow_exporter_addr = -1;
1156 static int hf_cflow_exporter_addr_v6 = -1;
1157 static int hf_cflow_drop_octets = -1;
1158 static int hf_cflow_drop_octets64 = -1;
1159 static int hf_cflow_drop_packets = -1;
1160 static int hf_cflow_drop_packets64 = -1;
1161 static int hf_cflow_drop_total_octets = -1;
1162 static int hf_cflow_drop_total_octets64 = -1;
1163 static int hf_cflow_drop_total_packets = -1;
1164 static int hf_cflow_drop_total_packets64 = -1;
1165 static int hf_cflow_flow_end_reason = -1;
1166 static int hf_cflow_common_properties_id = -1;
1167 static int hf_cflow_observation_point_id = -1;
1168 static int hf_cflow_mpls_pe_addr_v6 = -1;
1169 static int hf_cflow_port_id = -1;
1170 static int hf_cflow_mp_id = -1;
1171 static int hf_cflow_wlan_channel_id = -1;
1172 static int hf_cflow_wlan_ssid = -1;
1173 static int hf_cflow_flow_id = -1;
1174 static int hf_cflow_od_id = -1;
1175 static int hf_cflow_abstimestart = -1;
1176 static int hf_cflow_abstimeend = -1;
1177 static int hf_cflow_dstnet_v6 = -1;
1178 static int hf_cflow_srcnet_v6 = -1;
1179 static int hf_cflow_ignore_packets = -1;
1180 static int hf_cflow_ignore_packets64 = -1;
1181 static int hf_cflow_ignore_octets = -1;
1182 static int hf_cflow_ignore_octets64 = -1;
1183 static int hf_cflow_notsent_flows = -1;
1184 static int hf_cflow_notsent_flows64 = -1;
1185 static int hf_cflow_notsent_packets = -1;
1186 static int hf_cflow_notsent_packets64 = -1;
1187 static int hf_cflow_notsent_octets = -1;
1188 static int hf_cflow_notsent_octets64 = -1;
1189 static int hf_cflow_post_total_octets = -1;
1190 static int hf_cflow_post_total_octets64 = -1;
1191 static int hf_cflow_post_total_packets = -1;
1192 static int hf_cflow_post_total_packets64 = -1;
1193 static int hf_cflow_key = -1;
1194 static int hf_cflow_post_total_mulpackets = -1;
1195 static int hf_cflow_post_total_mulpackets64 = -1;
1196 static int hf_cflow_post_total_muloctets = -1;
1197 static int hf_cflow_post_total_muloctets64 = -1;
1198 static int hf_cflow_tcp_seq_num = -1;
1199 static int hf_cflow_tcp_ack_num = -1;
1200 static int hf_cflow_tcp_urg_ptr = -1;
1201 static int hf_cflow_tcp_header_length = -1;
1202 static int hf_cflow_ip_header_length = -1;
1203 static int hf_cflow_ipv6_payload_length = -1;
1204 static int hf_cflow_ipv6_next_hdr = -1;
1205 static int hf_cflow_ip_precedence = -1;
1206 static int hf_cflow_ip_fragment_flags = -1;
1207 static int hf_cflow_mpls_top_label_ttl = -1;
1208 static int hf_cflow_mpls_label_length = -1;
1209 static int hf_cflow_mpls_label_depth = -1;
1210 static int hf_cflow_mpls_top_label_exp = -1;
1211 static int hf_cflow_ip_payload_length = -1;
1212 static int hf_cflow_tcp_option_map = -1;
1213 static int hf_cflow_collector_addr = -1;
1214 static int hf_cflow_collector_addr_v6 = -1;
1215 static int hf_cflow_export_interface = -1;
1216 static int hf_cflow_export_protocol_version = -1;
1217 static int hf_cflow_export_prot = -1;
1218 static int hf_cflow_collector_port = -1;
1219 static int hf_cflow_exporter_port = -1;
1220 static int hf_cflow_total_tcp_syn = -1;
1221 static int hf_cflow_total_tcp_fin = -1;
1222 static int hf_cflow_total_tcp_rst = -1;
1223 static int hf_cflow_total_tcp_psh = -1;
1224 static int hf_cflow_total_tcp_ack = -1;
1225 static int hf_cflow_total_tcp_urg = -1;
1226 static int hf_cflow_ip_total_length = -1;
1227 static int hf_cflow_post_natsource_ipv4_address = -1; /* ID: 225 */
1228 static int hf_cflow_post_natdestination_ipv4_address = -1; /* ID: 226 */
1229 static int hf_cflow_post_naptsource_transport_port = -1; /* ID: 227 */
1230 static int hf_cflow_post_naptdestination_transport_port = -1; /* ID: 228 */
1231 static int hf_cflow_nat_originating_address_realm = -1; /* ID: 229 */
1232 static int hf_cflow_nat_event = -1; /* ID: 230 */
1233 static int hf_cflow_initiator_octets = -1; /* ID: 231 */
1234 static int hf_cflow_responder_octets = -1; /* ID: 232 */
1235 static int hf_cflow_firewall_event = -1; /* ID: 233 */
1236 static int hf_cflow_ingress_vrfid = -1; /* ID: 234 */
1237 static int hf_cflow_egress_vrfid = -1; /* ID: 235 */
1238 static int hf_cflow_vrfname = -1; /* ID: 236 */
1239 static int hf_cflow_post_mpls_top_label_exp = -1; /* ID: 237 */
1240 static int hf_cflow_tcp_window_scale = -1; /* ID: 238 */
1241 static int hf_cflow_biflow_direction = -1;
1242 static int hf_cflow_ethernet_header_length = -1; /* ID: 240 */
1243 static int hf_cflow_ethernet_payload_length = -1; /* ID: 241 */
1244 static int hf_cflow_ethernet_total_length = -1; /* ID: 242 */
1245 static int hf_cflow_dot1q_vlan_id = -1; /* ID: 243 */
1246 static int hf_cflow_dot1q_priority = -1; /* ID: 244 */
1247 static int hf_cflow_dot1q_customer_vlan_id = -1; /* ID: 245 */
1248 static int hf_cflow_dot1q_customer_priority = -1; /* ID: 246 */
1249 static int hf_cflow_metro_evc_id = -1; /* ID: 247 */
1250 static int hf_cflow_metro_evc_type = -1; /* ID: 248 */
1251 static int hf_cflow_pseudo_wire_id = -1; /* ID: 249 */
1252 static int hf_cflow_pseudo_wire_type = -1; /* ID: 250 */
1253 static int hf_cflow_pseudo_wire_control_word = -1; /* ID: 251 */
1254 static int hf_cflow_ingress_physical_interface = -1; /* ID: 252 */
1255 static int hf_cflow_egress_physical_interface = -1; /* ID: 253 */
1256 static int hf_cflow_post_dot1q_vlan_id = -1; /* ID: 254 */
1257 static int hf_cflow_post_dot1q_customer_vlan_id = -1; /* ID: 255 */
1258 static int hf_cflow_ethernet_type = -1; /* ID: 256 */
1259 static int hf_cflow_post_ip_precedence = -1; /* ID: 257 */
1260 static int hf_cflow_collection_time_milliseconds = -1; /* ID: 258 */
1261 static int hf_cflow_export_sctp_stream_id = -1; /* ID: 259 */
1262 static int hf_cflow_max_export_seconds = -1; /* ID: 260 */
1263 static int hf_cflow_max_flow_end_seconds = -1; /* ID: 261 */
1264 static int hf_cflow_message_md5_checksum = -1; /* ID: 262 */
1265 static int hf_cflow_message_scope = -1; /* ID: 263 */
1266 static int hf_cflow_min_export_seconds = -1; /* ID: 264 */
1267 static int hf_cflow_min_flow_start_seconds = -1; /* ID: 265 */
1268 static int hf_cflow_opaque_octets = -1; /* ID: 266 */
1269 static int hf_cflow_session_scope = -1; /* ID: 267 */
1270 static int hf_cflow_max_flow_end_microseconds = -1; /* ID: 268 */
1271 static int hf_cflow_max_flow_end_milliseconds = -1; /* ID: 269 */
1272 static int hf_cflow_max_flow_end_nanoseconds = -1; /* ID: 270 */
1273 static int hf_cflow_min_flow_start_microseconds = -1; /* ID: 271 */
1274 static int hf_cflow_min_flow_start_milliseconds = -1; /* ID: 272 */
1275 static int hf_cflow_min_flow_start_nanoseconds = -1; /* ID: 273 */
1276 static int hf_cflow_collector_certificate = -1; /* ID: 274 */
1277 static int hf_cflow_exporter_certificate = -1; /* ID: 275 */
1278 static int hf_cflow_selection_sequence_id = -1; /* ID: 301 */
1279 static int hf_cflow_selector_id = -1; /* ID: 302 */
1280 static int hf_cflow_information_element_id = -1; /* ID: 303 */
1281 static int hf_cflow_selector_algorithm = -1; /* ID: 304 */
1282 static int hf_cflow_sampling_packet_interval = -1; /* ID: 305 */
1283 static int hf_cflow_sampling_packet_space = -1; /* ID: 306 */
1284 static int hf_cflow_sampling_time_interval = -1; /* ID: 307 */
1285 static int hf_cflow_sampling_time_space = -1; /* ID: 308 */
1286 static int hf_cflow_sampling_size = -1; /* ID: 309 */
1287 static int hf_cflow_sampling_population = -1; /* ID: 310 */
1288 static int hf_cflow_sampling_probability = -1; /* ID: 311 */
1289 static int hf_cflow_mpls_label_stack_section = -1; /* ID: 316 */
1290 static int hf_cflow_mpls_payload_packet_section = -1; /* ID: 317 */
1291 static int hf_cflow_selector_id_total_pkts_observed = -1; /* ID: 318 */
1292 static int hf_cflow_selector_id_total_pkts_selected = -1; /* ID: 319 */
1293 static int hf_cflow_absolute_error = -1; /* ID: 320 */
1294 static int hf_cflow_relative_error = -1; /* ID: 321 */
1295 static int hf_cflow_observation_time_seconds = -1; /* ID: 322 */
1296 static int hf_cflow_observation_time_milliseconds = -1; /* ID: 323 */
1297 static int hf_cflow_observation_time_microseconds = -1; /* ID: 324 */
1298 static int hf_cflow_observation_time_nanoseconds = -1; /* ID: 325 */
1299 static int hf_cflow_digest_hash_value = -1; /* ID: 326 */
1300 static int hf_cflow_hash_ippayload_offset = -1; /* ID: 327 */
1301 static int hf_cflow_hash_ippayload_size = -1; /* ID: 328 */
1302 static int hf_cflow_hash_output_range_min = -1; /* ID: 329 */
1303 static int hf_cflow_hash_output_range_max = -1; /* ID: 330 */
1304 static int hf_cflow_hash_selected_range_min = -1; /* ID: 331 */
1305 static int hf_cflow_hash_selected_range_max = -1; /* ID: 332 */
1306 static int hf_cflow_hash_digest_output = -1; /* ID: 333 */
1307 static int hf_cflow_hash_initialiser_value = -1; /* ID: 334 */
1308 static int hf_cflow_selector_name = -1; /* ID: 335 */
1309 static int hf_cflow_upper_cilimit = -1; /* ID: 336 */
1310 static int hf_cflow_lower_cilimit = -1; /* ID: 337 */
1311 static int hf_cflow_confidence_level = -1; /* ID: 338 */
1312 static int hf_cflow_information_element_data_type = -1; /* ID: 339 */
1313 static int hf_cflow_information_element_description = -1; /* ID: 340 */
1314 static int hf_cflow_information_element_name = -1; /* ID: 341 */
1315 static int hf_cflow_information_element_range_begin = -1; /* ID: 342 */
1316 static int hf_cflow_information_element_range_end = -1; /* ID: 343 */
1317 static int hf_cflow_information_element_semantics = -1; /* ID: 344 */
1318 static int hf_cflow_information_element_units = -1; /* ID: 345 */
1319 static int hf_cflow_private_enterprise_number = -1; /* ID: 346 */
1320 static int hf_cflow_cts_sgt_source_tag = -1; /* ID: 34000 */
1321 static int hf_cflow_cts_sgt_destination_tag = -1; /* ID: 34001 */
1322 static int hf_cflow_cts_sgt_source_name = -1; /* ID: 34002 */
1323 static int hf_cflow_cts_sgt_destination_name = -1; /* ID: 34003 */
1324 static int hf_cflow_packets_dropped = -1; /* ID: 37000 */
1325 static int hf_cflow_byte_rate = -1; /* ID: 37003 */
1326 static int hf_cflow_application_media_bytes = -1; /* ID: 37004 */
1327 static int hf_cflow_application_media_byte_rate = -1; /* ID: 37006 */
1328 static int hf_cflow_application_media_packets = -1; /* ID: 37007 */
1329 static int hf_cflow_application_media_packet_rate = -1; /* ID: 37009 */
1330 static int hf_cflow_application_media_event = -1; /* ID: 37011 */
1331 static int hf_cflow_monitor_event = -1; /* ID: 37012 */
1332 static int hf_cflow_timestamp_interval = -1; /* ID: 37013 */
1333 static int hf_cflow_transport_packets_expected = -1; /* ID: 37014 */
1334 static int hf_cflow_transport_round_trip_time = -1; /* ID: 37016 */
1335 static int hf_cflow_transport_round_trip_time_string = -1; /* ID: 37016 */
1336 static int hf_cflow_transport_event_packet_loss = -1; /* ID: 37017 */
1337 static int hf_cflow_transport_packets_lost = -1; /* ID: 37019 */
1338 static int hf_cflow_transport_packets_lost_string = -1; /* ID: 37019 */
1339 static int hf_cflow_transport_packets_lost_rate = -1; /* ID: 37021 */
1340 static int hf_cflow_transport_packets_lost_rate_string = -1; /* ID: 37021 */
1341 static int hf_cflow_transport_rtp_ssrc = -1; /* ID: 37022 */
1342 static int hf_cflow_transport_rtp_jitter_mean = -1; /* ID: 37023 */
1343 static int hf_cflow_transport_rtp_jitter_mean_string = -1; /* ID: 37023 */
1344 static int hf_cflow_transport_rtp_jitter_min = -1; /* ID: 37024 */
1345 static int hf_cflow_transport_rtp_jitter_min_string = -1; /* ID: 37024 */
1346 static int hf_cflow_transport_rtp_jitter_max = -1; /* ID: 37025 */
1347 static int hf_cflow_transport_rtp_jitter_max_string = -1; /* ID: 37025 */
1348
1349 static int hf_cflow_transport_rtp_payload_type = -1; /* ID: 37041 */
1350 static int hf_cflow_transport_rtp_payload_type_string = -1; /* ID: 37041 */
1351 static int hf_cflow_transport_bytes_out_of_order = -1; /* ID: 37071 */
1352 /* static int hf_cflow_transport_packets_out_of_order = -1; */ /* ID: 37074 */
1353 static int hf_cflow_transport_packets_out_of_order_string = -1; /* ID: 37074 */
1354 static int hf_cflow_transport_tcp_window_size_min = -1; /* ID: 37083 */
1355 static int hf_cflow_transport_tcp_window_size_min_string = -1; /* ID: 37083 */
1356 static int hf_cflow_transport_tcp_window_size_max = -1; /* ID: 37084 */
1357 static int hf_cflow_transport_tcp_window_size_max_string = -1; /* ID: 37084 */
1358 static int hf_cflow_transport_tcp_window_size_mean = -1; /* ID: 37085 */
1359 static int hf_cflow_transport_tcp_window_size_mean_string = -1; /* ID: 37085 */
1360 static int hf_cflow_transport_tcp_maximum_segment_size = -1; /* ID: 37086 */
1361 static int hf_cflow_transport_tcp_maximum_segment_size_string = -1; /* ID: 37086 */
1362
1363 /* Ericsson SE NAT Logging */
1364 static int hf_cflow_nat_context_id = -1; /* ID: 24628 */
1365 static int hf_cflow_nat_context_name = -1; /* ID: 24629 */
1366 static int hf_cflow_nat_assign_time = -1; /* ID: 24630 */
1367 static int hf_cflow_nat_unassign_time = -1; /* ID: 24631 */
1368 static int hf_cflow_nat_int_addr = -1; /* ID: 24632 */
1369 static int hf_cflow_nat_ext_addr = -1; /* ID: 24633 */
1370 static int hf_cflow_nat_ext_port_first = -1; /* ID: 24634 */
1371 static int hf_cflow_nat_ext_port_last = -1; /* ID: 24635 */
1372
1373
1374 /* Cisco ASA 5500 Series */
1375 static int hf_cflow_ingress_acl_id = -1; /* NF_F_INGRESS_ACL_ID (33000) */
1376 static int hf_cflow_egress_acl_id = -1; /* NF_F_EGRESS_ACL_ID (33001) */
1377 static int hf_cflow_fw_ext_event = -1; /* NF_F_FW_EXT_EVENT (33002) */
1378 static int hf_cflow_aaa_username = -1; /* NF_F_USERNAME[_MAX] (40000) */
1379
1380 static int hf_ipfix_enterprise_private_entry = -1;
1381
1382 /* pie = private information element */
1383
1384 static int hf_pie_cace_local_ipv4_address = -1;
1385 static int hf_pie_cace_remote_ipv4_address = -1;
1386 static int hf_pie_cace_local_ipv6_address = -1;
1387 static int hf_pie_cace_remote_ipv6_address = -1;
1388 static int hf_pie_cace_local_port = -1;
1389 static int hf_pie_cace_remote_port = -1;
1390 static int hf_pie_cace_local_ipv4_id = -1;
1391 static int hf_pie_cace_local_icmp_id = -1;
1392 static int hf_pie_cace_local_uid = -1;
1393 static int hf_pie_cace_local_pid = -1;
1394 static int hf_pie_cace_local_username_len = -1;
1395 static int hf_pie_cace_local_username = -1;
1396 static int hf_pie_cace_local_cmd_len = -1;
1397 static int hf_pie_cace_local_cmd = -1;
1398
1399 static int hf_pie_ntop_fragmented = -1;
1400 static int hf_pie_ntop_fingerprint = -1;
1401 static int hf_pie_ntop_client_nw_delay_sec = -1;
1402 static int hf_pie_ntop_client_nw_delay_usec = -1;
1403 static int hf_pie_ntop_server_nw_delay_sec = -1;
1404 static int hf_pie_ntop_server_nw_delay_usec = -1;
1405 static int hf_pie_ntop_appl_latency_sec = -1;
1406 static int hf_pie_ntop_icmp_flags = -1;
1407 static int hf_pie_ntop_src_ip_country = -1;
1408 static int hf_pie_ntop_src_ip_city = -1;
1409 static int hf_pie_ntop_dst_ip_country = -1;
1410 static int hf_pie_ntop_dst_ip_city = -1;
1411 static int hf_pie_ntop_flow_proto_port = -1;
1412
1413 static int hf_pie_ntop_longest_flow_pkt = -1;
1414 static int hf_pie_ntop_ooorder_in_pkts = -1;
1415 static int hf_pie_ntop_ooorder_out_pkts = -1;
1416 static int hf_pie_ntop_retransmitted_in_pkts = -1;
1417 static int hf_pie_ntop_retransmitted_out_pkts = -1;
1418 static int hf_pie_ntop_shortest_flow_pkt = -1;
1419 static int hf_pie_ntop_tunnel_id = -1;
1420 static int hf_pie_ntop_untunneled_ipv4_dst_addr = -1;
1421 static int hf_pie_ntop_untunneled_ipv4_src_addr = -1;
1422 static int hf_pie_ntop_untunneled_l4_dst_port = -1;
1423 static int hf_pie_ntop_untunneled_l4_src_port = -1;
1424 static int hf_pie_ntop_untunneled_protocol = -1;
1425
1426 static int hf_pie_ntop_dump_path = -1;
1427 static int hf_pie_ntop_sip_call_id = -1;
1428 static int hf_pie_ntop_sip_calling_party = -1;
1429 static int hf_pie_ntop_sip_called_party = -1;
1430 static int hf_pie_ntop_sip_rtp_codecs = -1;
1431 static int hf_pie_ntop_sip_invite_time = -1;
1432 static int hf_pie_ntop_sip_trying_time = -1;
1433 static int hf_pie_ntop_sip_ringing_time = -1;
1434 static int hf_pie_ntop_sip_ok_time = -1;
1435 static int hf_pie_ntop_sip_bye_time = -1;
1436 static int hf_pie_ntop_sip_rtp_src_ip = -1;
1437 static int hf_pie_ntop_sip_rtp_src_port = -1;
1438 static int hf_pie_ntop_sip_rtp_dst_ip = -1;
1439 static int hf_pie_ntop_sip_rtp_dst_port = -1;
1440 static int hf_pie_ntop_rtp_first_ssrc = -1;
1441 static int hf_pie_ntop_rtp_first_ts = -1;
1442 static int hf_pie_ntop_rtp_last_ssrc = -1;
1443 static int hf_pie_ntop_rtp_last_ts = -1;
1444 static int hf_pie_ntop_rtp_in_jitter = -1;
1445 static int hf_pie_ntop_rtp_out_jitter = -1;
1446 static int hf_pie_ntop_rtp_in_pkt_lost = -1;
1447 static int hf_pie_ntop_rtp_out_pkt_lost = -1;
1448 static int hf_pie_ntop_rtp_out_payload_type = -1;
1449 static int hf_pie_ntop_rtp_in_max_delta = -1;
1450 static int hf_pie_ntop_rtp_out_max_delta = -1;
1451 static int hf_pie_ntop_proc_id = -1;
1452 static int hf_pie_ntop_proc_name = -1;
1453 static int hf_pie_ntop_http_url = -1;
1454 static int hf_pie_ntop_http_ret_code = -1;
1455 static int hf_pie_ntop_smtp_mail_from = -1;
1456 static int hf_pie_ntop_smtp_rcpt_to = -1;
1457
1458 static int hf_pie_ntop_mysql_server_version = -1;
1459 static int hf_pie_ntop_mysql_username = -1;
1460 static int hf_pie_ntop_mysql_db = -1;
1461 static int hf_pie_ntop_mysql_query = -1;
1462 static int hf_pie_ntop_mysql_response = -1;
1463
1464 static int hf_pie_plixer_client_ip_v4 = -1;
1465 static int hf_pie_plixer_client_hostname = -1; /* string */
1466 static int hf_pie_plixer_partner_name = -1; /* string */
1467 static int hf_pie_plixer_server_hostname = -1; /* string */
1468 static int hf_pie_plixer_server_ip_v4 = -1;
1469 static int hf_pie_plixer_recipient_address = -1; /* string */
1470 static int hf_pie_plixer_event_id = -1;
1471 static int hf_pie_plixer_msgid = -1; /* string */
1472
1473 static int hf_pie_plixer_priority = -1;
1474 static int hf_pie_plixer_recipient_report_status = -1;
1475 static int hf_pie_plixer_number_recipients = -1;
1476 static int hf_pie_plixer_origination_time = -1;
1477 static int hf_pie_plixer_encryption = -1; /* string */
1478 static int hf_pie_plixer_service_version = -1; /* string */
1479 static int hf_pie_plixer_linked_msgid = -1; /* string */
1480 static int hf_pie_plixer_message_subject = -1; /* string */
1481 static int hf_pie_plixer_sender_address = -1; /* string */
1482 static int hf_pie_plixer_date_time = -1;
1483
1484 static int hf_string_len_short = -1;
1485 static int hf_string_len_long = -1;
1486
1487 static expert_field ei_cflow_entries = EI_INIT;
1488 static expert_field ei_cflow_options = EI_INIT;
1489 static expert_field ei_cflow_flowset_length = EI_INIT;
1490 static expert_field ei_cflow_scopes = EI_INIT;
1491 static expert_field ei_cflow_template_ipfix_scope_field_count_too_many = EI_INIT;
1492 static expert_field ei_cflow_template_ipfix_scope_field_count = EI_INIT;
1493 static expert_field ei_cflow_no_flow_information = EI_INIT;
1494
1495 static const value_string special_mpls_top_label_type[] = {
1496 {0, "Unknown"},
1497 {1, "TE-MIDPT"},
1498 {2, "ATOM"},
1499 {3, "VPN"},
1500 {4, "BGP"},
1501 {5, "LDP"},
1502 {0, NULL }
1503 };
1504
1505 static proto_item *
1506 proto_tree_add_mpls_label(proto_tree *pdutree, tvbuff_t *tvb, int offset, int length, int level)
1507 {
1508 proto_item *ti;
1509 if( length == 3) {
1510 guint8 b0 = tvb_get_guint8(tvb, offset);
1511 guint8 b1 = tvb_get_guint8(tvb, offset + 1);
1512 guint8 b2 = tvb_get_guint8(tvb, offset + 2);
1513 ti = proto_tree_add_text(pdutree, tvb, offset, length,
1514 "MPLS-Label%d: %u exp-bits: %u %s", level,
1515 ((b0<<12)+(b1<<4)+(b2>>4)),
1516 ((b2>>1)&0x7),
1517 ((b2&0x1)?"top-of-stack":""));
1518 } else {
1519 ti = proto_tree_add_text(pdutree, tvb, offset, length,
1520 "MPLS-Label%d: bad length %d", level, length);
1521 }
1522 return ti;
1523 }
1524
1525
1526 static void
1527 nbar_fmt_id(gchar *result, guint32 nbar_id)
1528 {
1529 guint32 nbar_id_type = (nbar_id>>24)&0xFF;
1530 nbar_id &= 0xFFFFFF;
1531
1532 g_snprintf(result, ITEM_LABEL_LENGTH,
1533 "NBAR Application ID: %d:%d (type:id)", nbar_id_type, nbar_id);
1534 }
1535
1536
1537 void proto_reg_handoff_netflow(void);
1538
1539 typedef struct _hdrinfo_t {
1540 guint8 vspec;
1541 guint32 src_id; /* SourceID in NetFlow V9, Observation Domain ID in IPFIX */
1542 time_t export_time_secs; /* secs since epoch */
1543 } hdrinfo_t;
1544
1545 typedef int dissect_pdu_t(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset,
1546 hdrinfo_t *hdrinfo_p);
1547
1548 static int dissect_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset,
1549 hdrinfo_t *hdrinfo_p);
1550 static int dissect_v8_aggpdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *pdutree,
1551 int offset, hdrinfo_t *hdrinfo_p);
1552 static int dissect_v8_flowpdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *pdutree,
1553 int offset, hdrinfo_t *hdrinfo_p);
1554 static int dissect_v9_v10_flowset(tvbuff_t *tvb, packet_info *pinfo, proto_tree *pdutree,
1555 int offset, hdrinfo_t *hdrinfo_p);
1556 static int dissect_v9_v10_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *pdutree,
1557 int offset, guint16 id, guint length, hdrinfo_t *hdrinfo_p);
1558 static guint dissect_v9_v10_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *pdutree,
1559 int offset, v9_v10_tmplt_t *tmplt_p, hdrinfo_t *hdrinfo_p);
1560 static guint dissect_v9_pdu_scope(tvbuff_t *tvb, packet_info *pinfo, proto_tree *pdutree,
1561 int offset, v9_v10_tmplt_t *tmplt_p);
1562 static guint dissect_v9_v10_pdu_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *pdutree,
1563 int offset, v9_v10_tmplt_t *tmplt_p, hdrinfo_t *hdrinfo_p,
1564 v9_v10_tmplt_fields_type_t fields_type);
1565 static int dissect_v9_v10_options_template(tvbuff_t *tvb, packet_info *pinfo, proto_tree *pdutree,
1566 int offset, int len, hdrinfo_t *hdrinfo_p, guint16 flowset_id);
1567 static int dissect_v9_v10_data_template(tvbuff_t *tvb, packet_info *pinfo, proto_tree *pdutree,
1568 int offset, int len, hdrinfo_t *hdrinfo_p, guint16 flowset_id);
1569
1570 static const gchar *getprefix(const guint32 *address, int prefix);
1571
1572 static int flow_process_ints(proto_tree *pdutree, tvbuff_t *tvb,
1573 int offset);
1574 static int flow_process_ports(proto_tree *pdutree, tvbuff_t *tvb,
1575 int offset);
1576 static int flow_process_timeperiod(proto_tree *pdutree, tvbuff_t *tvb,
1577 int offset);
1578 static int flow_process_aspair(proto_tree *pdutree, tvbuff_t *tvb,
1579 int offset);
1580 static int flow_process_sizecount(proto_tree *pdutree, tvbuff_t *tvb,
1581 int offset);
1582 static int flow_process_textfield(proto_tree *pdutree, tvbuff_t *tvb,
1583 int offset, int bytes,
1584 const char *text);
1585
1586 static v9_v10_tmplt_t *v9_v10_tmplt_build_key(v9_v10_tmplt_t *tmplt_p, packet_info *pinfo, guint32 src_id, guint16 tmplt_id);
1587
1588
1589
1590 static int
1591 pen_to_type_hf_list (guint32 pen) {
1592 switch (pen) {
1593 case VENDOR_PLIXER:
1594 return TF_PLIXER;
1595 case VENDOR_NTOP:
1596 return TF_NTOP;
1597 default:
1598 return TF_NO_VENDOR_INFO;
1599 }
1600 }
1601
1602 static int
1603 dissect_netflow(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
1604 {
1605 proto_tree *netflow_tree = NULL;
1606 proto_tree *ti;
1607 proto_item *timeitem, *pduitem;
1608 proto_tree *timetree, *pdutree;
1609 unsigned int pduret, ver, pdus, x;
1610 hdrinfo_t hdrinfo;
1611 gint flow_len = -1;
1612 guint available, pdusize, offset = 0;
1613 nstime_t ts;
1614 dissect_pdu_t *pduptr;
1615
1616 ipfix_debug0("dissect_netflow: start");
1617
1618 ver = tvb_get_ntohs(tvb, offset);
1619
1620 ipfix_debug1("dissect_netflow: found version %d", ver);
1621
1622 switch (ver) {
1623 case 1:
1624 pdusize = V1PDU_SIZE;
1625 pduptr = &dissect_pdu;
1626 break;
1627 case 5:
1628 pdusize = V5PDU_SIZE;
1629 pduptr = &dissect_pdu;
1630 break;
1631 case 7:
1632 pdusize = V7PDU_SIZE;
1633 pduptr = &dissect_pdu;
1634 break;
1635 case 8:
1636 pdusize = -1; /* deferred */
1637 pduptr = &dissect_v8_aggpdu;
1638 break;
1639 case 9:
1640 case 10: /* IPFIX */
1641 pdusize = -1; /* deferred */
1642 pduptr = &dissect_v9_v10_flowset;
1643 break;
1644 default:
1645 /* This does not appear to be a valid netflow packet;
1646 * return 0 to let another dissector have a chance at
1647 * dissecting it.
1648 */
1649 return 0;
1650 }
1651
1652 col_set_str(pinfo->cinfo, COL_PROTOCOL, "CFLOW");
1653 col_clear(pinfo->cinfo, COL_INFO);
1654 ipfix_debug0("dissect_netflow: column cleared");
1655
1656 if (tree) {
1657 ti = proto_tree_add_item(tree, proto_netflow, tvb, offset, -1, ENC_NA);
1658 netflow_tree = proto_item_add_subtree(ti, ett_netflow);
1659 }
1660 ipfix_debug0("dissect_netflow: tree added");
1661
1662 hdrinfo.vspec = ver;
1663 hdrinfo.src_id = 0;
1664
1665 if (tree)
1666 proto_tree_add_uint(netflow_tree, hf_cflow_version, tvb, offset, 2, ver);
1667 offset += 2;
1668
1669 pdus = tvb_get_ntohs(tvb, offset);
1670 if (tree) {
1671 if(ver == 10) {
1672 proto_tree_add_uint(netflow_tree, hf_cflow_len, tvb, offset, 2, pdus);
1673 flow_len = pdus;
1674 } else {
1675 proto_tree_add_uint(netflow_tree, hf_cflow_count, tvb, offset, 2, pdus);
1676 flow_len = -1;
1677 }
1678 }
1679 offset += 2;
1680
1681 /*
1682 * set something interesting in the display now that we have info
1683 */
1684 if (ver == 9) {
1685 col_add_fstr(pinfo->cinfo, COL_INFO,
1686 "total: %u (v%u) record%s", pdus, ver,
1687 plurality(pdus, "", "s"));
1688 } else if (ver == 10) {
1689 gint remaining = tvb_reported_length_remaining(tvb, offset)+4;
1690
1691 if(remaining == flow_len)
1692 col_add_fstr(pinfo->cinfo, COL_INFO, "IPFIX flow (%d bytes)", flow_len);
1693 else
1694 col_add_fstr(pinfo->cinfo, COL_INFO,
1695 "IPFIX partial flow (%u/%u bytes)",
1696 remaining, flow_len);
1697 } else {
1698 col_add_fstr(pinfo->cinfo, COL_INFO,
1699 "total: %u (v%u) flow%s", pdus, ver,
1700 plurality(pdus, "", "s"));
1701 }
1702
1703 /*
1704 * The rest is only interesting if we're displaying/searching the
1705 * packet or if V9/V10 so we need to keep going to find any templates
1706 */
1707 if ( (ver != 9) && (ver != 10) && !tree )
1708 return tvb_reported_length(tvb);
1709
1710 if(ver != 10) {
1711 guint32 sysuptime = tvb_get_ntohl(tvb, offset);
1712 nstime_t nsuptime;
1713
1714 nsuptime.secs = sysuptime / 1000;
1715 nsuptime.nsecs = sysuptime * 1000;
1716 proto_tree_add_time(netflow_tree, hf_cflow_sysuptime, tvb,
1717 offset, 4, &nsuptime);
1718 offset += 4;
1719 }
1720
1721 ts.secs = tvb_get_ntohl(tvb, offset);
1722 hdrinfo.export_time_secs = ts.secs;
1723
1724 if ((ver != 9) && (ver != 10)) {
1725 ts.nsecs = tvb_get_ntohl(tvb, offset + 4);
1726 timeitem = proto_tree_add_time(netflow_tree,
1727 hf_cflow_timestamp, tvb, offset,
1728 8, &ts);
1729 } else {
1730 ts.nsecs = 0;
1731 timeitem = proto_tree_add_time(netflow_tree,
1732 hf_cflow_timestamp, tvb, offset,
1733 4, &ts);
1734 }
1735
1736 timetree = proto_item_add_subtree(timeitem, ett_unixtime);
1737
1738 proto_tree_add_item(timetree,
1739 (ver == 10) ? hf_cflow_exporttime : hf_cflow_unix_secs,
1740 tvb, offset, 4, ENC_BIG_ENDIAN);
1741
1742 offset += 4;
1743
1744 if ((ver != 9) && (ver != 10)) {
1745 proto_tree_add_item(timetree, hf_cflow_unix_nsecs, tvb,
1746 offset, 4, ENC_BIG_ENDIAN);
1747 offset += 4;
1748 }
1749
1750 /*
1751 * version specific header
1752 */
1753 if (ver == 5 || ver == 7 || ver == 8 || ver == 9 || ver == 10) {
1754 proto_tree_add_item(netflow_tree, hf_cflow_sequence,
1755 tvb, offset, 4, ENC_BIG_ENDIAN);
1756 offset += 4;
1757 }
1758 if (ver == 5 || ver == 8) {
1759 proto_tree_add_item(netflow_tree, hf_cflow_engine_type,
1760 tvb, offset++, 1, ENC_NA);
1761 proto_tree_add_item(netflow_tree, hf_cflow_engine_id,
1762 tvb, offset++, 1, ENC_NA);
1763 } else if ((ver == 9) || (ver == 10)) {
1764 proto_tree_add_item(netflow_tree,
1765 (ver == 9) ? hf_cflow_source_id : hf_cflow_od_id,
1766 tvb, offset, 4, ENC_BIG_ENDIAN);
1767 hdrinfo.src_id = tvb_get_ntohl(tvb, offset);
1768 offset += 4;
1769 }
1770 if (ver == 8) {
1771 hdrinfo.vspec = tvb_get_guint8(tvb, offset);
1772 switch (hdrinfo.vspec) {
1773 case V8PDU_AS_METHOD:
1774 pdusize = V8PDU_AS_SIZE;
1775 break;
1776 case V8PDU_PROTO_METHOD:
1777 pdusize = V8PDU_PROTO_SIZE;
1778 break;
1779 case V8PDU_SPREFIX_METHOD:
1780 pdusize = V8PDU_SPREFIX_SIZE;
1781 break;
1782 case V8PDU_DPREFIX_METHOD:
1783 pdusize = V8PDU_DPREFIX_SIZE;
1784 break;
1785 case V8PDU_MATRIX_METHOD:
1786 pdusize = V8PDU_MATRIX_SIZE;
1787 break;
1788 case V8PDU_DESTONLY_METHOD:
1789 pdusize = V8PDU_DESTONLY_SIZE;
1790 pduptr = &dissect_v8_flowpdu;
1791 break;
1792 case V8PDU_SRCDEST_METHOD:
1793 pdusize = V8PDU_SRCDEST_SIZE;
1794 pduptr = &dissect_v8_flowpdu;
1795 break;
1796 case V8PDU_FULL_METHOD:
1797 pdusize = V8PDU_FULL_SIZE;
1798 pduptr = &dissect_v8_flowpdu;
1799 break;
1800 case V8PDU_TOSAS_METHOD:
1801 pdusize = V8PDU_TOSAS_SIZE;
1802 break;
1803 case V8PDU_TOSPROTOPORT_METHOD:
1804 pdusize = V8PDU_TOSPROTOPORT_SIZE;
1805 break;
1806 case V8PDU_TOSSRCPREFIX_METHOD:
1807 pdusize = V8PDU_TOSSRCPREFIX_SIZE;
1808 break;
1809 case V8PDU_TOSDSTPREFIX_METHOD:
1810 pdusize = V8PDU_TOSDSTPREFIX_SIZE;
1811 break;
1812 case V8PDU_TOSMATRIX_METHOD:
1813 pdusize = V8PDU_TOSMATRIX_SIZE;
1814 break;
1815 case V8PDU_PREPORTPROTOCOL_METHOD:
1816 pdusize = V8PDU_PREPORTPROTOCOL_SIZE;
1817 break;
1818 default:
1819 pdusize = -1;
1820 hdrinfo.vspec = 0;
1821 break;
1822 }
1823 proto_tree_add_uint(netflow_tree, hf_cflow_aggmethod,
1824 tvb, offset++, 1, hdrinfo.vspec);
1825 proto_tree_add_item(netflow_tree, hf_cflow_aggversion,
1826 tvb, offset++, 1, ENC_NA);
1827 }
1828 if (ver == 7 || ver == 8)
1829 offset = flow_process_textfield(netflow_tree, tvb, offset, 4, "reserved");
1830 else if (ver == 5) {
1831 proto_tree_add_item(netflow_tree, hf_cflow_samplingmode,
1832 tvb, offset, 2, ENC_BIG_ENDIAN);
1833 proto_tree_add_item(netflow_tree, hf_cflow_samplerate,
1834 tvb, offset, 2, ENC_BIG_ENDIAN);
1835 offset += 2;
1836 }
1837
1838 if (pdus == 0) { /* no payload to decode - in theory */
1839 /* This is absurd, but does happen in practice. */
1840 proto_tree_add_text(netflow_tree, tvb, offset, tvb_reported_length_remaining(tvb, offset),
1841 "FlowSets impossible - PDU Count is %d", pdus);
1842 return tvb_reported_length(tvb);
1843 }
1844 /*
1845 * everything below here should be payload
1846 */
1847 available = tvb_reported_length_remaining(tvb, offset);
1848 for (x = 1; ((ver != 10) && (x < pdus + 1)) || ((ver == 10) && ((available - pdusize) > 0)); x++) {
1849 /*
1850 * make sure we have a pdu's worth of data
1851 */
1852 available = tvb_reported_length_remaining(tvb, offset);
1853 if(((ver == 9) || (ver == 10)) && available >= 4) {
1854 /* pdusize can be different for each v9/v10 flowset */
1855 pdusize = tvb_get_ntohs(tvb, offset + 2);
1856 }
1857
1858 if (available < pdusize)
1859 break;
1860
1861 if ((ver == 9) || (ver == 10)) {
1862 pduitem = proto_tree_add_text(netflow_tree, tvb,
1863 offset, pdusize,
1864 (ver == 9) ? "FlowSet %u" : "Set %u", x);
1865 } else {
1866 pduitem = proto_tree_add_text(netflow_tree, tvb,
1867 offset, pdusize, "pdu %u/%u", x, pdus);
1868 }
1869 pdutree = proto_item_add_subtree(pduitem, ett_flow);
1870
1871 pduret = pduptr(tvb, pinfo, pdutree, offset, &hdrinfo);
1872
1873 if (pduret < pdusize) pduret = pdusize; /* padding */
1874
1875 /*
1876 * if we came up short, stop processing
1877 */
1878 if ((pduret == pdusize) && (pduret != 0))
1879 offset += pduret;
1880 else
1881 break;
1882 }
1883
1884 return tvb_reported_length(tvb);
1885 }
1886
1887 /*
1888 * flow_process_* == common groups of fields, probably could be inline
1889 */
1890
1891 static int
1892 flow_process_ints(proto_tree *pdutree, tvbuff_t *tvb, int offset)
1893 {
1894 proto_tree_add_item(pdutree, hf_cflow_inputint, tvb, offset, 2, ENC_BIG_ENDIAN);
1895 offset += 2;
1896
1897 proto_tree_add_item(pdutree, hf_cflow_outputint, tvb, offset, 2,
1898 ENC_BIG_ENDIAN);
1899 offset += 2;
1900
1901 return offset;
1902 }
1903
1904 static int
1905 flow_process_ports(proto_tree *pdutree, tvbuff_t *tvb, int offset)
1906 {
1907 proto_tree_add_item(pdutree, hf_cflow_srcport, tvb, offset, 2, ENC_BIG_ENDIAN);
1908 offset += 2;
1909
1910 proto_tree_add_item(pdutree, hf_cflow_dstport, tvb, offset, 2, ENC_BIG_ENDIAN);
1911 offset += 2;
1912
1913 return offset;
1914 }
1915
1916 static int
1917 flow_process_timeperiod(proto_tree *pdutree, tvbuff_t *tvb, int offset)
1918 {
1919 nstime_t ts_start, ts_end;
1920 int offset_s, offset_e;
1921 nstime_t ts_delta;
1922 guint32 msec_start, msec_end;
1923 guint32 msec_delta;
1924 proto_tree *timetree;
1925 proto_item *timeitem;
1926
1927
1928 msec_start = tvb_get_ntohl(tvb, offset);
1929 ts_start.secs = msec_start / 1000;
1930 ts_start.nsecs = (msec_start % 1000) * 1000000;
1931 offset_s = offset;
1932 offset += 4;
1933
1934 msec_end = tvb_get_ntohl(tvb, offset);
1935 ts_end.secs = msec_end / 1000;
1936 ts_end.nsecs = (msec_end % 1000) * 1000000;
1937 offset_e = offset;
1938 offset += 4;
1939
1940 msec_delta = msec_end - msec_start;
1941 ts_delta.secs = msec_delta / 1000;
1942 ts_delta.nsecs = (msec_delta % 1000) * 1000000;
1943
1944
1945 timeitem = proto_tree_add_time(pdutree, hf_cflow_timedelta, tvb,
1946 offset_s, 8, &ts_delta);
1947 PROTO_ITEM_SET_GENERATED(timeitem);
1948 timetree = proto_item_add_subtree(timeitem, ett_flowtime);
1949
1950 proto_tree_add_time(timetree, hf_cflow_timestart, tvb, offset_s, 4,
1951 &ts_start);
1952 proto_tree_add_time(timetree, hf_cflow_timeend, tvb, offset_e, 4,
1953 &ts_end);
1954
1955 return offset;
1956 }
1957
1958
1959 static int
1960 flow_process_aspair(proto_tree *pdutree, tvbuff_t *tvb, int offset)
1961 {
1962 proto_tree_add_item(pdutree, hf_cflow_srcas, tvb, offset, 2, ENC_BIG_ENDIAN);
1963 offset += 2;
1964
1965 proto_tree_add_item(pdutree, hf_cflow_dstas, tvb, offset, 2, ENC_BIG_ENDIAN);
1966 offset += 2;
1967
1968 return offset;
1969 }
1970
1971 static int
1972 flow_process_sizecount(proto_tree *pdutree, tvbuff_t *tvb, int offset)
1973 {
1974 proto_tree_add_item(pdutree, hf_cflow_packets, tvb, offset, 4, ENC_BIG_ENDIAN);
1975 offset += 4;
1976
1977 proto_tree_add_item(pdutree, hf_cflow_octets, tvb, offset, 4, ENC_BIG_ENDIAN);
1978 offset += 4;
1979
1980 return offset;
1981 }
1982
1983 static int
1984 flow_process_textfield(proto_tree *pdutree, tvbuff_t *tvb, int offset, int bytes, const char *text)
1985 {
1986 proto_tree_add_text(pdutree, tvb, offset, bytes, "%s", text);
1987 offset += bytes;
1988
1989 return offset;
1990 }
1991
1992 static int
1993 dissect_v8_flowpdu(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *pdutree, int offset,
1994 hdrinfo_t *hdrinfo_p)
1995 {
1996 int startoffset = offset;
1997 guint8 verspec;
1998
1999 proto_tree_add_item(pdutree, hf_cflow_dstaddr, tvb, offset, 4, ENC_NA);
2000 offset += 4;
2001
2002 verspec = hdrinfo_p->vspec;
2003
2004 if (verspec != V8PDU_DESTONLY_METHOD) {
2005 proto_tree_add_item(pdutree, hf_cflow_srcaddr, tvb, offset, 4,
2006 ENC_BIG_ENDIAN);
2007 offset += 4;
2008 }
2009 if (verspec == V8PDU_FULL_METHOD) {
2010 proto_tree_add_item(pdutree, hf_cflow_dstport, tvb, offset, 2,
2011 ENC_BIG_ENDIAN);
2012 offset += 2;
2013 proto_tree_add_item(pdutree, hf_cflow_srcport, tvb, offset, 2,
2014 ENC_BIG_ENDIAN);
2015 offset += 2;
2016 }
2017
2018 offset = flow_process_sizecount(pdutree, tvb, offset);
2019 offset = flow_process_timeperiod(pdutree, tvb, offset);
2020
2021 proto_tree_add_item(pdutree, hf_cflow_outputint, tvb, offset, 2,
2022 ENC_BIG_ENDIAN);
2023 offset += 2;
2024
2025 if (verspec != V8PDU_DESTONLY_METHOD) {
2026 proto_tree_add_item(pdutree, hf_cflow_inputint, tvb, offset, 2, ENC_BIG_ENDIAN);
2027 offset += 2;
2028 }
2029
2030 proto_tree_add_item(pdutree, hf_cflow_tos, tvb, offset++, 1, ENC_NA);
2031 if (verspec == V8PDU_FULL_METHOD)
2032 proto_tree_add_item(pdutree, hf_cflow_prot, tvb, offset++, 1, ENC_NA);
2033 offset = flow_process_textfield(pdutree, tvb, offset, 1, "marked tos");
2034
2035 if (verspec == V8PDU_SRCDEST_METHOD)
2036 offset = flow_process_textfield(pdutree, tvb, offset, 2, "reserved");
2037 else if (verspec == V8PDU_FULL_METHOD)
2038 offset = flow_process_textfield(pdutree, tvb, offset, 1, "padding");
2039
2040 offset = flow_process_textfield(pdutree, tvb, offset, 4, "extra packets");
2041
2042 proto_tree_add_item(pdutree, hf_cflow_routersc, tvb, offset, 4, ENC_NA);
2043 offset += 4;
2044
2045 return (offset - startoffset);
2046 }
2047
2048 /*
2049 * dissect a version 8 pdu, returning the length of the pdu processed
2050 */
2051
2052 static int
2053 dissect_v8_aggpdu(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *pdutree, int offset,
2054 hdrinfo_t *hdrinfo_p)
2055 {
2056 int startoffset = offset;
2057 guint8 verspec;
2058 int local_cflow_as; /* hf_cflow_srcas || hf_cflow_dstas */
2059 int local_cflow_net; /* hf_cflow_srcnet || hf_cflow_dstnet */
2060 int local_cflow_int; /* hf_cflow_outputint || hf_cflow_inputint */
2061 int local_cflow_mask; /* hf_cflow_srcmask || hf_cflow_dstmask */
2062
2063 proto_tree_add_item(pdutree, hf_cflow_flows, tvb, offset, 4, ENC_BIG_ENDIAN);
2064 offset += 4;
2065
2066 offset = flow_process_sizecount(pdutree, tvb, offset);
2067 offset = flow_process_timeperiod(pdutree, tvb, offset);
2068
2069 verspec = hdrinfo_p->vspec;
2070
2071 switch (verspec) {
2072
2073 case V8PDU_AS_METHOD:
2074 case V8PDU_TOSAS_METHOD:
2075 offset = flow_process_aspair(pdutree, tvb, offset);
2076
2077 if (verspec == V8PDU_TOSAS_METHOD) {
2078 proto_tree_add_item(pdutree, hf_cflow_tos, tvb,
2079 offset++, 1, ENC_NA);
2080 offset = flow_process_textfield(pdutree, tvb, offset, 1, "padding");
2081 offset = flow_process_textfield(pdutree, tvb, offset, 2, "reserved");
2082 }
2083 /* ACF - Seen in the wild and documented here...
2084 http://www.caida.org/tools/measurement/cflowd/configuration/configuration-9.html#ss9.1
2085 */
2086 offset = flow_process_ints(pdutree, tvb, offset);
2087 break;
2088
2089 case V8PDU_PROTO_METHOD:
2090 case V8PDU_TOSPROTOPORT_METHOD:
2091 proto_tree_add_item(pdutree, hf_cflow_prot, tvb, offset++, 1, ENC_NA);
2092
2093 if (verspec == V8PDU_PROTO_METHOD)
2094 offset = flow_process_textfield(pdutree, tvb, offset, 1, "padding");
2095 else if (verspec == V8PDU_TOSPROTOPORT_METHOD)
2096 proto_tree_add_item(pdutree, hf_cflow_tos, tvb, offset++, 1, ENC_NA);
2097
2098 offset = flow_process_textfield(pdutree, tvb, offset, 2, "reserved");
2099 offset = flow_process_ports(pdutree, tvb, offset);
2100
2101 if (verspec == V8PDU_TOSPROTOPORT_METHOD)
2102 offset = flow_process_ints(pdutree, tvb, offset);
2103 break;
2104
2105 case V8PDU_SPREFIX_METHOD:
2106 case V8PDU_DPREFIX_METHOD:
2107 case V8PDU_TOSSRCPREFIX_METHOD:
2108 case V8PDU_TOSDSTPREFIX_METHOD:
2109 switch (verspec) {
2110 case V8PDU_SPREFIX_METHOD:
2111 case V8PDU_TOSSRCPREFIX_METHOD:
2112 local_cflow_net = hf_cflow_srcnet;
2113 local_cflow_mask = hf_cflow_srcmask;
2114 local_cflow_as = hf_cflow_srcas;
2115 local_cflow_int = hf_cflow_inputint;
2116 break;
2117 case V8PDU_DPREFIX_METHOD:
2118 case V8PDU_TOSDSTPREFIX_METHOD:
2119 default: /* stop warning that :
2120 'local_cflow_*' may be used
2121 uninitialized in this function */
2122 local_cflow_net = hf_cflow_dstnet;
2123 local_cflow_mask = hf_cflow_dstmask;
2124 local_cflow_as = hf_cflow_dstas;
2125 local_cflow_int = hf_cflow_outputint;
2126 break;
2127 }
2128
2129 proto_tree_add_item(pdutree, local_cflow_net, tvb, offset, 4, ENC_NA);
2130 offset += 4;
2131
2132 proto_tree_add_item(pdutree, local_cflow_mask, tvb, offset++, 1, ENC_NA);
2133
2134 if ((verspec == V8PDU_SPREFIX_METHOD) || (verspec == V8PDU_DPREFIX_METHOD))
2135 offset = flow_process_textfield(pdutree, tvb, offset, 1, "padding");
2136
2137 else if ((verspec == V8PDU_TOSSRCPREFIX_METHOD) || (verspec == V8PDU_TOSDSTPREFIX_METHOD))
2138 proto_tree_add_item(pdutree, hf_cflow_tos, tvb, offset++, 1, ENC_NA);
2139
2140 proto_tree_add_item(pdutree, local_cflow_as, tvb, offset, 2, ENC_BIG_ENDIAN);
2141 offset += 2;
2142
2143 proto_tree_add_item(pdutree, local_cflow_int, tvb, offset, 2, ENC_BIG_ENDIAN);
2144 offset += 2;
2145
2146 offset = flow_process_textfield(pdutree, tvb, offset, 2, "reserved");
2147 break;
2148
2149 case V8PDU_MATRIX_METHOD:
2150 case V8PDU_TOSMATRIX_METHOD:
2151 case V8PDU_PREPORTPROTOCOL_METHOD:
2152 proto_tree_add_item(pdutree, hf_cflow_srcnet, tvb, offset, 4, ENC_NA);
2153 offset += 4;
2154
2155 proto_tree_add_item(pdutree, hf_cflow_dstnet, tvb, offset, 4, ENC_NA);
2156 offset += 4;
2157
2158 proto_tree_add_item(pdutree, hf_cflow_srcmask, tvb, offset++, 1, ENC_NA);
2159
2160 proto_tree_add_item(pdutree, hf_cflow_dstmask, tvb, offset++, 1, ENC_NA);
2161
2162 if ((verspec == V8PDU_TOSMATRIX_METHOD) ||
2163 (verspec == V8PDU_PREPORTPROTOCOL_METHOD)) {
2164 proto_tree_add_item(pdutree, hf_cflow_tos, tvb, offset++, 1, ENC_NA);
2165 if (verspec == V8PDU_TOSMATRIX_METHOD) {
2166 offset = flow_process_textfield(pdutree, tvb, offset, 1, "padding");
2167 } else if (verspec == V8PDU_PREPORTPROTOCOL_METHOD) {
2168 proto_tree_add_item(pdutree, hf_cflow_prot, tvb, offset++, 1, ENC_NA);
2169 }
2170 } else {
2171 offset = flow_process_textfield(pdutree, tvb, offset, 2, "reserved");
2172 }
2173
2174 if ((verspec == V8PDU_MATRIX_METHOD)
2175 || (verspec == V8PDU_TOSMATRIX_METHOD)) {
2176 offset = flow_process_aspair(pdutree, tvb, offset);
2177 } else if (verspec == V8PDU_PREPORTPROTOCOL_METHOD) {
2178 offset = flow_process_ports(pdutree, tvb, offset);
2179 }
2180
2181 offset = flow_process_ints(pdutree, tvb, offset);
2182 break;
2183 }
2184
2185 return (offset - startoffset);
2186 }
2187
2188 /* Dissect a version 9 FlowSet and return the length we processed. */
2189
2190 static int
2191 dissect_v9_v10_flowset(tvbuff_t *tvb, packet_info *pinfo, proto_tree *pdutree, int offset, hdrinfo_t *hdrinfo_p)
2192 {
2193 int length;
2194 guint16 flowset_id;
2195 guint8 ver;
2196
2197 ver = hdrinfo_p->vspec;
2198
2199 if ((ver != 9) && (ver != 10))
2200 return (0);
2201
2202 flowset_id = tvb_get_ntohs(tvb, offset);
2203 length = tvb_get_ntohs(tvb, offset + 2);
2204
2205 if (length < 4) {
2206 expert_add_info_format(pinfo, NULL, &ei_cflow_flowset_length,
2207 "Length (%u) too short", length);
2208 return tvb_reported_length_remaining(tvb, offset);
2209 }
2210
2211 proto_tree_add_item(pdutree, hf_cflow_flowset_id, tvb, offset, 2, ENC_BIG_ENDIAN);
2212 offset += 2;
2213
2214 proto_tree_add_item(pdutree, hf_cflow_flowset_length, tvb, offset, 2, ENC_BIG_ENDIAN);
2215 offset += 2;
2216
2217 switch (flowset_id) {
2218 case FLOWSET_ID_V9_DATA_TEMPLATE:
2219 case FLOWSET_ID_V10_DATA_TEMPLATE:
2220 dissect_v9_v10_data_template(tvb, pinfo, pdutree, offset, length - 4, hdrinfo_p, flowset_id);
2221 break;
2222 case FLOWSET_ID_V9_OPTIONS_TEMPLATE:
2223 case FLOWSET_ID_V10_OPTIONS_TEMPLATE:
2224 dissect_v9_v10_options_template(tvb, pinfo, pdutree, offset, length - 4, hdrinfo_p, flowset_id);
2225 break;
2226 default:
2227 if (flowset_id >= FLOWSET_ID_DATA_MIN) {
2228 dissect_v9_v10_data(tvb, pinfo, pdutree, offset, flowset_id, (guint)length - 4, hdrinfo_p);
2229 }
2230 break;
2231 }
2232
2233 return (length);
2234 }
2235
2236 static int
2237 dissect_v9_v10_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *pdutree, int offset,
2238 guint16 id, guint length, hdrinfo_t *hdrinfo_p)
2239 {
2240 v9_v10_tmplt_t *tmplt_p;
2241 v9_v10_tmplt_t tmplt_key;
2242 proto_tree *data_tree;
2243 proto_item *data_item;
2244 guint pdu_len;
2245
2246 if (length == 0) {
2247 expert_add_info(pinfo, pdutree, &ei_cflow_no_flow_information);
2248 }
2249
2250 v9_v10_tmplt_build_key(&tmplt_key, pinfo, hdrinfo_p->src_id, id);
2251 tmplt_p = (v9_v10_tmplt_t *)g_hash_table_lookup(v9_v10_tmplt_table, &tmplt_key);
2252 if ((tmplt_p != NULL) && (tmplt_p->length != 0)) {
2253 int count = 1;
2254 /* Note: If the flow contains variable length fields then */
2255 /* tmplt_p->length will be less then actual length of the flow. */
2256 while (length >= tmplt_p->length) {
2257 data_item = proto_tree_add_text(pdutree, tvb,
2258 offset, tmplt_p->length, "Flow %d", count++);
2259 data_tree = proto_item_add_subtree(data_item, ett_dataflowset);
2260
2261 pdu_len = dissect_v9_v10_pdu(tvb, pinfo, data_tree, offset, tmplt_p, hdrinfo_p);
2262
2263 offset += pdu_len;
2264 /* XXX - Throw an exception */
2265 length -= (pdu_len < length) ? pdu_len : length;
2266 }
2267 if (length != 0) {
2268 proto_tree_add_text(pdutree, tvb, offset, length,
2269 "Padding (%u byte%s)",
2270 length, plurality(length, "", "s"));
2271 }
2272 } else {
2273 proto_tree_add_text(pdutree, tvb, offset, length,
2274 "Data (%u byte%s), no template found",
2275 length, plurality(length, "", "s"));
2276 }
2277
2278 return (0);
2279 }
2280
2281 #define GOT_LOCAL_ADDR (1 << 0)
2282 #define GOT_REMOTE_ADDR (1 << 1)
2283 #define GOT_LOCAL_PORT (1 << 2)
2284 #define GOT_REMOTE_PORT (1 << 3)
2285 #define GOT_IPv4_ID (1 << 4)
2286 #define GOT_ICMP_ID (1 << 5)
2287 #define GOT_UID (1 << 6)
2288 #define GOT_PID (1 << 7)
2289 #define GOT_USERNAME (1 << 8)
2290 #define GOT_COMMAND (1 << 9)
2291
2292 #define GOT_BASE ( \
2293 GOT_LOCAL_ADDR | \
2294 GOT_REMOTE_ADDR | \
2295 GOT_UID | \
2296 GOT_PID | \
2297 GOT_USERNAME | \
2298 GOT_COMMAND \
2299 )
2300
2301 #define GOT_TCP_UDP (GOT_BASE | GOT_LOCAL_PORT | GOT_REMOTE_PORT)
2302 #define GOT_ICMP (GOT_BASE | GOT_IPv4_ID | GOT_ICMP_ID)
2303
2304 static guint
2305 dissect_v9_v10_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *pdutree, int offset,
2306 v9_v10_tmplt_t *tmplt_p, hdrinfo_t *hdrinfo_p)
2307 {
2308 int orig_offset = offset;
2309
2310 if ((tmplt_p->fields_p[TF_SCOPES] != NULL)
2311 && (tmplt_p->field_count[TF_SCOPES] > 0)) {
2312 if (hdrinfo_p->vspec == 9) {
2313 offset += dissect_v9_pdu_scope(tvb, pinfo, pdutree, offset, tmplt_p);
2314 } else if (hdrinfo_p->vspec == 10) {
2315 offset += dissect_v9_v10_pdu_data(tvb, pinfo, pdutree, offset, tmplt_p, hdrinfo_p, TF_SCOPES);
2316 }
2317 }
2318 offset += dissect_v9_v10_pdu_data(tvb, pinfo, pdutree, offset, tmplt_p, hdrinfo_p, TF_ENTRIES);
2319
2320 return (guint) (offset - orig_offset);
2321 }
2322
2323 static guint
2324 dissect_v9_pdu_scope(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *pdutree, int offset,
2325 v9_v10_tmplt_t *tmplt_p)
2326 {
2327 int orig_offset;
2328 int i;
2329
2330 DISSECTOR_ASSERT(tmplt_p->fields_p[TF_SCOPES] != NULL);
2331
2332 orig_offset = offset;
2333
2334 for(i = 0; i < tmplt_p->field_count[TF_SCOPES]; i++) {
2335 guint16 type = tmplt_p->fields_p[TF_SCOPES][i].type;
2336 guint16 length = tmplt_p->fields_p[TF_SCOPES][i].length;
2337 if (length == 0) { /* XXX: Zero length fields probably shouldn't be included in the cached template */
2338 /* YYY: Maybe. If you don't cache the zero length fields can you still compare that you actually */
2339 /* have the same template with the same ID. See WMeier comment "c." above */
2340 continue;
2341 }
2342 switch (type) {
2343 /* XXX: template length fields should be validated during template processing ... */
2344 case 1: /* system */
2345 proto_tree_add_item(pdutree, hf_cflow_scope_system,
2346 tvb, offset, length, ENC_NA);
2347 break;
2348 case 2: /* interface */
2349 proto_tree_add_item(pdutree, hf_cflow_scope_interface,
2350 tvb, offset, length, ENC_NA);
2351 break;
2352 case 3: /* linecard */
2353 proto_tree_add_item(pdutree, hf_cflow_scope_linecard,
2354 tvb, offset, length, ENC_NA);
2355 break;
2356 case 4: /* netflow cache */
2357 proto_tree_add_item(pdutree, hf_cflow_scope_cache,
2358 tvb, offset, length, ENC_NA);
2359 break;
2360 case 5: /* tmplt */
2361 proto_tree_add_item(pdutree, hf_cflow_scope_template,
2362 tvb, offset, length, ENC_NA);
2363 break;
2364 default: /* unknown */
2365 proto_tree_add_item(pdutree, hf_cflow_unknown_field_type,
2366 tvb, offset, length, ENC_NA);
2367 break;
2368 }
2369 offset += length;
2370 }
2371 return (guint) (offset - orig_offset);
2372 }
2373
2374 static guint
2375 dissect_v9_v10_pdu_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *pdutree, int offset,
2376 v9_v10_tmplt_t *tmplt_p, hdrinfo_t *hdrinfo_p, v9_v10_tmplt_fields_type_t fields_type)
2377 {
2378 int orig_offset;
2379 int rev;
2380 nstime_t ts_start[2], ts_end[2];
2381 int offset_s[2], offset_e[2];
2382 nstime_t ts;
2383 guint32 msec_start[2], msec_end[2];
2384 guint32 msec_delta;
2385 nstime_t ts_delta;
2386 guint32 usec;
2387 int i;
2388
2389 address local_addr, remote_addr;
2390 guint16 local_port = 0, remote_port = 0/*, ipv4_id = 0, icmp_id = 0*/;
2391 guint32 uid = 0, pid = 0;
2392 int uname_len;
2393 gchar *uname_str = NULL;
2394 int cmd_len;
2395 gchar *cmd_str = NULL;
2396 guint16 got_flags = 0;
2397
2398 int string_len_short = 0;
2399 int string_len_long = 0;
2400
2401 proto_tree *string_tree;
2402
2403 gchar *gen_str = NULL;
2404 int gen_str_offset = 0;
2405
2406 proto_item *ti;
2407 guint16 count;
2408 v9_v10_tmplt_entry_t *entries_p;
2409 proto_tree *fwdstattree;
2410
2411 entries_p = tmplt_p->fields_p[fields_type];
2412 if (entries_p == NULL) {
2413 /* I don't think we can actually hit this condition.
2414 If we can, what would cause it? Does this need a
2415 warn? If so, what?
2416 */
2417 return 0;
2418 }
2419 orig_offset = offset;
2420 count = tmplt_p->field_count[fields_type];
2421
2422 offset_s[0] = offset_s[1] = offset_e[0] = offset_e[1] = 0;
2423 msec_start[0] = msec_start[1] = msec_end[0] = msec_end[1] = 0;
2424
2425 for (i = 0; i < count; i++) {
2426 guint64 pen_type;
2427 guint16 type;
2428 guint16 masked_type;
2429 guint16 length;
2430 guint32 pen;
2431 const gchar *pen_str;
2432 int vstr_len;
2433
2434 type = entries_p[i].type;
2435 length = entries_p[i].length;
2436 pen = entries_p[i].pen;
2437 pen_str = entries_p[i].pen_str;
2438
2439 if (length == 0) { /* XXX: Zero length fields probably shouldn't be included in the cached template */
2440 /* YYY: Maybe. If you don't cache the zero length fields can you still compare that you actually */
2441 /* have the same template with the same ID. See WMeier comment "c." above */
2442 continue;
2443 }
2444 /* See if variable length field */
2445 vstr_len = 0;
2446 if (length == VARIABLE_LENGTH) {
2447 vstr_len = 1;
2448 string_len_short = length = tvb_get_guint8(tvb, offset);
2449 if (length == 255) {
2450 vstr_len = 3;
2451 string_len_long = length = tvb_get_ntohs(tvb, offset+1);
2452 }
2453 offset += vstr_len;
2454 gen_str_offset = offset;
2455 }
2456
2457 /* v9 types
2458 * 0x 0000 0000 0000 to
2459 * 0x 0000 0000 ffff
2460 * v10 global types (presumably consistent with v9 types 0x0000 - 0x7fff)
2461 * 0x 0000 0000 0000 to
2462 * 0x 0000 0000 7fff
2463 * V10 Enterprise types
2464 * 0x 0000 0001 0000 to
2465 * 0x ffff ffff 7fff
2466 */
2467 pen_type = masked_type = type;
2468 rev = 0;
2469
2470 if ((hdrinfo_p->vspec == 10) && (type & 0x8000)) {
2471 pen_type = masked_type = type & 0x7fff;
2472 if (pen == REVPEN) { /* reverse PEN */
2473 rev = 1;
2474 } else if (pen == 0) {
2475 pen_type = (0xffff << 16) | pen_type; /* hack to force "unknown" */
2476 } else {
2477 pen_type = (pen << 16) | pen_type;
2478 }
2479 }
2480
2481 ti = NULL;
2482 switch (pen_type) {
2483
2484 case 1: /* bytes */
2485 if (length == 4) {
2486 ti = proto_tree_add_item(pdutree, hf_cflow_octets,
2487 tvb, offset, length, ENC_BIG_ENDIAN);
2488 } else if (length == 8) {
2489 ti = proto_tree_add_item(pdutree, hf_cflow_octets64,
2490 tvb, offset, length, ENC_BIG_ENDIAN);
2491 } else {
2492 ti = proto_tree_add_text(pdutree,
2493 tvb, offset, length,
2494 "Octets: length %u", length);
2495 }
2496 break;
2497
2498 case 2: /* packets */
2499 if (length == 4) {
2500 ti = proto_tree_add_item(pdutree, hf_cflow_packets,
2501 tvb, offset, length, ENC_BIG_ENDIAN);
2502 } else if (length == 8) {
2503 ti = proto_tree_add_item(pdutree, hf_cflow_packets64,
2504 tvb, offset, length, ENC_BIG_ENDIAN);
2505 } else {
2506 ti = proto_tree_add_text(pdutree,
2507 tvb, offset, length,
2508 "Packets: length %u", length);
2509 }
2510 break;
2511
2512 case 163: /* observedFlowTotalCount */
2513 case 3: /* flows */
2514 if (length == 4) {
2515 ti = proto_tree_add_item(pdutree, hf_cflow_flows,
2516 tvb, offset, length, ENC_BIG_ENDIAN);
2517 } else if (length == 8) {
2518 ti = proto_tree_add_item(pdutree, hf_cflow_flows64,
2519 tvb, offset, length, ENC_BIG_ENDIAN);
2520 } else {
2521 ti = proto_tree_add_text(pdutree,
2522 tvb, offset, length,
2523 "Flows: length %u", length);
2524 }
2525 break;
2526
2527 case 4: /* proto */
2528 ti = proto_tree_add_item(pdutree, hf_cflow_prot,
2529 tvb, offset, length, ENC_NA);
2530 break;
2531
2532 case 5: /* TOS */
2533 ti = proto_tree_add_item(pdutree, hf_cflow_tos,
2534 tvb, offset, length, ENC_NA);
2535 break;
2536
2537 case 6: /* TCP flags */
2538 ti = proto_tree_add_item(pdutree, hf_cflow_tcpflags,
2539 tvb, offset, length, ENC_NA);
2540 break;
2541
2542 case 7: /* source port */
2543 case 180: /* udpSourcePort */
2544 case 182: /* tcpSourcePort */
2545 ti = proto_tree_add_item(pdutree, hf_cflow_srcport,
2546 tvb, offset, length, ENC_BIG_ENDIAN);
2547 break;
2548
2549 case 8: /* source IP */
2550 if (length == 4) {
2551 ti = proto_tree_add_item(pdutree, hf_cflow_srcaddr,
2552 tvb, offset, length, ENC_NA);
2553 } else if (length == 16) {
2554 ti = proto_tree_add_item(pdutree, hf_cflow_srcaddr_v6,
2555 tvb, offset, length, ENC_NA);
2556 } else {
2557 ti = proto_tree_add_text(pdutree,
2558 tvb, offset, length,
2559 "SrcAddr: length %u", length);
2560 }
2561 break;
2562
2563 case 9: /* source mask */
2564 ti = proto_tree_add_item(pdutree, hf_cflow_srcmask,
2565 tvb, offset, length, ENC_NA);
2566 break;
2567
2568 case 10: /* input SNMP */
2569 ti = proto_tree_add_item(pdutree, hf_cflow_inputint,
2570 tvb, offset, length, ENC_BIG_ENDIAN);
2571 break;
2572
2573 case 11: /* dest port */
2574 case 181: /* udpDestinationPort */
2575 case 183: /* tcpDestinationPort */
2576 ti = proto_tree_add_item(pdutree, hf_cflow_dstport,
2577 tvb, offset, length, ENC_BIG_ENDIAN);
2578 break;
2579
2580 case 12: /* dest IP */
2581 if (length == 4) {
2582 ti = proto_tree_add_item(pdutree, hf_cflow_dstaddr,
2583 tvb, offset, length, ENC_NA);
2584 } else if (length == 16) {
2585 ti = proto_tree_add_item(pdutree, hf_cflow_dstaddr_v6,
2586 tvb, offset, length, ENC_NA);
2587 } else {
2588 ti = proto_tree_add_text(pdutree,
2589 tvb, offset, length,
2590 "DstAddr: length %u", length);
2591 }
2592 break;
2593
2594 case 13: /* dest mask */
2595 ti = proto_tree_add_item(pdutree, hf_cflow_dstmask,
2596 tvb, offset, length, ENC_NA);
2597 break;
2598
2599 case 14: /* output SNMP */
2600 ti = proto_tree_add_item(pdutree, hf_cflow_outputint,
2601 tvb, offset, length, ENC_BIG_ENDIAN);
2602 break;
2603
2604 case 15: /* nexthop IP */
2605 if (length == 4) {
2606 ti = proto_tree_add_item(pdutree, hf_cflow_nexthop,
2607 tvb, offset, length, ENC_NA);
2608 } else {
2609 ti = proto_tree_add_text(pdutree,
2610 tvb, offset, length,
2611 "NextHop: length %u", length);
2612 }
2613 break;
2614
2615 case 16: /* source AS */
2616 ti = proto_tree_add_item(pdutree, hf_cflow_srcas,
2617 tvb, offset, length, ENC_BIG_ENDIAN);
2618 break;
2619
2620 case 17: /* dest AS */
2621 ti = proto_tree_add_item(pdutree, hf_cflow_dstas,
2622 tvb, offset, length, ENC_BIG_ENDIAN);
2623 break;
2624
2625 case 18: /* BGP nexthop IP */
2626 if (length == 4) {
2627 ti = proto_tree_add_item(pdutree, hf_cflow_bgpnexthop,
2628 tvb, offset, length, ENC_NA);
2629 } else if (length == 16) {
2630 ti = proto_tree_add_item(pdutree, hf_cflow_bgpnexthop_v6,
2631 tvb, offset, length, ENC_NA);
2632 } else {
2633 ti = proto_tree_add_text(pdutree,
2634 tvb, offset, length,
2635 "BGPNextHop: length %u", length);
2636 }
2637 break;
2638
2639 case 19: /* multicast packets */
2640 ti = proto_tree_add_item(pdutree, hf_cflow_mulpackets,
2641 tvb, offset, length, ENC_BIG_ENDIAN);
2642 break;
2643
2644 case 20: /* multicast octets */
2645 ti = proto_tree_add_item(pdutree, hf_cflow_muloctets,
2646 tvb, offset, length, ENC_BIG_ENDIAN);
2647 break;
2648
2649 case 21: /* last switched */
2650 offset_e[rev] = offset;
2651 msec_end[rev] = tvb_get_ntohl(tvb, offset);
2652 ts_end[rev].secs = msec_end[rev] / 1000;
2653 ts_end[rev].nsecs = (msec_end[rev] % 1000) * 1000000;
2654 goto timestamp_common;
2655 break;
2656 case 22: /* first switched */
2657 offset_s[rev] = offset;
2658 msec_start[rev] = tvb_get_ntohl(tvb, offset);
2659 ts_start[rev].secs = msec_start[rev] / 1000;
2660 ts_start[rev].nsecs = (msec_start[rev] % 1000) * 1000000;
2661 goto timestamp_common;
2662 break;
2663
2664 case 150: /* flowStartSeconds */
2665 offset_s[rev] = offset;
2666 ts_start[rev].secs = tvb_get_ntohl(tvb, offset);
2667 ts_start[rev].nsecs = 0;
2668 goto timestamp_common;
2669 break;
2670
2671 case 151: /* flowEndSeconds */
2672 offset_e[rev] = offset;
2673 ts_end[rev].secs = tvb_get_ntohl(tvb, offset);
2674 ts_end[rev].nsecs = 0;
2675 goto timestamp_common;
2676 break;
2677
2678 case 152: /* flowStartMilliseconds: 64-bit integer */
2679 offset_s[rev] = offset;
2680 ts_start[rev].secs = (time_t)(tvb_get_ntoh64(tvb, offset)/1000);
2681 ts_start[rev].nsecs = (int)(tvb_get_ntoh64(tvb, offset)%1000) * 1000000;
2682 goto timestamp_common;
2683 break;
2684
2685 case 153: /* flowEndMilliseconds; 64-bit integer */
2686 offset_e[rev] = offset;
2687 ts_end[rev].secs = (time_t)(tvb_get_ntoh64(tvb, offset)/1000);
2688 ts_end[rev].nsecs = (int)(tvb_get_ntoh64(tvb, offset)%1000) * 1000000;
2689 goto timestamp_common;
2690 break;
2691
2692 case 154: /* flowStartMicroseconds: 64-bit NTP format */
2693 offset_s[rev] = offset;
2694 ntp_to_nstime(tvb, offset, &ts_start[rev]);
2695 goto timestamp_common;
2696 break;
2697
2698 case 155: /* flowEndMicroseconds: 64-bit NTP format */
2699 /* XXX: Not tested ... */
2700 offset_e[rev] = offset;
2701 ntp_to_nstime(tvb, offset, &ts_end[rev]);
2702 goto timestamp_common;
2703 break;
2704
2705 case 156: /* flowStartNanoseconds: 64-bit NTP format */
2706 /* XXX: Not tested ... */
2707 offset_s[rev] = offset;
2708 ntp_to_nstime(tvb, offset, &ts_start[rev]);
2709 goto timestamp_common;
2710 break;
2711
2712 case 157: /* flowEndNanoseconds: 64-bit NTP format */
2713 /* XXX: Not tested ... */
2714 offset_e[rev] = offset;
2715 ntp_to_nstime(tvb, offset, &ts_end[rev]);
2716 goto timestamp_common;
2717 break;
2718
2719 case 158: /* flowStartDeltaMicroseconds: 32-bit integer; negative time offset */
2720 /* relative to the export time specified in the IPFIX Message Header */
2721 /* XXX: Not tested ... */
2722 offset_s[rev] = offset;
2723 usec = tvb_get_ntohl(tvb, offset);
2724 ts_start[rev].secs = (time_t)(((guint64)(hdrinfo_p->export_time_secs)*1000000 - usec) / 1000000);
2725 ts_start[rev].nsecs = (int)(((guint64)(hdrinfo_p->export_time_secs)*1000000 - usec) % 1000000) * 1000;
2726 goto timestamp_common;
2727 break;
2728
2729 case 159: /* flowEndDeltaMicroseconds: 32-bit integer; negative time offset */
2730 /* relative to the export time specified in the IPFIX Message Header */
2731 /* XXX: Not tested ... */
2732 offset_e[rev] = offset;
2733 usec = tvb_get_ntohl(tvb, offset);
2734 ts_end[rev].secs = (time_t)(((guint64)(hdrinfo_p->export_time_secs)*1000000 - usec) / 1000000);
2735 ts_end[rev].nsecs = (int)(((guint64)(hdrinfo_p->export_time_secs)*1000000 - usec) % 1000000) * 1000;
2736
2737 /* This code executed for all timestamp fields above */
2738 /* !! Assumption: Only 1 set of time fields in a flow */
2739 timestamp_common:
2740 if(offset_s[rev] && offset_e[rev]) {
2741 proto_tree *timetree;
2742 proto_item *timeitem;
2743
2744 nstime_delta(&ts_delta, &ts_end[rev], &ts_start[rev]);
2745 timeitem =
2746 proto_tree_add_time(pdutree, hf_cflow_timedelta, tvb,
2747 offset_s[rev], 0, &ts_delta);
2748 PROTO_ITEM_SET_GENERATED(timeitem);
2749 timetree = proto_item_add_subtree(timeitem, ett_flowtime);
2750 /* Note: length of "start" is assumed to match that of "end" */
2751 if (msec_start[rev]) {
2752 proto_tree_add_time(timetree, hf_cflow_timestart, tvb,
2753 offset_s[rev], length, &ts_start[rev]);
2754 } else {
2755 proto_tree_add_time(timetree, hf_cflow_abstimestart, tvb,
2756 offset_s[rev], length, &ts_start[rev]);
2757 }
2758 if (msec_end[rev]) {
2759 proto_tree_add_time(timetree, hf_cflow_timeend, tvb,
2760 offset_e[rev], length, &ts_end[rev]);
2761 } else {
2762 proto_tree_add_time(timetree, hf_cflow_abstimeend, tvb,
2763 offset_e[rev], length, &ts_end[rev]);
2764 }
2765 }
2766 break;
2767
2768 case 23: /* postOctetDeltaCount */
2769 if (length == 4) {
2770 ti = proto_tree_add_item(pdutree, hf_cflow_post_octets,
2771 tvb, offset, length, ENC_BIG_ENDIAN);
2772 } else if (length == 8) {
2773 ti = proto_tree_add_item(pdutree, hf_cflow_post_octets64,
2774 tvb, offset, length, ENC_BIG_ENDIAN);
2775 } else {
2776 ti = proto_tree_add_text(pdutree,
2777 tvb, offset, length,
2778 "Post Octets: length %u", length);
2779 }
2780 break;
2781
2782 case 24: /* postPacketDeltaCount */
2783 if (length == 4) {
2784 ti = proto_tree_add_item(pdutree, hf_cflow_post_packets,
2785 tvb, offset, length, ENC_BIG_ENDIAN);
2786 } else if (length == 8) {
2787 ti = proto_tree_add_item(pdutree, hf_cflow_post_packets64,
2788 tvb, offset, length, ENC_BIG_ENDIAN);
2789 } else {
2790 ti = proto_tree_add_text(pdutree,
2791 tvb, offset, length,
2792 "Post Packets: length %u", length);
2793 }
2794 break;
2795
2796 case 25: /* length_min */
2797 if (length == 2) {
2798 ti = proto_tree_add_item(pdutree, hf_cflow_length_min,
2799 tvb, offset, length, ENC_BIG_ENDIAN);
2800 } else if (length == 8) {
2801 ti = proto_tree_add_item(pdutree, hf_cflow_length_min64,
2802 tvb, offset, length, ENC_BIG_ENDIAN);
2803 } else {
2804 ti = proto_tree_add_text(pdutree,
2805 tvb, offset, length,
2806 "MinLength: length %u", length);
2807 }
2808 break;
2809
2810 case 26: /* length_max */
2811 if (length == 2) {
2812 ti = proto_tree_add_item(pdutree, hf_cflow_length_max,
2813 tvb, offset, length, ENC_BIG_ENDIAN);
2814 } else if (length == 8) {
2815 ti = proto_tree_add_item(pdutree, hf_cflow_length_max64,
2816 tvb, offset, length, ENC_BIG_ENDIAN);
2817 } else {
2818 ti = proto_tree_add_text(pdutree,
2819 tvb, offset, length,
2820 "MaxLength: length %u", length);
2821 }
2822 break;
2823
2824 case 27: /* IPv6 src addr */
2825 ti = proto_tree_add_item(pdutree, hf_cflow_srcaddr_v6,
2826 tvb, offset, length, ENC_NA);
2827 break;
2828
2829 case 28: /* IPv6 dst addr */
2830 ti = proto_tree_add_item(pdutree, hf_cflow_dstaddr_v6,
2831 tvb, offset, length, ENC_NA);
2832 break;
2833
2834 case 29: /* IPv6 src addr mask */
2835 ti = proto_tree_add_item(pdutree, hf_cflow_srcmask_v6,
2836 tvb, offset, length, ENC_NA);
2837 break;
2838
2839 case 30: /* IPv6 dst addr mask */
2840 ti = proto_tree_add_item(pdutree, hf_cflow_dstmask_v6,
2841 tvb, offset, length, ENC_NA);
2842 break;
2843
2844 case 31: /* flowLabelIPv6 */
2845 /* RFC5102 defines that Abstract Data Type of this
2846 Information Element is unsigned32 */
2847 if (length == 4) {
2848 ti = proto_tree_add_item(pdutree, hf_cflow_ipv6_flowlabel,
2849 tvb, offset, length, ENC_BIG_ENDIAN);
2850 }
2851 /* RFC3954 defines that length of this field is 3
2852 Bytes */
2853 else if (length == 3) {
2854 ti = proto_tree_add_item(pdutree, hf_cflow_ipv6_flowlabel24,
2855 tvb, offset, length, ENC_BIG_ENDIAN);
2856 }
2857 break;
2858
2859 case 32: /* ICMP_TYPE */
2860 ti = proto_tree_add_item(pdutree, hf_cflow_icmp_type,
2861 tvb, offset, length, ENC_NA);
2862 break;
2863
2864 case 33: /* IGMP_TYPE */
2865 ti = proto_tree_add_item(pdutree, hf_cflow_igmp_type,
2866 tvb, offset, length, ENC_NA);
2867 break;
2868
2869 case 34: /* sampling interval */
2870 ti = proto_tree_add_item(pdutree, hf_cflow_sampling_interval,
2871 tvb, offset, length, ENC_BIG_ENDIAN);
2872 break;
2873
2874 case 35: /* sampling algorithm */
2875 ti = proto_tree_add_item(pdutree, hf_cflow_sampling_algorithm,
2876 tvb, offset, length, ENC_NA);
2877 break;
2878
2879 case 36: /* flow active timeout */
2880 ti = proto_tree_add_item(pdutree, hf_cflow_flow_active_timeout,
2881 tvb, offset, length, ENC_BIG_ENDIAN);
2882 break;
2883
2884 case 37: /* flow inactive timeout */
2885 ti = proto_tree_add_item(pdutree, hf_cflow_flow_inactive_timeout,
2886 tvb, offset, length, ENC_BIG_ENDIAN);
2887 break;
2888
2889 case 38: /* engine type */
2890 ti = proto_tree_add_item(pdutree, hf_cflow_engine_type,
2891 tvb, offset, length, ENC_NA);
2892 break;
2893
2894 case 39: /* engine id*/
2895 ti = proto_tree_add_item(pdutree, hf_cflow_engine_id,
2896 tvb, offset, length, ENC_NA);
2897 break;
2898
2899 case 40: /* bytes exported */
2900 if( length == 8 ) {
2901 ti = proto_tree_add_item(pdutree, hf_cflow_octets_exp64,
2902 tvb, offset, length, ENC_BIG_ENDIAN);
2903 } else if( length == 4 ) {
2904 ti = proto_tree_add_item(pdutree, hf_cflow_octets_exp,
2905 tvb, offset, length, ENC_BIG_ENDIAN);
2906 } else {
2907 ti = proto_tree_add_text(pdutree, tvb, offset, length,
2908 "BytesExported: length %u", length);
2909 }
2910 break;
2911
2912 case 41: /* packets exported */
2913 if( length == 8 ) {
2914 ti = proto_tree_add_item(pdutree, hf_cflow_packets_exp64,
2915 tvb, offset, length, ENC_BIG_ENDIAN);
2916 } else if( length == 4 ) {
2917 ti = proto_tree_add_item(pdutree, hf_cflow_packets_exp,
2918 tvb, offset, length, ENC_BIG_ENDIAN);
2919 } else {
2920 ti = proto_tree_add_text(pdutree, tvb, offset, length,
2921 "PacketsExported: length %u", length);
2922 }
2923 break;
2924
2925 case 42: /* flows exported */
2926 if( length == 8 ) {
2927 ti = proto_tree_add_item(pdutree, hf_cflow_flows_exp64,
2928 tvb, offset, length, ENC_BIG_ENDIAN);
2929 } else if( length == 4 ) {
2930 ti = proto_tree_add_item(pdutree, hf_cflow_flows_exp,
2931 tvb, offset, length, ENC_BIG_ENDIAN);
2932 } else {
2933 ti = proto_tree_add_text(pdutree, tvb, offset, length,
2934 "FlowsExported: length %u", length);
2935 }
2936 break;
2937
2938 case 44: /* IP source prefix */
2939 if (length == 4) {
2940 ti = proto_tree_add_item(pdutree, hf_cflow_srcprefix,
2941 tvb, offset, length, ENC_NA);
2942 } else {
2943 ti = proto_tree_add_text(pdutree, tvb, offset, length,
2944 "SrcPrefix: length %u", length);
2945 }
2946 break;
2947
2948 case 45: /* IP destination prefix */
2949 if (length == 4) {
2950 ti = proto_tree_add_item(pdutree, hf_cflow_dstprefix,
2951 tvb, offset, length, ENC_NA);
2952 } else {
2953 ti = proto_tree_add_text(pdutree, tvb, offset, length,
2954 "DstPrefix: length %u", length);
2955 }
2956 break;
2957
2958 case 46: /* top MPLS label type*/
2959 ti = proto_tree_add_item(pdutree, hf_cflow_mpls_top_label_type,
2960 tvb, offset, length, ENC_NA);
2961 break;
2962
2963 case 47: /* top MPLS label PE address*/
2964 ti = proto_tree_add_item(pdutree, hf_cflow_mpls_pe_addr,
2965 tvb, offset, length, ENC_NA);
2966 break;
2967
2968 case 48: /* Flow Sampler ID */
2969 #if 0
2970 /* XXX: Why was code originally add_text for just this one case ? */
2971 ti = proto_tree_add_text(pdutree, tvb, offset, length,
2972 "FlowSamplerID: %d", tvb_get_guint8(tvb, offset));
2973 #endif
2974 ti = proto_tree_add_item(pdutree, hf_cflow_sampler_id,
2975 tvb, offset, length, ENC_NA);
2976 break;
2977
2978 case 49: /* FLOW_SAMPLER_MODE */
2979 ti = proto_tree_add_item(pdutree, hf_cflow_sampler_mode,
2980 tvb, offset, length, ENC_NA);
2981 break;
2982
2983 case 50: /* FLOW_SAMPLER_RANDOM_INTERVAL */
2984 ti = proto_tree_add_item(pdutree, hf_cflow_sampler_random_interval,
2985 tvb, offset, length, ENC_BIG_ENDIAN);
2986 break;
2987
2988 case 51: /* FLOW_CLASS */
2989 ti = proto_tree_add_item(pdutree, hf_cflow_flow_class,
2990 tvb, offset, length, ENC_NA);
2991 break;
2992
2993 case 52: /* TTL_MINIMUM */
2994 ti = proto_tree_add_item(pdutree, hf_cflow_ttl_minimum,
2995 tvb, offset, length, ENC_NA);
2996 break;
2997
2998 case 53: /* TTL_MAXIMUM */
2999 ti = proto_tree_add_item(pdutree, hf_cflow_ttl_maximum,
3000 tvb, offset, length, ENC_NA);
3001 break;
3002
3003 case 54: /* IPV4_ID */
3004 ti = proto_tree_add_item(pdutree, hf_cflow_ipv4_id,
3005 tvb, offset, length, ENC_BIG_ENDIAN);
3006 break;
3007
3008 case 55: /* postIpClassOfService */
3009 ti = proto_tree_add_item(pdutree, hf_cflow_post_tos,
3010 tvb, offset, length, ENC_NA);
3011 break;
3012
3013 case 56: /* sourceMacAddress */
3014 ti = proto_tree_add_item(pdutree, hf_cflow_srcmac,
3015 tvb, offset, length, ENC_NA);
3016 break;
3017
3018 case 57: /* postDestinationMacAddress */
3019 ti = proto_tree_add_item(pdutree, hf_cflow_post_dstmac,
3020 tvb, offset, length, ENC_NA);
3021 break;
3022
3023 case 58: /* vlanId */
3024 ti = proto_tree_add_item(pdutree, hf_cflow_vlanid,
3025 tvb, offset, length, ENC_BIG_ENDIAN);
3026 break;
3027
3028 case 59: /* postVlanId */
3029 ti = proto_tree_add_item(pdutree, hf_cflow_post_vlanid,
3030 tvb, offset, length, ENC_NA);
3031 break;
3032
3033 case 60: /* IP_VERSION */
3034 ti = proto_tree_add_item(pdutree, hf_cflow_ip_version,
3035 tvb, offset, length, ENC_NA);
3036 break;
3037
3038 case 61: /* DIRECTION */
3039 ti = proto_tree_add_item(pdutree, hf_cflow_direction,
3040 tvb, offset, length, ENC_NA);
3041 break;
3042
3043 case 62: /* IPV6_NEXT_HOP */
3044 if (length == 16) {
3045 ti = proto_tree_add_item(pdutree, hf_cflow_nexthop_v6,
3046 tvb, offset, length, ENC_NA);
3047 } else {
3048 ti = proto_tree_add_text(pdutree,
3049 tvb, offset, length,
3050 "NextHop: length %u", length);
3051 }
3052 break;
3053
3054 case 63: /* BGP_IPV6_NEXT_HOP */
3055 if (length == 16) {
3056 ti = proto_tree_add_item(pdutree, hf_cflow_bgpnexthop_v6,
3057 tvb, offset, length, ENC_NA);
3058 } else {
3059 ti = proto_tree_add_text(pdutree,
3060 tvb, offset, length,
3061 "BGPNextHop: length %u", length);
3062 }
3063 break;
3064
3065 case 64: /* ipv6ExtensionHeaders */
3066 ti = proto_tree_add_item(pdutree, hf_cflow_ipv6_exthdr,
3067 tvb, offset, length, ENC_BIG_ENDIAN);
3068 break;
3069
3070 case 70: /* MPLS label1*/
3071 ti = proto_tree_add_mpls_label(pdutree, tvb, offset, length, 1);
3072 break;
3073
3074 case 71: /* MPLS label2*/
3075 ti = proto_tree_add_mpls_label(pdutree, tvb, offset, length, 2);
3076 break;
3077
3078 case 72: /* MPLS label3*/
3079 ti = proto_tree_add_mpls_label(pdutree, tvb, offset, length, 3);
3080 break;
3081
3082 case 73: /* MPLS label4*/
3083 ti = proto_tree_add_mpls_label(pdutree, tvb, offset, length, 4);
3084 break;
3085
3086 case 74: /* MPLS label5*/
3087 ti = proto_tree_add_mpls_label(pdutree, tvb, offset, length, 5);
3088 break;
3089
3090 case 75: /* MPLS label6*/
3091 ti = proto_tree_add_mpls_label(pdutree, tvb, offset, length, 6);
3092 break;
3093
3094 case 76: /* MPLS label7*/
3095 ti = proto_tree_add_mpls_label(pdutree, tvb, offset, length, 7);
3096 break;
3097
3098 case 77: /* MPLS label8*/
3099 ti = proto_tree_add_mpls_label(pdutree, tvb, offset, length, 8);
3100 break;
3101
3102 case 78: /* MPLS label9*/
3103 ti = proto_tree_add_mpls_label(pdutree, tvb, offset, length, 9);
3104 break;
3105
3106 case 79: /* MPLS label10*/
3107 ti = proto_tree_add_mpls_label(pdutree, tvb, offset, length, 10);
3108 break;
3109
3110 case 80: /* destinationMacAddress */
3111 ti = proto_tree_add_item(pdutree, hf_cflow_dstmac,
3112 tvb, offset, length, ENC_NA);
3113 break;
3114
3115 case 81: /* postSourceMacAddress */
3116 ti = proto_tree_add_item(pdutree, hf_cflow_post_srcmac,
3117 tvb, offset, length, ENC_NA);
3118 break;
3119
3120 case 82: /* IF_NAME */
3121 ti = proto_tree_add_item(pdutree, hf_cflow_if_name,
3122 tvb, offset, length, ENC_ASCII|ENC_NA);
3123 break;
3124
3125 case 83: /* IF_DESCR */
3126 ti = proto_tree_add_item(pdutree, hf_cflow_if_descr,
3127 tvb, offset, length, ENC_ASCII|ENC_NA);
3128 break;
3129
3130 case 84: /* SAMPLER_NAME */
3131 ti = proto_tree_add_item(pdutree, hf_cflow_sampler_name,
3132 tvb, offset, length, ENC_ASCII|ENC_NA);
3133 break;
3134
3135 case 85: /* BYTES_PERMANENT */
3136 if (length == 4) {
3137 ti = proto_tree_add_item(pdutree, hf_cflow_permanent_octets,
3138 tvb, offset, length, ENC_BIG_ENDIAN);
3139 } else if (length == 8) {
3140 ti = proto_tree_add_item(pdutree, hf_cflow_permanent_octets64,
3141 tvb, offset, length, ENC_BIG_ENDIAN);
3142 } else {
3143 ti = proto_tree_add_text(pdutree,
3144 tvb, offset, length,
3145 "Running Octets: length %u", length);
3146 }
3147 break;
3148
3149 case 86: /* PACKETS_PERMANENT */
3150 if (length == 4) {
3151 ti = proto_tree_add_item(pdutree, hf_cflow_permanent_packets,
3152 tvb, offset, length, ENC_BIG_ENDIAN);
3153 } else if (length == 8) {
3154 ti = proto_tree_add_item(pdutree, hf_cflow_permanent_packets64,
3155 tvb, offset, length, ENC_BIG_ENDIAN);
3156 } else {
3157 ti = proto_tree_add_text(pdutree,
3158 tvb, offset, length,
3159 "Running Packets: length %u", length);
3160 }
3161 break;
3162
3163 case 88: /* fragmentOffset */
3164 ti = proto_tree_add_item(pdutree, hf_cflow_fragment_offset,
3165 tvb, offset, length, ENC_BIG_ENDIAN);
3166 break;
3167
3168 case 89: {
3169 /* FORWARDING_STATUS */
3170 /* Forwarding status is encoded on 1 byte with
3171 * the 2 left bits giving the status and the 6
3172 * remaining bits giving the reason code. */
3173
3174 guint8 forwarding_status;
3175 const value_string *x_vs;
3176 int x_hf;
3177
3178 ti = proto_tree_add_text(pdutree, tvb, offset, length, "Forwarding Status");
3179 fwdstattree = proto_item_add_subtree(ti, ett_fwdstat);
3180
3181 forwarding_status = tvb_get_guint8(tvb, offset)>>6;
3182 switch(forwarding_status) {
3183 default:
3184 case FORWARDING_STATUS_UNKNOWN:
3185 x_vs = v9_forwarding_status_unknown_code;
3186 x_hf = hf_cflow_forwarding_status_unknown_code;
3187 break;
3188 case FORWARDING_STATUS_FORWARD:
3189 x_vs = v9_forwarding_status_forward_code;
3190 x_hf = hf_cflow_forwarding_status_forward_code;
3191 break;
3192 case FORWARDING_STATUS_DROP:
3193 x_vs = v9_forwarding_status_drop_code;
3194 x_hf = hf_cflow_forwarding_status_drop_code;
3195 break;
3196 case FORWARDING_STATUS_CONSUME:
3197 x_vs = v9_forwarding_status_consume_code;
3198 x_hf = hf_cflow_forwarding_status_consume_code;
3199 break;
3200 }
3201
3202 proto_tree_add_item(fwdstattree, hf_cflow_forwarding_status,
3203 tvb, offset, length, ENC_NA);
3204
3205 proto_tree_add_item(fwdstattree, x_hf,
3206 tvb, offset, length, ENC_NA);
3207
3208 /* add status code to tree summary */
3209 if (length==1) {
3210 proto_item_append_text(ti, ": %s", val_to_str_const(forwarding_status,
3211 v9_forwarding_status, "(Unknown)"));
3212 proto_item_append_text(ti, ": %s", val_to_str_const((tvb_get_guint8(tvb, offset)&0x3F),
3213 x_vs, "(Unknown)"));
3214 };
3215 }
3216 break;
3217
3218 case 90: /* mplsVpnRouteDistinguisher */
3219 ti = proto_tree_add_item(pdutree, hf_cflow_mpls_vpn_rd,
3220 tvb, offset, length, ENC_NA);
3221 break;
3222
3223 case 91: /* mplsTopLabelPrefixLength */
3224 ti = proto_tree_add_item(pdutree, hf_cflow_mpls_top_label_prefix_length,
3225 tvb, offset, length, ENC_NA);
3226 break;
3227
3228 case 94: /* NBAR applicationDesc */
3229 ti = proto_tree_add_item(pdutree, hf_cflow_nbar_appl_desc,
3230 tvb, offset, length, ENC_ASCII|ENC_NA);
3231 break;
3232
3233 case 95: /* NBAR applicationId */
3234 ti = proto_tree_add_item(pdutree, hf_cflow_nbar_appl_id,
3235 tvb, offset, length, ENC_BIG_ENDIAN);
3236 break;
3237
3238 case 96: /* NBAR applicationName */
3239 ti = proto_tree_add_item(pdutree, hf_cflow_nbar_appl_name,
3240 tvb, offset, length, ENC_ASCII|ENC_NA);
3241 break;
3242
3243 case 98: /* postIpDiffServCodePoint */
3244 ti = proto_tree_add_item(pdutree, hf_cflow_post_ip_diff_serv_code_point,
3245 tvb, offset, length, ENC_NA);
3246 break;
3247
3248 case 99: /* multicastReplicationFactor */
3249 ti = proto_tree_add_item(pdutree, hf_cflow_multicast_replication_factor,
3250 tvb, offset, length, ENC_NA);
3251 break;
3252
3253 case 128: /* dest AS Peer */
3254 ti = proto_tree_add_item(pdutree, hf_cflow_peer_dstas,
3255 tvb, offset, length, ENC_BIG_ENDIAN);
3256 break;
3257
3258 case 129: /* source AS Peer*/
3259 ti = proto_tree_add_item(pdutree, hf_cflow_peer_srcas,
3260 tvb, offset, length, ENC_BIG_ENDIAN);
3261 break;
3262
3263 case 130: /* exporterIPv4Address */
3264 ti = proto_tree_add_item(pdutree, hf_cflow_exporter_addr,
3265 tvb, offset, length, ENC_NA);
3266 break;
3267
3268 case 131: /* exporterIPv6Address */
3269 ti = proto_tree_add_item(pdutree,
3270 hf_cflow_exporter_addr_v6,
3271 tvb, offset, length, ENC_NA);
3272 break;
3273
3274 case 132: /* droppedOctetDeltaCount */
3275 if (length == 4) {
3276 ti = proto_tree_add_item(pdutree, hf_cflow_drop_octets,
3277 tvb, offset, length, ENC_BIG_ENDIAN);
3278 } else if (length == 8) {
3279 ti = proto_tree_add_item(pdutree, hf_cflow_drop_octets64,
3280 tvb, offset, length, ENC_BIG_ENDIAN);
3281 } else {
3282 ti = proto_tree_add_text(pdutree, tvb, offset, length,
3283 "Dropped Octets: length %u",
3284 length);
3285 }
3286 break;
3287
3288 case 133: /* droppedPacketDeltaCount */
3289 if (length == 4) {
3290 ti = proto_tree_add_item(pdutree, hf_cflow_drop_packets,
3291 tvb, offset, length, ENC_BIG_ENDIAN);
3292 } else if (length == 8) {
3293 ti = proto_tree_add_item(pdutree, hf_cflow_drop_packets64,
3294 tvb, offset, length, ENC_BIG_ENDIAN);
3295 } else {
3296 ti = proto_tree_add_text(pdutree, tvb, offset, length,
3297 "Dropped Packets: length %u",
3298 length);
3299 }
3300 break;
3301
3302 case 134: /* droppedOctetTotalCount */
3303 if (length == 4) {
3304 ti = proto_tree_add_item(pdutree, hf_cflow_drop_total_octets,
3305 tvb, offset, length, ENC_BIG_ENDIAN);
3306 } else if (length == 8) {
3307 ti = proto_tree_add_item(pdutree, hf_cflow_drop_total_octets64,
3308 tvb, offset, length, ENC_BIG_ENDIAN);
3309 } else {
3310 ti = proto_tree_add_text(pdutree, tvb, offset, length,
3311 "Dropped Total Octets: length %u", length);
3312 }
3313 break;
3314
3315 case 135: /* droppedPacketTotalCount */
3316 if (length == 4) {
3317 ti = proto_tree_add_item(pdutree, hf_cflow_drop_total_packets,
3318 tvb, offset, length, ENC_BIG_ENDIAN);
3319 } else if (length == 8) {
3320 ti = proto_tree_add_item(pdutree, hf_cflow_drop_total_packets64,
3321 tvb, offset, length, ENC_BIG_ENDIAN);
3322 } else {
3323 ti = proto_tree_add_text(pdutree, tvb, offset, length,
3324 "Dropped Total Packets: length %u", length);
3325 }
3326 break;
3327
3328 case 136: /* flowEndReason */
3329 ti = proto_tree_add_item(pdutree, hf_cflow_flow_end_reason,
3330 tvb, offset, length, ENC_NA);
3331 break;
3332
3333 case 137: /* commonPropertiesId */
3334 ti = proto_tree_add_item(pdutree, hf_cflow_common_properties_id,
3335 tvb, offset, length, ENC_BIG_ENDIAN);
3336 break;
3337
3338 case 138: /* observationPointId */
3339 ti = proto_tree_add_item(pdutree, hf_cflow_observation_point_id,
3340 tvb, offset, length, ENC_BIG_ENDIAN);
3341 break;
3342
3343 case 139: /* icmpTypeCodeIPv6 */
3344 proto_tree_add_item(pdutree, hf_cflow_icmp_ipv6_type,
3345 tvb, offset, 1, ENC_NA);
3346 ti = proto_tree_add_item(pdutree, hf_cflow_icmp_ipv6_code,
3347 tvb, offset + 1, 1, ENC_NA);
3348 break;
3349
3350 case 140: /* mplsTopLabelIPv6Address */
3351 if (length == 16) {
3352 ti = proto_tree_add_item(pdutree,
3353 hf_cflow_mpls_pe_addr_v6,
3354 tvb, offset, length, ENC_NA);
3355 } else {
3356 ti = proto_tree_add_text(pdutree, tvb, offset, length,
3357 "mplsTopLabelIPv6Addr: length %u",
3358 length);
3359 }
3360 break;
3361
3362 case 141: /* lineCardId */
3363 ti = proto_tree_add_item(pdutree, hf_cflow_scope_linecard,
3364 tvb, offset, length, ENC_NA);
3365 break;
3366
3367 case 142: /* portId */
3368 ti = proto_tree_add_item(pdutree, hf_cflow_port_id,
3369 tvb, offset, length, ENC_BIG_ENDIAN);
3370 break;
3371
3372 case 143: /* meteringProcessId */
3373 ti = proto_tree_add_item(pdutree, hf_cflow_mp_id,
3374 tvb, offset, length, ENC_BIG_ENDIAN);
3375 break;
3376
3377 case 144: /* FLOW EXPORTER */
3378 ti = proto_tree_add_item(pdutree, hf_cflow_flow_exporter,
3379 tvb, offset, length, ENC_NA);
3380 break;
3381
3382 case 145: /* templateId */
3383 ti = proto_tree_add_item(pdutree, hf_cflow_template_id,
3384 tvb, offset, length, ENC_BIG_ENDIAN);
3385 break;
3386
3387 case 146: /* wlanChannelId */
3388 ti = proto_tree_add_item(pdutree, hf_cflow_wlan_channel_id,
3389 tvb, offset, length, ENC_NA);
3390 break;
3391
3392 case 147: /* wlanSSID */
3393 ti = proto_tree_add_item(pdutree, hf_cflow_wlan_ssid,
3394 tvb, offset, length, ENC_ASCII|ENC_NA);
3395 break;
3396
3397 case 148: /* flowId */
3398 ti = proto_tree_add_item(pdutree, hf_cflow_flow_id,
3399 tvb, offset, length, ENC_BIG_ENDIAN);
3400 break;
3401
3402 case 149: /* observationDomainId */
3403 ti = proto_tree_add_item(pdutree, hf_cflow_od_id,
3404 tvb, offset, length, ENC_BIG_ENDIAN);
3405 break;
3406
3407 case 160: /* systemInitTimeMilliseconds */
3408 ts.secs = (time_t)(tvb_get_ntoh64(tvb, offset)/1000);
3409 ts.nsecs = (int)(tvb_get_ntoh64(tvb, offset)%1000) *1000000;
3410 ti = proto_tree_add_time(pdutree,
3411 hf_cflow_sys_init_time,
3412 tvb, offset, length, &ts);
3413 break;
3414
3415 case 161: /* flowDurationMilliseconds */
3416 msec_delta = tvb_get_ntohl(tvb, offset);
3417 ts_delta.secs = msec_delta / 1000;
3418 ts_delta.nsecs = (msec_delta % 1000) * 1000000;
3419 ti = proto_tree_add_time(pdutree, hf_cflow_timedelta, tvb,
3420 offset, length, &ts_delta);
3421 break;
3422
3423 case 162: /* flowDurationMicroseconds */
3424 msec_delta = tvb_get_ntohl(tvb, offset);
3425 ts_delta.secs = msec_delta / 1000000;
3426 ts_delta.nsecs = (msec_delta % 1000000) * 1000;
3427 ti = proto_tree_add_time(pdutree, hf_cflow_timedelta, tvb,
3428 offset, length, &ts_delta);
3429 break;
3430
3431 case 164: /* ignoredPacketTotalCount */
3432 if (length == 4) {
3433 ti = proto_tree_add_item(pdutree, hf_cflow_ignore_packets,
3434 tvb, offset, length, ENC_BIG_ENDIAN);
3435 } else if (length == 8) {
3436 ti = proto_tree_add_item(pdutree, hf_cflow_ignore_packets64,
3437 tvb, offset, length, ENC_BIG_ENDIAN);
3438 } else {
3439 ti = proto_tree_add_text(pdutree,
3440 tvb, offset, length,
3441 "Ignored Packets: length %u", length);
3442 }
3443 break;
3444
3445 case 165: /* ignoredOctetTotalCount */
3446 if (length == 4) {
3447 ti = proto_tree_add_item(pdutree, hf_cflow_ignore_octets,
3448 tvb, offset, length, ENC_BIG_ENDIAN);
3449 } else if (length == 8) {
3450 ti = proto_tree_add_item(pdutree, hf_cflow_ignore_octets64,
3451 tvb, offset, length, ENC_BIG_ENDIAN);
3452 } else {
3453 ti = proto_tree_add_text(pdutree,
3454 tvb, offset, length,
3455 "Ignored Octets: length %u", length);
3456 }
3457 break;
3458
3459 case 166: /* notSentFlowTotalCount */
3460 if (length == 4) {
3461 ti = proto_tree_add_item(pdutree, hf_cflow_notsent_flows,
3462 tvb, offset, length, ENC_BIG_ENDIAN);
3463 } else if (length == 8) {
3464 ti = proto_tree_add_item(pdutree, hf_cflow_notsent_flows64,
3465 tvb, offset, length, ENC_BIG_ENDIAN);
3466 } else {
3467 ti = proto_tree_add_text(pdutree,
3468 tvb, offset, length,
3469 "Not Sent Flows: length %u", length);
3470 }
3471 break;
3472
3473 case 167: /* notSentPacketTotalCount */
3474 if (length == 4) {
3475 ti = proto_tree_add_item(pdutree, hf_cflow_notsent_packets,
3476 tvb, offset, length, ENC_BIG_ENDIAN);
3477 } else if (length == 8) {
3478 ti = proto_tree_add_item(pdutree, hf_cflow_notsent_packets64,
3479 tvb, offset, length, ENC_BIG_ENDIAN);
3480 } else {
3481 ti = proto_tree_add_text(pdutree,
3482 tvb, offset, length,
3483 "Not Sent Packets: length %u", length);
3484 }
3485 break;
3486
3487 case 168: /* notSentOctetTotalCount */
3488 if (length == 4) {
3489 ti = proto_tree_add_item(pdutree, hf_cflow_notsent_octets,
3490 tvb, offset, length, ENC_BIG_ENDIAN);
3491 } else if (length == 8) {
3492 ti = proto_tree_add_item(pdutree, hf_cflow_notsent_octets64,
3493 tvb, offset, length, ENC_BIG_ENDIAN);
3494 } else {
3495 ti = proto_tree_add_text(pdutree,
3496 tvb, offset, length,
3497 "Not Sent Packets: length %u", length);
3498 }
3499 break;
3500
3501 case 169: /* destinationIPv6Prefix */
3502 if (length == 16) {
3503 ti = proto_tree_add_item(pdutree, hf_cflow_dstnet_v6,
3504 tvb, offset, length, ENC_NA);
3505 } else {
3506 ti = proto_tree_add_text(pdutree,
3507 tvb, offset, length,
3508 "DstPrefix: length %u", length);
3509 }
3510 break;
3511
3512 case 170: /* sourceIPv6Prefix */
3513 if (length == 16) {
3514 ti = proto_tree_add_item(pdutree, hf_cflow_srcnet_v6,
3515 tvb, offset, length, ENC_NA);
3516 } else if (length != 4 && length != 16) {
3517 ti = proto_tree_add_text(pdutree,
3518 tvb, offset, length,
3519 "SrcPrefix: length %u", length);
3520 }
3521 break;
3522
3523 case 171: /* postOctetTotalCount */
3524 if (length == 4) {
3525 ti = proto_tree_add_item(pdutree, hf_cflow_post_total_octets,
3526 tvb, offset, length, ENC_BIG_ENDIAN);
3527 } else if (length == 8) {
3528 ti = proto_tree_add_item(pdutree, hf_cflow_post_total_octets64,
3529 tvb, offset, length, ENC_BIG_ENDIAN);
3530 } else {
3531 ti = proto_tree_add_text(pdutree,
3532 tvb, offset, length,
3533 "Post Total Octets: length %u", length);
3534 }
3535 break;
3536
3537 case 172: /* postPacketTotalCount */
3538 if (length == 4) {
3539 ti = proto_tree_add_item(pdutree, hf_cflow_post_total_packets,
3540 tvb, offset, length, ENC_BIG_ENDIAN);
3541 } else if (length == 8) {
3542 ti = proto_tree_add_item(pdutree, hf_cflow_post_total_packets64,
3543 tvb, offset, length, ENC_BIG_ENDIAN);
3544 } else {
3545 ti = proto_tree_add_text(pdutree,
3546 tvb, offset, length,
3547 "Post Total Packets: length %u", length);
3548 }
3549 break;
3550
3551 case 173: /* flowKeyIndicator */
3552 ti = proto_tree_add_item(pdutree, hf_cflow_key,
3553 tvb, offset, length, ENC_NA);
3554 break;
3555
3556 case 174: /* postMCastPacketTotalCount */
3557 if (length == 4) {
3558 ti = proto_tree_add_item(pdutree, hf_cflow_post_total_mulpackets,
3559 tvb, offset, length, ENC_BIG_ENDIAN);
3560 } else if (length == 8) {
3561 ti = proto_tree_add_item(pdutree, hf_cflow_post_total_mulpackets64,
3562 tvb, offset, length, ENC_BIG_ENDIAN);
3563 } else {
3564 ti = proto_tree_add_text(pdutree,
3565 tvb, offset, length,
3566 "Post Total Multicast Packets: length %u", length);
3567 }
3568 break;
3569
3570 case 175: /* postMCastOctetTotalCount */
3571 if (length == 4) {
3572 ti = proto_tree_add_item(pdutree, hf_cflow_post_total_muloctets,
3573 tvb, offset, length, ENC_BIG_ENDIAN);
3574 } else if (length == 8) {
3575 ti = proto_tree_add_item(pdutree, hf_cflow_post_total_muloctets64,
3576 tvb, offset, length, ENC_BIG_ENDIAN);
3577 } else {
3578 ti = proto_tree_add_text(pdutree,
3579 tvb, offset, length,
3580 "Post Total Multicast Octets: length %u", length);
3581 }
3582 break;
3583
3584 case 176: /* ICMP_IPv4_TYPE */
3585 ti = proto_tree_add_item(pdutree, hf_cflow_icmp_ipv4_type,
3586 tvb, offset, length, ENC_NA);
3587 break;
3588
3589 case 177: /* ICMP_IPv4_CODE */
3590 ti = proto_tree_add_item(pdutree, hf_cflow_icmp_ipv4_code,
3591 tvb, offset, length, ENC_NA);
3592 break;
3593
3594 case 178: /* ICMP_IPv6_TYPE */
3595 ti = proto_tree_add_item(pdutree, hf_cflow_icmp_ipv6_type,
3596 tvb, offset, length, ENC_NA);
3597 break;
3598
3599 case 179: /* ICMP_IPv6_CODE */
3600 ti = proto_tree_add_item(pdutree, hf_cflow_icmp_ipv6_code,
3601 tvb, offset, length, ENC_NA);
3602 break;
3603
3604 case 184: /* tcpSequenceNumber */
3605 ti = proto_tree_add_item(pdutree, hf_cflow_tcp_seq_num,
3606 tvb, offset, length, ENC_BIG_ENDIAN);
3607 break;
3608
3609 case 185: /* tcpAcknowledgementNumber */
3610 ti = proto_tree_add_item(pdutree, hf_cflow_tcp_ack_num,
3611 tvb, offset, length, ENC_BIG_ENDIAN);
3612 break;
3613
3614 case 186: /* TCP_WINDOWS_SIZE */
3615 ti = proto_tree_add_item(pdutree, hf_cflow_tcp_window_size,
3616 tvb, offset, length, ENC_BIG_ENDIAN);
3617 break;
3618
3619 case 187: /* tcpUrgentPointer */
3620 ti = proto_tree_add_item(pdutree, hf_cflow_tcp_urg_ptr,
3621 tvb, offset, length, ENC_BIG_ENDIAN);
3622 break;
3623
3624 case 188: /* tcpHeaderLength */
3625 ti = proto_tree_add_item(pdutree, hf_cflow_tcp_header_length,
3626 tvb, offset, length, ENC_NA);
3627 break;
3628
3629 case 189: /* ipHeaderLength */
3630 ti = proto_tree_add_item(pdutree, hf_cflow_ip_header_length,
3631 tvb, offset, length, ENC_NA);
3632 break;
3633
3634 case 190: /* IPV4_TOTAL_LENGTH */
3635 ti = proto_tree_add_item(pdutree, hf_cflow_ipv4_total_length,
3636 tvb, offset, length, ENC_BIG_ENDIAN);
3637 break;
3638
3639 case 191: /* payloadLengthIPv6 */
3640 ti = proto_tree_add_item(pdutree, hf_cflow_ipv6_payload_length,
3641 tvb, offset, length, ENC_BIG_ENDIAN);
3642 break;
3643
3644 case 192: /* IP_TTL */
3645 ti = proto_tree_add_item(pdutree, hf_cflow_ip_ttl,
3646 tvb, offset, length, ENC_NA);
3647 break;
3648
3649 case 193: /* nextHeaderIPv6 */
3650 ti = proto_tree_add_item(pdutree, hf_cflow_ipv6_next_hdr,
3651 tvb, offset, length, ENC_NA);
3652 break;
3653
3654 case 194: /* IP_TOS */
3655 ti = proto_tree_add_item(pdutree, hf_cflow_ip_tos,
3656 tvb, offset, length, ENC_NA);
3657 break;
3658
3659 case 195: /* IP_DSCP */
3660 ti = proto_tree_add_item(pdutree, hf_cflow_ip_dscp,
3661 tvb, offset, length, ENC_NA);
3662 break;
3663
3664 case 196: /* ipPrecedence */
3665 ti = proto_tree_add_item(pdutree, hf_cflow_ip_precedence,
3666 tvb, offset, length, ENC_NA);
3667 break;
3668
3669 case 197: /* fragmentFlags */
3670 ti = proto_tree_add_item(pdutree, hf_cflow_ip_fragment_flags,
3671 tvb, offset, length, ENC_NA);
3672 break;
3673
3674 case 198: /* BYTES_SQUARED */
3675 case 199: /* BYTES_SQUARED_PERMANENT */
3676 if( length == 8 ) {
3677 ti = proto_tree_add_item(pdutree, hf_cflow_octets_squared64,
3678 tvb, offset, length, ENC_BIG_ENDIAN);
3679 } else {
3680 ti = proto_tree_add_text(pdutree, tvb, offset, length,
3681 "Bytes Squared: length %u", length);
3682 }
3683 break;
3684 case 200: /* mplsTopLabelTTL */
3685 ti = proto_tree_add_item(pdutree, hf_cflow_mpls_top_label_ttl,
3686 tvb, offset, length, ENC_NA);
3687 break;
3688
3689 case 201: /* mplsLabelStackLength */
3690 ti = proto_tree_add_item(pdutree, hf_cflow_mpls_label_length,
3691 tvb, offset, length, ENC_BIG_ENDIAN);
3692 break;
3693
3694 case 202: /* mplsLabelStackDepth */
3695 ti = proto_tree_add_item(pdutree, hf_cflow_mpls_label_depth,
3696 tvb, offset, length, ENC_BIG_ENDIAN);
3697 break;
3698
3699 case 203: /* mplsTopLabelExp */
3700 ti = proto_tree_add_item(pdutree, hf_cflow_mpls_top_label_exp,
3701 tvb, offset, length, ENC_NA);
3702 break;
3703
3704 case 204: /* ipPayloadLength */
3705 ti = proto_tree_add_item(pdutree, hf_cflow_ip_payload_length,
3706 tvb, offset, length, ENC_BIG_ENDIAN);
3707 break;
3708
3709 case 205: /* UDP_LENGTH */
3710 ti = proto_tree_add_item(pdutree, hf_cflow_udp_length,
3711 tvb, offset, length, ENC_BIG_ENDIAN);
3712 break;
3713
3714 case 206: /* IS_MULTICAST */
3715 ti = proto_tree_add_item(pdutree, hf_cflow_is_multicast,
3716 tvb, offset, length, ENC_NA);
3717 break;
3718
3719 case 207: /* IP_HEADER_WORDS */
3720 ti = proto_tree_add_item(pdutree, hf_cflow_ip_header_words,
3721 tvb, offset, length, ENC_NA);
3722 break;
3723
3724 case 208: /* OPTION_MAP */
3725 ti = proto_tree_add_item(pdutree, hf_cflow_option_map,
3726 tvb, offset, length, ENC_NA);
3727 break;
3728
3729 case 209: /* tcpOptions */
3730 ti = proto_tree_add_item(pdutree, hf_cflow_tcp_option_map,
3731 tvb, offset, length, ENC_NA);
3732 break;
3733
3734 case 210: /* paddingOctets */
3735 ti = proto_tree_add_text(pdutree, tvb, offset, length,
3736 "Padding (%u byte%s)",
3737 length, plurality(length, "", "s"));
3738 break;
3739
3740 case 211: /* collectorIPv4Address */
3741 ti = proto_tree_add_item(pdutree, hf_cflow_collector_addr,
3742 tvb, offset, length, ENC_NA);
3743 break;
3744
3745 case 212: /* collectorIPv6Address */
3746 ti = proto_tree_add_item(pdutree, hf_cflow_collector_addr_v6,
3747 tvb, offset, length, ENC_NA);
3748 break;
3749
3750 case 213: /* exportInterface */
3751 if (length == 4) {
3752 ti = proto_tree_add_item(pdutree, hf_cflow_export_interface,
3753 tvb, offset, length, ENC_BIG_ENDIAN);
3754 } else {
3755 ti = proto_tree_add_text(pdutree,
3756 tvb, offset, length,
3757 "exportInterface: invalid size %d", length );
3758 }
3759 break;
3760
3761 case 214: /* exportProtocolVersion */
3762 ti = proto_tree_add_item(pdutree, hf_cflow_export_protocol_version,
3763 tvb, offset, length, ENC_NA);
3764 break;
3765
3766 case 215: /* exportTransportProtocol */
3767 ti = proto_tree_add_item(pdutree, hf_cflow_export_prot,
3768 tvb, offset, length, ENC_NA);
3769 break;
3770
3771 case 216: /* collectorTransportPort */
3772 ti = proto_tree_add_item(pdutree, hf_cflow_collector_port,
3773 tvb, offset, length, ENC_BIG_ENDIAN);
3774 break;
3775
3776 case 217: /* exporterTransportPort */
3777 ti = proto_tree_add_item(pdutree, hf_cflow_exporter_port,
3778 tvb, offset, length, ENC_BIG_ENDIAN);
3779 break;
3780
3781 case 218: /* tcpSynTotalCount */
3782 ti = proto_tree_add_item(pdutree, hf_cflow_total_tcp_syn,
3783 tvb, offset, length, ENC_BIG_ENDIAN);
3784 break;
3785
3786 case 219: /* tcpFinTotalCount */
3787 ti = proto_tree_add_item(pdutree, hf_cflow_total_tcp_fin,
3788 tvb, offset, length, ENC_BIG_ENDIAN);
3789 break;
3790
3791 case 220: /* tcpRstTotalCount */
3792 ti = proto_tree_add_item(pdutree, hf_cflow_total_tcp_rst,
3793 tvb, offset, length, ENC_BIG_ENDIAN);
3794 break;
3795
3796 case 221: /* tcpPshTotalCount */
3797 ti = proto_tree_add_item(pdutree, hf_cflow_total_tcp_psh,
3798 tvb, offset, length, ENC_BIG_ENDIAN);
3799 break;
3800
3801 case 222: /* tcpAckTotalCount */
3802 ti = proto_tree_add_item(pdutree, hf_cflow_total_tcp_ack,
3803 tvb, offset, length, ENC_BIG_ENDIAN);
3804 break;
3805
3806 case 223: /* tcpUrgTotalCount */
3807 ti = proto_tree_add_item(pdutree, hf_cflow_total_tcp_urg,
3808 tvb, offset, length, ENC_BIG_ENDIAN);
3809 break;
3810
3811 case 224: /* IP_TOTAL_LENGTH */
3812 ti = proto_tree_add_item(pdutree, hf_cflow_ip_total_length,
3813 tvb, offset, length, ENC_BIG_ENDIAN);
3814 break;
3815
3816 case 225: /* postNATSourceIPv4Address */
3817 case 40001: /* NF_F_XLATE_SRC_ADDR_IPV4 (Cisco ASA 5500 Series) */
3818 ti = proto_tree_add_item(pdutree, hf_cflow_post_natsource_ipv4_address,
3819 tvb, offset, length, ENC_NA);
3820 break;
3821
3822 case 226: /* postNATDestinationIPv4Address */
3823 case 40002: /* NF_F_XLATE_DST_ADDR_IPV4 (Cisco ASA 5500 Series) */
3824 ti = proto_tree_add_item(pdutree, hf_cflow_post_natdestination_ipv4_address,
3825 tvb, offset, length, ENC_NA);
3826 break;
3827
3828 case 227: /* postNAPTSourceTransportPort */
3829 case 40003: /* NF_F_XLATE_SRC_PORT (Cisco ASA 5500 Series) */
3830 ti = proto_tree_add_item(pdutree, hf_cflow_post_naptsource_transport_port,
3831 tvb, offset, length, ENC_BIG_ENDIAN);
3832 break;
3833
3834 case 228: /* postNAPTDestinationTransportPort */
3835 case 40004: /* NF_F_XLATE_DST_PORT (Cisco ASA 5500 Series) */
3836 ti = proto_tree_add_item(pdutree, hf_cflow_post_naptdestination_transport_port,
3837 tvb, offset, length, ENC_BIG_ENDIAN);
3838 break;
3839
3840 case 229: /* natOriginatingAddressRealm */
3841 ti = proto_tree_add_item(pdutree, hf_cflow_nat_originating_address_realm,
3842 tvb, offset, length, ENC_NA);
3843 break;
3844
3845 case 230: /* natEvent */
3846 ti = proto_tree_add_item(pdutree, hf_cflow_nat_event,
3847 tvb, offset, length, ENC_NA);
3848 break;
3849
3850 case 231: /* initiatorOctets */
3851 ti = proto_tree_add_item(pdutree, hf_cflow_initiator_octets,
3852 tvb, offset, length, ENC_BIG_ENDIAN);
3853 break;
3854
3855 case 232: /* responderOctets */
3856 ti = proto_tree_add_item(pdutree, hf_cflow_responder_octets,
3857 tvb, offset, length, ENC_BIG_ENDIAN);
3858 break;
3859
3860 case 233: /* firewallEvent */
3861 case 40005: /* NF_F_FW_EVENT (Cisco ASA 5500 Series) */
3862 ti = proto_tree_add_item(pdutree, hf_cflow_firewall_event,
3863 tvb, offset, length, ENC_NA);
3864 break;
3865
3866 case 234: /* ingressVRFID */
3867 ti = proto_tree_add_item(pdutree, hf_cflow_ingress_vrfid,
3868 tvb, offset, length, ENC_BIG_ENDIAN);
3869 break;
3870
3871 case 235: /* egressVRFID */
3872 ti = proto_tree_add_item(pdutree, hf_cflow_egress_vrfid,
3873 tvb, offset, length, ENC_BIG_ENDIAN);
3874 break;
3875
3876 case 236: /* VRFname */
3877 ti = proto_tree_add_item(pdutree, hf_cflow_vrfname,
3878 tvb, offset, length, ENC_ASCII|ENC_NA);
3879 break;
3880
3881 case 237: /* postMplsTopLabelExp */
3882 ti = proto_tree_add_item(pdutree, hf_cflow_post_mpls_top_label_exp,
3883 tvb, offset, length, ENC_NA);
3884 break;
3885
3886 case 238: /* tcpWindowScale */
3887 ti = proto_tree_add_item(pdutree, hf_cflow_tcp_window_scale,
3888 tvb, offset, length, ENC_BIG_ENDIAN);
3889 break;
3890
3891 case 239: /* biflowDirection */
3892 ti = proto_tree_add_item(pdutree, hf_cflow_biflow_direction,
3893 tvb, offset, length, ENC_NA);
3894 break;
3895
3896 case 240: /* ethernetHeaderLength */
3897 ti = proto_tree_add_item(pdutree, hf_cflow_ethernet_header_length,
3898 tvb, offset, length, ENC_NA);
3899 break;
3900
3901 case 241: /* ethernetPayloadLength */
3902 ti = proto_tree_add_item(pdutree, hf_cflow_ethernet_payload_length,
3903 tvb, offset, length, ENC_BIG_ENDIAN);
3904 break;
3905
3906 case 242: /* ethernetTotalLength */
3907 ti = proto_tree_add_item(pdutree, hf_cflow_ethernet_total_length,
3908 tvb, offset, length, ENC_BIG_ENDIAN);
3909 break;
3910
3911 case 243: /* dot1qVlanId */
3912 ti = proto_tree_add_item(pdutree, hf_cflow_dot1q_vlan_id,
3913 tvb, offset, length, ENC_BIG_ENDIAN);
3914 break;
3915
3916 case 244: /* dot1qPriority */
3917 ti = proto_tree_add_item(pdutree, hf_cflow_dot1q_priority,
3918 tvb, offset, length, ENC_NA);
3919 break;
3920
3921 case 245: /* dot1qCustomerVlanId */
3922 ti = proto_tree_add_item(pdutree, hf_cflow_dot1q_customer_vlan_id,
3923 tvb, offset, length, ENC_BIG_ENDIAN);
3924 break;
3925
3926 case 246: /* dot1qCustomerPriority */
3927 ti = proto_tree_add_item(pdutree, hf_cflow_dot1q_customer_priority,
3928 tvb, offset, length, ENC_NA);
3929 break;
3930
3931 case 247: /* metroEvcId */
3932 ti = proto_tree_add_item(pdutree, hf_cflow_metro_evc_id,
3933 tvb, offset, length, ENC_ASCII|ENC_NA);
3934 break;
3935
3936 case 248: /* metroEvcType */
3937 ti = proto_tree_add_item(pdutree, hf_cflow_metro_evc_type,
3938 tvb, offset, length, ENC_NA);
3939 break;
3940
3941 case 249: /* pseudoWireId */
3942 ti = proto_tree_add_item(pdutree, hf_cflow_pseudo_wire_id,
3943 tvb, offset, length, ENC_BIG_ENDIAN);
3944 break;
3945
3946 case 250: /* pseudoWireType */
3947 ti = proto_tree_add_item(pdutree, hf_cflow_pseudo_wire_type,
3948 tvb, offset, length, ENC_BIG_ENDIAN);
3949 break;
3950
3951 case 251: /* pseudoWireControlWord */
3952 ti = proto_tree_add_item(pdutree, hf_cflow_pseudo_wire_control_word,
3953 tvb, offset, length, ENC_BIG_ENDIAN);
3954 break;
3955
3956 case 252: /* ingressPhysicalInterface */
3957 ti = proto_tree_add_item(pdutree, hf_cflow_ingress_physical_interface,
3958 tvb, offset, length, ENC_BIG_ENDIAN);
3959 break;
3960
3961 case 253: /* egressPhysicalInterface */
3962 ti = proto_tree_add_item(pdutree, hf_cflow_egress_physical_interface,
3963 tvb, offset, length, ENC_BIG_ENDIAN);
3964 break;
3965
3966 case 254: /* postDot1qVlanId */
3967 ti = proto_tree_add_item(pdutree, hf_cflow_post_dot1q_vlan_id,
3968 tvb, offset, length, ENC_BIG_ENDIAN);
3969 break;
3970
3971 case 255: /* postDot1qCustomerVlanId */
3972 ti = proto_tree_add_item(pdutree, hf_cflow_post_dot1q_customer_vlan_id,
3973 tvb, offset, length, ENC_BIG_ENDIAN);
3974 break;
3975
3976 case 256: /* ethernetType */
3977 ti = proto_tree_add_item(pdutree, hf_cflow_ethernet_type,
3978 tvb, offset, length, ENC_BIG_ENDIAN);
3979 break;
3980
3981 case 257: /* postIpPrecedence */
3982 ti = proto_tree_add_item(pdutree, hf_cflow_post_ip_precedence,
3983 tvb, offset, length, ENC_NA);
3984 break;
3985
3986 case 258: /* collectionTimeMilliseconds */
3987 ts.secs = (time_t)(tvb_get_ntoh64(tvb, offset)/1000);
3988 ts.nsecs = (int)(tvb_get_ntoh64(tvb, offset)%1000) *1000000;
3989 ti = proto_tree_add_time(pdutree,
3990 hf_cflow_collection_time_milliseconds,
3991 tvb, offset, length, &ts);
3992 break;
3993
3994 case 259: /* exportSctpStreamId */
3995 ti = proto_tree_add_item(pdutree, hf_cflow_export_sctp_stream_id,
3996 tvb, offset, length, ENC_BIG_ENDIAN);
3997 break;
3998
3999 case 260: /* maxExportSeconds */
4000 ts.secs = tvb_get_ntohl(tvb, offset);
4001 ts.nsecs = 0;
4002 ti = proto_tree_add_time(pdutree, hf_cflow_max_export_seconds,
4003 tvb, offset, length, &ts);
4004 break;
4005
4006 case 261: /* maxFlowEndSeconds */
4007 ts.secs = tvb_get_ntohl(tvb, offset);
4008 ts.nsecs = 0;
4009 ti = proto_tree_add_time(pdutree, hf_cflow_max_flow_end_seconds,
4010 tvb, offset, length, &ts);
4011 break;
4012
4013 case 262: /* messageMD5Checksum */
4014 ti = proto_tree_add_item(pdutree, hf_cflow_message_md5_checksum,
4015 tvb, offset, length, ENC_NA);
4016 break;
4017
4018 case 263: /* messageScope */
4019 ti = proto_tree_add_item(pdutree, hf_cflow_message_scope,
4020 tvb, offset, length, ENC_NA);
4021 break;
4022
4023 case 264: /* minExportSeconds */
4024 ts.secs = tvb_get_ntohl(tvb, offset);
4025 ts.nsecs = 0;
4026 ti = proto_tree_add_time(pdutree, hf_cflow_min_export_seconds,
4027 tvb, offset, length, &ts);
4028 break;
4029
4030 case 265: /* minFlowStartSeconds */
4031 ts.secs = tvb_get_ntohl(tvb, offset);
4032 ts.nsecs = 0;
4033 ti = proto_tree_add_time(pdutree, hf_cflow_min_flow_start_seconds,
4034 tvb, offset, length, &ts);
4035 break;
4036
4037 case 266: /* opaqueOctets */
4038 ti = proto_tree_add_item(pdutree, hf_cflow_opaque_octets,
4039 tvb, offset, length, ENC_NA);
4040 break;
4041
4042 case 267: /* sessionScope */
4043 ti = proto_tree_add_item(pdutree, hf_cflow_session_scope,
4044 tvb, offset, length, ENC_NA);
4045 break;
4046
4047 case 268: /* maxFlowEndMicroseconds */
4048 ti = proto_tree_add_item(pdutree, hf_cflow_max_flow_end_microseconds,
4049 tvb, offset, length, ENC_TIME_NTP|ENC_BIG_ENDIAN);
4050 break;
4051
4052 case 269: /* maxFlowEndMilliseconds */
4053 ts.secs = (time_t)(tvb_get_ntoh64(tvb, offset)/1000);
4054 ts.nsecs = (int)(tvb_get_ntoh64(tvb, offset)%1000) * 1000000;
4055 ti = proto_tree_add_time(pdutree, hf_cflow_max_flow_end_milliseconds,
4056 tvb, offset, length, &ts);
4057 break;
4058
4059 case 270: /* maxFlowEndNanoseconds */
4060 ti = proto_tree_add_item(pdutree, hf_cflow_max_flow_end_nanoseconds,
4061 tvb, offset, length, ENC_TIME_NTP|ENC_BIG_ENDIAN);
4062 break;
4063
4064 case 271: /* minFlowStartMicroseconds */
4065 ti = proto_tree_add_item(pdutree, hf_cflow_min_flow_start_microseconds,
4066 tvb, offset, length, ENC_TIME_NTP|ENC_BIG_ENDIAN);
4067 break;
4068
4069 case 272: /* minFlowStartMilliseconds */
4070 ts.secs = (tvb_get_ntohl(tvb, offset)/1000);
4071 ts.nsecs = (tvb_get_ntohl(tvb, offset)%1000) * 1000000;
4072 ti = proto_tree_add_time(pdutree, hf_cflow_min_flow_start_milliseconds,
4073 tvb, offset, length, &ts);
4074 break;
4075
4076 case 273: /* minFlowStartNanoseconds */
4077 ti = proto_tree_add_item(pdutree, hf_cflow_min_flow_start_nanoseconds,
4078 tvb, offset, length, ENC_TIME_NTP|ENC_BIG_ENDIAN);
4079 break;
4080
4081 case 274: /* collectorCertificate */
4082 ti = proto_tree_add_item(pdutree, hf_cflow_collector_certificate,
4083 tvb, offset, length, ENC_NA);
4084 break;
4085
4086 case 275: /* exporterCertificate */
4087 ti = proto_tree_add_item(pdutree, hf_cflow_exporter_certificate,
4088 tvb, offset, length, ENC_NA);
4089 break;
4090
4091 case 301: /* selectionSequenceId */
4092 ti = proto_tree_add_item(pdutree, hf_cflow_selection_sequence_id,
4093 tvb, offset, length, ENC_BIG_ENDIAN);
4094 break;
4095
4096 case 302: /* selectorId */
4097 ti = proto_tree_add_item(pdutree, hf_cflow_selector_id,
4098 tvb, offset, length, ENC_BIG_ENDIAN);
4099 break;
4100
4101 case 303: /* informationElementId */
4102 ti = proto_tree_add_item(pdutree, hf_cflow_information_element_id,
4103 tvb, offset, length, ENC_BIG_ENDIAN);
4104 break;
4105
4106 case 304: /* selectorAlgorithm */
4107 ti = proto_tree_add_item(pdutree, hf_cflow_selector_algorithm,
4108 tvb, offset, length, ENC_BIG_ENDIAN);
4109 break;
4110
4111 case 305: /* samplingPacketInterval */
4112 ti = proto_tree_add_item(pdutree, hf_cflow_sampling_packet_interval,
4113 tvb, offset, length, ENC_BIG_ENDIAN);
4114 break;
4115
4116 case 306: /* samplingPacketSpace */
4117 ti = proto_tree_add_item(pdutree, hf_cflow_sampling_packet_space,
4118 tvb, offset, length, ENC_BIG_ENDIAN);
4119 break;
4120
4121 case 307: /* samplingTimeInterval */
4122 ti = proto_tree_add_item(pdutree, hf_cflow_sampling_time_interval,
4123 tvb, offset, length, ENC_BIG_ENDIAN);
4124 break;
4125
4126 case 308: /* samplingTimeSpace */
4127 ti = proto_tree_add_item(pdutree, hf_cflow_sampling_time_space,
4128 tvb, offset, length, ENC_BIG_ENDIAN);
4129 break;
4130
4131 case 309: /* samplingSize */
4132 ti = proto_tree_add_item(pdutree, hf_cflow_sampling_size,
4133 tvb, offset, length, ENC_BIG_ENDIAN);
4134 break;
4135
4136 case 310: /* samplingPopulation */
4137 ti = proto_tree_add_item(pdutree, hf_cflow_sampling_population,
4138 tvb, offset, length, ENC_BIG_ENDIAN);
4139 break;
4140
4141 case 311: /* samplingProbability */
4142 ti = proto_tree_add_item(pdutree, hf_cflow_sampling_probability,
4143 tvb, offset, length, ENC_NA);
4144 break;
4145
4146 case 313: /* SECTION_HEADER */
4147 ti = proto_tree_add_item(pdutree, hf_cflow_section_header,
4148 tvb, offset, length, ENC_NA);
4149 break;
4150
4151 case 314: /* SECTION_PAYLOAD */
4152 ti = proto_tree_add_item(pdutree, hf_cflow_section_payload,
4153 tvb, offset, length, ENC_NA);
4154 break;
4155
4156 case 316: /* mplsLabelStackSection */
4157 ti = proto_tree_add_item(pdutree, hf_cflow_mpls_label_stack_section,
4158 tvb, offset, length, ENC_NA);
4159 break;
4160
4161 case 317: /* mplsPayloadPacketSection */
4162 ti = proto_tree_add_item(pdutree, hf_cflow_mpls_payload_packet_section,
4163 tvb, offset, length, ENC_NA);
4164 break;
4165
4166 case 318: /* selectorIdTotalPktsObserved */
4167 ti = proto_tree_add_item(pdutree, hf_cflow_selector_id_total_pkts_observed,
4168 tvb, offset, length, ENC_BIG_ENDIAN);
4169 break;
4170
4171 case 319: /* selectorIdTotalPktsSelected */
4172 ti = proto_tree_add_item(pdutree, hf_cflow_selector_id_total_pkts_selected,
4173 tvb, offset, length, ENC_BIG_ENDIAN);
4174 break;
4175
4176 case 320: /* absoluteError */
4177 ti = proto_tree_add_item(pdutree, hf_cflow_absolute_error,
4178 tvb, offset, length, ENC_NA);
4179 break;
4180
4181 case 321: /* relativeError */
4182 ti = proto_tree_add_item(pdutree, hf_cflow_relative_error,
4183 tvb, offset, length, ENC_NA);
4184 break;
4185
4186 case 322: /* observationTimeSeconds */
4187 ts.secs = tvb_get_ntohl(tvb, offset);
4188 ts.nsecs = 0;
4189 ti = proto_tree_add_time(pdutree, hf_cflow_observation_time_seconds,
4190 tvb, offset, length, &ts);
4191 break;
4192
4193 case 323: /* observationTimeMilliseconds */
4194 ts.secs = (time_t)(tvb_get_ntoh64(tvb, offset)/1000);
4195 ts.nsecs = (int)(tvb_get_ntoh64(tvb, offset)%1000) * 1000000;
4196 ti = proto_tree_add_time(pdutree, hf_cflow_observation_time_milliseconds,
4197 tvb, offset, length, &ts);
4198 break;
4199
4200 case 324: /* observationTimeMicroseconds */
4201 ti = proto_tree_add_item(pdutree, hf_cflow_observation_time_microseconds,
4202 tvb, offset, length, ENC_TIME_NTP|ENC_BIG_ENDIAN);
4203 break;
4204
4205 case 325: /* observationTimeNanoseconds */
4206 ti = proto_tree_add_item(pdutree, hf_cflow_observation_time_nanoseconds,
4207 tvb, offset, length, ENC_TIME_NTP|ENC_BIG_ENDIAN);
4208 break;
4209
4210 case 326: /* digestHashValue */
4211 ti = proto_tree_add_item(pdutree, hf_cflow_digest_hash_value,
4212 tvb, offset, length, ENC_BIG_ENDIAN);
4213 break;
4214
4215 case 327: /* hashIPPayloadOffset */
4216 ti = proto_tree_add_item(pdutree, hf_cflow_hash_ippayload_offset,
4217 tvb, offset, length, ENC_BIG_ENDIAN);
4218 break;
4219
4220 case 328: /* hashIPPayloadSize */
4221 ti = proto_tree_add_item(pdutree, hf_cflow_hash_ippayload_size,
4222 tvb, offset, length, ENC_BIG_ENDIAN);
4223 break;
4224
4225 case 329: /* hashOutputRangeMin */
4226 ti = proto_tree_add_item(pdutree, hf_cflow_hash_output_range_min,
4227 tvb, offset, length, ENC_BIG_ENDIAN);
4228 break;
4229
4230 case 330: /* hashOutputRangeMax */
4231 ti = proto_tree_add_item(pdutree, hf_cflow_hash_output_range_max,
4232 tvb, offset, length, ENC_BIG_ENDIAN);
4233 break;
4234
4235 case 331: /* hashSelectedRangeMin */
4236 ti = proto_tree_add_item(pdutree, hf_cflow_hash_selected_range_min,
4237 tvb, offset, length, ENC_BIG_ENDIAN);
4238 break;
4239
4240 case 332: /* hashSelectedRangeMax */
4241 ti = proto_tree_add_item(pdutree, hf_cflow_hash_selected_range_max,
4242 tvb, offset, length, ENC_BIG_ENDIAN);
4243 break;
4244
4245 case 333: /* hashDigestOutput */
4246 ti = proto_tree_add_item(pdutree, hf_cflow_hash_digest_output,
4247 tvb, offset, length, ENC_NA);
4248 break;
4249
4250 case 334: /* hashInitialiserValue */
4251 ti = proto_tree_add_item(pdutree, hf_cflow_hash_initialiser_value,
4252 tvb, offset, length, ENC_BIG_ENDIAN);
4253 break;
4254
4255 case 335: /* selectorName */
4256 ti = proto_tree_add_item(pdutree, hf_cflow_selector_name,
4257 tvb, offset, length, ENC_ASCII|ENC_NA);
4258 break;
4259
4260 case 336: /* upperCILimit */
4261 ti = proto_tree_add_item(pdutree, hf_cflow_upper_cilimit,
4262 tvb, offset, length, ENC_NA);
4263 break;
4264
4265 case 337: /* lowerCILimit */
4266 ti = proto_tree_add_item(pdutree, hf_cflow_lower_cilimit,
4267 tvb, offset, length, ENC_NA);
4268 break;
4269
4270 case 338: /* confidenceLevel */
4271 ti = proto_tree_add_item(pdutree, hf_cflow_confidence_level,
4272 tvb, offset, length, ENC_NA);
4273 break;
4274
4275 case 339: /* informationElementDataType */
4276 ti = proto_tree_add_item(pdutree, hf_cflow_information_element_data_type,
4277 tvb, offset, length, ENC_NA);
4278 break;
4279
4280 case 340: /* informationElementDescription */
4281 ti = proto_tree_add_item(pdutree, hf_cflow_information_element_description,
4282 tvb, offset, length, ENC_ASCII|ENC_NA);
4283 break;
4284
4285 case 341: /* informationElementName */
4286 ti = proto_tree_add_item(pdutree, hf_cflow_information_element_name,
4287 tvb, offset, length, ENC_ASCII|ENC_NA);
4288 break;
4289
4290 case 342: /* informationElementRangeBegin */
4291 ti = proto_tree_add_item(pdutree, hf_cflow_information_element_range_begin,
4292 tvb, offset, length, ENC_BIG_ENDIAN);
4293 break;
4294
4295 case 343: /* informationElementRangeEnd */
4296 ti = proto_tree_add_item(pdutree, hf_cflow_information_element_range_end,
4297 tvb, offset, length, ENC_BIG_ENDIAN);
4298 break;
4299
4300 case 344: /* informationElementSemantics */
4301 ti = proto_tree_add_item(pdutree, hf_cflow_information_element_semantics,
4302 tvb, offset, length, ENC_NA);
4303 break;
4304
4305 case 345: /* informationElementUnits */
4306 ti = proto_tree_add_item(pdutree, hf_cflow_information_element_units,
4307 tvb, offset, length, ENC_BIG_ENDIAN);
4308 break;
4309
4310 case 346: /* privateEnterpriseNumber */
4311 ti = proto_tree_add_item(pdutree, hf_cflow_private_enterprise_number,
4312 tvb, offset, length, ENC_BIG_ENDIAN);
4313 break;
4314
4315 case 34000: /* cts_sgt_source_tag */
4316 ti = proto_tree_add_item(pdutree, hf_cflow_cts_sgt_source_tag,
4317 tvb, offset, length, ENC_BIG_ENDIAN);
4318 break;
4319
4320 case 34001: /* cts_sgt_destination_tag */
4321 ti = proto_tree_add_item(pdutree, hf_cflow_cts_sgt_destination_tag,
4322 tvb, offset, length, ENC_BIG_ENDIAN);
4323 break;
4324
4325 case 34002: /* cts_sgt_source_name */
4326 ti = proto_tree_add_item(pdutree, hf_cflow_cts_sgt_source_name,
4327 tvb, offset, length, ENC_BIG_ENDIAN);
4328 break;
4329
4330 case 34003: /* cts_sgt_destination_name */
4331 ti = proto_tree_add_item(pdutree, hf_cflow_cts_sgt_destination_name,
4332 tvb, offset, length, ENC_BIG_ENDIAN);
4333 break;
4334
4335 case 37000: /* packets_dropped */
4336 ti = proto_tree_add_item(pdutree, hf_cflow_packets_dropped,
4337 tvb, offset, length, ENC_BIG_ENDIAN);
4338 break;
4339 case 37003: /* byte_rate */
4340 ti = proto_tree_add_item(pdutree, hf_cflow_byte_rate,
4341 tvb, offset, length, ENC_BIG_ENDIAN);
4342 break;
4343 case 37004: /* application_media_bytes */
4344 ti = proto_tree_add_item(pdutree, hf_cflow_application_media_bytes,
4345 tvb, offset, length, ENC_BIG_ENDIAN);
4346 break;
4347 case 37006: /* application_media_byte_rate */
4348 ti = proto_tree_add_item(pdutree, hf_cflow_application_media_byte_rate,
4349 tvb, offset, length, ENC_BIG_ENDIAN);
4350 break;
4351 case 37007: /* application_media_packets */
4352 ti = proto_tree_add_item(pdutree, hf_cflow_application_media_packets,
4353 tvb, offset, length, ENC_BIG_ENDIAN);
4354 break;
4355 case 37009: /* application_media_packet_rate */
4356 ti = proto_tree_add_item(pdutree, hf_cflow_application_media_packet_rate,
4357 tvb, offset, length, ENC_BIG_ENDIAN);
4358 break;
4359 case 37011: /* application_media_event */
4360 ti = proto_tree_add_item(pdutree, hf_cflow_application_media_event,
4361 tvb, offset, length, ENC_BIG_ENDIAN);
4362 break;
4363
4364 case 37012: /* monitor_event */
4365 ti = proto_tree_add_item(pdutree, hf_cflow_monitor_event,
4366 tvb, offset, length, ENC_BIG_ENDIAN);
4367 break;
4368
4369 case 37013: /* timestamp_interval */
4370 ti = proto_tree_add_item(pdutree, hf_cflow_timestamp_interval,
4371 tvb, offset, length, ENC_TIME_TIMESPEC|ENC_BIG_ENDIAN);
4372 break;
4373 case 37014: /* transport_packets_expected */
4374 ti = proto_tree_add_item(pdutree, hf_cflow_transport_packets_expected,
4375 tvb, offset, length, ENC_BIG_ENDIAN);
4376 break;
4377 case 37016: /* transport_round_trip_time */
4378 if (tvb_get_ntohl(tvb,offset)== 0xFFFFFFFF ) {
4379 ti = proto_tree_add_item(pdutree, hf_cflow_transport_round_trip_time_string,
4380 tvb, offset, length, ENC_BIG_ENDIAN);
4381 } else {
4382 /* value is in microseconds, adjust to nanoseconds*/
4383 ts.secs =0;
4384 ts.nsecs= tvb_get_ntohl(tvb,offset) * 1000;
4385 ti = proto_tree_add_time(pdutree, hf_cflow_transport_round_trip_time,
4386 tvb, offset, length, &ts);
4387 }
4388 break;
4389 case 37017: /* transport_event_packet_loss */
4390 ti = proto_tree_add_item(pdutree, hf_cflow_transport_event_packet_loss,
4391 tvb, offset, length, ENC_BIG_ENDIAN);
4392 break;
4393 case 37019: /* transport_packets_lost */
4394 if (tvb_get_ntohl(tvb,offset)== 0xFFFFFFFF ) {
4395 ti = proto_tree_add_item(pdutree, hf_cflow_transport_packets_lost_string,
4396 tvb, offset, length, ENC_BIG_ENDIAN);
4397 } else {
4398 ti = proto_tree_add_item(pdutree, hf_cflow_transport_packets_lost,
4399 tvb, offset, length, ENC_BIG_ENDIAN);
4400 }
4401 break;
4402 case 37021: /* transport_packets_lost_rate */
4403 if (tvb_get_ntohl(tvb,offset)== 0xFFFF ) {
4404 ti = proto_tree_add_item(pdutree, hf_cflow_transport_packets_lost_rate_string,
4405 tvb, offset, length, ENC_BIG_ENDIAN);
4406 } else {
4407 ti = proto_tree_add_item(pdutree, hf_cflow_transport_packets_lost_rate,
4408 tvb, offset, length, ENC_BIG_ENDIAN);
4409 }
4410 break;
4411 case 37022: /* transport_rtp_ssrc */
4412 ti = proto_tree_add_item(pdutree, hf_cflow_transport_rtp_ssrc,
4413 tvb, offset, length, ENC_BIG_ENDIAN);
4414 break;
4415 case 37023: /* transport_rtp_jitter_mean */
4416 if (tvb_get_ntohl(tvb,offset)== 0xFFFFFFFF ) {
4417 ti = proto_tree_add_item(pdutree, hf_cflow_transport_rtp_jitter_mean_string,
4418 tvb, offset, length, ENC_BIG_ENDIAN);
4419 } else {
4420 /* value is in microseconds, adjust to nanoseconds*/
4421 ts.secs =0;
4422 ts.nsecs= tvb_get_ntohl(tvb,offset) * 1000;
4423
4424 ti = proto_tree_add_time(pdutree, hf_cflow_transport_rtp_jitter_mean,
4425 tvb, offset, length, &ts);
4426 }
4427 break;
4428 case 37024: /* transport_rtp_jitter_min */
4429 if (tvb_get_ntohl(tvb,offset)== 0xFFFFFFFF ) {
4430 ti = proto_tree_add_item(pdutree, hf_cflow_transport_rtp_jitter_min_string,
4431 tvb, offset, length, ENC_BIG_ENDIAN);
4432 } else {
4433 /* value is in microseconds, adjust to nanoseconds*/
4434 ts.secs =0;
4435 ts.nsecs= tvb_get_ntohl(tvb,offset) * 1000;
4436 ti = proto_tree_add_time(pdutree, hf_cflow_transport_rtp_jitter_min,
4437 tvb, offset, length, &ts);
4438 }
4439 break;
4440 case 37025: /* transport_rtp_jitter_max */
4441 if (tvb_get_ntohl(tvb,offset)== 0xFFFFFFFF ) {
4442 ti = proto_tree_add_item(pdutree, hf_cflow_transport_rtp_jitter_max_string,
4443 tvb, offset, length, ENC_BIG_ENDIAN);
4444 } else {
4445 /* value is in microseconds, adjust to nanoseconds*/
4446 ts.secs =0;
4447 ts.nsecs= tvb_get_ntohl(tvb,offset) * 1000;
4448 ti = proto_tree_add_time(pdutree, hf_cflow_transport_rtp_jitter_max,
4449 tvb, offset, length, &ts);
4450 }
4451 break;
4452 case 37041: /* transport_payload_type */
4453 if (tvb_get_guint8(tvb,offset)== 0xFF) {
4454 ti = proto_tree_add_item(pdutree, hf_cflow_transport_rtp_payload_type_string,
4455 tvb, offset, length, ENC_BIG_ENDIAN);
4456 } else {
4457 ti = proto_tree_add_item(pdutree, hf_cflow_transport_rtp_payload_type,
4458 tvb, offset, length, ENC_BIG_ENDIAN);
4459 }
4460 break;
4461 case 37071: /* bytes_out_of_order */
4462 if (tvb_get_ntoh64(tvb,offset)== G_GINT64_CONSTANT(0xFFFFFFFFFFFFFFFF)) {
4463 /* need to add custom code to show "Not Measured" */
4464 proto_tree_add_text(pdutree, tvb, offset, 8,
4465 "Transport Bytes Out of Order: Not Measured (0x%"G_GINT64_MODIFIER"x)",
4466 tvb_get_ntoh64(tvb,offset));
4467 ti = proto_tree_add_item(pdutree, hf_cflow_transport_bytes_out_of_order,
4468 tvb, offset, length, ENC_BIG_ENDIAN);
4469 } else {
4470 ti = proto_tree_add_item(pdutree, hf_cflow_transport_bytes_out_of_order,
4471 tvb, offset, length, ENC_BIG_ENDIAN);
4472 }
4473 break;
4474 case 37074: /* packets_out_of_order */
4475 if (tvb_get_ntohl(tvb,offset)== 0xFFFFFFFF) {
4476 ti = proto_tree_add_item(pdutree, hf_cflow_transport_packets_out_of_order_string,
4477 tvb, offset, length, ENC_BIG_ENDIAN);
4478 } else {
4479 ti = proto_tree_add_item(pdutree, hf_cflow_transport_bytes_out_of_order,
4480 tvb, offset, length, ENC_BIG_ENDIAN);
4481 }
4482 break;
4483 case 37083: /* tcp_window_size_min */
4484 if (tvb_get_ntohl(tvb,offset)== 0xFFFFFFFF) {
4485 ti = proto_tree_add_item(pdutree, hf_cflow_transport_tcp_window_size_min_string,
4486 tvb, offset, length, ENC_BIG_ENDIAN);
4487 } else {
4488 ti = proto_tree_add_item(pdutree, hf_cflow_transport_tcp_window_size_min,
4489 tvb, offset, length, ENC_BIG_ENDIAN);
4490 }
4491 break;
4492
4493 case 37084: /* tcp_window_size_max */
4494 if (tvb_get_ntohl(tvb,offset)== 0xFFFFFFFF) {
4495 ti = proto_tree_add_item(pdutree, hf_cflow_transport_tcp_window_size_max_string,
4496 tvb, offset, length, ENC_BIG_ENDIAN);
4497 } else {
4498 ti = proto_tree_add_item(pdutree, hf_cflow_transport_tcp_window_size_max,
4499 tvb, offset, length, ENC_BIG_ENDIAN);
4500 }
4501 break;
4502
4503 case 37085: /* tcp_window_size_mean */
4504 if (tvb_get_ntohl(tvb,offset)== 0xFFFFFFFF) {
4505 ti = proto_tree_add_item(pdutree, hf_cflow_transport_tcp_window_size_mean_string,
4506 tvb, offset, length, ENC_BIG_ENDIAN);
4507 } else {
4508 ti = proto_tree_add_item(pdutree, hf_cflow_transport_tcp_window_size_mean,
4509 tvb, offset, length, ENC_BIG_ENDIAN);
4510 }
4511 break;
4512 case 37086: /* tcp_maximum_segment_size */
4513 if (tvb_get_ntohs(tvb,offset)== 0xFFFF) {
4514 ti = proto_tree_add_item(pdutree, hf_cflow_transport_tcp_maximum_segment_size_string,
4515 tvb, offset, length, ENC_BIG_ENDIAN);
4516 } else {
4517 ti = proto_tree_add_item(pdutree, hf_cflow_transport_tcp_maximum_segment_size,
4518 tvb, offset, length, ENC_BIG_ENDIAN);
4519 }
4520 break;
4521 /* Ericsson SE NAT Logging */
4522 case 24628: /* natContextId */
4523 ti = proto_tree_add_item(pdutree, hf_cflow_nat_context_id,
4524 tvb, offset, length, ENC_BIG_ENDIAN);
4525 break;
4526 case 24629: /* natContextName */
4527 ti = proto_tree_add_item(pdutree, hf_cflow_nat_context_name,
4528 tvb, offset, length, ENC_UTF_8|ENC_NA);
4529 break;
4530 case 24630: /* natAssignTime */
4531 ts.secs = tvb_get_ntohl(tvb, offset);
4532 ts.nsecs = 0;
4533 ti = proto_tree_add_time(pdutree, hf_cflow_nat_assign_time,
4534 tvb, offset, length, &ts);
4535 break;
4536 case 24631: /* natUnAssignTime */
4537 ts.secs = tvb_get_ntohl(tvb, offset);
4538 ts.nsecs = 0;
4539 ti = proto_tree_add_time(pdutree, hf_cflow_nat_unassign_time,
4540 tvb, offset, length, &ts);
4541 break;
4542 case 24632: /* natInternalAddr */
4543 ti = proto_tree_add_item(pdutree, hf_cflow_nat_int_addr,
4544 tvb, offset, length, ENC_NA);
4545 break;
4546 case 24633: /* natExternalAddr */
4547 ti = proto_tree_add_item(pdutree, hf_cflow_nat_ext_addr,
4548 tvb, offset, length, ENC_NA);
4549 break;
4550 case 24634: /* natExternalPortFirst */
4551 ti = proto_tree_add_item(pdutree, hf_cflow_nat_ext_port_first,
4552 tvb, offset, length, ENC_BIG_ENDIAN);
4553 break;
4554 case 24635: /* natExternalPortLast */
4555 ti = proto_tree_add_item(pdutree, hf_cflow_nat_ext_port_last,
4556 tvb, offset, length, ENC_BIG_ENDIAN);
4557 break;
4558
4559 /* Cisco ASA 5500 Series */
4560 case 33000: /* NF_F_INGRESS_ACL_ID */
4561 proto_tree_add_item(pdutree, hf_cflow_ingress_acl_id,
4562 tvb, offset, length, ENC_NA);
4563 break;
4564 case 33001: /* NF_F_EGRESS_ACL_ID */
4565 proto_tree_add_item(pdutree, hf_cflow_egress_acl_id,
4566 tvb, offset, length, ENC_NA);
4567 break;
4568 case 33002: /* NF_F_FW_EXT_EVENT */
4569 proto_tree_add_item(pdutree, hf_cflow_fw_ext_event,
4570 tvb, offset, length, ENC_BIG_ENDIAN);
4571 break;
4572 case 40000: /* NF_F_USERNAME[_MAX] */
4573 proto_tree_add_item(pdutree, hf_cflow_aaa_username,
4574 tvb, offset, length, ENC_ASCII|ENC_NA);
4575 break;
4576
4577 /* CACE Technologies */
4578 case VENDOR_CACE << 16 | 0: /* caceLocalIPv4Address */
4579 ti = proto_tree_add_item(pdutree, hf_pie_cace_local_ipv4_address,
4580 tvb, offset, length, ENC_NA);
4581 TVB_SET_ADDRESS(&local_addr, AT_IPv4, tvb, offset, 4);
4582 got_flags |= GOT_LOCAL_ADDR;
4583 break;
4584
4585 case VENDOR_CACE << 16 | 1: /* caceRemoteIPv4Address */
4586 ti = proto_tree_add_item(pdutree, hf_pie_cace_remote_ipv4_address,
4587 tvb, offset, length, ENC_NA);
4588 TVB_SET_ADDRESS(&remote_addr, AT_IPv4, tvb, offset, 4);
4589 got_flags |= GOT_REMOTE_ADDR;
4590 break;
4591
4592 case VENDOR_CACE << 16 | 2: /* caceLocalIPv6Address */
4593 ti = proto_tree_add_item(pdutree, hf_pie_cace_local_ipv6_address,
4594 tvb, offset, length, ENC_NA);
4595 TVB_SET_ADDRESS(&local_addr, AT_IPv6, tvb, offset, 16);
4596 got_flags |= GOT_LOCAL_ADDR;
4597 break;
4598
4599 case VENDOR_CACE << 16 | 3: /* caceRemoteIPv6Address */
4600 ti = proto_tree_add_item(pdutree, hf_pie_cace_remote_ipv6_address,
4601 tvb, offset, length, ENC_NA);
4602 TVB_SET_ADDRESS(&remote_addr, AT_IPv6, tvb, offset, 16);
4603 got_flags |= GOT_REMOTE_ADDR;
4604 break;
4605
4606 case VENDOR_CACE << 16 | 4: /* caceLocalTransportPort */
4607 ti = proto_tree_add_item(pdutree, hf_pie_cace_local_port,
4608 tvb, offset, length, ENC_BIG_ENDIAN);
4609 local_port = tvb_get_ntohs(tvb, offset);
4610 got_flags |= GOT_LOCAL_PORT;
4611 break;
4612
4613 case VENDOR_CACE << 16 | 5: /* caceRemoteTransportPort */
4614 ti = proto_tree_add_item(pdutree, hf_pie_cace_remote_port,
4615 tvb, offset, length, ENC_BIG_ENDIAN);
4616 remote_port = tvb_get_ntohs(tvb, offset);
4617 got_flags |= GOT_REMOTE_PORT;
4618 break;
4619
4620 case VENDOR_CACE << 16 | 6: /* caceLocalIPv4id */
4621 ti = proto_tree_add_item(pdutree, hf_pie_cace_local_ipv4_id,
4622 tvb, offset, length, ENC_BIG_ENDIAN);
4623 /*ipv4_id = tvb_get_ntohs(tvb, offset);*/
4624 /*got_flags |= GOT_IPv4_ID;*/
4625 break;
4626
4627 case VENDOR_CACE << 16 | 7: /* caceLocalICMPid */
4628 ti = proto_tree_add_item(pdutree, hf_pie_cace_local_icmp_id,
4629 tvb, offset, length, ENC_BIG_ENDIAN);
4630 /*icmp_id = tvb_get_ntohs(tvb, offset);*/
4631 /*got_flags |= GOT_ICMP_ID;*/
4632 break;
4633
4634 case VENDOR_CACE << 16 | 8: /* caceLocalProcessUserId */
4635 ti = proto_tree_add_item(pdutree, hf_pie_cace_local_uid,
4636 tvb, offset, length, ENC_BIG_ENDIAN);
4637 uid = tvb_get_ntohl(tvb, offset);
4638 got_flags |= GOT_UID;
4639 break;
4640
4641 case VENDOR_CACE << 16 | 9: /* caceLocalProcessId */
4642 ti = proto_tree_add_item(pdutree, hf_pie_cace_local_pid,
4643 tvb, offset, length, ENC_BIG_ENDIAN);
4644 pid = tvb_get_ntohl(tvb, offset);
4645 got_flags |= GOT_PID;
4646 break;
4647
4648 case VENDOR_CACE << 16 | 10: /* caceLocalProcessUserName */
4649 uname_len = tvb_get_guint8(tvb, offset);
4650 uname_str = tvb_format_text(tvb, offset+1, uname_len);
4651 proto_tree_add_item(pdutree, hf_pie_cace_local_username_len,
4652 tvb, offset, 1, ENC_NA);
4653 ti = proto_tree_add_string(pdutree, hf_pie_cace_local_username,
4654 tvb, offset+1, uname_len, uname_str);
4655 length = uname_len + 1;
4656 got_flags |= GOT_USERNAME;
4657 break;
4658
4659 case VENDOR_CACE << 16 | 11: /* caceLocalProcessCommand */
4660 cmd_len = tvb_get_guint8(tvb, offset);
4661 cmd_str = tvb_format_text(tvb, offset+1, cmd_len);
4662 proto_tree_add_item(pdutree, hf_pie_cace_local_cmd_len,
4663 tvb, offset, 1, ENC_NA);
4664 ti = proto_tree_add_string(pdutree, hf_pie_cace_local_cmd,
4665 tvb, offset+1, cmd_len, cmd_str);
4666 length = cmd_len + 1;
4667 got_flags |= GOT_COMMAND;
4668 break;
4669
4670 /* START NTOP */
4671 case (NTOP_BASE + 80): /* FRAGMENTED */
4672 case ((VENDOR_NTOP << 16) | 80): /* FRAGMENTED */
4673 ti = proto_tree_add_item(pdutree, hf_pie_ntop_fragmented,
4674 tvb, offset, length, ENC_BIG_ENDIAN);
4675 break;
4676 case (NTOP_BASE + 81): /* FINGERPRINT */
4677 case ((VENDOR_NTOP << 16) | 81): /* FINGERPRINT */
4678 ti = proto_tree_add_item(pdutree, hf_pie_ntop_fingerprint,
4679 tvb, offset, length, ENC_BIG_ENDIAN);
4680 break;
4681 case (NTOP_BASE + 82): /* CLIENT_NW_DELAY_SEC */
4682 case ((VENDOR_NTOP << 16) | 82): /* CLIENT_NW_DELAY_SEC */
4683 ti = proto_tree_add_item(pdutree, hf_pie_ntop_client_nw_delay_sec,
4684 tvb, offset, length, ENC_BIG_ENDIAN);
4685 break;
4686 case (NTOP_BASE + 83): /* /\* CLIENT_NW_DELAY_USEC *\/ */
4687 case ((VENDOR_NTOP << 16) | 83): /* CLIENT_NW_DELAY_USEC */
4688 ti = proto_tree_add_item(pdutree, hf_pie_ntop_client_nw_delay_usec,
4689 tvb, offset, length, ENC_BIG_ENDIAN);
4690 break;
4691 case (NTOP_BASE + 84): /* SERVER_NW_DELAY_SEC */
4692 case ((VENDOR_NTOP << 16) | 84): /* SERVER_NW_DELAY_SEC */
4693 ti = proto_tree_add_item(pdutree, hf_pie_ntop_server_nw_delay_sec,
4694 tvb, offset, length, ENC_BIG_ENDIAN);
4695 break;
4696 case (NTOP_BASE + 85): /* SERVER_NW_DELAY_USEC */
4697 case ((VENDOR_NTOP << 16) | 85): /* SERVER_NW_DELAY_USEC */
4698 ti = proto_tree_add_item(pdutree, hf_pie_ntop_server_nw_delay_usec,
4699 tvb, offset, length, ENC_BIG_ENDIAN);
4700 break;
4701 case (NTOP_BASE + 86): /* APPL_LATENCY_SEC */
4702 case ((VENDOR_NTOP << 16) | 86): /* APPL_LATENCY_SEC */
4703 ti = proto_tree_add_item(pdutree, hf_pie_ntop_appl_latency_sec,
4704 tvb, offset, length, ENC_BIG_ENDIAN);
4705 break;
4706 case (NTOP_BASE + 87): /* APPL_LATENCY_USEC */
4707 case ((VENDOR_NTOP << 16) | 87): /* APPL_LATENCY_USEC */
4708 ti = proto_tree_add_item(pdutree, hf_pie_ntop_appl_latency_sec,
4709 tvb, offset, length, ENC_BIG_ENDIAN);
4710 break;
4711 case (NTOP_BASE + 98): /* ICMP_FLAGS */
4712 case ((VENDOR_NTOP << 16) | 98): /* ICMP_FLAGS */
4713 /* Cumulative of all flow ICMP types */
4714 ti = proto_tree_add_item(pdutree, hf_pie_ntop_icmp_flags,
4715 tvb, offset, length, ENC_BIG_ENDIAN);
4716 break;
4717 case (NTOP_BASE + 101): /* SRC_IP_COUNTRY */
4718 case ((VENDOR_NTOP << 16) | 101): /* SRC_IP_COUNTRY */
4719 ti = proto_tree_add_item(pdutree, hf_pie_ntop_src_ip_country,
4720 tvb, offset, length, ENC_ASCII|ENC_NA);
4721 break;
4722 case (NTOP_BASE + 102): /* SRC_IP_CITY */
4723 case ((VENDOR_NTOP << 16) | 102): /* SRC_IP_CITY */
4724 ti = proto_tree_add_item(pdutree, hf_pie_ntop_src_ip_city,
4725 tvb, offset, length, ENC_ASCII|ENC_NA);
4726 break;
4727 case (NTOP_BASE + 103): /* DST_IP_COUNTRY */
4728 case ((VENDOR_NTOP << 16) | 103): /* DST_IP_COUNTRY */
4729 ti = proto_tree_add_item(pdutree, hf_pie_ntop_dst_ip_country,
4730 tvb, offset, length, ENC_ASCII|ENC_NA);
4731 break;
4732 case (NTOP_BASE + 104): /* DST_IP_CITY */
4733 case ((VENDOR_NTOP << 16) | 104): /* DST_IP_CITY */
4734 ti = proto_tree_add_item(pdutree, hf_pie_ntop_dst_ip_city,
4735 tvb, offset, length, ENC_ASCII|ENC_NA);
4736 break;
4737 case (NTOP_BASE + 105): /* FLOW_PROTO_PORT */
4738 case ((VENDOR_NTOP << 16) | 105): /* FLOW_PROTO_PORT */
4739 ti = proto_tree_add_item(pdutree, hf_pie_ntop_flow_proto_port,
4740 tvb, offset, length, ENC_BIG_ENDIAN);
4741 break;
4742
4743 case (NTOP_BASE + 106): /* TUNNEL_ID */
4744 case ((VENDOR_NTOP << 16) | 106): /* TUNNEL_ID */
4745 ti = proto_tree_add_item(pdutree, hf_pie_ntop_tunnel_id,
4746 tvb, offset, length, ENC_BIG_ENDIAN);
4747 break;
4748 case (NTOP_BASE + 107): /* LONGEST_FLOW_PKT */
4749 case ((VENDOR_NTOP << 16) | 107): /* LONGEST_FLOW_PKT */
4750 ti = proto_tree_add_item(pdutree, hf_pie_ntop_longest_flow_pkt,
4751 tvb, offset, length, ENC_BIG_ENDIAN);
4752 break;
4753 case (NTOP_BASE + 108): /* SHORTEST_FLOW_PKT */
4754 case ((VENDOR_NTOP << 16) | 108): /* SHORTEST_FLOW_PKT */
4755 ti = proto_tree_add_item(pdutree, hf_pie_ntop_shortest_flow_pkt,
4756 tvb, offset, length, ENC_BIG_ENDIAN);
4757 break;
4758 case (NTOP_BASE + 109): /* RETRANSMITTED_IN_PKTS */
4759 case ((VENDOR_NTOP << 16) | 109): /* RETRANSMITTED_IN_PKTS */
4760 ti = proto_tree_add_item(pdutree, hf_pie_ntop_retransmitted_in_pkts,
4761 tvb, offset, length, ENC_BIG_ENDIAN);
4762 break;
4763 case (NTOP_BASE + 110): /* RETRANSMITTED_OUT_PKTS */
4764 case ((VENDOR_NTOP << 16) | 110): /* RETRANSMITTED_OUT_PKTS */
4765 ti = proto_tree_add_item(pdutree, hf_pie_ntop_retransmitted_out_pkts,
4766 tvb, offset, length, ENC_BIG_ENDIAN);
4767 break;
4768 case (NTOP_BASE + 111): /* OOORDER_IN_PKTS */
4769 case ((VENDOR_NTOP << 16) | 111): /* OOORDER_IN_PKTS */
4770 ti = proto_tree_add_item(pdutree, hf_pie_ntop_ooorder_in_pkts,
4771 tvb, offset, length, ENC_BIG_ENDIAN);
4772 break;
4773 case (NTOP_BASE + 112): /* OOORDER_OUT_PKTS */
4774 case ((VENDOR_NTOP << 16) | 112): /* OOORDER_OUT_PKTS */
4775 ti = proto_tree_add_item(pdutree, hf_pie_ntop_ooorder_out_pkts,
4776 tvb, offset, length, ENC_BIG_ENDIAN);
4777 break;
4778 case (NTOP_BASE + 113): /* UNTUNNELED_PROTOCOL */
4779 case ((VENDOR_NTOP << 16) | 113): /* UNTUNNELED_PROTOCOL */
4780 ti = proto_tree_add_item(pdutree, hf_pie_ntop_untunneled_protocol,
4781 tvb, offset, length, ENC_BIG_ENDIAN);
4782 break;
4783 case (NTOP_BASE + 114): /* UNTUNNELED_IPV4_SRC_ADDR */
4784 case ((VENDOR_NTOP << 16) | 114): /* UNTUNNELED_IPV4_SRC_ADDR */
4785 ti = proto_tree_add_item(pdutree, hf_pie_ntop_untunneled_ipv4_src_addr,
4786 tvb, offset, length, ENC_BIG_ENDIAN);
4787 break;
4788 case (NTOP_BASE + 115): /* UNTUNNELED_L4_SRC_PORT */
4789 case ((VENDOR_NTOP << 16) | 115): /* UNTUNNELED_L4_SRC_PORT */
4790 ti = proto_tree_add_item(pdutree, hf_pie_ntop_untunneled_l4_src_port,
4791 tvb, offset, length, ENC_BIG_ENDIAN);
4792 break;
4793 case (NTOP_BASE + 116): /* UNTUNNELED_IPV4_DST_ADDR */
4794 case ((VENDOR_NTOP << 16) | 116): /* UNTUNNELED_IPV4_DST_ADDR */
4795 ti = proto_tree_add_item(pdutree, hf_pie_ntop_untunneled_ipv4_dst_addr,
4796 tvb, offset, length, ENC_BIG_ENDIAN);
4797 break;
4798 case (NTOP_BASE + 117): /* UNTUNNELED_L4_DST_PORT */
4799 case ((VENDOR_NTOP << 16) | 117): /* UNTUNNELED_L4_DST_PORT */
4800 ti = proto_tree_add_item(pdutree, hf_pie_ntop_untunneled_l4_dst_port,
4801 tvb, offset, length, ENC_BIG_ENDIAN);
4802 break;
4803
4804 case (NTOP_BASE + 120): /* DUMP_PATH */
4805 case ((VENDOR_NTOP << 16) | 120): /* DUMP_PATH */
4806 ti = proto_tree_add_item(pdutree, hf_pie_ntop_dump_path,
4807 tvb, offset, length, ENC_ASCII|ENC_NA);
4808 break;
4809
4810 case (NTOP_BASE + 130): /* SIP_CALL_ID */
4811 case ((VENDOR_NTOP << 16) | 130): /* SIP_CALL_ID */
4812 gen_str = tvb_format_text(tvb, offset, length);
4813 ti = proto_tree_add_string(pdutree, hf_pie_ntop_sip_call_id,
4814 tvb, offset, length, gen_str);
4815 break;
4816 case (NTOP_BASE + 131): /* SIP_CALLING_PARTY */
4817 case ((VENDOR_NTOP << 16) | 131): /* SIP_CALLING_PARTY */
4818 gen_str = tvb_format_text(tvb, offset, length);
4819 ti = proto_tree_add_string(pdutree, hf_pie_ntop_sip_calling_party,
4820 tvb, offset, length, gen_str);
4821 break;
4822 case (NTOP_BASE + 132): /* SIP_CALLED_PARTY */
4823 case ((VENDOR_NTOP << 16) | 132): /* SIP_CALLED_PARTY */
4824 gen_str = tvb_format_text(tvb, offset, length);
4825 ti = proto_tree_add_string(pdutree, hf_pie_ntop_sip_called_party,
4826 tvb, offset, length, gen_str);
4827 break;
4828 case (NTOP_BASE + 133): /* SIP_RTP_CODECS */
4829 case ((VENDOR_NTOP << 16) | 133): /* SIP_RTP_CODECS */
4830 gen_str = tvb_format_text(tvb, offset, length);
4831 ti = proto_tree_add_string(pdutree, hf_pie_ntop_sip_rtp_codecs,
4832 tvb, offset, length, gen_str);
4833 break;
4834 case (NTOP_BASE + 134): /* SIP_INVITE_TIME */
4835 case ((VENDOR_NTOP << 16) | 134): /* SIP_INVITE_TIME */
4836 ti = proto_tree_add_item(pdutree, hf_pie_ntop_sip_invite_time,
4837 tvb, offset, length, ENC_BIG_ENDIAN);
4838 break;
4839 case (NTOP_BASE + 135): /* SIP_TRYING_TIME */
4840 case ((VENDOR_NTOP << 16) | 135): /* SIP_TRYING_TIME */
4841 ti = proto_tree_add_item(pdutree, hf_pie_ntop_sip_trying_time,
4842 tvb, offset, length, ENC_BIG_ENDIAN);
4843 break;
4844 case (NTOP_BASE + 136): /* SIP_RINGING_TIME */
4845 case ((VENDOR_NTOP << 16) | 136): /* SIP_RINGING_TIME */
4846 ti = proto_tree_add_item(pdutree, hf_pie_ntop_sip_ringing_time,
4847 tvb, offset, length, ENC_BIG_ENDIAN);
4848 break;
4849 case (NTOP_BASE + 137): /* SIP_OK_TIME */
4850 case ((VENDOR_NTOP << 16) | 137): /* SIP_OK_TIME */
4851 ti = proto_tree_add_item(pdutree, hf_pie_ntop_sip_ok_time,
4852 tvb, offset, length, ENC_BIG_ENDIAN);
4853 break;
4854 case (NTOP_BASE + 138): /* SIP_BYE_TIME */
4855 case ((VENDOR_NTOP << 16) | 138): /* SIP_BYE_TIME */
4856 ti = proto_tree_add_item(pdutree, hf_pie_ntop_sip_bye_time,
4857 tvb, offset, length, ENC_BIG_ENDIAN);
4858 break;
4859 case (NTOP_BASE + 139): /* SIP_RTP_SRC_IP */
4860 case ((VENDOR_NTOP << 16) | 139): /* SIP_RTP_SRC_IP */
4861 ti = proto_tree_add_item(pdutree, hf_pie_ntop_sip_rtp_src_ip,
4862 tvb, offset, length, ENC_BIG_ENDIAN);
4863 break;
4864 case (NTOP_BASE + 140): /* SIP_RTP_SRC_PORT */
4865 case ((VENDOR_NTOP << 16) | 140): /* SIP_RTP_SRC_PORT */
4866 ti = proto_tree_add_item(pdutree, hf_pie_ntop_sip_rtp_src_port,
4867 tvb, offset, length, ENC_BIG_ENDIAN);
4868 break;
4869 case (NTOP_BASE + 141): /* SIP_RTP_DST_IP */
4870 case ((VENDOR_NTOP << 16) | 141): /* SIP_RTP_DST_IP */
4871 ti = proto_tree_add_item(pdutree, hf_pie_ntop_sip_rtp_dst_ip,
4872 tvb, offset, length, ENC_BIG_ENDIAN);
4873 break;
4874 case (NTOP_BASE + 142): /* SIP_RTP_DST_PORT */
4875 case ((VENDOR_NTOP << 16) | 142): /* SIP_RTP_DST_PORT */
4876 ti = proto_tree_add_item(pdutree, hf_pie_ntop_sip_rtp_dst_port,
4877 tvb, offset, length, ENC_BIG_ENDIAN);
4878 break;
4879 case (NTOP_BASE + 150): /* RTP_FIRST_SSRC */
4880 case ((VENDOR_NTOP << 16) | 150): /* RTP_FIRST_SSRC */
4881 ti = proto_tree_add_item(pdutree, hf_pie_ntop_rtp_first_ssrc,
4882 tvb, offset, length, ENC_BIG_ENDIAN);
4883 break;
4884 case (NTOP_BASE + 151): /* RTP_FIRST_TS */
4885 case ((VENDOR_NTOP << 16) | 151): /* RTP_FIRST_TS */
4886 ti = proto_tree_add_item(pdutree, hf_pie_ntop_rtp_first_ts,
4887 tvb, offset, length, ENC_TIME_TIMESPEC|ENC_BIG_ENDIAN);
4888 break;
4889 case (NTOP_BASE + 152): /* RTP_LAST_SSRC */
4890 case ((VENDOR_NTOP << 16) | 152): /* RTP_LAST_SSRC */
4891 ti = proto_tree_add_item(pdutree, hf_pie_ntop_rtp_last_ssrc,
4892 tvb, offset, length, ENC_BIG_ENDIAN);
4893 break;
4894 case (NTOP_BASE + 153): /* RTP_LAST_TS */
4895 case ((VENDOR_NTOP << 16) | 153): /* RTP_LAST_TS */
4896 ti = proto_tree_add_item(pdutree, hf_pie_ntop_rtp_last_ts,
4897 tvb, offset, length, ENC_TIME_TIMESPEC|ENC_BIG_ENDIAN);
4898 break;
4899 case (NTOP_BASE + 154): /* RTP_IN_JITTER */
4900 case ((VENDOR_NTOP << 16) | 154): /* RTP_IN_JITTER */
4901 ti = proto_tree_add_item(pdutree, hf_pie_ntop_rtp_in_jitter,
4902 tvb, offset, length, ENC_BIG_ENDIAN);
4903 break;
4904 case (NTOP_BASE + 155): /* RTP_OUT_JITTER */
4905 case ((VENDOR_NTOP << 16) | 155): /* RTP_OUT_JITTER */
4906 ti = proto_tree_add_item(pdutree, hf_pie_ntop_rtp_out_jitter,
4907 tvb, offset, length, ENC_BIG_ENDIAN);
4908 break;
4909 case (NTOP_BASE + 156): /* RTP_IN_PKT_LOST */
4910 case ((VENDOR_NTOP << 16) | 156): /* RTP_IN_PKT_LOST */
4911 ti = proto_tree_add_item(pdutree, hf_pie_ntop_rtp_in_pkt_lost,
4912 tvb, offset, length, ENC_BIG_ENDIAN);
4913 break;
4914 case (NTOP_BASE + 157): /* RTP_OUT_PKT_LOST */
4915 case ((VENDOR_NTOP << 16) | 157): /* RTP_OUT_PKT_LOST */
4916 ti = proto_tree_add_item(pdutree, hf_pie_ntop_rtp_out_pkt_lost,
4917 tvb, offset, length, ENC_BIG_ENDIAN);
4918 break;
4919 case (NTOP_BASE + 158): /* RTP_OUT_PAYLOAD_TYPE */
4920 case ((VENDOR_NTOP << 16) | 158): /* RTP_OUT_PAYLOAD_TYPE */
4921 ti = proto_tree_add_item(pdutree, hf_pie_ntop_rtp_out_payload_type,
4922 tvb, offset, length, ENC_BIG_ENDIAN);
4923 break;
4924 case (NTOP_BASE + 159): /* RTP_IN_MAX_DELTA */
4925 case ((VENDOR_NTOP << 16) | 159): /* RTP_IN_MAX_DELTA */
4926 ti = proto_tree_add_item(pdutree, hf_pie_ntop_rtp_in_max_delta,
4927 tvb, offset, length, ENC_BIG_ENDIAN);
4928 break;
4929 case (NTOP_BASE + 160): /* RTP_OUT_MAX_DELTA */
4930 case ((VENDOR_NTOP << 16) | 160): /* RTP_OUT_MAX_DELTA */
4931 ti = proto_tree_add_item(pdutree, hf_pie_ntop_rtp_out_max_delta,
4932 tvb, offset, length, ENC_BIG_ENDIAN);
4933 break;
4934 case (NTOP_BASE + 168): /* PROC_ID */
4935 case ((VENDOR_NTOP << 16) | 168): /* PROC_ID */
4936 ti = proto_tree_add_item(pdutree, hf_pie_ntop_proc_id,
4937 tvb, offset, length, ENC_BIG_ENDIAN);
4938 break;
4939 case (NTOP_BASE + 169): /* PROC_NAME */
4940 case ((VENDOR_NTOP << 16) | 169): /* PROC_NAME */
4941 ti = proto_tree_add_item(pdutree, hf_pie_ntop_proc_name,
4942 tvb, offset, length, ENC_ASCII|ENC_NA);
4943 break;
4944 case (NTOP_BASE + 180): /* HTTP_URL */
4945 case ((VENDOR_NTOP << 16) | 180): /* HTTP_URL */
4946 gen_str = tvb_format_text(tvb, offset, length);
4947 ti = proto_tree_add_string(pdutree, hf_pie_ntop_http_url,
4948 tvb, offset, length, gen_str);
4949 break;
4950 case (NTOP_BASE + 181): /* HTTP_RET_CODE */
4951 case ((VENDOR_NTOP << 16) | 181): /* HTTP_RET_CODE */
4952 ti = proto_tree_add_item(pdutree, hf_pie_ntop_http_ret_code,
4953 tvb, offset, length, ENC_BIG_ENDIAN);
4954 break;
4955
4956
4957 case (NTOP_BASE + 182): /* HTTP_REFERER */
4958 case ((VENDOR_NTOP << 16) | 182): /* HTTP_REFERER */
4959 break;
4960 case (NTOP_BASE + 183): /* HTTP_UA */
4961 case ((VENDOR_NTOP << 16) | 183): /* HTTP_UA */
4962 break;
4963 case (NTOP_BASE + 184): /* HTTP_MIME */
4964 case ((VENDOR_NTOP << 16) | 184): /* HTTP_MIME */
4965 break;
4966
4967 case (NTOP_BASE + 185): /* SMTP_MAIL_FROM */
4968 case ((VENDOR_NTOP << 16) | 185): /* SMTP_MAIL_FROM */
4969 gen_str = tvb_format_text(tvb, offset, length);
4970 ti = proto_tree_add_string(pdutree, hf_pie_ntop_smtp_mail_from,
4971 tvb, offset, length, gen_str);
4972 break;
4973 case (NTOP_BASE + 186): /* SMTP_RCPT_TO */
4974 case ((VENDOR_NTOP << 16) | 186): /* SMTP_RCPT_TO */
4975 gen_str = tvb_format_text(tvb, offset, length);
4976 ti = proto_tree_add_string(pdutree, hf_pie_ntop_smtp_rcpt_to,
4977 tvb, offset, length, gen_str);
4978 break;
4979
4980 case (NTOP_BASE + 190): /* FLOW_ID */
4981 case ((VENDOR_NTOP << 16) | 190): /* FLOW_ID */
4982 ti = proto_tree_add_item(pdutree, hf_cflow_flow_id,
4983 tvb, offset, length, ENC_BIG_ENDIAN);
4984 break;
4985
4986 case (NTOP_BASE + 195): /* MYSQL_SERVER_VERSION */
4987 case ((VENDOR_NTOP << 16) | 195): /* MYSQL_SERVER_VERSION */
4988 gen_str = tvb_format_text(tvb, offset, length);
4989 ti = proto_tree_add_string(pdutree, hf_pie_ntop_mysql_server_version,
4990 tvb, offset, length, gen_str);
4991 break;
4992 case (NTOP_BASE + 196): /* MYSQL_USERNAME */
4993 case ((VENDOR_NTOP << 16) | 196): /* MYSQL_USERNAME */
4994 gen_str = tvb_format_text(tvb, offset, length);
4995 ti = proto_tree_add_string(pdutree, hf_pie_ntop_mysql_username,
4996 tvb, offset, length, gen_str);
4997 break;
4998 case (NTOP_BASE + 197): /* MYSQL_DB */
4999 case ((VENDOR_NTOP << 16) | 197): /* MYSQL_DB */
5000 gen_str = tvb_format_text(tvb, offset, length);
5001 ti = proto_tree_add_string(pdutree, hf_pie_ntop_mysql_db,
5002 tvb, offset, length, gen_str);
5003 break;
5004 case (NTOP_BASE + 198): /* MYSQL_QUERY */
5005 case ((VENDOR_NTOP << 16) | 198): /* MYSQL_QUERY */
5006 gen_str = tvb_format_text(tvb, offset, length);
5007 ti = proto_tree_add_string(pdutree, hf_pie_ntop_mysql_query,
5008 tvb, offset, length, gen_str);
5009 break;
5010 case (NTOP_BASE + 199): /* MYSQL_RESPONSE */
5011 case ((VENDOR_NTOP << 16) | 199): /* MYSQL_RESPONSE */
5012 ti = proto_tree_add_item(pdutree, hf_pie_ntop_mysql_response,
5013 tvb, offset, length, ENC_BIG_ENDIAN);
5014
5015 break;
5016
5017 /* END NTOP */
5018
5019 /* START Plixer International */
5020 case ((VENDOR_PLIXER << 16) | 100): /* client_ip_v4 */
5021 ti = proto_tree_add_item(pdutree, hf_pie_plixer_client_ip_v4,
5022 tvb, offset, length, ENC_BIG_ENDIAN);
5023 break;
5024 case ((VENDOR_PLIXER << 16) | 101): /* client_hostname */
5025 gen_str = tvb_format_text(tvb, offset, length);
5026 ti = proto_tree_add_string(pdutree, hf_pie_plixer_client_hostname,
5027 tvb, offset, length, gen_str);
5028 break;
5029 case ((VENDOR_PLIXER << 16) | 102): /* partner_name */
5030 gen_str = tvb_format_text(tvb, offset, length);
5031 ti = proto_tree_add_string(pdutree, hf_pie_plixer_partner_name,
5032 tvb, offset, length, gen_str);
5033 break;
5034 case ((VENDOR_PLIXER << 16) | 103): /* server_hostname */
5035 gen_str = tvb_format_text(tvb, offset, length);
5036 ti = proto_tree_add_string(pdutree, hf_pie_plixer_server_hostname,
5037 tvb, offset, length, gen_str);
5038 break;
5039 case ((VENDOR_PLIXER << 16) | 104): /* server_ip_v4 */
5040 ti = proto_tree_add_item(pdutree, hf_pie_plixer_server_ip_v4,
5041 tvb, offset, length, ENC_BIG_ENDIAN);
5042 break;
5043 case ((VENDOR_PLIXER << 16) | 105): /* recipient_address */
5044 gen_str = tvb_format_text(tvb, offset, length);
5045 ti = proto_tree_add_string(pdutree, hf_pie_plixer_recipient_address,
5046 tvb, offset, length, gen_str);
5047 break;
5048 case ((VENDOR_PLIXER << 16) | 106): /* event_id */
5049 ti = proto_tree_add_item(pdutree, hf_pie_plixer_event_id,
5050 tvb, offset, length, ENC_BIG_ENDIAN);
5051 break;
5052 case ((VENDOR_PLIXER << 16) | 107): /* msgid */
5053 gen_str = tvb_format_text(tvb, offset, length);
5054 ti = proto_tree_add_string(pdutree, hf_pie_plixer_msgid,
5055 tvb, offset, length, gen_str);
5056 break;
5057 case ((VENDOR_PLIXER << 16) | 108): /* priority */
5058 ti = proto_tree_add_item(pdutree, hf_pie_plixer_priority,
5059 tvb, offset, length, ENC_BIG_ENDIAN);
5060 break;
5061 case ((VENDOR_PLIXER << 16) | 109): /* recipient_report_status */
5062 ti = proto_tree_add_item(pdutree, hf_pie_plixer_recipient_report_status,
5063 tvb, offset, length, ENC_BIG_ENDIAN);
5064 break;
5065 case ((VENDOR_PLIXER << 16) | 110): /* number_recipients */
5066 ti = proto_tree_add_item(pdutree, hf_pie_plixer_number_recipients,
5067 tvb, offset, length, ENC_BIG_ENDIAN);
5068 break;
5069 case ((VENDOR_PLIXER << 16) | 111): /* origination_time */
5070 ti = proto_tree_add_item(pdutree, hf_pie_plixer_origination_time,
5071 tvb, offset, length, ENC_TIME_TIMESPEC|ENC_BIG_ENDIAN);
5072 break;
5073 case ((VENDOR_PLIXER << 16) | 112): /* encryption */
5074 ti = proto_tree_add_item(pdutree, hf_pie_plixer_encryption,
5075 tvb, offset, length, ENC_BIG_ENDIAN);
5076 break;
5077 case ((VENDOR_PLIXER << 16) | 113): /* service_version */
5078 gen_str = tvb_format_text(tvb, offset, length);
5079 ti = proto_tree_add_string(pdutree, hf_pie_plixer_service_version,
5080 tvb, offset, length, gen_str);
5081 break;
5082 case ((VENDOR_PLIXER << 16) | 114): /* linked_msgid */
5083 gen_str = tvb_format_text(tvb, offset, length);
5084 ti = proto_tree_add_string(pdutree, hf_pie_plixer_linked_msgid,
5085 tvb, offset, length, gen_str);
5086 break;
5087 case ((VENDOR_PLIXER << 16) | 115): /* message_subject */
5088 gen_str = tvb_format_text(tvb, offset, length);
5089 ti = proto_tree_add_string(pdutree, hf_pie_plixer_message_subject,
5090 tvb, offset, length, gen_str);
5091 break;
5092 case ((VENDOR_PLIXER << 16) | 116): /* sender_address */
5093 gen_str = tvb_format_text(tvb, offset, length);
5094 ti = proto_tree_add_string(pdutree, hf_pie_plixer_sender_address,
5095 tvb, offset, length, gen_str);
5096 break;
5097 case ((VENDOR_PLIXER << 16) | 117): /* date_time */
5098 ti = proto_tree_add_item(pdutree, hf_pie_plixer_date_time,
5099 tvb, offset, length, ENC_TIME_TIMESPEC|ENC_BIG_ENDIAN);
5100 break;
5101 /* END Plixer International */
5102
5103 default: /* Unknown Field ID */
5104 if ((hdrinfo_p->vspec == 9) || (pen == REVPEN)) {
5105 ti = proto_tree_add_bytes_format_value(pdutree, hf_cflow_unknown_field_type,
5106 tvb, offset, length, NULL,
5107 "Type %u: Value (hex bytes): %s",
5108 masked_type,
5109 tvb_bytes_to_str_punct(tvb, offset, length, ' '));
5110 } else { /* v10 PEN */
5111 ti = proto_tree_add_bytes_format_value(pdutree, hf_ipfix_enterprise_private_entry,
5112 tvb, offset, length, NULL,
5113 "(%s) Type %u: Value (hex bytes): %s",
5114 pen_str ? pen_str : "(null)",
5115 masked_type,
5116 tvb_bytes_to_str_punct(tvb, offset, length, ' '));
5117 }
5118 break;
5119
5120 } /* switch (pen_type) */
5121
5122 if (ti && (vstr_len != 0)) {
5123 /* XXX: ugh: not very pretty: how to show/highlight actual length bytes ?? */
5124 /* YYY: added the length in a tree. Not sure if this is best. */
5125 proto_item_append_text(ti, " (Variable Length)");
5126 PROTO_ITEM_SET_GENERATED(ti);
5127 string_tree = proto_item_add_subtree(ti, ett_str_len);
5128 proto_tree_add_uint(string_tree, hf_string_len_short, tvb,
5129 gen_str_offset-vstr_len, 1, string_len_short);
5130 if (vstr_len == 3) {
5131 proto_tree_add_uint(string_tree, hf_string_len_long, tvb,
5132 gen_str_offset-2, 2, string_len_long);
5133 }
5134
5135
5136
5137 }
5138
5139 if (ti && (pen == REVPEN)) {
5140 /* XXX: why showing type ? type not shown if not reverse */
5141 proto_item_append_text(ti, " (Reverse Type %u %s)",
5142 masked_type,
5143 val_to_str_ext_const(masked_type, &v9_v10_template_types_ext,"Unknown"));
5144 }
5145
5146 offset += length;
5147 } /* for (i=0; i < count; i++) */
5148
5149 /* If only "start" or "end" time, show it here */
5150 /* XXX: length is actually 8 if millisec, microsec, nanosec time */
5151 for (i = 0; i < 2; i++) {
5152 if (!(offset_s[i] && offset_e[i])) {
5153 if (offset_s[i]) {
5154 if (msec_start[i]) {
5155 proto_tree_add_time(pdutree, hf_cflow_timestart, tvb,
5156 offset_s[i], 4, &ts_start[i]);
5157 } else {
5158 proto_tree_add_time(pdutree, hf_cflow_abstimestart, tvb,
5159 offset_s[i], 4, &ts_start[i]);
5160 }
5161 }
5162 if (offset_e[i]) {
5163 if (msec_end[i]) {
5164 proto_tree_add_time(pdutree, hf_cflow_timeend, tvb,
5165 offset_e[i], 4, &ts_end[i]);
5166 } else {
5167 proto_tree_add_time(pdutree, hf_cflow_abstimeend, tvb,
5168 offset_s[i], 4, &ts_start[i]);
5169 }
5170 }
5171 }
5172 }
5173
5174 /* XXX - These IDs are currently hard-coded in procflow.py. */
5175 if (got_flags == GOT_TCP_UDP && (tmplt_p->tmplt_id == 256 || tmplt_p->tmplt_id == 258)) {
5176 add_tcp_process_info(pinfo->fd->num, &local_addr, &remote_addr, local_port, remote_port, uid, pid, uname_str, cmd_str);
5177 }
5178 if (got_flags == GOT_TCP_UDP && (tmplt_p->tmplt_id == 257 || tmplt_p->tmplt_id == 259)) {
5179 add_udp_process_info(pinfo->fd->num, &local_addr, &remote_addr, local_port, remote_port, uid, pid, uname_str, cmd_str);
5180 }
5181
5182 return (guint) (offset - orig_offset);
5183
5184 }
5185
5186 /* --- Dissect Template ---*/
5187 /* Template Fields Dissection */
5188 static const int *v9_template_type_hf_list[TF_NUM] = {
5189 &hf_cflow_template_scope_field_type, /* scope */
5190 &hf_cflow_template_field_type}; /* entry */
5191 static const int *v10_template_type_hf_list[TF_NUM_EXT] = {
5192 &hf_cflow_template_ipfix_field_type, /* scope */
5193 &hf_cflow_template_ipfix_field_type,
5194 &hf_cflow_template_plixer_field_type,
5195 &hf_cflow_template_ntop_field_type,
5196 NULL};
5197
5198 static value_string_ext *v9_template_type_vse_list[TF_NUM] = {
5199 &v9_scope_field_types_ext, /* scope */
5200 &v9_v10_template_types_ext }; /* entry */
5201 static value_string_ext *v10_template_type_vse_list[TF_NUM_EXT] = {
5202 &v9_v10_template_types_ext, /* scope */
5203 &v9_v10_template_types_ext, /* entry */
5204 &v10_template_types_plixer_ext,
5205 &v10_template_types_ntop_ext,
5206 NULL};
5207
5208 static int
5209 dissect_v9_v10_template_fields(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tmplt_tree, int offset,
5210 hdrinfo_t *hdrinfo_p,
5211 v9_v10_tmplt_t *tmplt_p,
5212 v9_v10_tmplt_fields_type_t fields_type)
5213 {
5214 int ver;
5215 int count;
5216 int i;
5217
5218 DISSECTOR_ASSERT((fields_type==TF_SCOPES) || (fields_type==TF_ENTRIES));
5219
5220 ver = hdrinfo_p->vspec;
5221 DISSECTOR_ASSERT((ver==9) || (ver==10));
5222
5223 count = tmplt_p->field_count[fields_type];
5224 for(i=0; i<count; i++) {
5225 guint16 type;
5226 guint16 length;
5227 guint32 pen;
5228 const gchar *pen_str;
5229 proto_tree *field_tree;
5230 proto_item *field_item;
5231 proto_item *ti;
5232
5233 pen = 0;
5234 pen_str = NULL;
5235 type = tvb_get_ntohs(tvb, offset);
5236 length = tvb_get_ntohs(tvb,offset+2); /* XXX: 0 length should not be allowed ? exception: "ScopeSystem" */
5237 if ((ver == 10) && (type & 0x8000)) { /* IPFIX only */
5238 pen = tvb_get_ntohl(tvb,offset+4);
5239 pen_str = val_to_str_ext_const(pen, &sminmpec_values_ext, "(Unknown)");
5240 }
5241
5242 if (tmplt_p->fields_p[fields_type] != NULL) {
5243 DISSECTOR_ASSERT (i < count);
5244 tmplt_p->fields_p[fields_type][i].type = type;
5245 tmplt_p->fields_p[fields_type][i].length = length;
5246 tmplt_p->fields_p[fields_type][i].pen = pen;
5247 tmplt_p->fields_p[fields_type][i].pen_str = pen_str;
5248 if (length != VARIABLE_LENGTH) { /* Don't include "variable length" in the total */
5249 tmplt_p->length += length;
5250 }
5251 }
5252
5253 field_item = proto_tree_add_text(tmplt_tree, tvb, offset, 4+((pen_str!=NULL)?4:0), "Field (%u/%u)", i+1, count);
5254 field_tree = proto_item_add_subtree(field_item, ett_field);
5255 if (fields_type == TF_SCOPES) {
5256 proto_item_append_text(field_item, " [Scope]");
5257 }
5258
5259 if (ver == 9) { /* v9 */
5260 proto_tree_add_item(field_tree, *v9_template_type_hf_list[fields_type],
5261 tvb, offset, 2, ENC_BIG_ENDIAN);
5262 proto_item_append_text(field_item, ": %s",
5263 val_to_str_ext(type, v9_template_type_vse_list[fields_type], "Unknown(%d)"));
5264 } else { /* v10 */
5265 proto_tree_add_item(field_tree, hf_cflow_template_ipfix_pen_provided,
5266 tvb, offset, 2, ENC_BIG_ENDIAN);
5267 if ( !(type & 0x8000) || (pen == REVPEN)) {
5268 proto_item *rp_ti;
5269 rp_ti = proto_tree_add_item(field_tree, *v10_template_type_hf_list[fields_type],
5270 tvb, offset, 2, ENC_BIG_ENDIAN);
5271 proto_item_append_text(field_item, ": %s",
5272 val_to_str_ext(type&0x7fff, v10_template_type_vse_list[fields_type], "Unknown(%d)"));
5273 if (pen == REVPEN) {
5274 proto_item_append_text(rp_ti, " [Reverse]");
5275 proto_item_append_text(field_item, " [Reverse]");
5276 }
5277 } else {
5278 int fields_type_pen = pen_to_type_hf_list(pen);
5279 if (fields_type_pen != TF_NO_VENDOR_INFO) {
5280 proto_tree_add_item(field_tree, *v10_template_type_hf_list[fields_type_pen],
5281 tvb, offset, 2, ENC_BIG_ENDIAN);
5282 proto_item_append_text(field_item, ": %s",
5283 val_to_str_ext(type&0x7fff, v10_template_type_vse_list[fields_type_pen], "Unknown(%d)"));
5284 } else { /* Private Enterprise */
5285 proto_item *pen_ti;
5286 pen_ti = proto_tree_add_item(field_tree, hf_cflow_template_ipfix_field_type_enterprise,
5287 tvb, offset, 2, ENC_BIG_ENDIAN);
5288 proto_item_append_text(pen_ti, " [pen: %s]", pen_str);
5289 proto_item_append_text(field_item, ": %3u [pen: %s]", type&0x7fff, pen_str);
5290 }
5291 }
5292 }
5293
5294 offset += 2;
5295
5296 ti = proto_tree_add_item(field_tree, hf_cflow_template_field_length, tvb,
5297 offset, 2, ENC_BIG_ENDIAN);
5298 if (length == VARIABLE_LENGTH) {
5299 proto_item_append_text(ti, " [i.e.: \"Variable Length\"]");
5300 }
5301 offset += 2;
5302
5303 /* Private Enterprise Number (IPFIX only) */
5304 if ((ver == 10) && (type & 0x8000)) {
5305 proto_tree_add_uint_format_value(field_tree, hf_cflow_template_ipfix_field_pen, tvb, offset, 4,
5306 pen, "%s (%u)", pen_str, pen);
5307 offset += 4;
5308 }
5309 }
5310 return offset;
5311 }
5312
5313 /* Options Template Dissection */
5314 static int
5315 dissect_v9_v10_options_template(tvbuff_t *tvb, packet_info *pinfo, proto_tree *pdutree, int offset, int length,
5316 hdrinfo_t *hdrinfo_p, guint16 flowset_id)
5317 {
5318 int remaining;
5319
5320 remaining = length;
5321 while (remaining > 3) { /* allow for padding */
5322 v9_v10_tmplt_t *tmplt_p;
5323 v9_v10_tmplt_t tmplt;
5324 proto_tree *tmplt_tree;
5325 proto_item *tmplt_item;
5326 proto_item *ti;
5327 guint16 id;
5328 guint16 option_scope_field_count;
5329 guint16 option_field_count;
5330 int orig_offset;
5331
5332 orig_offset = offset;
5333
5334 id = tvb_get_ntohs(tvb, offset);
5335
5336 tmplt_item = proto_tree_add_text(pdutree, tvb, offset, -1, "Options Template (Id = %u)", id);
5337 tmplt_tree = proto_item_add_subtree(tmplt_item, ett_template);
5338
5339 proto_tree_add_item(tmplt_tree, hf_cflow_template_id, tvb, offset, 2, ENC_BIG_ENDIAN);
5340 offset += 2;
5341
5342 if (flowset_id == FLOWSET_ID_V9_OPTIONS_TEMPLATE) { /* V9 */
5343 /* Note: v9: field_count = fields_byte_length/4 since each entry is 4 bytes */
5344 /* XXX: validate byte_length is a multiple of 4 ? */
5345 option_scope_field_count = tvb_get_ntohs(tvb, offset)/4;
5346 proto_tree_add_item(tmplt_tree,
5347 hf_cflow_option_scope_length,
5348 tvb, offset, 2, ENC_BIG_ENDIAN);
5349 offset += 2;
5350
5351 option_field_count = tvb_get_ntohs(tvb, offset)/4;
5352 ti = proto_tree_add_item(tmplt_tree,
5353 hf_cflow_option_length,
5354 tvb, offset, 2, ENC_BIG_ENDIAN);
5355 offset += 2;
5356 } else { /* IPFIX (V10) */
5357 guint16 option_total_field_count;
5358
5359 option_total_field_count = tvb_get_ntohs(tvb, offset);
5360 proto_tree_add_item(tmplt_tree,
5361 hf_cflow_template_ipfix_total_field_count,
5362 tvb, offset, 2, ENC_BIG_ENDIAN);
5363 offset += 2;
5364
5365 option_scope_field_count = tvb_get_ntohs(tvb, offset);
5366 ti = proto_tree_add_item(tmplt_tree,
5367 hf_cflow_template_ipfix_scope_field_count,
5368 tvb, offset, 2, ENC_BIG_ENDIAN);
5369 offset += 2;
5370
5371 option_field_count = option_total_field_count - option_scope_field_count;
5372
5373 if (option_scope_field_count == 0) {
5374 expert_add_info(pinfo, ti, &ei_cflow_template_ipfix_scope_field_count);
5375 return 0;
5376 }
5377 if (option_scope_field_count > option_total_field_count) {
5378 expert_add_info_format(pinfo, ti, &ei_cflow_template_ipfix_scope_field_count_too_many,
5379 "More scope fields (%u) than fields (%u)",
5380 option_scope_field_count, option_total_field_count);
5381 return 0;
5382 }
5383 }
5384
5385 proto_item_append_text(tmplt_item,
5386 " (Scope Count = %u; Data Count = %u)",
5387 option_scope_field_count, option_field_count);
5388 proto_item_set_len(tmplt_item, 6 +4*(option_scope_field_count+option_field_count));
5389
5390 if (v9_tmplt_max_fields &&
5391 (option_field_count > v9_tmplt_max_fields)) {
5392 expert_add_info_format(pinfo, ti, &ei_cflow_options,
5393 "More options (%u) than we can handle."
5394 " Maximum value can be adjusted in the protocol preferences.",
5395 option_field_count);
5396 }
5397
5398 if (v9_tmplt_max_fields &&
5399 (option_scope_field_count > v9_tmplt_max_fields)) {
5400 expert_add_info_format(pinfo, ti, &ei_cflow_scopes,
5401 "More scopes (%u) than we can handle [template won't be used]."
5402 " Maximum value can be adjusted in the protocol preferences.",
5403 option_scope_field_count);
5404 }
5405
5406 memset(&tmplt, 0, sizeof(tmplt));
5407
5408 v9_v10_tmplt_build_key(&tmplt, pinfo, hdrinfo_p->src_id, id);
5409
5410 tmplt.field_count[TF_SCOPES] = option_scope_field_count;
5411 tmplt.field_count[TF_ENTRIES] = option_field_count;
5412
5413 /* If an entry for this template already exists in the template table then after the */
5414 /* 'do {} while' tmplt.fields_p[TF_SCOPES] and tmplt.fields_p[TF_ENTRIES] will be NULL */
5415 /* (no memory will have been allocated) and thus this template will not be cached after */
5416 /* dissection. */
5417 /* ToDo: expert warning if replacement (changed) and new template ignored. */
5418 /* XXX: Is an Options template with only scope fields allowed for V9 ?? */
5419
5420 tmplt_p = (v9_v10_tmplt_t *)g_hash_table_lookup(v9_v10_tmplt_table, &tmplt);
5421 if (!pinfo->fd->flags.visited) { /* cache template info only during first pass */
5422 do {
5423 if ((option_scope_field_count == 0) ||
5424 (v9_tmplt_max_fields &&
5425 ((option_scope_field_count > v9_tmplt_max_fields)
5426 || (option_field_count > v9_tmplt_max_fields)))) {
5427 break; /* Don't allow cache of this template */
5428 }
5429 if (tmplt_p != NULL) {
5430 /* Entry for this template already exists; Can be dup or changed */
5431 /* ToDo: Test for changed template ? If so: expert ? */
5432 break; /* Don't allow cacheing of this template */
5433 }
5434 tmplt.fields_p[TF_SCOPES] = (v9_v10_tmplt_entry_t *)wmem_alloc0(wmem_file_scope(), option_scope_field_count *sizeof(v9_v10_tmplt_entry_t));
5435 tmplt.fields_p[TF_ENTRIES] = (v9_v10_tmplt_entry_t *)wmem_alloc0(wmem_file_scope(), option_field_count *sizeof(v9_v10_tmplt_entry_t));
5436 break;
5437 } while (FALSE);
5438 }
5439
5440 offset = dissect_v9_v10_template_fields(tvb, pinfo, tmplt_tree, offset,
5441 hdrinfo_p, &tmplt, TF_SCOPES);
5442
5443 offset = dissect_v9_v10_template_fields(tvb, pinfo, tmplt_tree, offset,
5444 hdrinfo_p, &tmplt, TF_ENTRIES);
5445
5446 if ((tmplt_p == NULL) && (tmplt.fields_p[TF_SCOPES] || tmplt.fields_p[TF_ENTRIES])) {
5447 /* create permanent template copy for storage in template table */
5448 tmplt_p = (v9_v10_tmplt_t *)wmem_memdup(wmem_file_scope(), &tmplt, sizeof(tmplt));
5449 SE_COPY_ADDRESS(&tmplt_p->src_addr, &pinfo->net_src);
5450 SE_COPY_ADDRESS(&tmplt_p->dst_addr, &pinfo->net_dst);
5451 g_hash_table_insert(v9_v10_tmplt_table, tmplt_p, tmplt_p);
5452 }
5453
5454 remaining -= offset - orig_offset;
5455 }
5456 if (remaining > 0)
5457 flow_process_textfield(pdutree, tvb, offset, remaining, "[Padding]");
5458
5459 return length;
5460 }
5461
5462 /* Data Template Dissection */
5463 static int
5464 dissect_v9_v10_data_template(tvbuff_t *tvb, packet_info *pinfo, proto_tree *pdutree, int offset, int length,
5465 hdrinfo_t *hdrinfo_p, guint16 flowset_id _U_)
5466 {
5467 int remaining;
5468
5469 remaining = length;
5470 while (remaining > 3) { /* allow for padding */
5471 v9_v10_tmplt_t *tmplt_p;
5472 v9_v10_tmplt_t tmplt;
5473 proto_tree *tmplt_tree;
5474 proto_item *tmplt_item;
5475 proto_item *ti;
5476 guint16 id;
5477 guint16 count;
5478 int orig_offset;
5479
5480 orig_offset = offset;
5481 id = tvb_get_ntohs(tvb, offset);
5482 count = tvb_get_ntohs(tvb, offset + 2);
5483
5484 tmplt_item = proto_tree_add_text(pdutree, tvb, offset,
5485 4 + 4 * count /* hdrsiz + count*2*(sizeof guint16)*/,
5486 "Template (Id = %u, Count = %u)", id, count);
5487 tmplt_tree = proto_item_add_subtree(tmplt_item, ett_template);
5488
5489 proto_tree_add_item(tmplt_tree, hf_cflow_template_id, tvb,
5490 offset, 2, ENC_BIG_ENDIAN);
5491 offset += 2;
5492
5493 ti = proto_tree_add_item(tmplt_tree, hf_cflow_template_field_count,
5494 tvb, offset, 2, ENC_BIG_ENDIAN);
5495 offset += 2;
5496
5497 if (v9_tmplt_max_fields && (count > v9_tmplt_max_fields)) {
5498 expert_add_info_format(pinfo, ti, &ei_cflow_entries,
5499 "More entries (%u) than we can handle [template won't be used]."
5500 " Maximum value can be adjusted in the protocol preferences.",
5501 count);
5502 }
5503
5504 memset(&tmplt, 0, sizeof(tmplt));
5505
5506 v9_v10_tmplt_build_key(&tmplt, pinfo, hdrinfo_p->src_id, id); /* lookup only ! */
5507
5508 tmplt.field_count[TF_ENTRIES] = count;
5509
5510 /* If an entry for this hash already exists in the template table then after the */
5511 /* 'do {} while' tmplt.fields_p[TF_ENTRIES] will be NULL (no memory will have been */
5512 /* been allocated) and thus this template will not be cached after dissection. */
5513 /* ToDo: expert warning if replacement (changed) and new template ignored. */
5514
5515 tmplt_p = (v9_v10_tmplt_t *)g_hash_table_lookup(v9_v10_tmplt_table, &tmplt);
5516 if (!pinfo->fd->flags.visited) { /* cache template info only during first pass */
5517 do {
5518 if ((count == 0) ||
5519 (v9_tmplt_max_fields && (count > v9_tmplt_max_fields))) {
5520 break; /* Don't allow cache of this template */
5521 }
5522 if (tmplt_p != NULL) {
5523 /* Entry for this template already exists; Can be dup or changed */
5524 /* ToDo: Test for changed template ? If so: expert ? */
5525 break; /* Don't allow cacheing of this template */
5526 }
5527 tmplt.fields_p[TF_ENTRIES] = (v9_v10_tmplt_entry_t *)wmem_alloc0(wmem_file_scope(), count * sizeof(v9_v10_tmplt_entry_t));
5528 break;
5529 } while (FALSE);
5530 }
5531 offset = dissect_v9_v10_template_fields(tvb, pinfo, tmplt_tree, offset,
5532 hdrinfo_p, &tmplt, TF_ENTRIES);
5533
5534 if ((tmplt_p == NULL) && tmplt.fields_p[TF_ENTRIES]) {
5535 /* create permanent template copy for storage in template table */
5536 tmplt_p = (v9_v10_tmplt_t *)wmem_memdup(wmem_file_scope(), &tmplt, sizeof(tmplt));
5537 SE_COPY_ADDRESS(&tmplt_p->src_addr, &pinfo->net_src);
5538 SE_COPY_ADDRESS(&tmplt_p->dst_addr, &pinfo->net_dst);
5539 g_hash_table_insert(v9_v10_tmplt_table, tmplt_p, tmplt_p);
5540 }
5541 remaining -= offset - orig_offset;
5542 }
5543 if (remaining > 0)
5544 flow_process_textfield(pdutree, tvb, offset, remaining, "[Padding]");
5545
5546 return length;
5547 }
5548
5549 /* build temporary key */
5550 /* Note: address at *(pinfo->net_???.data) is *not* copied */
5551 static v9_v10_tmplt_t *v9_v10_tmplt_build_key(v9_v10_tmplt_t *tmplt_p, packet_info *pinfo, guint32 src_id, guint16 tmplt_id)
5552 {
5553 SET_ADDRESS(&tmplt_p->src_addr, pinfo->net_src.type, pinfo->net_src.len, pinfo->net_src.data); /* lookup only! */
5554 tmplt_p->src_port = pinfo->srcport;
5555 SET_ADDRESS(&tmplt_p->dst_addr, pinfo->net_dst.type, pinfo->net_dst.len, pinfo->net_dst.data); /* lookup only! */
5556 tmplt_p->dst_port = pinfo->destport;
5557 tmplt_p->src_id = src_id;
5558 tmplt_p->tmplt_id = tmplt_id;
5559 return tmplt_p;
5560 }
5561
5562 static gboolean
5563 v9_v10_tmplt_table_equal(gconstpointer k1, gconstpointer k2)
5564 {
5565 const v9_v10_tmplt_t *ta = (v9_v10_tmplt_t *)k1;
5566 const v9_v10_tmplt_t *tb = (v9_v10_tmplt_t *)k2;
5567
5568 return (
5569 (CMP_ADDRESS(&ta->src_addr, &tb->src_addr) == 0) &&
5570 (ta->src_port == tb->src_port) &&
5571 (CMP_ADDRESS(&ta->dst_addr, &tb->dst_addr) == 0) &&
5572 (ta->dst_port == tb->dst_port) &&
5573 (ta->src_id == tb->src_id) &&
5574 (ta->tmplt_id == tb->tmplt_id)
5575 );
5576 }
5577
5578 static guint
5579 v9_v10_tmplt_table_hash(gconstpointer k)
5580 {
5581 const v9_v10_tmplt_t *tmplt_p = (v9_v10_tmplt_t *)k;
5582 guint32 val;
5583
5584 val = tmplt_p->src_id + (tmplt_p->tmplt_id << 9) + tmplt_p->src_port + tmplt_p->dst_port;
5585
5586 ADD_ADDRESS_TO_HASH(val, &tmplt_p->src_addr);
5587 ADD_ADDRESS_TO_HASH(val, &tmplt_p->dst_addr);
5588
5589 return val;
5590 }
5591
5592 /*
5593 * dissect a version 1, 5, or 7 pdu and return the length of the pdu we
5594 * processed
5595 */
5596
5597 static int
5598 dissect_pdu(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *pdutree, int offset, hdrinfo_t *hdrinfo_p)
5599 {
5600 proto_item *hidden_item;
5601 int startoffset = offset;
5602 guint32 srcaddr, dstaddr;
5603 guint8 mask;
5604 nstime_t ts;
5605 guint8 ver;
5606
5607 memset(&ts, 0, sizeof(ts));
5608
5609 /*
5610 * memcpy so we can use the values later to calculate a prefix
5611 */
5612 srcaddr = tvb_get_ipv4(tvb, offset);
5613 proto_tree_add_ipv4(pdutree, hf_cflow_srcaddr, tvb, offset, 4, srcaddr);
5614 offset += 4;
5615
5616 dstaddr = tvb_get_ipv4(tvb, offset);
5617 proto_tree_add_ipv4(pdutree, hf_cflow_dstaddr, tvb, offset, 4, dstaddr);
5618 offset += 4;
5619
5620 proto_tree_add_item(pdutree, hf_cflow_nexthop, tvb, offset, 4, ENC_NA);
5621 offset += 4;
5622
5623 offset = flow_process_ints(pdutree, tvb, offset);
5624 offset = flow_process_sizecount(pdutree, tvb, offset);
5625 offset = flow_process_timeperiod(pdutree, tvb, offset);
5626 offset = flow_process_ports(pdutree, tvb, offset);
5627
5628 /*
5629 * and the similarities end here
5630 */
5631
5632 ver = hdrinfo_p->vspec;
5633
5634 if (ver == 1) {
5635 offset = flow_process_textfield(pdutree, tvb, offset, 2, "padding");
5636
5637 proto_tree_add_item(pdutree, hf_cflow_prot, tvb, offset++, 1, ENC_NA);
5638
5639 proto_tree_add_item(pdutree, hf_cflow_tos, tvb, offset++, 1, ENC_NA);
5640
5641 proto_tree_add_item(pdutree, hf_cflow_tcpflags, tvb, offset++, 1, ENC_NA);
5642
5643 offset = flow_process_textfield(pdutree, tvb, offset, 3, "padding");
5644
5645 offset = flow_process_textfield(pdutree, tvb, offset, 4, "reserved");
5646 } else {
5647 if (ver == 5)
5648 offset = flow_process_textfield(pdutree, tvb, offset, 1, "padding");
5649 else {
5650 proto_tree_add_item(pdutree, hf_cflow_flags, tvb, offset++, 1, ENC_NA);
5651 }
5652
5653 proto_tree_add_item(pdutree, hf_cflow_tcpflags, tvb, offset++, 1, ENC_NA);
5654
5655 proto_tree_add_item(pdutree, hf_cflow_prot, tvb, offset++, 1, ENC_NA);
5656
5657 proto_tree_add_item(pdutree, hf_cflow_tos, tvb, offset++, 1, ENC_NA);
5658
5659 offset = flow_process_aspair(pdutree, tvb, offset);
5660
5661 mask = tvb_get_guint8(tvb, offset);
5662 proto_tree_add_text(pdutree, tvb, offset, 1,
5663 "SrcMask: %u (prefix: %s/%u)",
5664 mask, getprefix(&srcaddr, mask),
5665 mask != 0 ? mask : 32);
5666 hidden_item = proto_tree_add_uint(pdutree, hf_cflow_srcmask, tvb, offset++, 1, mask);
5667 PROTO_ITEM_SET_HIDDEN(hidden_item);
5668
5669 mask = tvb_get_guint8(tvb, offset);
5670 proto_tree_add_text(pdutree, tvb, offset, 1,
5671 "DstMask: %u (prefix: %s/%u)",
5672 mask, getprefix(&dstaddr, mask),
5673 mask != 0 ? mask : 32);
5674 hidden_item = proto_tree_add_uint(pdutree, hf_cflow_dstmask, tvb, offset++, 1, mask);
5675 PROTO_ITEM_SET_HIDDEN(hidden_item);
5676
5677 offset = flow_process_textfield(pdutree, tvb, offset, 2, "padding");
5678
5679 if (ver == 7) {
5680 proto_tree_add_item(pdutree, hf_cflow_routersc, tvb, offset, 4, ENC_NA);
5681 offset += 4;
5682 }
5683 }
5684
5685 return (offset - startoffset);
5686 }
5687
5688 static const gchar *
5689 getprefix(const guint32 *addr, int prefix)
5690 {
5691 guint32 gprefix;
5692
5693 gprefix = *addr & g_htonl((0xffffffff << (32 - prefix)));
5694
5695 return (ip_to_str((const guint8 *)&gprefix));
5696 }
5697
5698 /* Called whenever a new capture is loaded, a complete redissection is done, a pref is changed, & etc */
5699 static void
5700 netflow_init(void)
5701 {
5702 /* keys & values are "se allocated"; se memory is freed as part of the init sequence */
5703 if (v9_v10_tmplt_table != NULL) {
5704 g_hash_table_destroy(v9_v10_tmplt_table);
5705 }
5706 v9_v10_tmplt_table = g_hash_table_new(v9_v10_tmplt_table_hash, v9_v10_tmplt_table_equal);
5707 }
5708
5709 void
5710 proto_register_netflow(void)
5711 {
5712 static hf_register_info hf[] = {
5713 /*
5714 * flow header
5715 */
5716 {&hf_cflow_version,
5717 {"Version", "cflow.version",
5718 FT_UINT16, BASE_DEC, NULL, 0x0,
5719 "NetFlow Version", HFILL}
5720 },
5721 {&hf_cflow_len,
5722 {"Length", "cflow.len",
5723 FT_UINT16, BASE_DEC, NULL, 0x0,
5724 "Length of PDUs", HFILL}
5725 },
5726 {&hf_cflow_count,
5727 {"Count", "cflow.count",
5728 FT_UINT16, BASE_DEC, NULL, 0x0,
5729 "Count of PDUs", HFILL}
5730 },
5731 {&hf_cflow_sysuptime,
5732 {"SysUptime", "cflow.sysuptime",
5733 FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
5734 "Time since router booted (in seconds)", HFILL}
5735 },
5736 {&hf_cflow_exporttime,
5737 {"ExportTime", "cflow.exporttime",
5738 FT_UINT32, BASE_DEC, NULL, 0x0,
5739 "Time when the flow has been exported", HFILL}
5740 },
5741 {&hf_cflow_timestamp,
5742 {"Timestamp", "cflow.timestamp",
5743 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
5744 "Current seconds since epoch", HFILL}
5745 },
5746 {&hf_cflow_unix_secs,
5747 {"CurrentSecs", "cflow.unix_secs",
5748 FT_UINT32, BASE_DEC, NULL, 0x0,
5749 "Current seconds since epoch", HFILL}
5750 },
5751 {&hf_cflow_unix_nsecs,
5752 {"CurrentNSecs", "cflow.unix_nsecs",
5753 FT_UINT32, BASE_DEC, NULL, 0x0,
5754 "Residual nanoseconds since epoch", HFILL}
5755 },
5756 {&hf_cflow_samplingmode,
5757 {"SamplingMode", "cflow.samplingmode",
5758 FT_UINT16, BASE_DEC, VALS(v5_sampling_mode), 0xC000,
5759 "Sampling Mode of exporter", HFILL}
5760 },
5761 {&hf_cflow_samplerate,
5762 {"SampleRate", "cflow.samplerate",
5763 FT_UINT16, BASE_DEC, NULL, 0x3FFF,
5764 "Sample Frequency of exporter", HFILL}
5765 },
5766
5767 /*
5768 * end version-agnostic header
5769 * version-specific flow header
5770 */
5771 {&hf_cflow_sequence,
5772 {"FlowSequence", "cflow.sequence",
5773 FT_UINT32, BASE_DEC, NULL, 0x0,
5774 "Sequence number of flows seen", HFILL}
5775 },
5776 {&hf_cflow_engine_type,
5777 {"EngineType", "cflow.engine_type",
5778 FT_UINT8, BASE_DEC, VALS(engine_type), 0x0,
5779 "Flow switching engine type", HFILL}
5780 },
5781 {&hf_cflow_engine_id,
5782 {"EngineId", "cflow.engine_id",
5783 FT_UINT8, BASE_DEC, NULL, 0x0,
5784 "Slot number of switching engine", HFILL}
5785 },
5786 {&hf_cflow_source_id,
5787 {"SourceId", "cflow.source_id",
5788 FT_UINT32, BASE_DEC, NULL, 0x0,
5789 "Identifier for export device", HFILL}
5790 },
5791 {&hf_cflow_aggmethod,
5792 {"AggMethod", "cflow.aggmethod",
5793 FT_UINT8, BASE_DEC|BASE_EXT_STRING, &v8_agg_ext, 0x0,
5794 "CFlow V8 Aggregation Method", HFILL}
5795 },
5796 {&hf_cflow_aggversion,
5797 {"AggVersion", "cflow.aggversion",
5798 FT_UINT8, BASE_DEC, NULL, 0x0,
5799 "CFlow V8 Aggregation Version", HFILL}
5800 },
5801 /*
5802 * end version specific header storage
5803 */
5804 /*
5805 * Version 9
5806 */
5807 {&hf_cflow_flowset_id,
5808 {"FlowSet Id", "cflow.flowset_id",
5809 FT_UINT16, BASE_RANGE_STRING | BASE_DEC, RVALS(rs_flowset_ids), 0x0,
5810 NULL, HFILL}
5811 },
5812 {&hf_cflow_flowset_length,
5813 {"FlowSet Length", "cflow.flowset_length",
5814 FT_UINT16, BASE_DEC, NULL, 0x0,
5815 NULL, HFILL}
5816 },
5817 {&hf_cflow_template_id,
5818 {"Template Id", "cflow.template_id",
5819 FT_UINT16, BASE_DEC, NULL, 0x0,
5820 NULL, HFILL}
5821 },
5822 {&hf_cflow_template_field_count,
5823 {"Field Count", "cflow.template_field_count",
5824 FT_UINT16, BASE_DEC, NULL, 0x0,
5825 "Template field count", HFILL}
5826 },
5827 {&hf_cflow_template_field_type,
5828 {"Type", "cflow.template_field_type",
5829 FT_UINT16, BASE_DEC|BASE_EXT_STRING, &v9_v10_template_types_ext, 0x0,
5830 "Template field type", HFILL}
5831 },
5832 {&hf_cflow_template_field_length,
5833 {"Length", "cflow.template_field_length",
5834 FT_UINT16, BASE_DEC, NULL, 0x0,
5835 "Template field length", HFILL}
5836 },
5837
5838 /* options */
5839 {&hf_cflow_option_scope_length,
5840 {"Option Scope Length", "cflow.option_scope_length",
5841 FT_UINT16, BASE_DEC, NULL, 0x0,
5842 NULL, HFILL}
5843 },
5844 {&hf_cflow_option_length,
5845 {"Option Length", "cflow.option_length",
5846 FT_UINT16, BASE_DEC, NULL, 0x0,
5847 NULL, HFILL}
5848 },
5849 {&hf_cflow_template_scope_field_type,
5850 {"Scope Type", "cflow.scope_field_type",
5851 FT_UINT16, BASE_DEC|BASE_EXT_STRING, &v9_scope_field_types_ext, 0x0,
5852 "Scope field type", HFILL}
5853 },
5854 {&hf_cflow_icmp_type,
5855 {"ICMP Type", "cflow.icmp_type",
5856 FT_UINT8, BASE_DEC, NULL, 0x0,
5857 NULL, HFILL}
5858 },
5859 {&hf_cflow_igmp_type,
5860 {"IGMP Type", "cflow.igmp_type",
5861 FT_UINT8, BASE_DEC, NULL, 0x0,
5862 NULL, HFILL}
5863 },
5864 {&hf_cflow_sampling_interval,
5865 {"Sampling interval", "cflow.sampling_interval",
5866 FT_UINT32, BASE_DEC, NULL, 0x0,
5867 NULL, HFILL}
5868 },
5869 {&hf_cflow_sampling_algorithm,
5870 {"Sampling algorithm", "cflow.sampling_algorithm",
5871 FT_UINT8, BASE_DEC, VALS(v5_sampling_mode), 0x0,
5872 NULL, HFILL}
5873 },
5874 {&hf_cflow_flow_active_timeout,
5875 {"Flow active timeout", "cflow.flow_active_timeout",
5876 FT_UINT16, BASE_DEC, NULL, 0x0,
5877 NULL, HFILL}
5878 },
5879 {&hf_cflow_flow_inactive_timeout,
5880 {"Flow inactive timeout", "cflow.flow_inactive_timeout",
5881 FT_UINT16, BASE_DEC, NULL, 0x0,
5882 NULL, HFILL}
5883 },
5884
5885 /*
5886 * begin pdu content storage
5887 */
5888 {&hf_cflow_srcaddr,
5889 {"SrcAddr", "cflow.srcaddr",
5890 FT_IPv4, BASE_NONE, NULL, 0x0,
5891 "Flow Source Address (IPv4)", HFILL}
5892 },
5893 {&hf_cflow_srcaddr_v6,
5894 {"SrcAddr", "cflow.srcaddrv6",
5895 FT_IPv6, BASE_NONE, NULL, 0x0,
5896 "Flow Source Address (IPv6)", HFILL}
5897 },
5898 {&hf_cflow_srcnet,
5899 {"SrcNet", "cflow.srcnet",
5900 FT_IPv4, BASE_NONE, NULL, 0x0,
5901 "Flow Source Network", HFILL}
5902 },
5903 {&hf_cflow_dstaddr,
5904 {"DstAddr", "cflow.dstaddr",
5905 FT_IPv4, BASE_NONE, NULL, 0x0,
5906 "Flow Destination Address (IPv4)", HFILL}
5907 },
5908 {&hf_cflow_dstaddr_v6,
5909 {"DstAddr", "cflow.dstaddrv6",
5910 FT_IPv6, BASE_NONE, NULL, 0x0,
5911 "Flow Destination Address (IPv6)", HFILL}
5912 },
5913 {&hf_cflow_dstnet,
5914 {"DstNet", "cflow.dstnet",
5915 FT_IPv4, BASE_NONE, NULL, 0x0,
5916 "Flow Destination Network", HFILL}
5917 },
5918 {&hf_cflow_nexthop,
5919 {"NextHop", "cflow.nexthop",
5920 FT_IPv4, BASE_NONE, NULL, 0x0,
5921 "Router nexthop (IPv4)", HFILL}
5922 },
5923 {&hf_cflow_nexthop_v6,
5924 {"NextHop", "cflow.nexthopv6",
5925 FT_IPv6, BASE_NONE, NULL, 0x0,
5926 "Router nexthop (IPv6)", HFILL}
5927 },
5928 {&hf_cflow_bgpnexthop,
5929 {"BGPNextHop", "cflow.bgpnexthop",
5930 FT_IPv4, BASE_NONE, NULL, 0x0,
5931 "BGP Router Nexthop (IPv4)", HFILL}
5932 },
5933 {&hf_cflow_bgpnexthop_v6,
5934 {"BGPNextHop", "cflow.bgpnexthopv6",
5935 FT_IPv6, BASE_NONE, NULL, 0x0,
5936 "BGP Router Nexthop (IPv6)", HFILL}
5937 },
5938 {&hf_cflow_inputint,
5939 {"InputInt", "cflow.inputint",
5940 FT_UINT32, BASE_DEC, NULL, 0x0,
5941 "Flow Input Interface", HFILL}
5942 },
5943 {&hf_cflow_outputint,
5944 {"OutputInt", "cflow.outputint",
5945 FT_UINT32, BASE_DEC, NULL, 0x0,
5946 "Flow Output Interface", HFILL}
5947 },
5948 {&hf_cflow_flows,
5949 {"Flows", "cflow.flows",
5950 FT_UINT32, BASE_DEC, NULL, 0x0,
5951 "Flows Aggregated in PDU", HFILL}
5952 },
5953 {&hf_cflow_flows64,
5954 {"Flows", "cflow.flows64",
5955 FT_UINT64, BASE_DEC, NULL, 0x0,
5956 "Flows Aggregated in PDU", HFILL}
5957 },
5958 {&hf_cflow_packets,
5959 {"Packets", "cflow.packets",
5960 FT_UINT32, BASE_DEC, NULL, 0x0,
5961 "Count of packets", HFILL}
5962 },
5963 {&hf_cflow_packets64,
5964 {"Packets", "cflow.packets64",
5965 FT_UINT64, BASE_DEC, NULL, 0x0,
5966 "Count of packets", HFILL}
5967 },
5968 {&hf_cflow_octets,
5969 {"Octets", "cflow.octets",
5970 FT_UINT32, BASE_DEC, NULL, 0x0,
5971 "Count of bytes", HFILL}
5972 },
5973 {&hf_cflow_octets64,
5974 {"Octets", "cflow.octets64",
5975 FT_UINT64, BASE_DEC, NULL, 0x0,
5976 "Count of bytes", HFILL}
5977 },
5978 {&hf_cflow_length_min,
5979 {"MinLength", "cflow.length_min",
5980 FT_UINT16, BASE_DEC, NULL, 0x0,
5981 "Packet Length Min", HFILL}
5982 },
5983 {&hf_cflow_length_max,
5984 {"MaxLength", "cflow.length_max",
5985 FT_UINT16, BASE_DEC, NULL, 0x0,
5986 "Packet Length Max", HFILL}
5987 },
5988 {&hf_cflow_length_min64,
5989 {"MinLength", "cflow.length_min",
5990 FT_UINT64, BASE_DEC, NULL, 0x0,
5991 "Packet Length Min", HFILL}
5992 },
5993 {&hf_cflow_length_max64,
5994 {"MaxLength", "cflow.length_max",
5995 FT_UINT64, BASE_DEC, NULL, 0x0,
5996 "Packet Length Max", HFILL}
5997 },
5998 {&hf_cflow_timedelta,
5999 {"Duration", "cflow.timedelta",
6000 FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
6001 "Duration of flow sample (end - start)", HFILL}
6002 },
6003 {&hf_cflow_timestart,
6004 {"StartTime", "cflow.timestart",
6005 FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
6006 "Uptime at start of flow", HFILL}
6007 },
6008 {&hf_cflow_timeend,
6009 {"EndTime", "cflow.timeend",
6010 FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
6011 "Uptime at end of flow", HFILL}
6012 },
6013 {&hf_cflow_srcport,
6014 {"SrcPort", "cflow.srcport",
6015 FT_UINT16, BASE_DEC, NULL, 0x0,
6016 "Flow Source Port", HFILL}
6017 },
6018 {&hf_cflow_dstport,
6019 {"DstPort", "cflow.dstport",
6020 FT_UINT16, BASE_DEC, NULL, 0x0,
6021 "Flow Destination Port", HFILL}
6022 },
6023 {&hf_cflow_prot,
6024 {"Protocol", "cflow.protocol",
6025 FT_UINT8, BASE_DEC, NULL, 0x0,
6026 "IP Protocol", HFILL}
6027 },
6028 {&hf_cflow_tos,
6029 {"IP ToS", "cflow.tos",
6030 FT_UINT8, BASE_HEX, NULL, 0x0,
6031 "IP Type of Service", HFILL}
6032 },
6033 {&hf_cflow_flags,
6034 {"Export Flags", "cflow.flags",
6035 FT_UINT8, BASE_HEX, NULL, 0x0,
6036 "CFlow Flags", HFILL}
6037 },
6038 {&hf_cflow_tcpflags,
6039 {"TCP Flags", "cflow.tcpflags",
6040 FT_UINT8, BASE_HEX, NULL, 0x0,
6041 NULL, HFILL}
6042 },
6043 {&hf_cflow_srcas,
6044 {"SrcAS", "cflow.srcas",
6045 FT_UINT32, BASE_DEC, NULL, 0x0,
6046 "Source AS", HFILL}
6047 },
6048 {&hf_cflow_dstas,
6049 {"DstAS", "cflow.dstas",
6050 FT_UINT32, BASE_DEC, NULL, 0x0,
6051 "Destination AS", HFILL}
6052 },
6053 {&hf_cflow_srcmask,
6054 {"SrcMask", "cflow.srcmask",
6055 FT_UINT8, BASE_DEC, NULL, 0x0,
6056 "Source Prefix Mask", HFILL}
6057 },
6058 {&hf_cflow_srcmask_v6,
6059 {"SrcMask", "cflow.srcmaskv6",
6060 FT_UINT8, BASE_DEC, NULL, 0x0,
6061 "IPv6 Source Prefix Mask", HFILL}
6062 },
6063 {&hf_cflow_dstmask,
6064 {"DstMask", "cflow.dstmask",
6065 FT_UINT8, BASE_DEC, NULL, 0x0,
6066 "Destination Prefix Mask", HFILL}
6067 },
6068 {&hf_cflow_dstmask_v6,
6069 {"DstMask", "cflow.dstmaskv6",
6070 FT_UINT8, BASE_DEC, NULL, 0x0,
6071 "IPv6 Destination Prefix Mask", HFILL}
6072 },
6073 {&hf_cflow_routersc,
6074 {"Router Shortcut", "cflow.routersc",
6075 FT_IPv4, BASE_NONE, NULL, 0x0,
6076 "Router shortcut by switch", HFILL}
6077 },
6078 {&hf_cflow_mulpackets,
6079 {"MulticastPackets", "cflow.mulpackets",
6080 FT_UINT32, BASE_DEC, NULL, 0x0,
6081 "Count of multicast packets", HFILL}
6082 },
6083 {&hf_cflow_muloctets,
6084 {"MulticastOctets", "cflow.muloctets",
6085 FT_UINT32, BASE_DEC, NULL, 0x0,
6086 "Count of multicast octets", HFILL}
6087 },
6088 {&hf_cflow_octets_exp,
6089 {"OctetsExp", "cflow.octetsexp",
6090 FT_UINT32, BASE_DEC, NULL, 0x0,
6091 "Octets exported", HFILL}
6092 },
6093 {&hf_cflow_octets_exp64,
6094 {"OctetsExp", "cflow.octetsexp64",
6095 FT_UINT64, BASE_DEC, NULL, 0x0,
6096 "Octets exported", HFILL}
6097 },
6098 {&hf_cflow_packets_exp,
6099 {"PacketsExp", "cflow.packetsexp",
6100 FT_UINT32, BASE_DEC, NULL, 0x0,
6101 "Packets exported", HFILL}
6102 },
6103 {&hf_cflow_packets_exp64,
6104 {"PacketsExp", "cflow.packetsexp64",
6105 FT_UINT64, BASE_DEC, NULL, 0x0,
6106 "Packets exported", HFILL}
6107 },
6108 {&hf_cflow_flows_exp,
6109 {"FlowsExp", "cflow.flowsexp",
6110 FT_UINT32, BASE_DEC, NULL, 0x0,
6111 "Flows exported", HFILL}
6112 },
6113 {&hf_cflow_flows_exp64,
6114 {"FlowsExp", "cflow.flowsexp64",
6115 FT_UINT64, BASE_DEC, NULL, 0x0,
6116 "Flows exported", HFILL}
6117 },
6118 {&hf_cflow_srcprefix,
6119 {"SrcPrefix", "cflow.srcprefix",
6120 FT_IPv4, BASE_NONE, NULL, 0x0,
6121 "Flow Source Prefix", HFILL}
6122 },
6123 {&hf_cflow_dstprefix,
6124 {"DstPrefix", "cflow.dstprefix",
6125 FT_IPv4, BASE_NONE, NULL, 0x0,
6126 "Flow Destination Prefix", HFILL}
6127 },
6128 {&hf_cflow_mpls_top_label_type,
6129 {"TopLabelType", "cflow.toplabeltype",
6130 FT_UINT8, BASE_DEC, VALS(special_mpls_top_label_type), 0x0,
6131 "Top MPLS label Type", HFILL}
6132 },
6133 {&hf_cflow_mpls_pe_addr,
6134 {"TopLabelAddr", "cflow.toplabeladdr",
6135 FT_IPv4, BASE_NONE, NULL, 0x0,
6136 "Top MPLS label PE address", HFILL}
6137 },
6138 {&hf_cflow_sampler_id,
6139 {"SamplerID", "cflow.sampler_id",
6140 FT_UINT8, BASE_DEC, NULL, 0x0,
6141 "Flow Sampler ID", HFILL}
6142 },
6143 {&hf_cflow_sampler_mode,
6144 {"SamplerMode", "cflow.sampler_mode",
6145 FT_UINT8, BASE_DEC, VALS(v9_sampler_mode), 0x0,
6146 "Flow Sampler Mode", HFILL}
6147 },
6148 {&hf_cflow_sampler_random_interval,
6149 {"SamplerRandomInterval", "cflow.sampler_random_interval",
6150 FT_UINT32, BASE_DEC, NULL, 0x0,
6151 "Flow Sampler Random Interval", HFILL}
6152 },
6153 {&hf_cflow_flow_class,
6154 {"FlowClass", "cflow.flow_class",
6155 FT_UINT8, BASE_DEC, NULL, 0x0,
6156 "Flow Class", HFILL}
6157 },
6158 {&hf_cflow_ttl_minimum,
6159 {"MinTTL", "cflow.ttl_min",
6160 FT_UINT8, BASE_DEC, NULL, 0x0,
6161 "TTL minimum", HFILL}
6162 },
6163 {&hf_cflow_ttl_maximum,
6164 {"MaxTTL", "cflow.ttl_max",
6165 FT_UINT8, BASE_DEC, NULL, 0x0,
6166 "TTL maximum", HFILL}
6167 },
6168 {&hf_cflow_ipv4_id,
6169 {"IPv4Ident", "cflow.ipv4_ident",
6170 FT_UINT16, BASE_DEC, NULL, 0x0,
6171 "IPv4 Identifier", HFILL}
6172 },
6173 {&hf_cflow_ip_version,
6174 {"IPVersion", "cflow.ip_version",
6175 FT_BYTES, BASE_NONE, NULL, 0x0,
6176 "IP Version", HFILL}
6177 },
6178 {&hf_cflow_direction,
6179 {"Direction", "cflow.direction",
6180 FT_UINT8, BASE_DEC, VALS(v9_direction), 0x0,
6181 NULL, HFILL}
6182 },
6183 {&hf_cflow_if_name,
6184 {"IfName", "cflow.if_name",
6185 FT_STRINGZ/*FT_BYTES*/, BASE_NONE, NULL, 0x0,
6186 "SNMP Interface Name", HFILL}
6187 },
6188 {&hf_cflow_if_descr,
6189 {"IfDescr", "cflow.if_descr",
6190 FT_STRINGZ/*FT_BYTES*/, BASE_NONE, NULL, 0x0,
6191 "SNMP Interface Description", HFILL}
6192 },
6193 {&hf_cflow_sampler_name,
6194 {"SamplerName", "cflow.sampler_name",
6195 FT_STRINGZ/*FT_BYTES*/, BASE_NONE, NULL, 0x0,
6196 "Sampler Name", HFILL}
6197 },
6198 {&hf_cflow_forwarding_status,
6199 {"ForwdStat", "cflow.forwarding_status",
6200 FT_UINT8, BASE_DEC, VALS(v9_forwarding_status), 0xC0,
6201 "Forwarding Status", HFILL}
6202 },
6203 {&hf_cflow_forwarding_status_unknown_code,
6204 {"ForwdCode", "cflow.forwarding_status_unknown_code",
6205 FT_UINT8, BASE_DEC, VALS(v9_forwarding_status_unknown_code), 0x3F,
6206 NULL, HFILL}
6207 },
6208 {&hf_cflow_forwarding_status_forward_code,
6209 {"ForwdCode", "cflow.forwarding_status_foreward_code",
6210 FT_UINT8, BASE_DEC, VALS(v9_forwarding_status_forward_code), 0x3F,
6211 NULL, HFILL}
6212 },
6213 {&hf_cflow_forwarding_status_drop_code,
6214 {"ForwdCode", "cflow.forwarding_status_drop_code",
6215 FT_UINT8, BASE_DEC, VALS(v9_forwarding_status_drop_code), 0x3F,
6216 NULL, HFILL}
6217 },
6218 {&hf_cflow_forwarding_status_consume_code,
6219 {"ForwdCode", "cflow.forwarding_status_consume_code",
6220 FT_UINT8, BASE_DEC, VALS(v9_forwarding_status_consume_code), 0x3F,
6221 NULL, HFILL}
6222 },
6223 {&hf_cflow_nbar_appl_desc,
6224 {"ApplicationDesc", "cflow.appl_desc",
6225 FT_STRINGZ, BASE_NONE, NULL, 0x0,
6226 "Application Desc (NBAR)", HFILL}
6227 },
6228 {&hf_cflow_nbar_appl_id,
6229 {"ApplicationID", "cflow.appl_id",
6230 FT_UINT32, BASE_CUSTOM, nbar_fmt_id, 0x0,
6231 "Application ID (NBAR)", HFILL}
6232 },
6233 {&hf_cflow_nbar_appl_name,
6234 {"ApplicationName", "cflow.appl_name",
6235 FT_STRINGZ, BASE_NONE, NULL, 0x0,
6236 "Application Name (NBAR)", HFILL}
6237 },
6238 {&hf_cflow_peer_srcas,
6239 {"PeerSrcAS", "cflow.peer_srcas",
6240 FT_UINT32, BASE_DEC, NULL, 0x0,
6241 "Peer Source AS", HFILL}
6242 },
6243 {&hf_cflow_peer_dstas,
6244 {"PeerDstAS", "cflow.peer_dstas",
6245 FT_UINT32, BASE_DEC, NULL, 0x0,
6246 "Peer Destination AS", HFILL}
6247 },
6248 {&hf_cflow_flow_exporter,
6249 {"FlowExporter", "cflow.flow_exporter",
6250 FT_BYTES/*FT_IPv4*/, BASE_NONE, NULL, 0x0,
6251 NULL, HFILL}
6252 },
6253 {&hf_cflow_icmp_ipv4_type,
6254 {"IPv4 ICMP Type", "cflow.icmp_ipv4_type",
6255 FT_UINT8, BASE_DEC, NULL, 0x0,
6256 NULL, HFILL}
6257 },
6258 {&hf_cflow_icmp_ipv4_code,
6259 {"IPv4 ICMP Code", "cflow.icmp_ipv4_code",
6260 FT_UINT8, BASE_DEC, NULL, 0x0,
6261 NULL, HFILL}
6262 },
6263 {&hf_cflow_icmp_ipv6_type,
6264 {"IPv6 ICMP Type", "cflow.icmp_ipv6_type",
6265 FT_UINT8, BASE_DEC, NULL, 0x0,
6266 NULL, HFILL}
6267 },
6268 {&hf_cflow_icmp_ipv6_code,
6269 {"IPv6 ICMP Code", "cflow.icmp_ipv6_code",
6270 FT_UINT8, BASE_DEC, NULL, 0x0,
6271 NULL, HFILL}
6272 },
6273 {&hf_cflow_tcp_window_size,
6274 {"TCP Windows Size", "cflow.tcp_windows_size",
6275 FT_UINT16, BASE_DEC, NULL, 0x0,
6276 NULL, HFILL}
6277 },
6278 {&hf_cflow_ipv4_total_length,
6279 {"IPV4 Total Length", "cflow.ipv4_total_length",
6280 FT_UINT16, BASE_DEC, NULL, 0x0,
6281 NULL, HFILL}
6282 },
6283 {&hf_cflow_ip_ttl,
6284 {"IP TTL", "cflow.ip_ttl",
6285 FT_UINT8, BASE_DEC, NULL, 0x0,
6286 "IP time to live", HFILL}
6287 },
6288 {&hf_cflow_ip_tos,
6289 {"IP TOS", "cflow.ip_tos",
6290 FT_UINT8, BASE_DEC, NULL, 0x0,
6291 "IP type of service", HFILL}
6292 },
6293 {&hf_cflow_ip_dscp,
6294 {"DSCP", "cflow.ip_dscp",
6295 FT_UINT8, BASE_DEC, NULL, 0x0,
6296 NULL, HFILL}
6297 },
6298 {&hf_cflow_octets_squared64,
6299 {"OctetsSquared", "cflow.octets_squared",
6300 FT_UINT64, BASE_DEC, NULL, 0x0,
6301 NULL, HFILL}
6302 },
6303 {&hf_cflow_udp_length,
6304 {"UDP Length", "cflow.udp_length",
6305 FT_UINT16, BASE_DEC, NULL, 0x0,
6306 NULL, HFILL}
6307 },
6308 {&hf_cflow_is_multicast,
6309 {"IsMulticast", "cflow.is_multicast",
6310 FT_UINT8, BASE_DEC, NULL, 0x0,
6311 NULL, HFILL}
6312 },
6313 {&hf_cflow_ip_header_words,
6314 {"IPHeaderLen", "cflow.ip_header_words",
6315 FT_UINT8, BASE_DEC, NULL, 0x0,
6316 NULL, HFILL}
6317 },
6318 {&hf_cflow_option_map,
6319 {"OptionMap", "cflow.option_map",
6320 FT_BYTES, BASE_NONE, NULL, 0x0,
6321 NULL, HFILL}
6322 },
6323 {&hf_cflow_section_header,
6324 {"SectionHeader", "cflow.section_header",
6325 FT_BYTES, BASE_NONE, NULL, 0x0,
6326 "Header of Packet", HFILL}
6327 },
6328 {&hf_cflow_section_payload,
6329 {"SectionPayload", "cflow.section_payload",
6330 FT_BYTES, BASE_NONE, NULL, 0x0,
6331 "Payload of Packet", HFILL}
6332 },
6333 /* IPFIX Information Elements */
6334 {&hf_cflow_post_octets,
6335 {"Post Octets", "cflow.post_octets",
6336 FT_UINT32, BASE_DEC, NULL, 0x0,
6337 "Count of post bytes", HFILL}
6338 },
6339 {&hf_cflow_post_octets64,
6340 {"Post Octets", "cflow.post_octets64",
6341 FT_UINT64, BASE_DEC, NULL, 0x0,
6342 "Count of post bytes", HFILL}
6343 },
6344 {&hf_cflow_post_packets,
6345 {"Post Packets", "cflow.post_packets",
6346 FT_UINT32, BASE_DEC, NULL, 0x0,
6347 "Count of post packets", HFILL}
6348 },
6349 {&hf_cflow_post_packets64,
6350 {"Post Packets", "cflow.post_packets64",
6351 FT_UINT64, BASE_DEC, NULL, 0x0,
6352 "Count of post packets", HFILL}
6353 },
6354 {&hf_cflow_ipv6_flowlabel,
6355 {"ipv6FlowLabel", "cflow.ipv6flowlabel",
6356 FT_UINT32, BASE_DEC, NULL, 0x0,
6357 "IPv6 Flow Label", HFILL}
6358 },
6359 {&hf_cflow_ipv6_flowlabel24,
6360 {"ipv6FlowLabel", "cflow.ipv6flowlabel24",
6361 FT_UINT32, BASE_DEC, NULL, 0x0,
6362 "IPv6 Flow Label", HFILL}
6363 },
6364 {&hf_cflow_post_tos,
6365 {"Post IP ToS", "cflow.post_tos",
6366 FT_UINT8, BASE_HEX, NULL, 0x0,
6367 "Post IP Type of Service", HFILL}
6368 },
6369 {&hf_cflow_srcmac,
6370 {"Source Mac Address", "cflow.srcmac",
6371 FT_ETHER, BASE_NONE, NULL, 0x0,
6372 NULL, HFILL}
6373 },
6374 {&hf_cflow_post_dstmac,
6375 {"Post Destination Mac Address", "cflow.post_dstmac",
6376 FT_ETHER, BASE_NONE, NULL, 0x0,
6377 NULL, HFILL}
6378 },
6379 {&hf_cflow_vlanid,
6380 {"Vlan Id", "cflow.vlanid",
6381 FT_UINT16, BASE_DEC, NULL, 0x0,
6382 NULL, HFILL}
6383 },
6384 {&hf_cflow_post_vlanid,
6385 {"Post Vlan Id", "cflow.post_vlanid",
6386 FT_UINT16, BASE_DEC, NULL, 0x0,
6387 NULL, HFILL}
6388 },
6389 {&hf_cflow_ipv6_exthdr,
6390 {"IPv6 Extension Headers", "cflow.ipv6_exthdr",
6391 FT_UINT32, BASE_HEX, NULL, 0x0,
6392 NULL, HFILL}
6393 },
6394 {&hf_cflow_dstmac,
6395 {"Destination Mac Address", "cflow.dstmac",
6396 FT_ETHER, BASE_NONE, NULL, 0x0,
6397 NULL, HFILL}
6398 },
6399 {&hf_cflow_post_srcmac,
6400 {"Post Source Mac Address", "cflow.post_srcmac",
6401 FT_ETHER, BASE_NONE, NULL, 0x0,
6402 NULL, HFILL}
6403 },
6404 {&hf_cflow_permanent_packets,
6405 {"Permanent Packets", "cflow.permanent_packets",
6406 FT_UINT32, BASE_DEC, NULL, 0x0,
6407 "Running Count of packets for permanent flows", HFILL}
6408 },
6409 {&hf_cflow_permanent_packets64,
6410 {"Permanent Packets", "cflow.permanent_packets64",
6411 FT_UINT64, BASE_DEC, NULL, 0x0,
6412 "Running Count of packets for permanent flows", HFILL}
6413 },
6414 {&hf_cflow_permanent_octets,
6415 {"Permanent Octets", "cflow.permanent_octets",
6416 FT_UINT32, BASE_DEC, NULL, 0x0,
6417 "Running Count of bytes for permanent flows", HFILL}
6418 },
6419 {&hf_cflow_permanent_octets64,
6420 {"Permanent Octets", "cflow.permanent_octets64",
6421 FT_UINT64, BASE_DEC, NULL, 0x0,
6422 "Running Count of bytes for permanent flows", HFILL}
6423 },
6424 {&hf_cflow_fragment_offset,
6425 {"Fragment Offset", "cflow.fragment_offset",
6426 FT_UINT16, BASE_DEC, NULL, 0x0,
6427 NULL, HFILL}
6428 },
6429 {&hf_cflow_mpls_vpn_rd,
6430 {"MPLS VPN RD", "cflow.mpls_vpn_rd",
6431 FT_BYTES, BASE_NONE, NULL, 0x0,
6432 "MPLS VPN Route Distinguisher", HFILL}
6433 },
6434 {&hf_cflow_mpls_top_label_prefix_length,
6435 {"Mpls Top Label Prefix Length", "cflow.mpls_top_label_prefix_length",
6436 FT_UINT8, BASE_DEC, NULL, 0x0,
6437 NULL, HFILL}
6438 },
6439 {&hf_cflow_post_ip_diff_serv_code_point,
6440 {"Post Ip Diff Serv Code Point", "cflow.post_ip_diff_serv_code_point",
6441 FT_UINT8, BASE_DEC, NULL, 0x0,
6442 NULL, HFILL}
6443 },
6444 {&hf_cflow_multicast_replication_factor,
6445 {"Multicast Replication Factor", "cflow.multicast_replication_factor",
6446 FT_BYTES, BASE_NONE, NULL, 0x0,
6447 NULL, HFILL}
6448 },
6449 {&hf_cflow_exporter_addr,
6450 {"ExporterAddr", "cflow.exporter_addr",
6451 FT_IPv4, BASE_NONE, NULL, 0x0,
6452 "Flow Exporter Address", HFILL}
6453 },
6454 {&hf_cflow_exporter_addr_v6,
6455 {"ExporterAddr", "cflow.exporter_addr_v6",
6456 FT_IPv6, BASE_NONE, NULL, 0x0,
6457 "Flow Exporter Address", HFILL}
6458 },
6459 {&hf_cflow_drop_octets,
6460 {"Dropped Octets", "cflow.drop_octets",
6461 FT_UINT32, BASE_DEC, NULL, 0x0,
6462 "Count of dropped bytes", HFILL}
6463 },
6464 {&hf_cflow_drop_octets64,
6465 {"Dropped Octets", "cflow.drop_octets64",
6466 FT_UINT64, BASE_DEC, NULL, 0x0,
6467 "Count of dropped bytes", HFILL}
6468 },
6469 {&hf_cflow_drop_packets,
6470 {"Dropped Packets", "cflow.drop_packets",
6471 FT_UINT32, BASE_DEC, NULL, 0x0,
6472 "Count of dropped packets", HFILL}
6473 },
6474 {&hf_cflow_drop_packets64,
6475 {"Dropped Packets", "cflow.drop_packets64",
6476 FT_UINT64, BASE_DEC, NULL, 0x0,
6477 "Count of dropped packets", HFILL}
6478 },
6479 {&hf_cflow_drop_total_octets,
6480 {"Dropped Total Octets", "cflow.drop_total_octets",
6481 FT_UINT32, BASE_DEC, NULL, 0x0,
6482 "Count of total dropped bytes", HFILL}
6483 },
6484 {&hf_cflow_drop_total_octets64,
6485 {"Dropped Total Octets", "cflow.drop_total_octets64",
6486 FT_UINT64, BASE_DEC, NULL, 0x0,
6487 "Count of total dropped bytes", HFILL}
6488 },
6489 {&hf_cflow_drop_total_packets,
6490 {"Dropped Total Packets", "cflow.drop_total_packets",
6491 FT_UINT32, BASE_DEC, NULL, 0x0,
6492 "Count of total dropped packets", HFILL}
6493 },
6494 {&hf_cflow_drop_total_packets64,
6495 {"Dropped Total Packets", "cflow.drop_total_packets64",
6496 FT_UINT64, BASE_DEC, NULL, 0x0,
6497 "Count of total dropped packets", HFILL}
6498 },
6499 {&hf_cflow_flow_end_reason,
6500 {"Flow End Reason", "cflow.flow_end_reason",
6501 FT_UINT8, BASE_DEC, VALS(v9_flow_end_reason), 0x0,
6502 NULL, HFILL}
6503 },
6504 {&hf_cflow_common_properties_id,
6505 {"Common Properties Id", "cflow.common_properties_id",
6506 FT_UINT64, BASE_DEC, NULL, 0x0,
6507 NULL, HFILL}
6508 },
6509 {&hf_cflow_observation_point_id,
6510 {"Observation Point Id", "cflow.observation_point_id",
6511 FT_UINT32, BASE_DEC, NULL, 0x0,
6512 NULL, HFILL}
6513 },
6514 {&hf_cflow_mpls_pe_addr_v6,
6515 {"TopLabelAddr V6", "cflow.toplabeladdr_v6",
6516 FT_IPv6, BASE_NONE, NULL, 0x0,
6517 "Top MPLS label PE address IPv6", HFILL}
6518 },
6519 {&hf_cflow_port_id,
6520 {"Port Id", "cflow.port_id",
6521 FT_UINT32, BASE_DEC, NULL, 0x0,
6522 NULL, HFILL}
6523 },
6524 {&hf_cflow_mp_id,
6525 {"Metering Process Id", "cflow.mp_id",
6526 FT_UINT32, BASE_DEC, NULL, 0x0,
6527 NULL, HFILL}
6528 },
6529 {&hf_cflow_wlan_channel_id,
6530 {"Wireless LAN Channel Id", "cflow.wlan_channel_id",
6531 FT_UINT8, BASE_DEC, NULL, 0x0,
6532 NULL, HFILL}
6533 },
6534 {&hf_cflow_wlan_ssid,
6535 {"Wireless LAN SSId", "cflow.wlan_ssid",
6536 FT_STRING, BASE_NONE, NULL, 0x0,
6537 NULL, HFILL}
6538 },
6539 {&hf_cflow_flow_id,
6540 {"Flow Id", "cflow.flow_id",
6541 FT_UINT64, BASE_DEC, NULL, 0x0,
6542 NULL, HFILL}
6543 },
6544 {&hf_cflow_od_id,
6545 {"Observation Domain Id", "cflow.od_id",
6546 FT_UINT32, BASE_DEC, NULL, 0x0,
6547 "Identifier of an Observation Domain that is locally unique to an Exporting Process", HFILL}
6548 },
6549 {&hf_cflow_sys_init_time,
6550 {"System Init Time", "cflow.sys_init_time",
6551 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
6552 NULL, HFILL}
6553 },
6554 {&hf_cflow_abstimestart,
6555 {"StartTime", "cflow.abstimestart",
6556 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
6557 "Uptime at start of flow", HFILL}
6558 },
6559 {&hf_cflow_abstimeend,
6560 {"EndTime", "cflow.abstimeend",
6561 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
6562 "Uptime at end of flow", HFILL}
6563 },
6564 {&hf_cflow_dstnet_v6,
6565 {"DstNet", "cflow.dstnetv6",
6566 FT_IPv6, BASE_NONE, NULL, 0x0,
6567 "Flow Destination Network (IPv6)", HFILL}
6568 },
6569 {&hf_cflow_srcnet_v6,
6570 {"SrcNet", "cflow.srcnetv6",
6571 FT_IPv6, BASE_NONE, NULL, 0x0,
6572 "Flow Source Network (IPv6)", HFILL}
6573 },
6574 {&hf_cflow_ignore_packets,
6575 {"Ignored Packets", "cflow.ignore_packets",
6576 FT_UINT32, BASE_DEC, NULL, 0x0,
6577 "Count of ignored packets", HFILL}
6578 },
6579 {&hf_cflow_ignore_packets64,
6580 {"Ignored Packets", "cflow.ignore_packets64",
6581 FT_UINT64, BASE_DEC, NULL, 0x0,
6582 "Count of ignored packets", HFILL}
6583 },
6584 {&hf_cflow_ignore_octets,
6585 {"Ignored Octets", "cflow.ignore_octets",
6586 FT_UINT32, BASE_DEC, NULL, 0x0,
6587 "Count of ignored octets", HFILL}
6588 },
6589 {&hf_cflow_ignore_octets64,
6590 {"Ignored Octets", "cflow.ignore_octets64",
6591 FT_UINT64, BASE_DEC, NULL, 0x0,
6592 "Count of ignored octets", HFILL}
6593 },
6594 {&hf_cflow_notsent_flows,
6595 {"Not Sent Flows", "cflow.notsent_flows",
6596 FT_UINT32, BASE_DEC, NULL, 0x0,
6597 "Count of not sent flows", HFILL}
6598 },
6599 {&hf_cflow_notsent_flows64,
6600 {"Not Sent Flows", "cflow.notsent_flows64",
6601 FT_UINT64, BASE_DEC, NULL, 0x0,
6602 "Count of not sent flows", HFILL}
6603 },
6604 {&hf_cflow_notsent_packets,
6605 {"Not Sent Packets", "cflow.notsent_packets",
6606 FT_UINT32, BASE_DEC, NULL, 0x0,
6607 "Count of not sent packets", HFILL}
6608 },
6609 {&hf_cflow_notsent_packets64,
6610 {"Not Sent Packets", "cflow.notsent_packets64",
6611 FT_UINT64, BASE_DEC, NULL, 0x0,
6612 "Count of not sent packets", HFILL}
6613 },
6614 {&hf_cflow_notsent_octets,
6615 {"Not Sent Octets", "cflow.notsent_octets",
6616 FT_UINT32, BASE_DEC, NULL, 0x0,
6617 "Count of not sent octets", HFILL}
6618 },
6619 {&hf_cflow_notsent_octets64,
6620 {"Not Sent Octets", "cflow.notsent_octets64",
6621 FT_UINT64, BASE_DEC, NULL, 0x0,
6622 "Count of not sent octets", HFILL}
6623 },
6624 {&hf_cflow_post_total_octets,
6625 {"Post Total Octets", "cflow.post_total_octets",
6626 FT_UINT32, BASE_DEC, NULL, 0x0,
6627 "Count of post total octets", HFILL}
6628 },
6629 {&hf_cflow_post_total_octets64,
6630 {"Post Total Octets", "cflow.post_total_octets64",
6631 FT_UINT64, BASE_DEC, NULL, 0x0,
6632 "Count of post total octets", HFILL}
6633 },
6634 {&hf_cflow_post_total_packets,
6635 {"Post Total Packets", "cflow.post_total_packets",
6636 FT_UINT32, BASE_DEC, NULL, 0x0,
6637 "Count of post total packets", HFILL}
6638 },
6639 {&hf_cflow_post_total_packets64,
6640 {"Post Total Packets", "cflow.post_total_packets64",
6641 FT_UINT64, BASE_DEC, NULL, 0x0,
6642 "Count of post total packets", HFILL}
6643 },
6644 {&hf_cflow_key,
6645 {"floKeyIndicator", "cflow.post_key",
6646 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
6647 "Flow Key Indicator", HFILL}
6648 },
6649 {&hf_cflow_post_total_mulpackets,
6650 {"Post Total Multicast Packets", "cflow.post_total_mulpackets",
6651 FT_UINT32, BASE_DEC, NULL, 0x0,
6652 "Count of post total multicast packets", HFILL}
6653 },
6654 {&hf_cflow_post_total_mulpackets64,
6655 {"Post Total Multicast Packets", "cflow.post_total_mulpackets64",
6656 FT_UINT64, BASE_DEC, NULL, 0x0,
6657 "Count of post total multicast packets", HFILL}
6658 },
6659 {&hf_cflow_post_total_muloctets,
6660 {"Post Total Multicast Octets", "cflow.post_total_muloctets",
6661 FT_UINT32, BASE_DEC, NULL, 0x0,
6662 "Count of post total multicast octets", HFILL}
6663 },
6664 {&hf_cflow_post_total_muloctets64,
6665 {"Post Total Multicast Octets", "cflow.post_total_muloctets64",
6666 FT_UINT64, BASE_DEC, NULL, 0x0,
6667 "Count of post total multicast octets", HFILL}
6668 },
6669 {&hf_cflow_tcp_seq_num,
6670 {"TCP Sequence Number", "cflow.tcp_seq_num",
6671 FT_UINT32, BASE_DEC, NULL, 0x0,
6672 NULL, HFILL}
6673 },
6674 {&hf_cflow_tcp_ack_num,
6675 {"TCP Acknowledgement Number", "cflow.tcp_ack_num",
6676 FT_UINT32, BASE_DEC, NULL, 0x0,
6677 NULL, HFILL}
6678 },
6679 {&hf_cflow_tcp_urg_ptr,
6680 {"TCP Urgent Pointer", "cflow.tcp_urg_ptr",
6681 FT_UINT32, BASE_DEC, NULL, 0x0,
6682 NULL, HFILL}
6683 },
6684 {&hf_cflow_tcp_header_length,
6685 {"TCP Header Length", "cflow.tcp_header_length",
6686 FT_UINT8, BASE_DEC, NULL, 0x0,
6687 NULL, HFILL}
6688 },
6689 {&hf_cflow_ip_header_length,
6690 {"IP Header Length", "cflow.ip_header_length",
6691 FT_UINT8, BASE_DEC, NULL, 0x0,
6692 NULL, HFILL}
6693 },
6694 {&hf_cflow_ipv6_payload_length,
6695 {"IPv6 Payload Length", "cflow.ipv6_payload_length",
6696 FT_UINT16, BASE_DEC, NULL, 0x0,
6697 NULL, HFILL}
6698 },
6699 {&hf_cflow_ipv6_next_hdr,
6700 {"IPv6 Next Header", "cflow.ipv6_next_hdr",
6701 FT_UINT8, BASE_DEC, NULL, 0x0,
6702 NULL, HFILL}
6703 },
6704 {&hf_cflow_ip_precedence,
6705 {"IP Precedence", "cflow.ip_precedence",
6706 FT_UINT8, BASE_DEC, NULL, 0x0,
6707 NULL, HFILL}
6708 },
6709 {&hf_cflow_ip_fragment_flags,
6710 {"IP Fragment Flags", "cflow.ip_fragment_flags",
6711 FT_UINT8, BASE_HEX, NULL, 0x0,
6712 NULL, HFILL}
6713 },
6714 {&hf_cflow_mpls_top_label_ttl,
6715 {"MPLS Top Label TTL", "cflow.mpls_top_label_ttl",
6716 FT_UINT8, BASE_DEC, NULL, 0x0,
6717 "MPLS top label time to live", HFILL}
6718 },
6719 {&hf_cflow_mpls_label_length,
6720 {"MPLS Label Stack Length", "cflow.mpls_label_length",
6721 FT_UINT32, BASE_DEC, NULL, 0x0,
6722 "The length of the MPLS label stac", HFILL}
6723 },
6724 {&hf_cflow_mpls_label_depth,
6725 {"MPLS Label Stack Depth", "cflow.mpls_label_depth",
6726 FT_UINT32, BASE_DEC, NULL, 0x0,
6727 "The number of labels in the MPLS label stack", HFILL}
6728 },
6729 {&hf_cflow_ip_payload_length,
6730 {"IP Payload Length", "cflow.ip_payload_length",
6731 FT_UINT32, BASE_DEC, NULL, 0x0,
6732 NULL, HFILL}
6733 },
6734 {&hf_cflow_mpls_top_label_exp,
6735 {"MPLS Top Label Exp", "cflow.mpls_top_label_exp",
6736 FT_UINT8, BASE_OCT, NULL, 0x0,
6737 NULL, HFILL}
6738 },
6739 {&hf_cflow_tcp_option_map,
6740 {"TCP OptionMap", "cflow.tcp_option_map",
6741 FT_BYTES, BASE_NONE, NULL, 0x0,
6742 "TCP Option Map", HFILL}
6743 },
6744 {&hf_cflow_collector_addr,
6745 {"CollectorAddr", "cflow.collector_addr",
6746 FT_IPv4, BASE_NONE, NULL, 0x0,
6747 "Flow Collector Address (IPv4)", HFILL}
6748 },
6749 {&hf_cflow_collector_addr_v6,
6750 {"CollectorAddr", "cflow.collector_addr_v6",
6751 FT_IPv6, BASE_NONE, NULL, 0x0,
6752 "Flow Collector Address (IPv6)", HFILL}
6753 },
6754 {&hf_cflow_export_interface,
6755 {"ExportInterface", "cflow.export_interface",
6756 FT_UINT32, BASE_DEC, NULL, 0x0,
6757 NULL, HFILL}
6758 },
6759 {&hf_cflow_export_protocol_version,
6760 {"ExportProtocolVersion", "cflow.export_protocol_version",
6761 FT_UINT8, BASE_DEC, NULL, 0x0,
6762 NULL, HFILL}
6763 },
6764 {&hf_cflow_export_prot,
6765 {"ExportTransportProtocol", "cflow.exporter_protocol",
6766 FT_UINT8, BASE_DEC, NULL, 0x0,
6767 "Transport Protocol used by the Exporting Process", HFILL}
6768 },
6769 {&hf_cflow_collector_port,
6770 {"CollectorPort", "cflow.collector_port",
6771 FT_UINT16, BASE_DEC, NULL, 0x0,
6772 "Flow Collector Port", HFILL}
6773 },
6774 {&hf_cflow_exporter_port,
6775 {"ExporterPort", "cflow.exporter_port",
6776 FT_UINT16, BASE_DEC, NULL, 0x0,
6777 "Flow Exporter Port", HFILL}
6778 },
6779 {&hf_cflow_total_tcp_syn,
6780 {"Total TCP syn", "cflow.total_tcp_syn",
6781 FT_UINT64, BASE_DEC, NULL, 0x0,
6782 "Count of total TCP syn", HFILL}
6783 },
6784 {&hf_cflow_total_tcp_fin,
6785 {"Total TCP fin", "cflow.total_tcp_fin",
6786 FT_UINT64, BASE_DEC, NULL, 0x0,
6787 "Count of total TCP fin", HFILL}
6788 },
6789 {&hf_cflow_total_tcp_rst,
6790 {"Total TCP rst", "cflow.total_tcp_rst",
6791 FT_UINT64, BASE_DEC, NULL, 0x0,
6792 "Count of total TCP rst", HFILL}
6793 },
6794 {&hf_cflow_total_tcp_psh,
6795 {"Total TCP psh", "cflow.total_tcp_psh",
6796 FT_UINT64, BASE_DEC, NULL, 0x0,
6797 "Count of total TCP psh", HFILL}
6798 },
6799 {&hf_cflow_total_tcp_ack,
6800 {"Total TCP ack", "cflow.total_tcp_ack",
6801 FT_UINT64, BASE_DEC, NULL, 0x0,
6802 "Count of total TCP ack", HFILL}
6803 },
6804 {&hf_cflow_total_tcp_urg,
6805 {"Total TCP urg", "cflow.total_tcp_urg",
6806 FT_UINT64, BASE_DEC, NULL, 0x0,
6807 "Count of total TCP urg", HFILL}
6808 },
6809 {&hf_cflow_ip_total_length,
6810 {"IP Total Length", "cflow.ip_total_length",
6811 FT_UINT64, BASE_DEC, NULL, 0x0,
6812 NULL, HFILL}
6813 },
6814 {&hf_cflow_post_natsource_ipv4_address,
6815 {"Post NAT Source IPv4 Address", "cflow.post_natsource_ipv4_address",
6816 FT_IPv4, BASE_NONE, NULL, 0x0,
6817 NULL, HFILL}
6818 },
6819 {&hf_cflow_post_natdestination_ipv4_address,
6820 {"Post NAT Destination IPv4 Address", "cflow.post_natdestination_ipv4_address",
6821 FT_IPv4, BASE_NONE, NULL, 0x0,
6822 NULL, HFILL}
6823 },
6824 {&hf_cflow_post_naptsource_transport_port,
6825 {"Post NAPT Source Transport Port", "cflow.post_naptsource_transport_port",
6826 FT_UINT16, BASE_DEC, NULL, 0x0,
6827 NULL, HFILL}
6828 },
6829 {&hf_cflow_post_naptdestination_transport_port,
6830 {"Post NAPT Destination Transport Port", "cflow.post_naptdestination_transport_port",
6831 FT_UINT16, BASE_DEC, NULL, 0x0,
6832 NULL, HFILL}
6833 },
6834 {&hf_cflow_nat_originating_address_realm,
6835 {"Nat Originating Address Realm", "cflow.nat_originating_address_realm",
6836 FT_UINT8, BASE_DEC, NULL, 0x0,
6837 NULL, HFILL}
6838 },
6839 {&hf_cflow_nat_event,
6840 {"Nat Event", "cflow.nat_event",
6841 FT_UINT8, BASE_DEC, NULL, 0x0,
6842 NULL, HFILL}
6843 },
6844 {&hf_cflow_initiator_octets,
6845 {"Initiator Octets", "cflow.initiator_octets",
6846 FT_UINT64, BASE_DEC, NULL, 0x0,
6847 NULL, HFILL}
6848 },
6849 {&hf_cflow_responder_octets,
6850 {"Responder Octets", "cflow.responder_octets",
6851 FT_UINT64, BASE_DEC, NULL, 0x0,
6852 NULL, HFILL}
6853 },
6854 {&hf_cflow_firewall_event,
6855 {"Firewall Event", "cflow.firewall_event",
6856 FT_UINT8, BASE_DEC, VALS(v9_firewall_event), 0x0,
6857 NULL, HFILL}
6858 },
6859 {&hf_cflow_ingress_vrfid,
6860 {"Ingress VRFID", "cflow.ingress_vrfid",
6861 FT_UINT32, BASE_DEC, NULL, 0x0,
6862 NULL, HFILL}
6863 },
6864 {&hf_cflow_egress_vrfid,
6865 {"Egress VRFID", "cflow.egress_vrfid",
6866 FT_UINT32, BASE_DEC, NULL, 0x0,
6867 NULL, HFILL}
6868 },
6869 {&hf_cflow_vrfname,
6870 {"VRFname", "cflow.vrfname",
6871 FT_STRING, BASE_NONE, NULL, 0x0,
6872 NULL, HFILL}
6873 },
6874 {&hf_cflow_post_mpls_top_label_exp,
6875 {"Post Mpls Top Label Exp", "cflow.post_mpls_top_label_exp",
6876 FT_UINT8, BASE_DEC, NULL, 0x0,
6877 NULL, HFILL}
6878 },
6879 {&hf_cflow_tcp_window_scale,
6880 {"Tcp Window Scale", "cflow.tcp_window_scale",
6881 FT_UINT16, BASE_DEC, NULL, 0x0,
6882 NULL, HFILL}
6883 },
6884 {&hf_cflow_biflow_direction,
6885 {"Biflow Direction", "cflow.biflow_direction",
6886 FT_UINT8, BASE_DEC, VALS(v9_biflow_direction), 0x0,
6887 NULL, HFILL}
6888 },
6889 {&hf_cflow_ethernet_header_length,
6890 {"Ethernet Header Length", "cflow.ethernet_header_length",
6891 FT_UINT8, BASE_DEC, NULL, 0x0,
6892 NULL, HFILL}
6893 },
6894 {&hf_cflow_ethernet_payload_length,
6895 {"Ethernet Payload Length", "cflow.ethernet_payload_length",
6896 FT_UINT16, BASE_DEC, NULL, 0x0,
6897 NULL, HFILL}
6898 },
6899 {&hf_cflow_ethernet_total_length,
6900 {"Ethernet Total Length", "cflow.ethernet_total_length",
6901 FT_UINT16, BASE_DEC, NULL, 0x0,
6902 NULL, HFILL}
6903 },
6904 {&hf_cflow_dot1q_vlan_id,
6905 {"Dot1q Vlan Id", "cflow.dot1q_vlan_id",
6906 FT_UINT16, BASE_DEC, NULL, 0x0,
6907 NULL, HFILL}
6908 },
6909 {&hf_cflow_dot1q_priority,
6910 {"Dot1q Priority", "cflow.dot1q_priority",
6911 FT_UINT8, BASE_DEC, NULL, 0x0,
6912 NULL, HFILL}
6913 },
6914 {&hf_cflow_dot1q_customer_vlan_id,
6915 {"Dot1q Customer Vlan Id", "cflow.dot1q_customer_vlan_id",
6916 FT_UINT16, BASE_DEC, NULL, 0x0,
6917 NULL, HFILL}
6918 },
6919 {&hf_cflow_dot1q_customer_priority,
6920 {"Dot1q Customer Priority", "cflow.dot1q_customer_priority",
6921 FT_UINT8, BASE_DEC, NULL, 0x0,
6922 NULL, HFILL}
6923 },
6924 {&hf_cflow_metro_evc_id,
6925 {"Metro Evc Id", "cflow.metro_evc_id",
6926 FT_STRING, BASE_NONE, NULL, 0x0,
6927 NULL, HFILL}
6928 },
6929 {&hf_cflow_metro_evc_type,
6930 {"Metro Evc Type", "cflow.metro_evc_type",
6931 FT_UINT8, BASE_DEC, NULL, 0x0,
6932 NULL, HFILL}
6933 },
6934 {&hf_cflow_pseudo_wire_id,
6935 {"Pseudo Wire Id", "cflow.pseudo_wire_id",
6936 FT_UINT32, BASE_DEC, NULL, 0x0,
6937 NULL, HFILL}
6938 },
6939 {&hf_cflow_pseudo_wire_type,
6940 {"Pseudo Wire Type", "cflow.pseudo_wire_type",
6941 FT_UINT16, BASE_DEC, NULL, 0x0,
6942 NULL, HFILL}
6943 },
6944 {&hf_cflow_pseudo_wire_control_word,
6945 {"Pseudo Wire Control Word", "cflow.pseudo_wire_control_word",
6946 FT_UINT32, BASE_DEC, NULL, 0x0,
6947 NULL, HFILL}
6948 },
6949 {&hf_cflow_ingress_physical_interface,
6950 {"Ingress Physical Interface", "cflow.ingress_physical_interface",
6951 FT_UINT32, BASE_DEC, NULL, 0x0,
6952 NULL, HFILL}
6953 },
6954 {&hf_cflow_egress_physical_interface,
6955 {"Egress Physical Interface", "cflow.egress_physical_interface",
6956 FT_UINT32, BASE_DEC, NULL, 0x0,
6957 NULL, HFILL}
6958 },
6959 {&hf_cflow_post_dot1q_vlan_id,
6960 {"Post Dot1q Vlan Id", "cflow.post_dot1q_vlan_id",
6961 FT_UINT16, BASE_DEC, NULL, 0x0,
6962 NULL, HFILL}
6963 },
6964 {&hf_cflow_post_dot1q_customer_vlan_id,
6965 {"Post Dot1q Customer Vlan Id", "cflow.post_dot1q_customer_vlan_id",
6966 FT_UINT16, BASE_DEC, NULL, 0x0,
6967 NULL, HFILL}
6968 },
6969 {&hf_cflow_ethernet_type,
6970 {"Ethernet Type", "cflow.ethernet_type",
6971 FT_UINT16, BASE_DEC, NULL, 0x0,
6972 NULL, HFILL}
6973 },
6974 {&hf_cflow_post_ip_precedence,
6975 {"Post Ip Precedence", "cflow.post_ip_precedence",
6976 FT_UINT8, BASE_DEC, NULL, 0x0,
6977 NULL, HFILL}
6978 },
6979 {&hf_cflow_collection_time_milliseconds,
6980 {"Collection Time Milliseconds", "cflow.collection_time_milliseconds",
6981 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
6982 NULL, HFILL}
6983 },
6984 {&hf_cflow_export_sctp_stream_id,
6985 {"Export Sctp Stream Id", "cflow.export_sctp_stream_id",
6986 FT_UINT16, BASE_DEC, NULL, 0x0,
6987 NULL, HFILL}
6988 },
6989 {&hf_cflow_max_export_seconds,
6990 {"Max Export Seconds", "cflow.max_export_seconds",
6991 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
6992 NULL, HFILL}
6993 },
6994 {&hf_cflow_max_flow_end_seconds,
6995 {"Max Flow End Seconds", "cflow.max_flow_end_seconds",
6996 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
6997 NULL, HFILL}
6998 },
6999 {&hf_cflow_message_md5_checksum,
7000 {"Message MD5 Checksum", "cflow.message_md5_checksum",
7001 FT_BYTES, BASE_NONE, NULL, 0x0,
7002 NULL, HFILL}
7003 },
7004 {&hf_cflow_message_scope,
7005 {"Message Scope", "cflow.message_scope",
7006 FT_UINT8, BASE_DEC, NULL, 0x0,
7007 NULL, HFILL}
7008 },
7009 {&hf_cflow_min_export_seconds,
7010 {"Min Export Seconds", "cflow.min_export_seconds",
7011 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
7012 NULL, HFILL}
7013 },
7014 {&hf_cflow_min_flow_start_seconds,
7015 {"Min Flow Start Seconds", "cflow.min_flow_start_seconds",
7016 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
7017 NULL, HFILL}
7018 },
7019 {&hf_cflow_opaque_octets,
7020 {"Opaque Octets", "cflow.opaque_octets",
7021 FT_BYTES, BASE_NONE, NULL, 0x0,
7022 NULL, HFILL}
7023 },
7024 {&hf_cflow_session_scope,
7025 {"Session Scope", "cflow.session_scope",
7026 FT_UINT8, BASE_DEC, NULL, 0x0,
7027 NULL, HFILL}
7028 },
7029 {&hf_cflow_max_flow_end_microseconds,
7030 {"Max Flow End Microseconds", "cflow.max_flow_end_microseconds",
7031 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_UTC, NULL, 0x0,
7032 NULL, HFILL}
7033 },
7034 {&hf_cflow_max_flow_end_milliseconds,
7035 {"Max Flow End Milliseconds", "cflow.max_flow_end_milliseconds",
7036 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
7037 NULL, HFILL}
7038 },
7039 {&hf_cflow_max_flow_end_nanoseconds,
7040 {"Max Flow End Nanoseconds", "cflow.max_flow_end_nanoseconds",
7041 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_UTC, NULL, 0x0,
7042 NULL, HFILL}
7043 },
7044 {&hf_cflow_min_flow_start_microseconds,
7045 {"Min Flow Start Microseconds", "cflow.min_flow_start_microseconds",
7046 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_UTC, NULL, 0x0,
7047 NULL, HFILL}
7048 },
7049 {&hf_cflow_min_flow_start_milliseconds,
7050 {"Min Flow Start Milliseconds", "cflow.min_flow_start_milliseconds",
7051 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
7052 NULL, HFILL}
7053 },
7054 {&hf_cflow_min_flow_start_nanoseconds,
7055 {"Min Flow Start Nanoseconds", "cflow.min_flow_start_nanoseconds",
7056 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_UTC, NULL, 0x0,
7057 NULL, HFILL}
7058 },
7059 {&hf_cflow_collector_certificate,
7060 {"Collector Certificate", "cflow.collector_certificate",
7061 FT_BYTES, BASE_NONE, NULL, 0x0,
7062 NULL, HFILL}
7063 },
7064 {&hf_cflow_exporter_certificate,
7065 {"Exporter Certificate", "cflow.exporter_certificate",
7066 FT_BYTES, BASE_NONE, NULL, 0x0,
7067 NULL, HFILL}
7068 },
7069 {&hf_cflow_selection_sequence_id,
7070 {"Selection Sequence Id", "cflow.selection_sequence_id",
7071 FT_UINT64, BASE_DEC, NULL, 0x0,
7072 NULL, HFILL}
7073 },
7074 {&hf_cflow_selector_id,
7075 {"Selector Id", "cflow.selector_id",
7076 FT_UINT16, BASE_DEC, NULL, 0x0,
7077 NULL, HFILL}
7078 },
7079 {&hf_cflow_information_element_id,
7080 {"Information Element Id", "cflow.information_element_id",
7081 FT_UINT16, BASE_DEC, NULL, 0x0,
7082 NULL, HFILL}
7083 },
7084 {&hf_cflow_selector_algorithm,
7085 {"Selector Algorithm", "cflow.selector_algorithm",
7086 FT_UINT16, BASE_DEC|BASE_EXT_STRING, &selector_algorithm_ext, 0x0,
7087 NULL, HFILL}
7088 },
7089 {&hf_cflow_sampling_packet_interval,
7090 {"Sampling Packet Interval", "cflow.sampling_packet_interval",
7091 FT_UINT32, BASE_DEC, NULL, 0x0,
7092 NULL, HFILL}
7093 },
7094 {&hf_cflow_sampling_packet_space,
7095 {"Sampling Packet Space", "cflow.sampling_packet_space",
7096 FT_UINT32, BASE_DEC, NULL, 0x0,
7097 NULL, HFILL}
7098 },
7099 {&hf_cflow_sampling_time_interval,
7100 {"Sampling Time Interval", "cflow.sampling_time_interval",
7101 FT_UINT32, BASE_DEC, NULL, 0x0,
7102 NULL, HFILL}
7103 },
7104 {&hf_cflow_sampling_time_space,
7105 {"Sampling Time Space", "cflow.sampling_time_space",
7106 FT_UINT32, BASE_DEC, NULL, 0x0,
7107 NULL, HFILL}
7108 },
7109 {&hf_cflow_sampling_size,
7110 {"Sampling Size", "cflow.sampling_size",
7111 FT_UINT32, BASE_DEC, NULL, 0x0,
7112 NULL, HFILL}
7113 },
7114 {&hf_cflow_sampling_population,
7115 {"Sampling Population", "cflow.sampling_population",
7116 FT_UINT32, BASE_DEC, NULL, 0x0,
7117 NULL, HFILL}
7118 },
7119 {&hf_cflow_sampling_probability,
7120 {"Sampling Probability", "cflow.sampling_probability",
7121 FT_FLOAT, BASE_NONE, NULL, 0x0,
7122 NULL, HFILL}
7123 },
7124 {&hf_cflow_mpls_label_stack_section,
7125 {"Mpls Label Stack Section", "cflow.mpls_label_stack_section",
7126 FT_BYTES, BASE_NONE, NULL, 0x0,
7127 NULL, HFILL}
7128 },
7129 {&hf_cflow_mpls_payload_packet_section,
7130 {"Mpls Payload Packet Section", "cflow.mpls_payload_packet_section",
7131 FT_BYTES, BASE_NONE, NULL, 0x0,
7132 NULL, HFILL}
7133 },
7134 {&hf_cflow_selector_id_total_pkts_observed,
7135 {"Selector Id Total Pkts Observed", "cflow.selector_id_total_pkts_observed",
7136 FT_UINT64, BASE_DEC, NULL, 0x0,
7137 NULL, HFILL}
7138 },
7139 {&hf_cflow_selector_id_total_pkts_selected,
7140 {"Selector Id Total Pkts Selected", "cflow.selector_id_total_pkts_selected",
7141 FT_UINT64, BASE_DEC, NULL, 0x0,
7142 NULL, HFILL}
7143 },
7144 {&hf_cflow_absolute_error,
7145 {"Absolute Error", "cflow.absolute_error",
7146 FT_FLOAT, BASE_NONE, NULL, 0x0,
7147 NULL, HFILL}
7148 },
7149 {&hf_cflow_relative_error,
7150 {"Relative Error", "cflow.relative_error",
7151 FT_FLOAT, BASE_NONE, NULL, 0x0,
7152 NULL, HFILL}
7153 },
7154 {&hf_cflow_observation_time_seconds,
7155 {"Observation Time Seconds", "cflow.observation_time_seconds",
7156 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
7157 NULL, HFILL}
7158 },
7159 {&hf_cflow_observation_time_milliseconds,
7160 {"Observation Time Milliseconds", "cflow.observation_time_milliseconds",
7161 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
7162 NULL, HFILL}
7163 },
7164 {&hf_cflow_observation_time_microseconds,
7165 {"Observation Time Microseconds", "cflow.observation_time_microseconds",
7166 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_UTC, NULL, 0x0,
7167 NULL, HFILL}
7168 },
7169 {&hf_cflow_observation_time_nanoseconds,
7170 {"Observation Time Nanoseconds", "cflow.observation_time_nanoseconds",
7171 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_UTC, NULL, 0x0,
7172 NULL, HFILL}
7173 },
7174 {&hf_cflow_digest_hash_value,
7175 {"Digest Hash Value", "cflow.digest_hash_value",
7176 FT_UINT64, BASE_DEC, NULL, 0x0,
7177 NULL, HFILL}
7178 },
7179 {&hf_cflow_hash_ippayload_offset,
7180 {"Hash IPPayload Offset", "cflow.hash_ippayload_offset",
7181 FT_UINT64, BASE_DEC, NULL, 0x0,
7182 NULL, HFILL}
7183 },
7184 {&hf_cflow_hash_ippayload_size,
7185 {"Hash IPPayload Size", "cflow.hash_ippayload_size",
7186 FT_UINT64, BASE_DEC, NULL, 0x0,
7187 NULL, HFILL}
7188 },
7189 {&hf_cflow_hash_output_range_min,
7190 {"Hash Output Range Min", "cflow.hash_output_range_min",
7191 FT_UINT64, BASE_DEC, NULL, 0x0,
7192 NULL, HFILL}
7193 },
7194 {&hf_cflow_hash_output_range_max,
7195 {"Hash Output Range Max", "cflow.hash_output_range_max",
7196 FT_UINT64, BASE_DEC, NULL, 0x0,
7197 NULL, HFILL}
7198 },
7199 {&hf_cflow_hash_selected_range_min,
7200 {"Hash Selected Range Min", "cflow.hash_selected_range_min",
7201 FT_UINT64, BASE_DEC, NULL, 0x0,
7202 NULL, HFILL}
7203 },
7204 {&hf_cflow_hash_selected_range_max,
7205 {"Hash Selected Range Max", "cflow.hash_selected_range_max",
7206 FT_UINT64, BASE_DEC, NULL, 0x0,
7207 NULL, HFILL}
7208 },
7209 {&hf_cflow_hash_digest_output,
7210 {"Hash Digest Output", "cflow.hash_digest_output",
7211 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
7212 NULL, HFILL}
7213 },
7214 {&hf_cflow_hash_initialiser_value,
7215 {"Hash Initialiser Value", "cflow.hash_initialiser_value",
7216 FT_UINT64, BASE_DEC, NULL, 0x0,
7217 NULL, HFILL}
7218 },
7219 {&hf_cflow_selector_name,
7220 {"Selector Name", "cflow.selector_name",
7221 FT_STRING, BASE_NONE, NULL, 0x0,
7222 NULL, HFILL}
7223 },
7224 {&hf_cflow_upper_cilimit,
7225 {"Upper CILimit", "cflow.upper_cilimit",
7226 FT_FLOAT, BASE_NONE, NULL, 0x0,
7227 NULL, HFILL}
7228 },
7229 {&hf_cflow_lower_cilimit,
7230 {"Lower CILimit", "cflow.lower_cilimit",
7231 FT_FLOAT, BASE_NONE, NULL, 0x0,
7232 NULL, HFILL}
7233 },
7234 {&hf_cflow_confidence_level,
7235 {"Confidence Level", "cflow.confidence_level",
7236 FT_FLOAT, BASE_NONE, NULL, 0x0,
7237 NULL, HFILL}
7238 },
7239 {&hf_cflow_information_element_data_type,
7240 {"Information Element Data Type", "cflow.information_element_data_type",
7241 FT_UINT8, BASE_DEC, NULL, 0x0,
7242 NULL, HFILL}
7243 },
7244 {&hf_cflow_information_element_description,
7245 {"Information Element Description", "cflow.information_element_description",
7246 FT_STRING, BASE_NONE, NULL, 0x0,
7247 NULL, HFILL}
7248 },
7249 {&hf_cflow_information_element_name,
7250 {"Information Element Name", "cflow.information_element_name",
7251 FT_STRING, BASE_NONE, NULL, 0x0,
7252 NULL, HFILL}
7253 },
7254 {&hf_cflow_information_element_range_begin,
7255 {"Information Element Range Begin", "cflow.information_element_range_begin",
7256 FT_UINT64, BASE_DEC, NULL, 0x0,
7257 NULL, HFILL}
7258 },
7259 {&hf_cflow_information_element_range_end,
7260 {"Information Element Range End", "cflow.information_element_range_end",
7261 FT_UINT64, BASE_DEC, NULL, 0x0,
7262 NULL, HFILL}
7263 },
7264 {&hf_cflow_information_element_semantics,
7265 {"Information Element Semantics", "cflow.information_element_semantics",
7266 FT_UINT8, BASE_DEC, NULL, 0x0,
7267 NULL, HFILL}
7268 },
7269 {&hf_cflow_information_element_units,
7270 {"Information Element Units", "cflow.information_element_units",
7271 FT_UINT16, BASE_DEC, NULL, 0x0,
7272 NULL, HFILL}
7273 },
7274 {&hf_cflow_private_enterprise_number,
7275 {"Private Enterprise Number", "cflow.private_enterprise_number",
7276 FT_UINT32, BASE_DEC, NULL, 0x0,
7277 NULL, HFILL}
7278 },
7279 /*
7280 * end pdu content storage
7281 */
7282 {&hf_cflow_scope_system,
7283 {"ScopeSystem", "cflow.scope_system",
7284 FT_BYTES, BASE_NONE, NULL, 0x0,
7285 "Option Scope System", HFILL}
7286 },
7287 {&hf_cflow_scope_interface,
7288 {"ScopeInterface", "cflow.scope_interface",
7289 FT_UINT32, BASE_DEC, NULL, 0x0,
7290 "Option Scope Interface", HFILL}
7291 },
7292 {&hf_cflow_scope_linecard,
7293 {"ScopeLinecard", "cflow.scope_linecard",
7294 FT_BYTES, BASE_NONE, NULL, 0x0,
7295 "Option Scope Linecard", HFILL}
7296 },
7297 {&hf_cflow_scope_cache,
7298 {"ScopeCache", "cflow.scope_cache",
7299 FT_BYTES, BASE_NONE, NULL, 0x0,
7300 "Option Scope Cache", HFILL}
7301 },
7302 {&hf_cflow_scope_template,
7303 {"ScopeTemplate", "cflow.scope_template",
7304 FT_BYTES, BASE_NONE, NULL, 0x0,
7305 "Option Scope Template", HFILL}
7306 },
7307
7308 /* IPFIX */
7309 {&hf_cflow_unknown_field_type,
7310 {"Unknown Field Type", "cflow.unknown_field_type",
7311 FT_BYTES, BASE_NONE, NULL, 0x0,
7312 NULL, HFILL}
7313 },
7314 {&hf_cflow_template_ipfix_total_field_count,
7315 {"Total Field Count", "cflow.template_ipfix_total_field_count",
7316 FT_UINT16, BASE_DEC, NULL, 0x0,
7317 "IPFIX Options Template Total Field Count", HFILL}
7318 },
7319 {&hf_cflow_template_ipfix_scope_field_count,
7320 {"Scope Field Count", "cflow.template_ipfix_scope_field_count",
7321 FT_UINT16, BASE_DEC, NULL, 0x0,
7322 "IPFIX Options Template Scope Field Count", HFILL}
7323 },
7324 {&hf_cflow_template_ipfix_pen_provided,
7325 {"Pen provided", "cflow.template_ipfix_pen_provided",
7326 FT_BOOLEAN, 16, TFS(&tfs_yes_no), 0x8000,
7327 "Is Template Enterprise Specific", HFILL}
7328 },
7329 {&hf_cflow_template_ipfix_field_type,
7330 {"Type", "cflow.template_ipfix_field_type",
7331 FT_UINT16, BASE_DEC|BASE_EXT_STRING, &v9_v10_template_types_ext, 0x7FFF,
7332 "Template field type", HFILL}
7333 },
7334 {&hf_cflow_template_plixer_field_type,
7335 {"Type", "cflow.template_plixer_field_type",
7336 FT_UINT16, BASE_DEC|BASE_EXT_STRING, &v10_template_types_plixer_ext, 0x7FFF,
7337 "Template field type", HFILL}
7338 },
7339 {&hf_cflow_template_ntop_field_type,
7340 {"Type", "cflow.template_ntop_field_type",
7341 FT_UINT16, BASE_DEC|BASE_EXT_STRING, &v10_template_types_ntop_ext, 0x7FFF,
7342 "Template field type", HFILL}
7343 },
7344 {&hf_cflow_template_ipfix_field_type_enterprise,
7345 {"Type", "cflow.template_ipfix_field_type_enterprise",
7346 FT_UINT16, BASE_DEC, NULL, 0x7FFF,
7347 "Template field type", HFILL}
7348 },
7349 {&hf_cflow_template_ipfix_field_pen,
7350 {"PEN",
7351 "cflow.template_ipfix_field_pen",
7352 FT_UINT32, BASE_DEC, NULL, 0x0,
7353 "IPFIX Private Enterprise Number", HFILL}
7354 },
7355 {&hf_cflow_cts_sgt_source_tag,
7356 {"Source SGT",
7357 "cflow.source_sgt_tag",
7358 FT_UINT16, BASE_DEC, NULL, 0x0,
7359 NULL, HFILL}
7360 },
7361 {&hf_cflow_cts_sgt_destination_tag,
7362 {"Destination SGT",
7363 "cflow.destination_sgt_tag",
7364 FT_UINT16, BASE_DEC, NULL, 0x0,
7365 NULL, HFILL}
7366 },
7367 {&hf_cflow_cts_sgt_source_name,
7368 {"Source SGT Name",
7369 "cflow.source_sgt_name",
7370 FT_STRING, BASE_NONE, NULL, 0x0,
7371 NULL, HFILL}
7372 },
7373 {&hf_cflow_cts_sgt_destination_name,
7374 {"Destination SGT Name",
7375 "cflow.destination_sgt_name",
7376 FT_STRING, BASE_NONE, NULL, 0x0,
7377 NULL, HFILL}
7378 },
7379 {&hf_cflow_packets_dropped,
7380 {"Packets Dropped",
7381 "cflow.packets_dropped",
7382 FT_UINT32, BASE_DEC, NULL, 0x0,
7383 NULL, HFILL}
7384 },
7385 {&hf_cflow_byte_rate,
7386 {"Byte Rate",
7387 "cflow.byte_rate",
7388 FT_UINT32, BASE_DEC, NULL, 0x0,
7389 NULL, HFILL}
7390 },
7391 {&hf_cflow_application_media_bytes,
7392 {"Media Bytes",
7393 "cflow.application_media_bytes",
7394 FT_UINT32, BASE_DEC, NULL, 0x0,
7395 NULL, HFILL}
7396 },
7397 {&hf_cflow_application_media_byte_rate,
7398 {"Media Byte Rate",
7399 "cflow.media_byte_rate",
7400 FT_UINT32, BASE_DEC, NULL, 0x0,
7401 NULL, HFILL}
7402 },
7403 {&hf_cflow_application_media_packets,
7404 {"Media Packets",
7405 "cflow.application_media_packets",
7406 FT_UINT32, BASE_DEC, NULL, 0x0,
7407 NULL, HFILL}
7408 },
7409 {&hf_cflow_application_media_packet_rate,
7410 {"Media Packet Rate",
7411 "cflow.media_packet_rate",
7412 FT_UINT32, BASE_DEC, NULL, 0x0,
7413 NULL, HFILL}
7414 },
7415 {&hf_cflow_application_media_event,
7416 {"Media Event",
7417 "cflow.application_media_event",
7418 FT_UINT8, BASE_DEC, NULL, 0x0,
7419 NULL, HFILL}
7420 },
7421 {&hf_cflow_monitor_event,
7422 {"Monitor Event",
7423 "cflow.monitor_event",
7424 FT_UINT8, BASE_DEC, NULL, 0x0,
7425 NULL, HFILL}
7426 },
7427 {&hf_cflow_timestamp_interval,
7428 {"Timestamp Interval",
7429 "cflow.timestamp_interval",
7430 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
7431 NULL, HFILL}
7432 },
7433 {&hf_cflow_transport_packets_expected,
7434 {"Transport Packets Expected",
7435 "cflow.transport_packets_expected",
7436 FT_UINT32, BASE_DEC, NULL, 0x0,
7437 NULL, HFILL}
7438 },
7439 {&hf_cflow_transport_round_trip_time_string,
7440 {"Transport Round-Trip-Time",
7441 "cflow.transport_rtt",
7442 FT_UINT32, BASE_HEX, VALS(performance_monitor_specials), 0x0,
7443 NULL, HFILL}
7444 },
7445 {&hf_cflow_transport_round_trip_time,
7446 {"Transport Round-Trip-Time",
7447 "cflow.transport_rtt",
7448 FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
7449 NULL, HFILL}
7450 },
7451 {&hf_cflow_transport_event_packet_loss,
7452 {"Transport Packet Loss Events",
7453 "cflow.transport_packet_loss_event",
7454 FT_UINT32, BASE_DEC, NULL, 0x0,
7455 NULL, HFILL}
7456 },
7457 {&hf_cflow_transport_packets_lost,
7458 {"Transport Packets Lost",
7459 "cflow.transport_packets_lost",
7460 FT_UINT32, BASE_DEC, NULL, 0x0,
7461 NULL, HFILL}
7462 },
7463 {&hf_cflow_transport_packets_lost_string,
7464 {"Transport Packets Lost",
7465 "cflow.transport_packets_lost",
7466 FT_UINT32, BASE_HEX, VALS(performance_monitor_specials), 0x0,
7467 NULL, HFILL}
7468 },
7469 {&hf_cflow_transport_packets_lost_rate,
7470 {"Transport Packet Loss Rate",
7471 "cflow.transport_packet_loss_rate",
7472 FT_UINT32, BASE_DEC, NULL, 0x0,
7473 NULL, HFILL}
7474 },
7475 {&hf_cflow_transport_packets_lost_rate_string,
7476 {"Transport Packet Loss Rate",
7477 "cflow.transport_packet_loss_rate",
7478 FT_UINT32, BASE_HEX, VALS(performance_monitor_specials) , 0x0,
7479 NULL, HFILL}
7480 },
7481 {&hf_cflow_transport_rtp_ssrc,
7482 {"RTP SSRC",
7483 "cflow.transport_rtp_ssrc",
7484 FT_UINT32, BASE_DEC, NULL, 0x0,
7485 NULL, HFILL}
7486 },
7487 {&hf_cflow_transport_rtp_jitter_mean,
7488 {"RTP Mean Jitter",
7489 "cflow.transport_jitter_mean",
7490 FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
7491 NULL, HFILL}
7492 },
7493 {&hf_cflow_transport_rtp_jitter_mean_string,
7494 {"RTP Mean Jitter",
7495 "cflow.transport_jitter_mean",
7496 FT_UINT32, BASE_HEX, VALS(performance_monitor_specials), 0x0,
7497 NULL, HFILL}
7498 },
7499 {&hf_cflow_transport_rtp_jitter_min,
7500 {"RTP Min Jitter",
7501 "cflow.transport_jitter_min",
7502 FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
7503 NULL, HFILL}
7504 },
7505 {&hf_cflow_transport_rtp_jitter_min_string,
7506 {"RTP Min Jitter",
7507 "cflow.transport_jitter_min",
7508 FT_UINT32, BASE_HEX, VALS(performance_monitor_specials), 0x0,
7509 NULL, HFILL}
7510 },
7511 {&hf_cflow_transport_rtp_jitter_max,
7512 {"RTP Max Jitter",
7513 "cflow.transport_jitter_max",
7514 FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
7515 NULL, HFILL}
7516 },
7517 {&hf_cflow_transport_rtp_jitter_max_string,
7518 {"RTP Max Jitter",
7519 "cflow.transport_jitter_max",
7520 FT_UINT32, BASE_HEX, VALS(performance_monitor_specials), 0x0,
7521 NULL, HFILL}
7522 },
7523
7524 {&hf_cflow_transport_rtp_payload_type,
7525 {"RTP Payload Type",
7526 "cflow.rtp_payload_type",
7527 FT_UINT8, BASE_DEC, NULL, 0x0,
7528 NULL, HFILL}
7529 },
7530 {&hf_cflow_transport_rtp_payload_type_string,
7531 {"RTP Payload Type",
7532 "cflow.rtp_payload_type",
7533 FT_UINT8, BASE_HEX, VALS(performance_monitor_specials), 0x0,
7534 NULL, HFILL}
7535 },
7536 {&hf_cflow_transport_bytes_out_of_order,
7537 {"Transport Bytes Out of Order",
7538 "cflow.transport_bytes_out_of_ordera",
7539 FT_UINT64, BASE_DEC, NULL, 0x0,
7540 NULL, HFILL}
7541 },
7542 #if 0
7543 {&hf_cflow_transport_packets_out_of_order,
7544 {"Transport Packets Out of Order",
7545 "cflow.transport_packets_out_of_order",
7546 FT_UINT32, BASE_DEC, NULL, 0x0,
7547 NULL, HFILL}
7548 },
7549 #endif
7550 {&hf_cflow_transport_packets_out_of_order_string,
7551 {"Transport Packets Out of Order",
7552 "cflow.transport_packets_out_of_order",
7553 FT_UINT32, BASE_HEX, VALS(performance_monitor_specials), 0x0,
7554 NULL, HFILL}
7555 },
7556 {&hf_cflow_transport_tcp_window_size_min,
7557 {"Transport TCP Window Size Min",
7558 "cflow.transport_tcp_window_size_min",
7559 FT_UINT32, BASE_DEC, NULL, 0x0,
7560 NULL, HFILL}
7561 },
7562 {&hf_cflow_transport_tcp_window_size_min_string,
7563 {"Transport TCP Window Size Min",
7564 "cflow.transport_tcp_window_size_min",
7565 FT_UINT32, BASE_HEX, VALS(performance_monitor_specials), 0x0,
7566 NULL, HFILL}
7567 },
7568 {&hf_cflow_transport_tcp_window_size_max,
7569 {"Transport TCP Window Size Max",
7570 "cflow.transport_tcp_window_size_max",
7571 FT_UINT32, BASE_DEC, NULL, 0x0,
7572 NULL, HFILL}
7573 },
7574 {&hf_cflow_transport_tcp_window_size_max_string,
7575 {"Transport TCP Window Size Max",
7576 "cflow.transport_tcp_window_size_max",
7577 FT_UINT32, BASE_HEX, VALS(performance_monitor_specials), 0x0,
7578 NULL, HFILL}
7579 },
7580 {&hf_cflow_transport_tcp_window_size_mean,
7581 {"Transport TCP Window Size Mean",
7582 "cflow.transport_tcp_window_size_mean",
7583 FT_UINT32, BASE_DEC, NULL, 0x0,
7584 NULL, HFILL}
7585 },
7586 {&hf_cflow_transport_tcp_window_size_mean_string,
7587 {"Transport TCP Window Size Mean",
7588 "cflow.transport_tcp_window_size_mean",
7589 FT_UINT32, BASE_HEX, VALS(performance_monitor_specials), 0x0,
7590 NULL, HFILL}
7591 },
7592 {&hf_cflow_transport_tcp_maximum_segment_size,
7593 {"Transport TCP Maximum Segment Size",
7594 "cflow.transport_tcp_maximum_segment_size",
7595 FT_UINT16, BASE_DEC, NULL, 0x0,
7596 NULL, HFILL}
7597 },
7598 {&hf_cflow_transport_tcp_maximum_segment_size_string,
7599 {"Transport TCP Maximum Segment Size",
7600 "cflow.transport_tcp_maximum_segment_size",
7601 FT_UINT16, BASE_HEX, VALS(performance_monitor_specials), 0x0,
7602 NULL, HFILL}
7603 },
7604 /* Ericsson SE NAT Logging */
7605 {&hf_cflow_nat_context_id,
7606 {"NAT Context ID", "cflow.nat_context_id",
7607 FT_UINT32, BASE_DEC, NULL, 0x0,
7608 "Internal context ID", HFILL}
7609 },
7610 {&hf_cflow_nat_context_name,
7611 {"NAT Context Name", "cflow.nat_context_name",
7612 FT_STRINGZ, BASE_NONE, NULL, 0x0,
7613 "Zero terminated context Name", HFILL}
7614 },
7615 {&hf_cflow_nat_assign_time,
7616 {"NAT Assign Time", "cflow.nat_assign_time",
7617 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
7618 "Seconds of UNIX timestamp for assign", HFILL}
7619 },
7620 {&hf_cflow_nat_unassign_time,
7621 {"NAT Unassign Time", "cflow.nat_unassign_time",
7622 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
7623 "Seconds of UNIX timestamp for unassign", HFILL}
7624 },
7625 {&hf_cflow_nat_int_addr,
7626 {"Internal IPv4 address", "cflow.nat_int_addr",
7627 FT_IPv4, BASE_NONE, NULL, 0x0,
7628 NULL, HFILL}
7629 },
7630 {&hf_cflow_nat_ext_addr,
7631 {"External IPv4 address", "cflow.nat_ext_addr",
7632 FT_IPv4, BASE_NONE, NULL, 0x0,
7633 NULL, HFILL}
7634 },
7635 {&hf_cflow_nat_ext_port_first,
7636 {"NAT port start", "cflow.nat_ext_port_first",
7637 FT_UINT16, BASE_DEC, NULL, 0x0,
7638 "External L4 port start", HFILL}
7639 },
7640 {&hf_cflow_nat_ext_port_last,
7641 {"NAT port end", "cflow.nat_ext_port_last",
7642 FT_UINT16, BASE_DEC, NULL, 0x0,
7643 "External L4 port end", HFILL}
7644 },
7645 /* Cisco ASA 5500 Series */
7646 {&hf_cflow_ingress_acl_id,
7647 {"Ingress ACL ID", "cflow.ingress_acl_id",
7648 FT_BYTES, BASE_NONE, NULL, 0x0,
7649 NULL, HFILL}
7650 },
7651 {&hf_cflow_egress_acl_id,
7652 {"Egress ACL ID", "cflow.egress_acl_id",
7653 FT_BYTES, BASE_NONE, NULL, 0x0,
7654 NULL, HFILL}
7655 },
7656 {&hf_cflow_fw_ext_event,
7657 {"Extended firewall event code", "cflow.fw_ext_event",
7658 FT_UINT16, BASE_DEC, VALS(v9_extended_firewall_event), 0x0,
7659 NULL, HFILL}
7660 },
7661 {&hf_cflow_aaa_username,
7662 {"AAA username", "cflow.aaa_username",
7663 FT_STRING, BASE_NONE, NULL, 0x0,
7664 NULL, HFILL}
7665 },
7666
7667 {&hf_ipfix_enterprise_private_entry,
7668 {"Enterprise Private entry", "cflow.enterprise_private_entry",
7669 FT_BYTES, BASE_NONE, NULL, 0x0,
7670 NULL, HFILL}
7671 },
7672 /* Private Information Elements */
7673
7674 /* CACE Technologies, 32622 / 0 */
7675 {&hf_pie_cace_local_ipv4_address,
7676 {"Local IPv4 Address", "cflow.pie.cace.localaddr4",
7677 FT_IPv4, BASE_NONE, NULL, 0x0,
7678 "Local IPv4 Address (caceLocalIPv4Address)", HFILL}
7679 },
7680 /* CACE Technologies, 32622 / 1 */
7681 {&hf_pie_cace_remote_ipv4_address,
7682 {"Remote IPv4 Address", "cflow.pie.cace.remoteaddr4",
7683 FT_IPv4, BASE_NONE, NULL, 0x0,
7684 "Remote IPv4 Address (caceRemoteIPv4Address)", HFILL}
7685 },
7686 /* CACE Technologies, 32622 / 2 */
7687 {&hf_pie_cace_local_ipv6_address,
7688 {"Local IPv6 Address", "cflow.pie.cace.localaddr6",
7689 FT_IPv6, BASE_NONE, NULL, 0x0,
7690 "Local IPv6 Address (caceLocalIPv6Address)", HFILL}
7691 },
7692 /* CACE Technologies, 32622 / 3 */
7693 {&hf_pie_cace_remote_ipv6_address,
7694 {"Remote IPv6 Address", "cflow.pie.cace.remoteaddr6",
7695 FT_IPv6, BASE_NONE, NULL, 0x0,
7696 "Remote IPv6 Address (caceRemoteIPv6Address)", HFILL}
7697 },
7698 /* CACE Technologies, 32622 / 4 */
7699 {&hf_pie_cace_local_port,
7700 {"Local Port", "cflow.pie.cace.localport",
7701 FT_UINT16, BASE_DEC, NULL, 0x0,
7702 "Local Transport Port (caceLocalTransportPort)", HFILL}
7703 },
7704 /* CACE Technologies, 32622 / 5 */
7705 {&hf_pie_cace_remote_port,
7706 {"Remote Port", "cflow.pie.cace.remoteport",
7707 FT_UINT16, BASE_DEC, NULL, 0x0,
7708 "Remote Transport Port (caceRemoteTransportPort)", HFILL}
7709 },
7710 /* CACE Technologies, 32622 / 6 */
7711 {&hf_pie_cace_local_ipv4_id,
7712 {"Local IPv4 ID", "cflow.pie.cace.localip4id",
7713 FT_UINT16, BASE_DEC, NULL, 0x0,
7714 "The IPv4 identification header field from a locally-originated packet (caceLocalIPv4id)", HFILL}
7715 },
7716 /* CACE Technologies, 32622 / 7 */
7717 {&hf_pie_cace_local_icmp_id,
7718 {"Local ICMP ID", "cflow.pie.cace.localicmpid",
7719 FT_UINT16, BASE_DEC, NULL, 0x0,
7720 "The ICMP identification header field from a locally-originated ICMPv4 or ICMPv6 echo request (caceLocalICMPid)", HFILL}
7721 },
7722 /* CACE Technologies, 32622 / 8 */
7723 {&hf_pie_cace_local_uid,
7724 {"Local User ID", "cflow.pie.cace.localuid",
7725 FT_UINT32, BASE_DEC, NULL, 0x0,
7726 "Local User ID (caceLocalProcessUserId)", HFILL}
7727 },
7728 /* CACE Technologies, 32622 / 9 */
7729 {&hf_pie_cace_local_pid,
7730 {"Local Process ID", "cflow.pie.cace.localpid",
7731 FT_UINT32, BASE_DEC, NULL, 0x0,
7732 "Local Process ID (caceLocalProcessId)", HFILL}
7733 },
7734 /* CACE Technologies, 32622 / 10 */
7735 {&hf_pie_cace_local_username_len,
7736 {"Local Username Length", "cflow.pie.cace.localusernamelen",
7737 FT_UINT8, BASE_DEC, NULL, 0x0,
7738 "Local User Name Length (caceLocalProcessUserName)", HFILL}
7739 },
7740 /* CACE Technologies, 32622 / 10 */
7741 {&hf_pie_cace_local_username,
7742 {"Local User Name", "cflow.pie.cace.localusername",
7743 FT_STRING, BASE_NONE, NULL, 0x0,
7744 "Local User Name (caceLocalProcessUserName)", HFILL}
7745 },
7746 /* CACE Technologies, 32622 / 11 */
7747 {&hf_pie_cace_local_cmd_len,
7748 {"Local Command Length", "cflow.pie.cace.localcmdlen",
7749 FT_UINT8, BASE_DEC, NULL, 0x0,
7750 "Local Command Length (caceLocalProcessCommand)", HFILL}
7751 },
7752 /* CACE Technologies, 32622 / 11 */
7753 {&hf_pie_cace_local_cmd,
7754 {"Local Command", "cflow.pie.cace.localcmd",
7755 FT_STRING, BASE_NONE, NULL, 0x0,
7756 "Local Command (caceLocalProcessCommand)", HFILL}
7757 },
7758 /* ntop, 35632 / 80 */
7759 {&hf_pie_ntop_fragmented,
7760 {"Fragmented","cflow.pie.ntop.fragmented",
7761 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
7762 NULL, HFILL}
7763 },
7764 /* ntop, 35632 / 81 */
7765 {&hf_pie_ntop_fingerprint,
7766 {"Fingerprint","cflow.pie.ntop.fingerprint",
7767 FT_UINT32, BASE_DEC, NULL, 0x0,
7768 NULL, HFILL}
7769 },
7770 /* ntop, 35632 / 82 */
7771 {&hf_pie_ntop_client_nw_delay_sec,
7772 {"Client_nw_delay_sec","cflow.pie.ntop.client_nw_delay_sec",
7773 FT_UINT32, BASE_DEC, NULL, 0x0,
7774 NULL, HFILL}
7775 },
7776 /* ntop, 35632 / 83 */
7777 {&hf_pie_ntop_client_nw_delay_usec,
7778 {"Client_nw_delay_usec","cflow.pie.ntop.client_nw_delay_usec",
7779 FT_UINT32, BASE_DEC, NULL, 0x0,
7780 NULL, HFILL}
7781 },
7782 /* ntop, 35632 / 84 */
7783 {&hf_pie_ntop_server_nw_delay_sec,
7784 {"Server_nw_delay_sec","cflow.pie.ntop.server_nw_delay_sec",
7785 FT_UINT32, BASE_DEC, NULL, 0x0,
7786 NULL, HFILL}
7787 },
7788 /* ntop, 35632 / 85 */
7789 {&hf_pie_ntop_server_nw_delay_usec,
7790 {"Server_nw_delay_usec","cflow.pie.ntop.server_nw_delay_usec",
7791 FT_UINT32, BASE_DEC, NULL, 0x0,
7792 NULL, HFILL}
7793 },
7794 /* ntop, 35632 / 86 */
7795 {&hf_pie_ntop_appl_latency_sec,
7796 {"Appl_latency_sec","cflow.pie.ntop.appl_latency_sec",
7797 FT_UINT32, BASE_DEC, NULL, 0x0,
7798 NULL, HFILL}
7799 },
7800 /* ntop, 35632 / 98 */
7801 {&hf_pie_ntop_icmp_flags,
7802 {"Icmp_flags","cflow.pie.ntop.icmp_flags",
7803 FT_UINT16, BASE_DEC, NULL, 0x0,
7804 NULL, HFILL}
7805 },
7806 /* ntop, 35632 / 101 */
7807 {&hf_pie_ntop_src_ip_country,
7808 {"Src_ip_country","cflow.pie.ntop.src_ip_country",
7809 FT_STRINGZ, BASE_NONE, NULL, 0x0,
7810 NULL, HFILL}
7811 },
7812 /* ntop, 35632 / 102 */
7813 {&hf_pie_ntop_src_ip_city,
7814 {"Src_ip_city","cflow.pie.ntop.src_ip_city",
7815 FT_STRINGZ, BASE_NONE, NULL, 0x0,
7816 NULL, HFILL}
7817 },
7818 /* ntop, 35632 / 103 */
7819 {&hf_pie_ntop_dst_ip_country,
7820 {"Dst_ip_country","cflow.pie.ntop.dst_ip_country",
7821 FT_STRINGZ, BASE_NONE, NULL, 0x0,
7822 NULL, HFILL}
7823 },
7824 /* ntop, 35632 / 104 */
7825 {&hf_pie_ntop_dst_ip_city,
7826 {"Dst_ip_city","cflow.pie.ntop.dst_ip_city",
7827 FT_STRINGZ, BASE_NONE, NULL, 0x0,
7828 NULL, HFILL}
7829 },
7830 /* ntop, 35632 / 105 */
7831 {&hf_pie_ntop_flow_proto_port,
7832 {"Flow_proto_port","cflow.pie.ntop.flow_proto_port",
7833 FT_UINT16, BASE_DEC, NULL, 0x0,
7834 NULL, HFILL}
7835 },
7836 /* ntop, 35632 / 106 */
7837 {&hf_pie_ntop_tunnel_id,
7838 {"Tunnel_id","cflow.pie.ntop.tunnel_id",
7839 FT_UINT32, BASE_DEC, NULL, 0x0,
7840 NULL, HFILL}
7841 },
7842 /* ntop, 35632 / 107 */
7843 {&hf_pie_ntop_longest_flow_pkt,
7844 {"Longest_flow_pkt","cflow.pie.ntop.longest_flow_pkt",
7845 FT_UINT32, BASE_DEC, NULL, 0x0,
7846 NULL, HFILL}
7847 },
7848 /* ntop, 35632 / 108 */
7849 {&hf_pie_ntop_shortest_flow_pkt,
7850 {"Shortest_flow_pkt","cflow.pie.ntop.shortest_flow_pkt",
7851 FT_UINT32, BASE_DEC, NULL, 0x0,
7852 NULL, HFILL}
7853 },
7854 /* ntop, 35632 / 109 */
7855 {&hf_pie_ntop_retransmitted_in_pkts,
7856 {"Retransmitted_in_pkts","cflow.pie.ntop.retransmitted_in_pkts",
7857 FT_UINT32, BASE_DEC, NULL, 0x0,
7858 NULL, HFILL}
7859 },
7860 /* ntop, 35632 / 110 */
7861 {&hf_pie_ntop_retransmitted_out_pkts,
7862 {"Retransmitted_out_pkts","cflow.pie.ntop.retransmitted_out_pkts",
7863 FT_UINT32, BASE_DEC, NULL, 0x0,
7864 NULL, HFILL}
7865 },
7866 /* ntop, 35632 / 111 */
7867 {&hf_pie_ntop_ooorder_in_pkts,
7868 {"Ooorder_in_pkts","cflow.pie.ntop.ooorder_in_pkts",
7869 FT_UINT32, BASE_DEC, NULL, 0x0,
7870 NULL, HFILL}
7871 },
7872 /* ntop, 35632 / 112 */
7873 {&hf_pie_ntop_ooorder_out_pkts,
7874 {"Ooorder_out_pkts","cflow.pie.ntop.ooorder_out_pkts",
7875 FT_UINT32, BASE_DEC, NULL, 0x0,
7876 NULL, HFILL}
7877 },
7878 /* ntop, 35632 / 113 */
7879 {&hf_pie_ntop_untunneled_protocol,
7880 {"Untunneled_protocol","cflow.pie.ntop.untunneled_protocol",
7881 FT_UINT8, BASE_DEC, NULL, 0x0,
7882 NULL, HFILL}
7883 },
7884 /* ntop, 35632 / 114 */
7885 {&hf_pie_ntop_untunneled_ipv4_src_addr,
7886 {"Untunneled_ipv4_src_addr","cflow.pie.ntop.untunneled_ipv4_src_addr",
7887 FT_IPv4, BASE_NONE, NULL, 0x0,
7888 NULL, HFILL}
7889 },
7890 /* ntop, 35632 / 115 */
7891 {&hf_pie_ntop_untunneled_l4_src_port,
7892 {"Untunneled_l4_src_port","cflow.pie.ntop.untunneled_l4_src_port",
7893 FT_UINT16, BASE_DEC, NULL, 0x0,
7894 NULL, HFILL}
7895 },
7896 /* ntop, 35632 / 116 */
7897 {&hf_pie_ntop_untunneled_ipv4_dst_addr,
7898 {"Untunneled_ipv4_dst_addr","cflow.pie.ntop.untunneled_ipv4_dst_addr",
7899 FT_IPv4, BASE_NONE, NULL, 0x0,
7900 NULL, HFILL}
7901 },
7902 /* ntop, 35632 / 117 */
7903 {&hf_pie_ntop_untunneled_l4_dst_port,
7904 {"Untunneled_l4_dst_port","cflow.pie.ntop.untunneled_l4_dst_port",
7905 FT_UINT16, BASE_DEC, NULL, 0x0,
7906 NULL, HFILL}
7907 },
7908
7909 /* ntop, 35632 / 110 */
7910 {&hf_pie_ntop_dump_path,
7911 {"Dump_path","cflow.pie.ntop.dump_path",
7912 FT_STRINGZ, BASE_NONE, NULL, 0x0,
7913 NULL, HFILL}
7914 },
7915 /* ntop, 35632 / 130 */
7916 {&hf_pie_ntop_sip_call_id,
7917 {"Sip_call_id","cflow.pie.ntop.sip_call_id",
7918 FT_STRING, BASE_NONE, NULL, 0x0,
7919 NULL, HFILL}
7920 },
7921 /* ntop, 35632 / 131 */
7922 {&hf_pie_ntop_sip_calling_party,
7923 {"Sip_calling_party","cflow.pie.ntop.sip_calling_party",
7924 FT_STRING, BASE_NONE, NULL, 0x0,
7925 NULL, HFILL}
7926 },
7927 /* ntop, 35632 / 132 */
7928 {&hf_pie_ntop_sip_called_party,
7929 {"Sip_called_party","cflow.pie.ntop.sip_called_party",
7930 FT_STRING, BASE_NONE, NULL, 0x0,
7931 NULL, HFILL}
7932 },
7933 /* ntop, 35632 / 133 */
7934 {&hf_pie_ntop_sip_rtp_codecs,
7935 {"Sip_rtp_codecs","cflow.pie.ntop.sip_rtp_codecs",
7936 FT_STRING, BASE_NONE, NULL, 0x0,
7937 NULL, HFILL}
7938 },
7939 /* ntop, 35632 / 134 */
7940 {&hf_pie_ntop_sip_invite_time,
7941 {"Sip_invite_time","cflow.pie.ntop.sip_invite_time",
7942 FT_UINT32, BASE_DEC, NULL, 0x0,
7943 NULL, HFILL}
7944 },
7945 /* ntop, 35632 / 135 */
7946 {&hf_pie_ntop_sip_trying_time,
7947 {"Sip_trying_time","cflow.pie.ntop.sip_trying_time",
7948 FT_UINT32, BASE_DEC, NULL, 0x0,
7949 NULL, HFILL}
7950 },
7951 /* ntop, 35632 / 136 */
7952 {&hf_pie_ntop_sip_ringing_time,
7953 {"Sip_ringing_time","cflow.pie.ntop.sip_ringing_time",
7954 FT_UINT32, BASE_DEC, NULL, 0x0,
7955 NULL, HFILL}
7956 },
7957 /* ntop, 35632 / 137 */
7958 {&hf_pie_ntop_sip_ok_time,
7959 {"Sip_ok_time","cflow.pie.ntop.sip_ok_time",
7960 FT_UINT32, BASE_DEC, NULL, 0x0,
7961 NULL, HFILL}
7962 },
7963 /* ntop, 35632 / 138 */
7964 {&hf_pie_ntop_sip_bye_time,
7965 {"Sip_bye_time","cflow.pie.ntop.sip_bye_time",
7966 FT_UINT32, BASE_DEC, NULL, 0x0,
7967 NULL, HFILL}
7968 },
7969 /* ntop, 35632 / 139 */
7970 {&hf_pie_ntop_sip_rtp_src_ip,
7971 {"Sip_rtp_src_ip","cflow.pie.ntop.sip_rtp_src_ip",
7972 FT_IPv4, BASE_NONE, NULL, 0x0,
7973 NULL, HFILL}
7974 },
7975 /* ntop, 35632 / 140 */
7976 {&hf_pie_ntop_sip_rtp_src_port,
7977 {"Sip_rtp_src_port","cflow.pie.ntop.sip_rtp_src_port",
7978 FT_UINT16, BASE_DEC, NULL, 0x0,
7979 NULL, HFILL}
7980 },
7981 /* ntop, 35632 / 141 */
7982 {&hf_pie_ntop_sip_rtp_dst_ip,
7983 {"Sip_rtp_dst_ip","cflow.pie.ntop.sip_rtp_dst_ip",
7984 FT_IPv4, BASE_NONE, NULL, 0x0,
7985 NULL, HFILL}
7986 },
7987 /* ntop, 35632 / 142 */
7988 {&hf_pie_ntop_sip_rtp_dst_port,
7989 {"Sip_rtp_dst_port","cflow.pie.ntop.sip_rtp_dst_port",
7990 FT_UINT16, BASE_DEC, NULL, 0x0,
7991 NULL, HFILL}
7992 },
7993 /* ntop, 35632 / 150 */
7994 {&hf_pie_ntop_rtp_first_ssrc,
7995 {"Rtp_first_ssrc","cflow.pie.ntop.rtp_first_ssrc",
7996 FT_UINT32, BASE_DEC, NULL, 0x0,
7997 NULL, HFILL}
7998 },
7999 /* ntop, 35632 / 151 */
8000 {&hf_pie_ntop_rtp_first_ts,
8001 {"Rtp_first_ts","cflow.pie.ntop.rtp_first_ts",
8002 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
8003 NULL, HFILL}
8004 },
8005 /* ntop, 35632 / 152 */
8006 {&hf_pie_ntop_rtp_last_ssrc,
8007 {"Rtp_last_ssrc","cflow.pie.ntop.rtp_last_ssrc",
8008 FT_UINT32, BASE_DEC, NULL, 0x0,
8009 NULL, HFILL}
8010 },
8011 /* ntop, 35632 / 153 */
8012 {&hf_pie_ntop_rtp_last_ts,
8013 {"Rtp_last_ts","cflow.pie.ntop.rtp_last_ts",
8014 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
8015 NULL, HFILL}
8016 },
8017 /* ntop, 35632 / 154 */
8018 {&hf_pie_ntop_rtp_in_jitter,
8019 {"Rtp_in_jitter","cflow.pie.ntop.rtp_in_jitter",
8020 FT_UINT32, BASE_DEC, NULL, 0x0,
8021 NULL, HFILL}
8022 },
8023 /* ntop, 35632 / 155 */
8024 {&hf_pie_ntop_rtp_out_jitter,
8025 {"Rtp_out_jitter","cflow.pie.ntop.rtp_out_jitter",
8026 FT_UINT32, BASE_DEC, NULL, 0x0,
8027 NULL, HFILL}
8028 },
8029 /* ntop, 35632 / 156 */
8030 {&hf_pie_ntop_rtp_in_pkt_lost,
8031 {"Rtp_in_pkt_lost","cflow.pie.ntop.rtp_in_pkt_lost",
8032 FT_UINT32, BASE_DEC, NULL, 0x0,
8033 NULL, HFILL}
8034 },
8035 /* ntop, 35632 / 157 */
8036 {&hf_pie_ntop_rtp_out_pkt_lost,
8037 {"Rtp_out_pkt_lost","cflow.pie.ntop.rtp_out_pkt_lost",
8038 FT_UINT32, BASE_DEC, NULL, 0x0,
8039 NULL, HFILL}
8040 },
8041 /* ntop, 35632 / 158 */
8042 {&hf_pie_ntop_rtp_out_payload_type,
8043 {"Rtp_out_payload_type","cflow.pie.ntop.rtp_out_payload_type",
8044 FT_UINT32, BASE_DEC, NULL, 0x0,
8045 NULL, HFILL}
8046 },
8047 /* ntop, 35632 / 159 */
8048 {&hf_pie_ntop_rtp_in_max_delta,
8049 {"Rtp_in_max_delta","cflow.pie.ntop.rtp_in_max_delta",
8050 FT_UINT32, BASE_DEC, NULL, 0x0,
8051 NULL, HFILL}
8052 },
8053 /* ntop, 35632 / 160 */
8054 {&hf_pie_ntop_rtp_out_max_delta,
8055 {"Rtp_out_max_delta","cflow.pie.ntop.rtp_out_max_delta",
8056 FT_UINT32, BASE_DEC, NULL, 0x0,
8057 NULL, HFILL}
8058 },
8059 /* ntop, 35632 / 168 */
8060 {&hf_pie_ntop_proc_id,
8061 {"Proc_id","cflow.pie.ntop.proc_id",
8062 FT_UINT32, BASE_DEC, NULL, 0x0,
8063 NULL, HFILL}
8064 },
8065 /* ntop, 35632 / 169 */
8066 {&hf_pie_ntop_proc_name,
8067 {"Proc_name","cflow.pie.ntop.proc_name",
8068 FT_STRING, BASE_NONE, NULL, 0x0,
8069 NULL, HFILL}
8070 },
8071 /* ntop, 35632 / 180 */
8072 {&hf_pie_ntop_http_url,
8073 {"Http_url","cflow.pie.ntop.http_url",
8074 FT_STRING, BASE_NONE, NULL, 0x0,
8075 NULL, HFILL}
8076 },
8077 /* ntop, 35632 / 181 */
8078 {&hf_pie_ntop_http_ret_code,
8079 {"Http_ret_code","cflow.pie.ntop.http_ret_code",
8080 FT_UINT16, BASE_DEC, NULL, 0x0,
8081 NULL, HFILL}
8082 },
8083 /* ntop, 35632 / 185 */
8084 {&hf_pie_ntop_smtp_mail_from,
8085 {"Smtp_mail_from","cflow.pie.ntop.smtp_mail_from",
8086 FT_STRING, BASE_NONE, NULL, 0x0,
8087 NULL, HFILL}
8088 },
8089 /* ntop, 35632 / 186 */
8090 {&hf_pie_ntop_smtp_rcpt_to,
8091 {"Smtp_rcpt_to","cflow.pie.ntop.smtp_rcpt_to",
8092 FT_STRING, BASE_NONE, NULL, 0x0,
8093 NULL, HFILL}
8094 },
8095 /* ntop, 35632 / 195 */
8096 {&hf_pie_ntop_mysql_server_version,
8097 {"Mysql_server_version","cflow.pie.ntop.mysql_server_version",
8098 FT_STRING, BASE_NONE, NULL, 0x0,
8099 NULL, HFILL}
8100 },
8101 /* ntop, 35632 / 196 */
8102 {&hf_pie_ntop_mysql_username,
8103 {"Mysql_username","cflow.pie.ntop.mysql_username",
8104 FT_STRING, BASE_NONE, NULL, 0x0,
8105 NULL, HFILL}
8106 },
8107 /* ntop, 35632 / 197 */
8108 {&hf_pie_ntop_mysql_db,
8109 {"Mysql_db","cflow.pie.ntop.mysql_db",
8110 FT_STRING, BASE_NONE, NULL, 0x0,
8111 NULL, HFILL}
8112 },
8113 /* ntop, 35632 / 198 */
8114 {&hf_pie_ntop_mysql_query,
8115 {"Mysql_query","cflow.pie.ntop.mysql_query",
8116 FT_STRING, BASE_NONE, NULL, 0x0,
8117 NULL, HFILL}
8118 },
8119 /* ntop, 35632 / 199 */
8120 {&hf_pie_ntop_mysql_response,
8121 {"Mysql_response","cflow.pie.ntop.mysql_response",
8122 FT_UINT16, BASE_DEC, NULL, 0x0,
8123 NULL, HFILL}
8124 },
8125
8126 /* plixer, 13745 / 100 */
8127 {&hf_pie_plixer_client_ip_v4,
8128 {"client_ip_v4","cflow.pie.plixer.client.ip_v4",
8129 FT_IPv4, BASE_NONE, NULL, 0x0,
8130 NULL, HFILL}
8131 },
8132 {&hf_pie_plixer_client_hostname,
8133 /* plixer, 13745 / 101 */
8134 {"client_hostname","cflow.pie.plixer.client_hostname",
8135 FT_STRING, BASE_NONE, NULL, 0x0,
8136 NULL, HFILL}
8137 },
8138 /* plixer, 13745 / 102 */
8139 {&hf_pie_plixer_partner_name,
8140 {"Partner_name","cflow.pie.plixer.partner_name",
8141 FT_STRING, BASE_NONE, NULL, 0x0,
8142 NULL, HFILL}
8143 },
8144 /* plixer, 13745 / 103 */
8145 {&hf_pie_plixer_server_hostname,
8146 {"Server_hostname","cflow.pie.plixer.server_hostname",
8147 FT_STRING, BASE_NONE, NULL, 0x0,
8148 NULL, HFILL}
8149 },
8150 /* plixer, 13745 / 104 */
8151 {&hf_pie_plixer_server_ip_v4,
8152 {"Server_ip_v4","cflow.pie.plixer.server_ip_v4",
8153 FT_IPv4, BASE_NONE, NULL, 0x0,
8154 NULL, HFILL}
8155 },
8156 /* plixer, 13745 / 105 */
8157 {&hf_pie_plixer_recipient_address,
8158 {"Recipient_address","cflow.pie.plixer.recipient_address",
8159 FT_STRING, BASE_NONE, NULL, 0x0,
8160 NULL, HFILL}
8161 },
8162 /* plixer, 13745 / 106 */
8163 {&hf_pie_plixer_event_id,
8164 {"Event_id","cflow.pie.plixer.event_id",
8165 FT_UINT32, BASE_DEC, NULL, 0x0,
8166 NULL, HFILL}
8167 },
8168 /* plixer, 13745 / 107 */
8169 {&hf_pie_plixer_msgid,
8170 {"Msgid","cflow.pie.plixer.msgid",
8171 FT_STRING, BASE_NONE, NULL, 0x0,
8172 NULL, HFILL}
8173 },
8174 /* plixer, 13745 / 108 */
8175 {&hf_pie_plixer_priority,
8176 {"Priority","cflow.pie.plixer_priority",
8177 FT_UINT32, BASE_DEC, NULL, 0x0,
8178 NULL, HFILL}
8179 },
8180 /* plixer, 13745 / 109 */
8181 {&hf_pie_plixer_recipient_report_status,
8182 {"Recipient_report_status","cflow.pie.plixer.recipient_report_status",
8183 FT_UINT32, BASE_DEC, NULL, 0x0,
8184 NULL, HFILL}
8185 },
8186 /* plixer, 13745 / 110 */
8187 {&hf_pie_plixer_number_recipients,
8188 {"Number_recipients","cflow.pie.plixer.number_recipients",
8189 FT_UINT32, BASE_DEC, NULL, 0x0,
8190 NULL, HFILL}
8191 },
8192 /* plixer, 13745 / 111 */
8193 {&hf_pie_plixer_origination_time,
8194 {"Origination_time","cflow.pie.plixer.origination_time",
8195 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
8196 NULL, HFILL}
8197 },
8198 /* plixer, 13745 / 112 */
8199 {&hf_pie_plixer_encryption,
8200 {"Cncryption","cflow.pie.plixer.encryption",
8201 FT_UINT32, BASE_DEC, NULL, 0x0,
8202 NULL, HFILL}
8203 },
8204 /* plixer, 13745 / 113 */
8205 {&hf_pie_plixer_service_version,
8206 {"Service_version","cflow.pie.plixer.service_version",
8207 FT_STRING, BASE_NONE, NULL, 0x0,
8208 NULL, HFILL}
8209 },
8210 /* plixer, 13745 / 114 */
8211 {&hf_pie_plixer_linked_msgid,
8212 {"Linked_msgid","cflow.pie.plixer.linked_msgid",
8213 FT_STRING, BASE_NONE, NULL, 0x0,
8214 NULL, HFILL}
8215 },
8216 /* plixer, 13745 / 115 */
8217 {&hf_pie_plixer_message_subject,
8218 {"Message_subject","cflow.pie.plixer.message_subject",
8219 FT_STRING, BASE_NONE, NULL, 0x0,
8220 NULL, HFILL}
8221 },
8222 /* plixer, 13745 / 116 */
8223 {&hf_pie_plixer_sender_address,
8224 {"Sender_address","cflow.pie.plixer.sender_address",
8225 FT_STRING, BASE_NONE, NULL, 0x0,
8226 NULL, HFILL}
8227 },
8228 /* plixer, 13745 / 117 */
8229 {&hf_pie_plixer_date_time,
8230 {"Date_time","cflow.pie.plixer.date_time",
8231 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
8232 NULL, HFILL}
8233 },
8234
8235 {&hf_string_len_short,
8236 {"String_len_short","cflow.string_len_short",
8237 FT_UINT8, BASE_DEC, NULL, 0x0,
8238 NULL, HFILL}
8239 },
8240 {&hf_string_len_long,
8241 {"String_len_short","cflow.string_len_long",
8242 FT_UINT8, BASE_DEC, NULL, 0x0,
8243 NULL, HFILL}
8244 }
8245
8246 };
8247
8248 static gint *ett[] = {
8249 &ett_netflow,
8250 &ett_unixtime,
8251 &ett_flow,
8252 &ett_flowtime,
8253 &ett_str_len,
8254 &ett_template,
8255 &ett_field,
8256 &ett_dataflowset,
8257 &ett_fwdstat
8258 };
8259
8260 static ei_register_info ei[] = {
8261 { &ei_cflow_flowset_length, { "cflow.flowset_length.invalid", PI_MALFORMED, PI_WARN, "Length invalid", EXPFILL }},
8262 { &ei_cflow_no_flow_information, { "cflow.no_flow_information", PI_MALFORMED, PI_WARN, "No flow information", EXPFILL }},
8263 { &ei_cflow_template_ipfix_scope_field_count, { "cflow.template_ipfix_scope_field_count.none", PI_MALFORMED, PI_WARN, "No scope fields", EXPFILL }},
8264 { &ei_cflow_template_ipfix_scope_field_count_too_many, { "cflow.template_ipfix_scope_field_count.too_many", PI_MALFORMED, PI_WARN, "More scope fields than fields", EXPFILL }},
8265 { &ei_cflow_options, { "cflow.options.too_many", PI_UNDECODED, PI_WARN, "More options than we can handle.", EXPFILL }},
8266 { &ei_cflow_scopes, { "cflow.scopes.too_many", PI_UNDECODED, PI_WARN, "More scopes than we can handle [template won't be used].", EXPFILL }},
8267 { &ei_cflow_entries, { "cflow.entries.too_many", PI_UNDECODED, PI_WARN, "More entries than we can handle [template won't be used]", EXPFILL }},
8268 };
8269
8270 module_t *netflow_module;
8271 expert_module_t* expert_netflow;
8272
8273 proto_netflow = proto_register_protocol("Cisco NetFlow/IPFIX", "CFLOW", "cflow");
8274
8275 proto_register_field_array(proto_netflow, hf, array_length(hf));
8276 proto_register_subtree_array(ett, array_length(ett));
8277 expert_netflow = expert_register_protocol(proto_netflow);
8278 expert_register_field_array(expert_netflow, ei, array_length(ei));
8279
8280 /* Register our configuration options for NetFlow */
8281 netflow_module = prefs_register_protocol(proto_netflow, proto_reg_handoff_netflow);
8282
8283 /* Set default Netflow port(s) */
8284 range_convert_str(&global_netflow_ports,NETFLOW_UDP_PORTS, MAX_UDP_PORT);
8285 range_convert_str(&global_ipfix_ports, IPFIX_UDP_PORTS, MAX_UDP_PORT);
8286
8287 prefs_register_obsolete_preference(netflow_module, "udp.port");
8288
8289 prefs_register_range_preference(netflow_module, "netflow.ports",
8290 "NetFlow UDP Port(s)",
8291 "Set the port(s) for NetFlow messages"
8292 " (default: " NETFLOW_UDP_PORTS ")",
8293 &global_netflow_ports, MAX_UDP_PORT);
8294
8295 prefs_register_range_preference(netflow_module, "ipfix.ports",
8296 "IPFIX UDP/TCP/SCTP Port(s)",
8297 "Set the port(s) for IPFIX messages"
8298 " (default: " IPFIX_UDP_PORTS ")",
8299 &global_ipfix_ports, MAX_UDP_PORT);
8300
8301 prefs_register_uint_preference(netflow_module, "max_template_fields",
8302 "Maximum number of fields allowed in a template",
8303 "Set the number of fields allowed in a template. "
8304 "Use 0 (zero) for unlimited. "
8305 " (default: " G_STRINGIFY(V9TEMPLATE_MAX_FIELDS_DEF) ")",
8306 10, &v9_tmplt_max_fields);
8307
8308 register_init_routine(&netflow_init);
8309 }
8310
8311
8312 /*
8313 * protocol/port association
8314 */
8315 static void
8316 ipfix_delete_callback(guint32 port)
8317 {
8318 if ( port ) {
8319 dissector_delete_uint("udp.port", port, netflow_handle);
8320 dissector_delete_uint("tcp.port", port, netflow_handle);
8321 dissector_delete_uint("sctp.port", port, netflow_handle);
8322 }
8323 }
8324
8325 static void
8326 ipfix_add_callback(guint32 port)
8327 {
8328 if ( port ) {
8329 dissector_add_uint("udp.port", port, netflow_handle);
8330 dissector_add_uint("tcp.port", port, netflow_handle);
8331 dissector_add_uint("sctp.port", port, netflow_handle);
8332 }
8333 }
8334
8335 void
8336 proto_reg_handoff_netflow(void)
8337 {
8338 static gboolean netflow_prefs_initialized = FALSE;
8339 static range_t *netflow_ports;
8340 static range_t *ipfix_ports;
8341
8342 if (!netflow_prefs_initialized) {
8343 netflow_handle = new_create_dissector_handle(dissect_netflow, proto_netflow);
8344 netflow_prefs_initialized = TRUE;
8345 dissector_add_uint("wtap_encap", WTAP_ENCAP_RAW_IPFIX, netflow_handle);
8346 } else {
8347 dissector_delete_uint_range("udp.port", netflow_ports, netflow_handle);
8348 g_free(netflow_ports);
8349 range_foreach(ipfix_ports, ipfix_delete_callback);
8350 g_free(ipfix_ports);
8351 }
8352
8353 netflow_ports = range_copy(global_netflow_ports);
8354 ipfix_ports = range_copy(global_ipfix_ports);
8355
8356 dissector_add_uint_range("udp.port", netflow_ports, netflow_handle);
8357 range_foreach(ipfix_ports, ipfix_add_callback);
8358 }
8359
8360 /*
8361 * Editor modelines
8362 *
8363 * Local Variables:
8364 * c-basic-offset: 4
8365 * tab-width: 8
8366 * indent-tabs-mode: nil
8367 * End:
8368 *
8369 * ex: set shiftwidth=4 tabstop=8 expandtab:
8370 * :indentSize=4:tabSize=8:noTabs=true:
8371 */