author | Uli Heilmeier <uh@heilmeier.eu> | 2017-07-25 22:12:52 +0200 |
---|---|---|
committer | Michael Mann <mmann78@netscape.net> | 2017-07-31 11:19:41 +0000 |
commit | 6cff9c8da6a8190258f3b392312297ca2ac11e33 (patch) | |
tree | bed90f63abb4da9c052e06fa324ac093e69ade04 /epan | |
parent | 38b7660eeddbda98d406dd130f2a3bda08ca1977 (diff) |
Netflow: Reassemble flows spanning multiple PDUs
Flow records can span multiple PDUs (e.g. when using TCP).
This commit adds the preference to reassemble flows.
Bug: 13915
Change-Id: I10eb0d9ee5ff5cc06ff52d0d0c8c468140e0273b
Reviewed-on: https://code.wireshark.org/review/22792
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Diffstat (limited to 'epan')
-rw-r--r-- | epan/dissectors/packet-netflow.c | 31 |
1 files changed, 30 insertions, 1 deletions
diff --git a/epan/dissectors/packet-netflow.c b/epan/dissectors/packet-netflow.c
index 0ba6011d70..d14c99564f 100644
--- a/epan/dissectors/packet-netflow.c
+++ b/epan/dissectors/packet-netflow.c
@@ -161,6 +161,7 @@ void proto_reg_handoff_netflow(void);
 #define IPFIX_UDP_PORTS "4739"
 #define REVPEN 29305
 static dissector_handle_t netflow_handle;
+static dissector_handle_t netflow_tcp_handle;
 /* If you want sort of safely to send enterprise specific element IDs using v9 you need to stake a claim in the wilds with the high bit
@@ -177,6 +178,8 @@ static range_t *global_netflow_ports = NULL;
 */
 static range_t *global_ipfix_ports = NULL;
+static gboolean netflow_preference_desegment = TRUE;
+
 /*
 * Flowset (template) ID's
 */
@@ -16629,11 +16632,36 @@ proto_register_netflow(void)
 " (default: " G_STRINGIFY(V9_TMPLT_MAX_FIELDS_DEF) ")", 10, &v9_tmplt_max_fields);
+ prefs_register_bool_preference(netflow_module, "desegment", "Reassemble Netflow v10 messages spanning multiple TCP segments.", "Whether the Netflow/Ipfix dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable \"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.", &netflow_preference_desegment);
+
 v9_v10_tmplt_table = wmem_map_new_autoreset(wmem_epan_scope(), wmem_file_scope(), v9_v10_tmplt_table_hash, v9_v10_tmplt_table_equal);
 netflow_sequence_analysis_domain_hash = wmem_map_new_autoreset(wmem_epan_scope(), wmem_file_scope(), g_direct_hash, g_direct_equal);
 netflow_sequence_analysis_result_hash = wmem_map_new_autoreset(wmem_epan_scope(), wmem_file_scope(), g_direct_hash, g_direct_equal);
 }
+static guint
+get_netflow_pdu_len(packet_info *pinfo _U_, tvbuff_t *tvb, int offset, void *data _U_)
+{
+ unsigned int ver;
+ guint16 plen;
+
+ ver = tvb_get_ntohs(tvb, offset);
+ if (ver == 10) {
+ plen = tvb_get_ntohs(tvb, offset+2);
+ } else {
+ plen = tvb_reported_length(tvb);
+ }
+
+ return plen;
+}
+
+static int
+dissect_tcp_netflow(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data)
+{
+ tcp_dissect_pdus(tvb, pinfo, tree, netflow_preference_desegment, 4, get_netflow_pdu_len,
+ dissect_netflow, data);
+ return tvb_reported_length(tvb);
+}
 /*
 * protocol/port association
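Review bot: In `get_netflow_pdu_len` the result is kept in `guint16 plen` although the function returns `guint` and the non-v10 branch assigns `tvb_reported_length(tvb)`, which is a `guint`; a buffer longer than 65535 bytes is silently truncated modulo 2^16 and tcp_dissect_pdus would then carve the non-IPFIX data at a bogus boundary. Declaring `guint plen;` (or writing `return tvb_reported_length(tvb);` directly in that branch) removes the truncation, and the v10 path is unaffected because its header length is 16 bits on the wire. The v10 length is read straight from the wire without any check here, so the code is relying on tcp_dissect_pdus treating a value below the fixed length of 4 as bogus (which, as far as I recall, it does by reporting a bounds error rather than looping); a comment such as `/* v10 length is wire-controlled; values < 4 are rejected by tcp_dissect_pdus */` would make that dependency visible to the next maintainer. The else branch also deserves a why-comment, presumably along the lines of `/* only IPFIX (v10) carries a byte length in its header; other versions are handed over one PDU per segment */`, since nothing in the hunk explains why v5/v9 get no reassembly even though the preference text only promises v10.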
@@ -16665,9 +16693,10 @@ proto_reg_handoff_netflow(void)
 if (!netflow_prefs_initialized) {
 netflow_handle = create_dissector_handle(dissect_netflow, proto_netflow);
+ netflow_tcp_handle = create_dissector_handle(dissect_tcp_netflow, proto_netflow);
 netflow_prefs_initialized = TRUE;
 dissector_add_uint("wtap_encap", WTAP_ENCAP_RAW_IPFIX, netflow_handle);
- dissector_add_uint_range_with_preference("tcp.port", IPFIX_UDP_PORTS, netflow_handle);
+ dissector_add_uint_range_with_preference("tcp.port", IPFIX_UDP_PORTS, netflow_tcp_handle);
 } else {
 dissector_delete_uint_range("udp.port", netflow_ports, netflow_handle);
 wmem_free(wmem_epan_scope(), netflow_ports); |