[Nfdump-discuss] bug in flowcache printing

Mon, 19 May 2014 09:40:45 -0700 

Hi Peter,
  if I aggregate according the netmask I receive wrong results. Probably
all nfdump versions are affected (tested with 1.6.12, 1.6.11, 1.6.10)
The bug is however not connected with aggregation but with printing the
flow cache.

Example:
nfcapd.test contains one flow:
141.3.120.67:38098 ->     12.30.26.218:25507

Nothing is printed with the following command:
nfdump -r nfcapd.test -A srcip4/24

This command works:
nfdump -r nfcapd.test -A srcip4/16
Src IP Addr   Packets
141.3.0.0         1


I have been digging around the source code and I believe, that a
condition for flowcache iteration is wrong in nfstat.c PrintFlowTable().
In the rare case, where the flow record is in the last position in the
cache (the index has the same value as the FlowTable.IndexMask), you
will not print the record, because you iterate the table with following
code:

for ( i=0; i<FlowTable->IndexMask; i++ ) {
}

The condition should be probably:
i <= FlowTable->IndexMask

Patch solving the issue is attached. Hope you will find it useful.

Sincerely,
  Matej

Attachment: nfcapd.test
Description: Binary data

--- nfstat.c	2014-02-16 13:59:29.000000000 +0100
+++ nfstat-new.c	2014-05-19 17:37:56.000000000 +0200
@@ -1445,7 +1445,7 @@
 		}
 
 		// preset SortList table - still unsorted
-		for ( i=0; i<FlowTable->IndexMask; i++ ) {
+		for ( i=0; i<=FlowTable->IndexMask; i++ ) {
 			r = FlowTable->bucket[i];
 			if ( !r ) 
 				continue;
@@ -1529,7 +1529,7 @@
 	} else {
 		// print them as they came
 		c = 0;
-		for ( i=0; i<FlowTable->IndexMask; i++ ) {
+		for ( i=0; i<=FlowTable->IndexMask; i++ ) {
 			r = FlowTable->bucket[i];
 			while ( r ) {
 				master_record_t	*flow_record;

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

------------------------------------------------------------------------------
"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
Instantly run your Selenium tests across 300+ browser/OS combos.
Get unparalleled scalability from the best Selenium testing platform available
Simple to use. Nothing to install. Get started now for free."
http://p.sf.net/sfu/SauceLabs
_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss

Reply via email to