2023-04-22 10:32 (UTC-0700),
neil....@inmon.com:
> In the XDR encoding that sFlow uses, unsigned int is always encoded on the
> wire in network byte order (big endian). So if there were a tcp_flags
> field indicating ACK+SYN+FIN then I would expect to see an integer with the
> value 16 + 2 + 1 = 19 = 0x13.
So would I, thanks for confirming.
> And on the wire I would expect to see the hex byes 00-00-00-13.
> In [3] this looks like it would be read correctly.
> I'm not sure what will happen in [2].
Yes, sorry, looking at sflowtool ([3]) code more closely,
I now see that it works according to the spec.
> This structure is very rarely used. It was only defined in the standard
> for an agent that, for some reason, is unable to export the original
> packet header.
This is surprising to hear.
Don't collectors benefit from not having to parse L3/L4 headers?
> Do you have an example where it appears but is populated incorrectly?
> Or does the problem lie with decoders [2] and/or [3]?
We are trying to implement an sFlow exporter.
It exports TCP flags 0x10 = ACK as 00 00 00 10
and ToS 0x70 = DSCP 28 as 00 00 00 70.
Wireshark ([2]) shows this as no TCP flags set (0) and no ToS (0),
because it expects the values to be in the first octet of each field
as they are on the wire ("tcp_flags 00 00 00" and "tos 00 00 00").
I'm attaching the capture (IP addresses redacted) and the dissection.
So Wireshark is wrong that their dissector is buggy?