Skip to content

layers/netflow: NFv9/10 flow record type fix#4813

Merged
gpotter2 merged 6 commits intosecdev:masterfrom
msune:fix_4810_netflow_fieldtypes
Mar 14, 2026
Merged

layers/netflow: NFv9/10 flow record type fix#4813
gpotter2 merged 6 commits intosecdev:masterfrom
msune:fix_4810_netflow_fieldtypes

Conversation

@msune
Copy link
Contributor

@msune msune commented Aug 6, 2025

This commit fixes the Python types of a number of fields defined in Netflowv9/10 for the following pre-defined fields (mostly the ones in RFC3954 https://datatracker.ietf.org/doc/html/rfc3954).

It appears that in absence of an assigned field type, it defaults to BytesField instead of IntField. Fields:

  • IN_BYTES, IN_PKTS, OUT_BYTES, OUT_PKTS: IntField (4 bytes). Please note code doesn't seem to support the larget 8byte optional length.
  • MUL_DST_PKTS, MUL_DST_BYTES: same as above
  • INPUT_SNMP, OUTPUT_SNMP: ShortField (2 bytes), iface index. Note: code doesn't seem to support optional larger values (undefined max. length, but 8 bytes might be sufficient).

Note there are many other field types defined that are not part of the spec / unknown without field type and length.

Fixes #4810

@msune
Copy link
Contributor Author

msune commented Aug 6, 2025
edited
Loading

This comes from #4810. I've revised a number of fields.

A couple of thoughts:

  • I didn't test the changes, I am just opening this Draft PR for discussion.
  • I assumed this was the case, but I'd like someone to confirm:

It appears that in absence of an assigned field type, it defaults to BytesField instead of IntField. Fields:

  • I am not sure which coverage exists for this layer, and where should that coverage be added (not familiar with Scapy's testing approach). Some directions might help here.

cc @gpotter2

gpotter2
gpotter2 reviewed Aug 7, 2025
View reviewed changes
Copy link
Member

@gpotter2 gpotter2 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for looking into this, we likely should try to adapt the code so that it supports NBytesField to support integer values of arbitrary lengths. Right now this code likely won't work.

@msune
Copy link
Contributor Author

msune commented Aug 7, 2025

we likely should try to adapt the code so that it supports NBytesField to support integer values of arbitrary lengths. Right now this code likely won't work.

Ack. It would be good to support the 8bytes counters, as this is a commonly used thing.

@gpotter2 gpotter2 self-assigned this Oct 4, 2025
@gpotter2 gpotter2 added this to the 2.7.0 milestone Oct 4, 2025
@gpotter2 gpotter2 modified the milestones: 2.7.0, next Dec 26, 2025
msune and others added 3 commits March 14, 2026 19:50
@msune @gpotter2
layers/netflow: NFv9/10 flow record type fix
b35b9fe 
This commit fixes the Python types of a number of fields defined
in Netflowv9/10 for the following pre-defined fields (mostly
the ones in RFC3954 https://datatracker.ietf.org/doc/html/rfc3954).

It appears that in absence of an assigned field type, it defaults
to BytesField instead of IntField. Fields:

* IN_BYTES, IN_PKTS, OUT_BYTES, OUT_PKTS: IntField (4 bytes). Please note
  code doesn't seem to support the larget 8byte optional length.
* MUL_DST_PKTS, MUL_DST_BYTES: same as above
* INPUT_SNMP, OUTPUT_SNMP: ShortField (2 bytes), iface index. Note: code
  doesn't seem to support optional larger values (undefined max. length,
  but 8 bytes might be sufficient).

Note there are _many_ other field types defined that are not part
of the spec / unknown without field type and length.

Fixes secdev#4810

Signed-off-by: Marc Sune <marcdevel@gmail.com>
@msune @gpotter2
layers/netflow: delete print() _GenNetflowRecordV9
35d8b10 
Remove unnecessary `print()` in _GenNetflowRecordV9().

Fixes secdev#4810

Signed-off-by: Marc Sune <marcdevel@gmail.com>
@gpotter2
Update to support isint parameter
bef46f3
@gpotter2 gpotter2 marked this pull request as ready for review March 14, 2026 18:51
@gpotter2 gpotter2 force-pushed the fix_4810_netflow_fieldtypes branch from fa89ccb to cd72cb2 Compare March 14, 2026 19:06
@gpotter2 gpotter2 enabled auto-merge (squash) March 14, 2026 19:34
@gpotter2
Copy link
Member

gpotter2 commented Mar 14, 2026

Thanks again a lot for the PR and sorry for the gazillion years of wait...

@gpotter2 gpotter2 disabled auto-merge March 14, 2026 19:58
@gpotter2 gpotter2 merged commit 2cb8101 into secdev:master Mar 14, 2026
22 of 23 checks passed
@codecov
Copy link

codecov bot commented Mar 14, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 80.28%. Comparing base (e3273c4) to head (dc12582).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files 
@@           Coverage Diff           @@
##           master    #4813   +/-   ##
=======================================
  Coverage   80.27%   80.28%           
=======================================
  Files         375      375           
  Lines       92476    92480    +4     
=======================================
+ Hits        74238    74245    +7     
+ Misses      18238    18235    -3
Files with missing lines Coverage Δ
scapy/layers/netflow.py 90.57% <100.00%> (+0.11%) ⬆️

... and 4 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gpotter2 gpotter2 gpotter2 approved these changes

Assignees

@gpotter2 gpotter2

Labels

bug

Projects

None yet

Milestone

next

Development

Successfully merging this pull request may close these issues.

Netflowv9 flowrecord serializes IN_PKTS=0,IN_BYTES=0

2 participants

@msune @gpotter2