Netflowv9 flowrecord serializes IN_PKTS=0,IN_BYTES=0 #4810

@msune

Brief description

Hello,

While working on some testing code for pmacct using scapy, I found what appears to be a bug serializing v9 netflow flow records.

The TL;DR: IN_BYTES and IN_PKTS (OUT_ too) are always serialized to a value of 0. The interesting bit is that show() prints the right values, but when show2() is invoked the resulting first 8 bytes are 0.

Scapy version

2.6.1

Python version

3.13.3

Operating system

Debian trixie (testing)

Additional environment information

No response

How to reproduce

Here is a simple repro:

>>> from scapy.layers.netflow import *
>>>         template_flowset = NetflowFlowsetV9(
...:             flowSetID=0,
...:             templates=[
...:                 NetflowTemplateV9(
...:                     templateID=256,
...:                     fieldCount=5,
...:                     template_fields=[
...:                         NetflowTemplateFieldV9(fieldType="IN_BYTES", fieldLength=4),
...:                         NetflowTemplateFieldV9(fieldType="IN_PKTS", fieldLength=4),
...:                         NetflowTemplateFieldV9(fieldType="PROTOCOL", fieldLength=1),
...:                         NetflowTemplateFieldV9(fieldType="IPV4_SRC_ADDR", fieldLength=4),
...:                         NetflowTemplateFieldV9(fieldType="IPV4_DST_ADDR", fieldLength=4),
...:                     ]
...:                 )
...:             ]
...:         )
...: 
...:         recordClass = GetNetflowRecordV9(template_flowset)
...:         dataflowset = NetflowDataflowsetV9(
...:             templateID=256,
...:             records=[
...:                 recordClass(
...:                     IN_BYTES=0x1234,
...:                     IN_PKTS=0xABC,
...:                     PROTOCOL=6,
...:                     IPV4_SRC_ADDR="192.168.0.10",
...:                     IPV4_DST_ADDR="192.168.0.11"
...:                 ),
...:             ],
...:         )
...: 
4 {'enum': </etc/protocols - 56 elements>}
8 {}
12 {}
>>> dataflowset.show()
###[ Netflow DataFlowSet V9/10 ]###
  templateID= 256
  length    = None
  \records   \
   |###[ Netflow DataFlowset Record V9/10 ]###
   |  IN_BYTES  = 4660
   |  IN_PKTS   = 2748
   |  PROTOCOL  = tcp
   |  IPV4_SRC_ADDR= 192.168.0.10
   |  IPV4_DST_ADDR= 192.168.0.11

>>> dataflowset.show2()
###[ Netflow DataFlowSet V9/10 ]###
  templateID= 256
  length    = 24
  \records   \
   |###[ Netflow DataFlowset Record V9/10 ]###
   |  fieldValue= b'\x00\x00\x00\x00\x00\x00\x00\x00\x06\xc0\xa8\x00\n\xc0\xa8\x00\x0b\x00\x00\x00'

>>> 

Worth noting, there is some weird output:

4 {'enum': </etc/protocols - 56 elements>}
8 {}
12 {}

Actual result

No response

Expected result

No response

Related resources

No response
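
An independent check of the record bytes reported above, added here as an example; it is not code from the issue author or from scapy. It encodes the reported template and values by hand (big-endian fields, padding to a 32-bit boundary as in RFC 3954), decodes the `fieldValue` bytes printed by `show2()`, and lists the fields that differ. The helper names are hypothetical.

```python
import socket

# Template from the report: (field name, length in bytes), in wire order.
TEMPLATE = [("IN_BYTES", 4), ("IN_PKTS", 4), ("PROTOCOL", 1),
            ("IPV4_SRC_ADDR", 4), ("IPV4_DST_ADDR", 4)]
ADDR_FIELDS = {"IPV4_SRC_ADDR", "IPV4_DST_ADDR"}

# Values the report passed to the record class.
INTENDED = {"IN_BYTES": 0x1234, "IN_PKTS": 0xABC, "PROTOCOL": 6,
            "IPV4_SRC_ADDR": "192.168.0.10", "IPV4_DST_ADDR": "192.168.0.11"}

# fieldValue bytes printed by show2() in the report (3 trailing padding bytes).
OBSERVED = (b"\x00\x00\x00\x00\x00\x00\x00\x00\x06"
            b"\xc0\xa8\x00\n\xc0\xa8\x00\x0b\x00\x00\x00")


def encode_record(values, template=TEMPLATE):
    """Serialize one data record: each field big-endian at its template length."""
    out = b""
    for name, length in template:
        if name in ADDR_FIELDS:
            out += socket.inet_aton(values[name])
        else:
            out += values[name].to_bytes(length, "big")
    return out


def pad_to_32bit(body):
    """Pad the record area so the next flowset starts on a 4-byte boundary."""
    return body + b"\x00" * (-len(body) % 4)


def decode_record(data, template=TEMPLATE):
    """Decode one record from raw bytes; trailing padding is ignored."""
    values, offset = {}, 0
    for name, length in template:
        chunk = data[offset:offset + length]
        if len(chunk) != length:
            raise ValueError(f"record truncated at {name}")
        values[name] = (socket.inet_ntoa(chunk) if name in ADDR_FIELDS
                        else int.from_bytes(chunk, "big"))
        offset += length
    return values


def mismatched_fields(intended, data, template=TEMPLATE):
    """Names of fields whose on-wire value differs from the intended value."""
    decoded = decode_record(data, template)
    return [name for name, _ in template if decoded[name] != intended[name]]


if __name__ == "__main__":
    print("expected:", pad_to_32bit(encode_record(INTENDED)).hex())
    print("observed:", OBSERVED.hex())
    print("differs :", mismatched_fields(INTENDED, OBSERVED))
```

The same comparison can be run against `bytes(record)` from any scapy build to confirm whether the counter fields serialize correctly.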
