Found out, that real netflow can't be parsed without unnecessary error. If there are template FlowSet along with data FlowSet, there is a bug: parser expects the same number of flowsets as in the header.count, but it's incorrect.
On documentation in Figure 2 we can see the example of netflow packet consists of template and data flowset. Header.count here shows the number of data flows + template flow.
Wireshark with netflow data analysis shows the same behaviour.
I slightly changed parse method of flowsets to achieve the same result
Found out, that real
netflowcan't be parsed without unnecessary error. If there are template FlowSet along with data FlowSet, there is a bug: parser expects the same number of flowsets as in theheader.count, but it's incorrect.On documentation in Figure 2 we can see the example of netflow packet consists of template and data flowset.
Header.counthere shows the number of data flows + template flow.Wireshark with netflow data analysis shows the same behaviour.
I slightly changed parse method of
flowsetsto achieve the same result