[netflow-tools] flowd-reader export

Florian Weimer fw at deneb.enyo.de
Sat Apr 1 01:11:25 EST 2006

* Yann Berthier:

> On Tue, 28 Mar 2006, at 14:00, Florian Weimer wrote:
>> * Murray Shields:
>> > Makes sense to me. Any holes in this logic?
>> It might be a very long connection which results in multiple flows.
>> In this case, the first packet in the two flows is not sent by the
>> client.
>> In general, it is quite difficult to reconstruct the roles without TCP
>> flags export (and the way it is done by some vendors is not really
>> helpful, either).
>    Even when you are lucky enough to have the flags, it not that
>    helpful: as flags are ORed, you end up for a 'complete' tcp
>    'session' with both uni-directional flows having at least SAF set -
>    no way to distinguish the client (in an ip sense) from the server
>    Or do i minsunderstand you ?

I would expect a configuration tweak to break the netflow spec and
transmit the flag of the *first* segment. 8-) The SAF combo is not
very useful indeed.

More information about the netflow-tools mailing list