[netflow-tools] flowd-reader export
Florian Weimer
fw at deneb.enyo.de
Sat Apr 1 01:11:25 EST 2006
* Yann Berthier:
> On Tue, 28 Mar 2006, at 14:00, Florian Weimer wrote:
>
>> * Murray Shields:
>>
>> > Makes sense to me. Any holes in this logic?
>>
>> It might be a very long connection which results in multiple flows.
>> In this case, the first packet in the two flows is not sent by the
>> client.
>>
>>
>> In general, it is quite difficult to reconstruct the roles without TCP
>> flags export (and the way it is done by some vendors is not really
>> helpful, either).
>
> Even when you are lucky enough to have the flags, it is not that
> helpful: as flags are ORed, you end up for a 'complete' tcp
> 'session' with both uni-directional flows having at least SAF set -
> no way to distinguish the client (in an ip sense) from the server
>
> Or do I misunderstand you?

I would expect a configuration tweak to break the netflow spec and
transmit the flag of the *first* segment. 8-) The SAF combo is not
very useful indeed.
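
The point made in this exchange, as an added example that is not part of the original message: a constructed packet trace is aggregated into unidirectional flow records, once with the flags ORed as NetFlow exports them and once keeping the first segment's flags, as in the configuration tweak imagined above. The function names, the simplified active-timeout model and the start-time heuristic are assumptions made for illustration.

```python
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10  # TCP flag bits

def aggregate(packets, active_timeout=None):
    """Turn (time, src, dst, flags) packets into unidirectional flow records.

    'ored' is the cumulative OR of flags, as NetFlow exports it. 'first' is
    the hypothetical tweak: the flags of the first segment of the flow.
    A flow older than active_timeout is closed and a new record is started
    (simplified model of an exporter's active timeout).
    """
    active, done = {}, []
    for t, src, dst, flags in packets:
        rec = active.get((src, dst))
        if rec and active_timeout is not None and t - rec["start"] >= active_timeout:
            done.append(active.pop((src, dst)))
            rec = None
        if rec is None:
            rec = active[(src, dst)] = {"src": src, "dst": dst, "start": t,
                                        "ored": 0, "first": flags}
        rec["ored"] |= flags
    return sorted(done + list(active.values()), key=lambda r: r["start"])

def client_from_ored(a, b):
    """Client guess from ORed flags: a flow with SYN but never ACK."""
    for rec in (a, b):
        if rec["ored"] & SYN and not rec["ored"] & ACK:
            return rec["src"]
    return None  # a complete session has SAF on both sides

def client_from_first(a, b):
    """Client guess from first-segment flags: a bare SYN opens the session."""
    for rec in (a, b):
        if rec["first"] & (SYN | ACK) == SYN:
            return rec["src"]
    return None  # continuation flows carry no SYN at all

def client_from_start(a, b):
    """Timing heuristic (assumed): the earlier flow belongs to the client."""
    return min(a, b, key=lambda r: r["start"])["src"]

# Constructed packet trace of one long TCP session (client C, server S).
TRACE = [(0, "C", "S", SYN), (1, "S", "C", SYN | ACK), (2, "C", "S", ACK),
         (3, "C", "S", PSH | ACK), (4, "S", "C", PSH | ACK),
         (100, "S", "C", PSH | ACK), (101, "C", "S", ACK),
         (200, "C", "S", FIN | ACK), (201, "S", "C", FIN | ACK),
         (202, "C", "S", ACK)]
```

With no timeout the two records are indistinguishable by ORed flags, while the first-segment flags identify C. With `active_timeout=60` the session splits into six records, and for the middle pair the start-time heuristic names the server while the first-segment check reports the role as unknown.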