[netflow-tools] flowd-reader export
Nathan Einwechter
nathan at inorb.com
Sat Mar 25 11:04:47 EST 2006
Along the same lines of this question; when NetFlow lists something as
being the "Source", for TCP connections, does this mean the full
connection source (within the context of a TCP connection,
three-way-handshake etc), or just where that specific set of packets is
going to/coming from?
i.e. if I'm looking at web traffic, will it look like this:
Source  Dest  SrcPort  DstPort  Prot
A       B     1064     80       6
Or this:
Source  Dest  SrcPort  DstPort  Prot
A       B     1064     80       6
B       A     80       1064     6
?
Thanks for everyone's assistance in clarifying this.
Yours truly,
Nathan
-----Original Message-----
From: netflow-tools-bounces+nathan=inorb.com at mindrot.org
[mailto:netflow-tools-bounces+nathan=inorb.com at mindrot.org] On Behalf Of
Murray Shields
Sent: March 23, 2006 9:47 PM
To: netflow-tools at mindrot.org
Subject: [netflow-tools] flowd-reader export
Is there any documentation on the export as generated by flowd-reader?
For example, what are the possible values and meanings for proto (I know
6 is TCP)? What is the most accurate way of matching bi-directional
packets (is it simply a specific port number range)?
Can I simply assume that the LOWER port number is the port, and the
higher is for matching?
I have tried all of the README files, installed documentation and
Googled, but can find nothing on this. I have also grepped a downloaded
copy of the mailing list archive.
Can anyone help?
Thanks.
Murray.