[netflow-tools] flowd-reader export
Murray Shields
murray.shields at netoptions.com.au
Mon Mar 27 14:51:51 EST 2006
Florian Weimer wrote:
> * Murray Shields:
>
>
>> Is there any documentation on the export as generated by flowd-reader?
>> For example, what are the possible values and meanings for proto (I know
>> 6 is TCP)? What is the most accurate way of matching bi-directional
>> packets (is it simply a specific port number range)?
>>
>
> You can match the connection quadruple (twice IP address and port).
> They are the same for both directions, except that sender and receiver
> are swapped.
>
When you perform this match (I will have to add the received time into
this equation, as I am getting repeats at different times), this will give
me a bi-directional pair for a request/response flow of traffic.
THEREFORE, can I use the destination port from the FIRST of these two
records, and use it as the port identifying the type of traffic?
For instance, the following matched pair:
[192.168.2.1]:45223 => [192.168.1.1]:80
[192.168.1.1]:80 => [192.168.2.1]:45223
means:
192.168.2.1 used port 54223 to send a packet requesting a web server on
192.168.1.1 using port 80.
192.168.1.1 used port 80 to send a response to 192.168.2.1 using port 54223.
Therefore the port indicating the traffic type is 80 (the first
destination).
Makes sense to me. Any holes in this logic?
Murray.
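The pairing described in the exchange above, written out as an added example that is not part of the original post or of flowd/flowd-reader: records are keyed on the connection quadruple with the endpoints ordered so that both directions hash to the same key, a record is paired only with its reversed counterpart received within a time window (so repeats of the same quadruple at a much later time stay unmatched, as the post mentions), and the traffic type is taken from the destination port of the first record of the pair. The field names, the sample records and the 60-second window are assumptions; the protocol numbers are the IANA assignments (6 is TCP, as the post says; 17 is UDP, 1 is ICMP). A lower-port fallback is included for the case a practitioner would want to check: when the collector happens to export the response record before the request, "first destination port" would name the ephemeral client port instead of the service port.

```python
from dataclasses import dataclass

# IANA protocol numbers (the post confirms 6 = TCP).
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


@dataclass(frozen=True)
class Flow:
    """One exported flow record. Field set is an assumption for this example."""
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    recv_time: float  # collector receive time, seconds


def pair_key(f):
    """Direction-independent key: the quadruple with endpoints ordered, so the
    request and the response of one connection map to the same key."""
    a = (f.src, f.sport)
    b = (f.dst, f.dport)
    return (f.proto,) + (a + b if a <= b else b + a)


def match_pairs(flows, window=60.0):
    """Pair each record with its reversed counterpart received within `window`
    seconds. Returns (pairs, unmatched); pairs are (first, second) by receive time."""
    pending = {}  # key -> unmatched records with that quadruple
    pairs, unmatched = [], []
    for f in sorted(flows, key=lambda x: x.recv_time):
        bucket = pending.setdefault(pair_key(f), [])
        for i, other in enumerate(bucket):
            reversed_dir = (other.src, other.sport) == (f.dst, f.dport)
            if reversed_dir and f.recv_time - other.recv_time <= window:
                pairs.append((other, f))
                del bucket[i]
                break
        else:
            bucket.append(f)  # no partner yet, or only stale repeats
    for bucket in pending.values():
        unmatched.extend(bucket)
    return pairs, unmatched


def service_port(first, second):
    """The rule from the post: destination port of the first record of the pair."""
    return first.dport


def service_port_fallback(first, second):
    """Heuristic for when record ordering is not trusted: prefer the well-known
    (< 1024) port, else the lower of the two ports."""
    ports = (first.dport, second.dport)
    known = [p for p in ports if p < 1024]
    return min(known) if known else min(ports)


def sample_flows():
    """Constructed records mirroring the post's example, plus a DNS pair and a
    repeat of the HTTP request 500 s later (should stay unmatched)."""
    return [
        Flow(6, "192.168.2.1", 45223, "192.168.1.1", 80, 0.0),
        Flow(6, "192.168.1.1", 80, "192.168.2.1", 45223, 1.5),
        Flow(17, "192.168.2.1", 51000, "192.168.1.1", 53, 2.0),
        Flow(17, "192.168.1.1", 53, "192.168.2.1", 51000, 2.1),
        Flow(6, "192.168.2.1", 45223, "192.168.1.1", 80, 500.0),
    ]


def run_example():
    pairs, unmatched = match_pairs(sample_flows())
    summary = [
        (PROTO_NAMES.get(a.proto, str(a.proto)), service_port(a, b), service_port_fallback(a, b))
        for a, b in pairs
    ]
    return summary, len(unmatched)


if __name__ == "__main__":
    for proto, port, fallback in run_example()[0]:
        print(f"{proto}: service port {port} (fallback heuristic: {fallback})")
```

With the constructed records, both the first-destination rule and the fallback agree (80 for TCP, 53 for UDP); they diverge only if the response record sorts before the request, which is the case worth watching when receive times from the collector are coarse.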