[netflow-tools] flowd-reader export
Yann Berthier
yb at bashibuzuk.net
Wed Mar 29 00:45:51 EST 2006
On Tue, 28 Mar 2006, at 14:00, Florian Weimer wrote:
> * Murray Shields:
>
> > Makes sense to me. Any holes in this logic?
>
> It might be a very long connection which results in multiple flows.
> In this case, the first packet in the two flows is not sent by the
> client.
>
>
> In general, it is quite difficult to reconstruct the roles without TCP
> flags export (and the way it is done by some vendors is not really
> helpful, either).
Even when you are lucky enough to have the flags, it is not that
helpful: as flags are ORed, you end up for a 'complete' TCP
'session' with both uni-directional flows having at least SAF set -
no way to distinguish the client (in an IP sense) from the server.
Or do I misunderstand you?
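
The two points raised in this thread (a long connection cut into several flows, and ORed flags leaving both directions with at least SAF), as an added example that is not part of the original message. The exporter, its active timeout, the endpoints and the "earliest first packet is the client" heuristic are simplified assumptions, and the packets are constructed.

```python
# Added illustration: constructed packets and a simplified, hypothetical exporter.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
C, S = "client:40000", "server:80"          # constructed endpoints

def flag_str(bits):
    names = (("S", SYN), ("A", ACK), ("P", PSH), ("F", FIN), ("R", RST))
    return "".join(n for n, b in names if bits & b)

def has_saf(rec):
    return rec["flags"] & (SYN | ACK | FIN) == (SYN | ACK | FIN)

def export_flows(packets, active_timeout):
    """Aggregate (time, src, dst, flags) packets into unidirectional flow
    records, ORing the TCP flags and cutting a record once it has been
    active for active_timeout seconds."""
    active, done = {}, []
    for t, src, dst, flags in packets:
        rec = active.get((src, dst))
        if rec and t - rec["first"] >= active_timeout:
            done.append(active.pop((src, dst)))
            rec = None
        if rec is None:
            rec = active[(src, dst)] = {"src": src, "first": t, "flags": 0}
        rec["flags"] |= flags
    done.extend(active.values())
    return sorted(done, key=lambda r: r["first"])

def session(duration):
    """Constructed session: handshake, server data every 10 s, teardown."""
    pkts = [(0.0, C, S, SYN), (0.1, S, C, SYN | ACK), (0.2, C, S, ACK)]
    t = 10.0
    while t < duration:
        pkts += [(t, S, C, PSH | ACK), (t + 0.1, C, S, ACK)]
        t += 10.0
    return pkts + [(duration, C, S, FIN | ACK), (duration + 0.1, S, C, FIN | ACK),
                   (duration + 0.2, C, S, ACK)]

def guess_client(a, b):
    """Assumed heuristic: the flow whose first packet is earliest is the client."""
    return min(a, b, key=lambda r: r["first"])["src"]

if __name__ == "__main__":
    for label, dur in (("short session", 5.0), ("long session", 65.0)):
        print(label)
        for r in export_flows(session(dur), active_timeout=25):
            print(f"  {r['src']:<13} first={r['first']:5.1f} flags={flag_str(r['flags'])}")
```

In the long session the middle pair of records carries no SYN at all and the server's record starts first, so both the flag test and the first-packet test fail for it.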