[netflow-tools] flow_start and flow_finish

Brian Lindauer brian.lindauer at counterstorm.com
Wed Nov 22 09:32:19 EST 2006


I'm confused about the flow_start and flow_finish fields of
store_flow_complete.  The values that I'm getting don't seem to
correspond to unix timestamps (even after running them through ntohl).
The store_format_flow() function formats them as intervals, but that
doesn't make sense either.  Is this a bug in netflow parsing?

process_flow: ACCEPT flow FLOW recv_time 2006-11-20T23:35:38.901867
proto 6 tcpflags 00 tos 80 agent [172.16.1.150] src [172.16.1.154]:40534
dst [172.16.2.251]:443 gateway [0.0.0.0] packets 8 octets 1193 in_if 110
out_if 90 sys_uptime_ms 3w1d7h43m27s.204 time_sec 2006-11-20T23:35:38
time_nanosec 0 netflow ver 7 flow_start 3w1d7h38m18s.067 flow_finish
3w1d7h38m19s.218 src_AS 0 src_masklen 0 dst_AS 0 dst_masklen 0
engine_type 0 engine_id 0 seq 1025263 source 0 crc32 00000000

Thanks,
Brian

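In NetFlow v5/v7 records flow_start and flow_finish are the exporter's SysUptime (milliseconds since boot) at the flow's first and last packet, not Unix timestamps, which is why flowd formats them as intervals; a wall-clock time is recovered by taking their distance from the header's SysUptime (sys_uptime_ms) and applying that offset to the header's Unix time (time_sec/time_nanosec). The following is an added example (my code, not part of netflow-tools) that does this for the record quoted above; it assumes flowd's interval strings are weeks/days/hours/minutes/seconds with a three-digit millisecond suffix, treats all clocks as UTC, and tolerates one wrap of the 32-bit uptime counter.

```python
import re
from datetime import datetime, timedelta, timezone

_UNITS_MS = {"w": 604_800_000, "d": 86_400_000, "h": 3_600_000, "m": 60_000, "s": 1_000}
_INTERVAL = re.compile(r"^((?:\d+[wdhms])+)(?:\.(\d{3}))?$")
UPTIME_WRAP_MS = 2 ** 32  # SysUptime is a 32-bit millisecond counter; it wraps every ~49.7 days

def interval_to_ms(text: str) -> int:
    """Parse a flowd interval string such as '3w1d7h38m18s.067' into milliseconds (assumed syntax)."""
    m = _INTERVAL.match(text)
    if not m:
        raise ValueError(f"unrecognised interval: {text!r}")
    whole = sum(int(n) * _UNITS_MS[u] for n, u in re.findall(r"(\d+)([wdhms])", m.group(1)))
    return whole + int(m.group(2) or 0)

def uptime_delta_ms(uptime_at_export: int, uptime_at_event: int) -> int:
    """Milliseconds from the event forward to the export, tolerating one counter wrap in between."""
    delta = uptime_at_export - uptime_at_event
    return delta + UPTIME_WRAP_MS if delta < 0 else delta

def _field(line: str, key: str) -> str:
    """Value following 'key ' in a flowd 'process_flow' line (each key appears once per line)."""
    return re.search(rf"\b{key} (\S+)", line).group(1)

def flow_abs_times(line: str) -> tuple:
    """Return (start, finish) as UTC datetimes for one flowd 'process_flow' line.
    flow_start/flow_finish are the exporter's SysUptime at the flow's first and last
    packet; sys_uptime_ms is its SysUptime when the record was exported, so the
    difference is an offset back from the export wall clock (time_sec/time_nanosec)."""
    export_time = datetime.fromisoformat(_field(line, "time_sec")).replace(tzinfo=timezone.utc)
    export_time += timedelta(microseconds=int(_field(line, "time_nanosec")) // 1000)
    uptime_export = interval_to_ms(_field(line, "sys_uptime_ms"))
    def absolute(key: str) -> datetime:
        back = uptime_delta_ms(uptime_export, interval_to_ms(_field(line, key)))
        return export_time - timedelta(milliseconds=back)
    return absolute("flow_start"), absolute("flow_finish")

# The record quoted in the post, joined onto one line; its uptime fields are 5m9.137s and
# 5m7.986s behind sys_uptime_ms, so both flow times fall shortly after 23:30:28 UTC.
RECORD = (
    "process_flow: ACCEPT flow FLOW recv_time 2006-11-20T23:35:38.901867 proto 6 tcpflags 00 "
    "tos 80 agent [172.16.1.150] src [172.16.1.154]:40534 dst [172.16.2.251]:443 gateway [0.0.0.0] "
    "packets 8 octets 1193 in_if 110 out_if 90 sys_uptime_ms 3w1d7h43m27s.204 "
    "time_sec 2006-11-20T23:35:38 time_nanosec 0 netflow ver 7 flow_start 3w1d7h38m18s.067 "
    "flow_finish 3w1d7h38m19s.218 src_AS 0 src_masklen 0 dst_AS 0 dst_masklen 0"
)

if __name__ == "__main__":
    start, finish = flow_abs_times(RECORD)
    print(start.isoformat(), finish.isoformat(), finish - start)
```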