[netflow-tools] Simple netflow probe for linux

Damien Miller djm at mindrot.org
Mon Aug 24 17:19:32 EST 2009


On Mon, 24 Aug 2009, Koteswar wrote:

> Hi
> In softflowd, if I select track level as "ip" (softflowd -T ip) then it is
> filling other fields like protocol, src port, dst port, tcp flags to 0 and
> sending data flow set. But this is not correct behavior. It should not add
> these fields to data flow set or template flow set so that we can reduce
> exported flow data volume and network load (RFC3957).
> Please clarify if I am wrong?

The tracking level (-T flag) defines how much of the packets are inspected. 
Your setting of "ip" is the bare minimum, and does not include Layer-3
information like the protocol and protocol ports. Normally you would only
select this option if you were uninterested in this information.

If you do want to see source/destination ports and the protocol in use then
I suggest that you specify "-T full" or just leave the -T flag off, since
"full" is the default anyway.

-d
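
Added example, not part of the original message and not softflowd's own code: a simplified Python model of how the two tracking levels discussed above ("ip" and "full") change the flow key, and what a collector loses when ports and protocol are exported as 0. The packet list and the names `flow_key`, `track` and `distinct_dst_ports` are constructed for illustration, and the model keys flows in one direction only.

```python
from collections import defaultdict

# Constructed sample packets: (src, dst, proto, sport, dport, tcp_flags, length)
PACKETS = [
    ("10.0.0.5", "192.0.2.10", 6, 40001, 22, 0x02, 60),
    ("10.0.0.5", "192.0.2.10", 6, 40002, 23, 0x02, 60),
    ("10.0.0.5", "192.0.2.10", 6, 40003, 80, 0x02, 60),
    ("10.0.0.5", "192.0.2.10", 17, 5353, 53, 0x00, 90),
    ("10.0.0.7", "192.0.2.10", 6, 51000, 443, 0x18, 1500),
    ("10.0.0.7", "192.0.2.10", 6, 51000, 443, 0x10, 1500),
]

def flow_key(pkt, level):
    """Build the flow key for a tracking level (assumed model, not softflowd code)."""
    src, dst, proto, sport, dport = pkt[:5]
    if level == "ip":      # addresses only; other fields are left at 0
        return (src, dst, 0, 0, 0)
    if level == "full":    # addresses, protocol and ports
        return (src, dst, proto, sport, dport)
    raise ValueError("unknown tracking level: %r" % level)

def track(packets, level):
    """Aggregate packets into flow records keyed by flow_key()."""
    flows = {}
    for pkt in packets:
        rec = flows.setdefault(flow_key(pkt, level),
                               {"packets": 0, "octets": 0, "tcp_flags": 0})
        rec["packets"] += 1
        rec["octets"] += pkt[6]
        if level == "full" and pkt[2] == 6:   # TCP flags are only seen at "full"
            rec["tcp_flags"] |= pkt[5]
    return flows

def distinct_dst_ports(flows):
    """Per source, count distinct non-zero destination ports (a scan-detection input)."""
    ports = defaultdict(set)
    for (src, _dst, _proto, _sport, dport) in flows:
        if dport:
            ports[src].add(dport)
    return {src: len(p) for src, p in ports.items()}

if __name__ == "__main__":
    for level in ("ip", "full"):
        flows = track(PACKETS, level)
        print(level, len(flows), "flows; dst ports per source:",
              distinct_dst_ports(flows))
```

With the "ip" key the four probes from 10.0.0.5 collapse into one record with zeroed ports, so a collector that counts destination ports per source has nothing to count.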


