[netflow-tools] Weird duplicate netflow records
Csillag Tamas
cstamas at digitus.itk.ppke.hu
Mon Jan 5 12:13:21 EST 2009
On Mon, Jan 05, 2009 at 12:14:58AM +0100, Franz Böhm wrote:
> Please have a look at the following netflow records. Sometimes I get
> double records like the samples below.
> They were generated with pfflowd, collected with nfcapd and viewed with
> nfdump.
>
> 2009-01-04 11:00:26.556 5167.000 TCP 10.0.3.34:4147 -> 80.140.195.57:30730 8118 9.4 M 1
> 2009-01-04 11:00:26.556 5167.000 TCP 80.140.195.57:30730 -> 10.0.3.34:4147 4583 188560 1
> 2009-01-04 11:00:25.990 5178.000 TCP 10.0.3.34:4147 -> 80.140.195.57:30730 8118 9.4 M 1
> 2009-01-04 11:00:25.990 5178.000 TCP 80.140.195.57:30730 -> 10.0.3.34:4147 4583 188560 1
>
> 2009-01-04 14:25:26.720 800.000 TCP 10.0.3.50:1942 -> 87.248.217.89:80 19858 802352 1
> 2009-01-04 14:25:26.720 800.000 TCP 87.248.217.89:80 -> 10.0.3.50:1942 38147 53.9 M 1
> 2009-01-04 14:25:25.720 801.000 TCP 10.0.3.50:1942 -> 87.248.217.89:80 19858 802352 1
> 2009-01-04 14:25:25.720 801.000 TCP 87.248.217.89:80 -> 10.0.3.50:1942 38147 53.9 M 1
>
> I would be very thankful if someone has a hint for me.
Just guessing:
Are the states bound to one interface or two interfaces?
Regards,
cstamas
--
CSILLAG Tamas (cstamas) - http://digitus.itk.ppke.hu/~cstamas
The present need for security products far exceeds the number of individuals
capable of designing secure systems. Consequently, industry has resorted to
employing folks and purchasing "solutions" from vendors that shouldn't be let
near a project involving securing a system. -- Lucky Green