[netflow-tools] convert pcap to netflow with softflowd
Damien Miller
djm at mindrot.org
Thu Jul 9 17:53:18 EST 2009
On Sat, 4 Jul 2009, Simon wrote:
> Hi everyone,
>
> I am trying to use softflowd and nfcapd to turn a pcap into netflow data.
>
> I am starting nfcapd by running: nfcapd -p 12345 -l netflow/
> and softflowd by running: softflowd -n localhost:12345 -r singleflow.pcap
>
> This is the pcap I am trying to convert
>
> No. Time Source Destination Protocol Info
> 1 0.000000 192.168.1.73 74.86.135.174 TCP
> 2 0.149059 74.86.135.174 192.168.1.73 TCP
> 3 0.149170 192.168.1.73 74.86.135.174 TCP
> 4 0.149322 192.168.1.73 74.86.135.174 HTTP
> 5 0.200823 192.168.1.73 74.86.135.174 TCP
> 6 0.299411 74.86.135.174 192.168.1.73 TCP
> 7 0.319394 74.86.135.174 192.168.1.73 HTTP
> 8 0.319474 192.168.1.73 74.86.135.174 TCP
> 9 0.376528 74.86.135.174 192.168.1.73 TCP
> 10 0.376569 192.168.1.73 74.86.135.174 TCP
>
> This shows the pcap contains a single flow. However when I run nfdump on
> the produced nfcap file, I get: -
Correct, it shows the pcap contains a single _TCP_ flow.
[snip]
> Which shows there are two flows. Every time I try and convert a pcap to
> netflow I get double the number of flows I expect. Can anyone tell me why
> this is, and what I can do to correct it?
Netflow flow records are unidirectional, so each TCP flow will yield two
netflow flows; one for each direction.
-d
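
Added example, not part of the original message and not softflowd or nfdump code: one way to pair the two unidirectional records back into a single bidirectional session by keying on the protocol and the sorted endpoints. The addresses, packet counts and timestamps are taken from the packet list quoted above; the port numbers and the record field names are assumptions made for illustration.

```python
from collections import namedtuple

# One unidirectional NetFlow-style record (field names are illustrative).
Record = namedtuple("Record", "proto src sport dst dport packets first last")


def biflow_key(r):
    """Direction-independent key: protocol plus both endpoints in sorted order."""
    a, b = (r.src, r.sport), (r.dst, r.dport)
    return (r.proto,) + (a + b if a <= b else b + a)


def merge_biflows(records):
    """Pair unidirectional records into bidirectional sessions.

    The direction whose first packet is earliest is treated as the initiator.
    A record with no reverse partner stays as a one-way session.
    """
    sessions = {}
    for r in sorted(records, key=lambda rec: rec.first):
        key = biflow_key(r)
        s = sessions.get(key)
        if s is None:
            sessions[key] = {
                "proto": r.proto,
                "initiator": (r.src, r.sport),
                "responder": (r.dst, r.dport),
                "pkts_out": r.packets, "pkts_in": 0,
                "first": r.first, "last": r.last,
            }
            continue
        if (r.src, r.sport) == s["initiator"]:
            s["pkts_out"] += r.packets
        else:
            s["pkts_in"] += r.packets
        s["last"] = max(s["last"], r.last)
    return list(sessions.values())


# Constructed sample: the two records an exporter would emit for the quoted
# pcap. Ports 51234 and 80 are assumed; the pcap listing does not show them.
SAMPLE = [
    Record("TCP", "74.86.135.174", 80, "192.168.1.73", 51234, 4, 0.149059, 0.376528),
    Record("TCP", "192.168.1.73", 51234, "74.86.135.174", 80, 6, 0.000000, 0.376569),
]

if __name__ == "__main__":
    for session in merge_biflows(SAMPLE):
        print(session)
```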