[netflow-tools] Duplicate flow entry
Jason Dixon
jason at dixongroup.net
Sat May 21 07:06:22 EST 2005
On May 20, 2005, at 2:02 PM, Jason Dixon wrote:
> I'm working on a script which uses Flowd::read_flow (0.8.5 w/FIFO
> patches) to read in and then dump everything to a database.
> Everything looks fine, except I noticed a duplication of one entry
> during testing. The flow was a 10MB zeroes file scp'd from my laptop
> (192.168.0.14) to a server (10.0.0.104) binatted behind a PF box
> (192.168.0.22). You can see the duplication of this flow on lines
> 13-16 of the ascii table at:
>
> http://www.dixongroup.net/netmon.txt
>
> Any idea what might have caused this duplication? I see no other
> signs of duplication in the database.

I've updated the page to reflect my more recent findings. It appears
that this behavior has something to do with state being created on both
interfaces. That is to say, for connections that do NOT get routed
through the firewall (in this case, binat), I am only seeing one set of
flows (in/out) for each connection. However, if the connection is
passing from one network to the other, I see duplicate entries for each
flow. Obviously, a "SELECT DISTINCT" is a sufficient workaround, but I
would like to understand why this is happening.

http://www.dixongroup.net/netmon.txt (updated)

P.S. DJM is probably en route to the hackathon, so I'd be curious if
anyone else in the community has any ideas.

Thanks,
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
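
An added example, not part of the original post or of the netflow-tools code: a check that lists which stored flows have exact duplicates and compares byte totals with and without the "SELECT DISTINCT" workaround mentioned above. The `flows` table, its column set and all sample rows are assumptions constructed for illustration; they are not the poster's schema or data.

```python
import sqlite3

# Constructed sample rows; the column set is an assumption, not the poster's schema.
# (src_ip, src_port, dst_ip, dst_port, proto, octets, packets, first_seen, last_seen)
SAMPLE_FLOWS = [
    # scp from laptop to server, crossing the firewall: each direction stored twice
    ("192.168.0.14", 50122, "10.0.0.104", 22, 6, 10800000, 7400, 1000, 1012),
    ("192.168.0.14", 50122, "10.0.0.104", 22, 6, 10800000, 7400, 1000, 1012),
    ("10.0.0.104", 22, "192.168.0.14", 50122, 6, 210000, 3900, 1000, 1012),
    ("10.0.0.104", 22, "192.168.0.14", 50122, 6, 210000, 3900, 1000, 1012),
    # connection that is not routed through the firewall: one row per direction
    ("192.168.0.14", 50200, "192.168.0.22", 22, 6, 4200, 30, 1100, 1105),
    ("192.168.0.22", 22, "192.168.0.14", 50200, 6, 6100, 28, 1100, 1105),
]
COLS = "src_ip, src_port, dst_ip, dst_port, proto, octets, packets, first_seen, last_seen"

def load(rows):
    """Create an in-memory database holding the given flow rows."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE flows ({COLS})")
    db.executemany("INSERT INTO flows VALUES (?,?,?,?,?,?,?,?,?)", rows)
    return db

def duplicated_flows(db):
    """Rows stored more than once, each with its copy count as the last field."""
    return db.execute(
        f"SELECT {COLS}, COUNT(*) AS copies FROM flows "
        f"GROUP BY {COLS} HAVING COUNT(*) > 1 ORDER BY src_ip"
    ).fetchall()

def distinct_flows(db):
    """The SELECT DISTINCT workaround: one row per identical record."""
    return db.execute(f"SELECT DISTINCT {COLS} FROM flows").fetchall()

def total_octets(db, distinct):
    """Sum of octets over the raw table or over its de-duplicated view."""
    src = f"(SELECT DISTINCT {COLS} FROM flows)" if distinct else "flows"
    return db.execute(f"SELECT SUM(octets) FROM {src}").fetchone()[0]

if __name__ == "__main__":
    db = load(SAMPLE_FLOWS)
    for row in duplicated_flows(db):
        print("duplicated:", row)
    print("raw octets:", total_octets(db, False),
          "deduplicated:", total_octets(db, True))
```

`SELECT DISTINCT` only collapses rows that match in every selected column, so two copies that differ in any stored field would both remain.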