From fw at deneb.enyo.de Sat Apr 1 01:11:25 2006
From: fw at deneb.enyo.de (Florian Weimer)
Date: Fri, 31 Mar 2006 16:11:25 +0200
Subject: [netflow-tools] flowd-reader export
In-Reply-To: <20060328134551.GG1122@bashibuzuk.net> (Yann Berthier's message of "Tue, 28 Mar 2006 15:45:51 +0200")
References: <44235DBB.1040401@netoptions.com.au> <87r74rimi7.fsf@mid.deneb.enyo.de> <44276157.4040508@netoptions.com.au> <87hd5ipyml.fsf@mid.deneb.enyo.de> <20060328134551.GG1122@bashibuzuk.net>
Message-ID: <87wteaemb6.fsf@mid.deneb.enyo.de>

* Yann Berthier:

> On Tue, 28 Mar 2006, at 14:00, Florian Weimer wrote:
>
>> * Murray Shields:
>>
>> > Makes sense to me. Any holes in this logic?
>>
>> It might be a very long connection which results in multiple flows.
>> In this case, the first packet in the two flows is not sent by the
>> client.
>>
>> In general, it is quite difficult to reconstruct the roles without TCP
>> flags export (and the way it is done by some vendors is not really
>> helpful, either).
>
> Even when you are lucky enough to have the flags, it's not that
> helpful: as flags are ORed, you end up for a 'complete' TCP
> 'session' with both uni-directional flows having at least SAF set -
> no way to distinguish the client (in an IP sense) from the server
>
> Or do I misunderstand you?

I would expect a configuration tweak to break the netflow spec and
transmit the flag of the *first* segment. 8-)

The SAF combo is not very useful indeed.

From nd at u4eatech.com Tue Apr 11 22:14:50 2006
From: nd at u4eatech.com (Neil)
Date: Tue, 11 Apr 2006 13:14:50 +0100
Subject: [netflow-tools] softflowd netflow V9 export bug
In-Reply-To: <443B9D14.6000407@u4eatech.com>
References: <443B9D14.6000407@u4eatech.com>
Message-ID: <443B9DBA.70106@u4eatech.com>

Hi,

> I've been looking at softflowd. I was looking at the NetFlow V9 export;
> I was decoding it as CFLOW using Ethereal. I noticed that Ethereal
> was telling me that it was expecting more FlowSets than there
> actually were.
> I looked into the netflow9.c file and found that the code
> is incrementing the FlowSet count for every flow that is being sent.
> So if, for example, you are sending a packet with a template FlowSet
> and a data FlowSet the count should only be 2, not the number of
> flows sent in the data FlowSet. This only applies to V9 of NetFlow.
> The bug is pretty simple to fix.
>
> nf9->flows
>
> should only be incremented when a template FlowSet or data FlowSet is
> added to the packet.
>
> Hope this helps.
>
> Cheers,
>
> Neil.
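The count semantics Neil describes (one increment per template or data FlowSet, not per flow record) can be checked on the collector side. The following is an added example, not softflowd's or Ethereal's code: it builds a constructed v9 packet with one template FlowSet and one data FlowSet, walks the FlowSets and compares the header's count field with the number of FlowSets, and also tallies records so a collector can see which convention a given exporter follows. Template 256 with fields IPV4_SRC_ADDR, IPV4_DST_ADDR and IN_BYTES, and the sysuptime/timestamp values, are constructed sample values.

```python
import struct

# NetFlow v9 packet header: version, count, sysuptime, unix_secs, seq, source_id
NF9_HEADER = struct.Struct("!HHIIII")

def build_v9_packet(flows, count_field):
    """Constructed v9 export: one template FlowSet (id 0, template 256) and one
    data FlowSet (id 256) carrying `flows`; `count_field` goes into the header."""
    # Template 256 = IPV4_SRC_ADDR(8, len 4), IPV4_DST_ADDR(12, len 4), IN_BYTES(1, len 4)
    template = struct.pack("!HHHHHHHH", 256, 3, 8, 4, 12, 4, 1, 4)
    tmpl_set = struct.pack("!HH", 0, 4 + len(template)) + template
    recs = b"".join(struct.pack("!4s4sI", s, d, n) for s, d, n in flows)
    data_set = struct.pack("!HH", 256, 4 + len(recs)) + recs
    return NF9_HEADER.pack(9, count_field, 1000, 1143800000, 1, 0) + tmpl_set + data_set

def tally_v9(pkt):
    """Walk the FlowSets after the header; return (header_count, flowsets, records)."""
    version, count = struct.unpack_from("!HH", pkt, 0)
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    rec_len = {}  # template id -> record length learned from template FlowSets
    off, flowsets, records = NF9_HEADER.size, 0, 0
    while off + 4 <= len(pkt):
        set_id, length = struct.unpack_from("!HH", pkt, off)
        if length < 4 or off + length > len(pkt):
            raise ValueError("malformed FlowSet length at offset %d" % off)
        flowsets += 1
        if set_id == 0:  # template FlowSet: one or more template records
            p, end = off + 4, off + length
            while p + 4 <= end:
                tid, nfields = struct.unpack_from("!HH", pkt, p)
                fields = struct.unpack_from("!%dH" % (2 * nfields), pkt, p + 4)
                rec_len[tid] = sum(fields[1::2])  # sum of field lengths
                records += 1
                p += 4 + 4 * nfields
        elif set_id >= 256 and rec_len.get(set_id):  # data FlowSet with known template
            records += (length - 4) // rec_len[set_id]
        off += length
    return count, flowsets, records

def header_count_matches_flowsets(pkt):
    """The check as the message describes it: header count == number of FlowSets."""
    count, flowsets, _ = tally_v9(pkt)
    return count == flowsets
```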