[netflow-tools] flowd-reader export

Damien Miller djm at mindrot.org
Sat Mar 25 11:12:54 EST 2006


On Fri, 24 Mar 2006, Nathan Einwechter wrote:

> 
> Along the same lines of this question; when NetFlow lists something as
> being the "Source", for TCP connections, does this mean the full
> connection source (within the context of a TCP connection,
> three-way-handshake etc), or just where that specific set of packets is
> going to/coming from?

The latter, unfortunately.

NetFlow's design shows its lineage as part of Cisco's old forwarding
cache - it doesn't have any conceptions of bidirectionality. Even
NetFlow v.9 has not addressed this problem.

Maybe IPFIX (IETF flow export) will, but I haven't looked at the 
drafts for a while. 

-d




More information about the netflow-tools mailing list