[netflow-tools] flowd-reader export
djm at mindrot.org
Sat Mar 25 11:12:54 EST 2006
On Fri, 24 Mar 2006, Nathan Einwechter wrote:
> Along the same lines of this question; when NetFlow lists something as
> being the "Source", for TCP connections, does this mean the full
> connection source (within the context of a TCP connection,
> three-way-handshake etc), or just where that specific set of packets is
> going to/coming from?
The latter, unfortunately.

NetFlow's design shows its lineage as part of Cisco's old forwarding
cache - it doesn't have any conceptions of bidirectionality. Even
NetFlow v.9 has not addressed this problem.

Maybe IPFIX (IETF flow export) will, but I haven't looked at the
drafts for a while.
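
Because each NetFlow record describes one direction only, an analyst who needs the connection-level view has to pair the records afterwards. The sketch below is an added example, not part of the original post and not flowd code: the `Flow` field names and sample records are constructed, and treating the earliest-starting direction as the initiator is a heuristic assumed here.

```python
from collections import namedtuple

# Constructed sample records; field names are assumptions, not flowd's schema.
Flow = namedtuple("Flow", "src sport dst dport proto first_ms packets")

SAMPLE = [
    Flow("192.0.2.10", 51000, "198.51.100.5", 443, 6, 1000, 12),
    Flow("198.51.100.5", 443, "192.0.2.10", 51000, 6, 1004, 10),
    # Exported out of order: reply direction appears before the request.
    Flow("198.51.100.5", 22, "192.0.2.77", 40022, 6, 2050, 30),
    Flow("192.0.2.77", 40022, "198.51.100.5", 22, 6, 2000, 28),
    # No reverse record at all (unanswered probe or asymmetric path).
    Flow("203.0.113.9", 33333, "198.51.100.5", 23, 6, 3000, 1),
]

def session_key(f):
    """Direction-independent key: protocol plus both endpoints, sorted."""
    a, b = (f.src, f.sport), (f.dst, f.dport)
    return (f.proto,) + (a + b if a <= b else b + a)

def pair_flows(flows):
    """Group unidirectional records into sessions and guess the initiator.

    Heuristic (assumed for this example): the direction whose earliest
    record starts first is the initiator. Export order is ignored.
    """
    groups = {}
    for f in flows:
        groups.setdefault(session_key(f), []).append(f)

    sessions = []
    for recs in groups.values():
        first = min(recs, key=lambda f: f.first_ms)
        origin = (first.src, first.sport)
        fwd = [f for f in recs if (f.src, f.sport) == origin]
        rev = [f for f in recs if (f.src, f.sport) != origin]
        sessions.append({
            "initiator": origin,
            "responder": (first.dst, first.dport),
            "pkts_out": sum(f.packets for f in fwd),
            "pkts_in": sum(f.packets for f in rev),
            "one_way": not rev,  # only one direction was ever exported
        })
    return sorted(sessions, key=lambda s: s["initiator"])

if __name__ == "__main__":
    for s in pair_flows(SAMPLE):
        print(s)
```

Sessions flagged `one_way` are worth keeping rather than discarding: they cover unanswered traffic as well as paths where only one direction crosses the exporting router.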