[netflow-tools] flowd-reader export

[Murray Shields]

Jean-Philippe Luiggi wrote:
> Hello,
>
> On Fri, Mar 24, 2006 at 12:47:23PM +1000, Murray Shields wrote:
>   
>> Is there any documentation on the export as generated by flowd-reader? 
>> For example, what are the possible values and meanings for proto (I know 
>> 6 is TCP)? What is the most accurate way of matching bi-directional 
>> packets (is it simply a specific port number range)?
>>     
>
> About protocols : less /etc/protocols (Unix) or "www.iana.org" 
> and for "bi-directional matching": on the server's side, there's one defined
> port but from client's point of vue, it's not true.
>
>   
>> Can I simply assume that the LOWER port number is the port, and the 
>> higher is for matching?
>>     
>
> I'm not sure to understand what do you want to say ?
>   
UDP packets are easy: in the test feed I am currently looking at the 
source has a port of zero (0) and the destination 771. For example:

[192.168.1.1]:0 => [192.168.2.254]:771

But for unidirectional we are effectively getting two port numbers via 
two matching flow records. For example:

[192.168.2.1]:45223 => [192.168.1.1]:80
[192.168.1.1]:80 => [192.168.2.1]:45223

For my purposes I do not need to match these two lines as this is for an 
ISP billing system (and they only bill for outgoing, not incoming). I 
also need to allocate the traffic to services via the ip address (eg, 
group port 80 web traffic on the bill).

Looking at a single line in isolation the other port (45223) is 
significantly higher that the port for web traffic (80) that I am 
interested in. So to rephrase the question: can I assume that the port 
number that I need to look at is ALWAYS the lower of the two port 
numbers? That is, discard the higher number (45223) and assume that the 
traffic relates to the lower port (in this instance, port 80)? Is there 
a circumstance where this would fail me?

Regards,

Murray.
> Best regards.
>
>