Murray Shields murray.shields at netoptions.com.au
Mon Mar 27 14:51:51 EST 2006

Florian Weimer wrote:
> * Murray Shields:
>> Is there any documentation on the export as generated by flowd-reader? 
>> For example, what are the possible values and meanings for proto (I know 
>> 6 is TCP)? What is the most accurate way of matching bi-directional 
>> packets (is it simply a specific port number range)?
> You can match the connection quadruple (twice IP address and port).
> They are the same for both directions, except that sender and receiver
> are swapped.
When you perform this match (I will have to add the received time into 
this equation as I am getting repeats at different times) this will give 
me a bi-directional pair for a request/response flow of traffic. 
THEREFORE can I use the destination port from the FIRST of these two 
records, and use it as the port identifying the type of traffic?

For instance, the following matched pair:

[]:45223 => []:80
[]:80 => []:45223

means: used port 45223 to send a packet request to a web server on using port 80. used port 80 to send a response to using port 45223.

Therefore the port indicating the traffic type is 80 (the first 

Makes sense to me. Any holes in this logic?
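As an added illustration of the matching being discussed (this is the editor's example, not code from flowd or from either poster): pair unidirectional flow records by their connection quadruple, split repeats of the same quadruple at different times into separate conversations, and then choose the port that identifies the service. One caveat a practitioner will want: the first exported record is not guaranteed to be the request, because a collector emits a record when a flow expires and the two directions need not expire in order, so the example prefers the earliest-starting flow's destination port only when it is a well-known port and otherwise falls back to the lower port of the pair. The record layout, the 120-second pairing window, the 1024 well-known-port boundary and all sample flows are constructed assumptions, not flowd-reader's actual output.

```python
"""Pair unidirectional flow records into bidirectional conversations and
pick the service port. Editor's example; the record format is constructed
and is not flowd-reader's real output."""
from dataclasses import dataclass
from collections import defaultdict

# IANA protocol numbers as carried in the flow's proto field.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
WELL_KNOWN = 1024      # assumption: ports below this are "service" ports
PAIR_WINDOW = 120      # assumption: seconds within which two halves belong together


@dataclass(frozen=True)
class Flow:
    start: int   # flow start time in seconds (constructed)
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    packets: int


def conversation_key(f: Flow):
    """Direction-independent key: order the two (addr, port) endpoints so
    both directions of one connection map to the same tuple."""
    a, b = (f.src, f.sport), (f.dst, f.dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return (f.proto, lo, hi)


def pair_flows(flows, window=PAIR_WINDOW):
    """Group flows by connection quadruple, then split each group into
    conversations whose start times lie within `window` seconds. Repeats of
    the same quadruple later on (a reused ephemeral port) become separate
    conversations; a conversation holds at most one record per direction."""
    by_key = defaultdict(list)
    for f in flows:
        by_key[conversation_key(f)].append(f)
    conversations = []
    for group in by_key.values():
        group.sort(key=lambda f: f.start)
        open_convs = []
        for f in group:
            for conv in open_convs:
                same_dir = any((g.src, g.sport) == (f.src, f.sport) for g in conv)
                if f.start - conv[0].start <= window and not same_dir:
                    conv.append(f)
                    break
            else:
                open_convs.append([f])
        conversations.extend(open_convs)
    return conversations


def service_port(conv):
    """Port identifying the application. Export order is not request order,
    so trust the earliest flow's destination port only when it looks like a
    server port; otherwise fall back to the lower port seen in the pair."""
    first = min(conv, key=lambda f: f.start)
    if first.dport < WELL_KNOWN <= first.sport:
        return first.dport
    return min(p for f in conv for p in (f.sport, f.dport))


def summarize(flows, window=PAIR_WINDOW):
    """One summary row per conversation, sorted by start time."""
    rows = []
    for conv in pair_flows(flows, window):
        conv.sort(key=lambda f: f.start)
        rows.append({
            "start": conv[0].start,
            "proto": PROTO_NAMES.get(conv[0].proto, str(conv[0].proto)),
            "service_port": service_port(conv),
            "records": len(conv),
        })
    rows.sort(key=lambda r: (r["start"], r["service_port"]))
    return rows


# Constructed sample: an HTTP exchange, the same ephemeral port reused 5
# minutes later, a DNS exchange, and a PostgreSQL flow whose reply record
# is missing from the export.
SAMPLE_FLOWS = [
    Flow(100, 6, "10.0.0.5", 45223, "192.0.2.10", 80, 6),
    Flow(100, 6, "192.0.2.10", 80, "10.0.0.5", 45223, 5),
    Flow(400, 6, "10.0.0.5", 45223, "192.0.2.10", 80, 4),
    Flow(401, 6, "192.0.2.10", 80, "10.0.0.5", 45223, 3),
    Flow(150, 17, "10.0.0.5", 53001, "192.0.2.53", 53, 1),
    Flow(150, 17, "192.0.2.53", 53, "10.0.0.5", 53001, 1),
    Flow(200, 6, "10.0.0.7", 51000, "192.0.2.20", 5432, 10),
]

if __name__ == "__main__":
    for row in summarize(SAMPLE_FLOWS):
        print(row)
```

The PostgreSQL row shows why the fallback matters: with only the client-to-server half present, the "first record's destination port" rule still yields 5432, and with both halves present but the reply exported first it still does not pick the ephemeral port.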


