[netflow-tools] flowd-reader export

Murray Shields murray.shields at netoptions.com.au
Mon Mar 27 14:51:51 EST 2006


Florian Weimer wrote:
> * Murray Shields:
>
>> Is there any documentation on the export as generated by flowd-reader?
>> For example, what are the possible values and meanings for proto (I know
>> 6 is TCP)? What is the most accurate way of matching bi-directional
>> packets (is it simply a specific port number range)?
>
> You can match the connection quadruple (twice IP address and port).
> They are the same for both directions, except that sender and receiver
> are swapped.
>
When you perform this match (I will have to add the received time into 
this equation as I am getting repeats at different times) this will give 
me a bi-directional pair for a request/response flow of traffic. 
THEREFORE can I use the destination port from the FIRST of these two 
records, and use it as the port identifying the type of traffic?

For instance, the following matched pair:


[192.168.2.1]:45223 => [192.168.1.1]:80
[192.168.1.1]:80 => [192.168.2.1]:45223

means:

192.168.2.1 used port 45223 to send a packet requesting a web server on 
192.168.1.1 using port 80.
192.168.1.1 used port 80 to send a response to 192.168.2.1 using port 45223.

Therefore the port indicating the traffic type is 80 (the first 
destination).

Makes sense to me. Any holes in this logic?


Murray.
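The pairing Florian describes and the service-port rule Murray proposes, worked through in code. This is an added example, not part of the thread and not flowd or flowd-reader code: the record layout (start_time, proto, src, sport, dst, dport), the sample records, the 60-second pairing window and the function names are all assumptions made for the example. Protocol numbers are the IANA ones (6 = TCP, 17 = UDP, 1 = ICMP); the protocol is folded into the key alongside the quadruple so that a TCP and a UDP flow between the same endpoints and ports are not paired with each other.

```python
from collections import defaultdict

# IANA protocol numbers as they appear in a proto field (6 = TCP, as the post notes).
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample records, NOT flowd-reader output; the field layout
# (start_time, proto, src, sport, dst, dport) is an assumption for this example.
RECORDS = [
    (1000, 6, "192.168.2.1", 45223, "192.168.1.1", 80),
    (1001, 6, "192.168.1.1", 80, "192.168.2.1", 45223),
    # UDP pair whose two records carry the same start time.
    (1005, 17, "192.168.2.1", 53001, "192.168.1.1", 53),
    (1005, 17, "192.168.1.1", 53, "192.168.2.1", 53001),
    # The same TCP quadruple seen again much later: a new pair, not a duplicate.
    (5000, 6, "192.168.2.1", 45223, "192.168.1.1", 80),
    (5002, 6, "192.168.1.1", 80, "192.168.2.1", 45223),
    # One-sided flow: no reverse record within the window.
    (7000, 6, "10.0.0.5", 40000, "192.168.1.1", 443),
]


def flow_key(proto, src, sport, dst, dport):
    """Direction-independent key: the quadruple with its two endpoints sorted,
    plus the protocol, so A->B and B->A of one connection collide."""
    a, b = (src, sport), (dst, dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return (proto, lo, hi)


def is_reverse(first, second):
    """True when `second` has the endpoints of `first` swapped."""
    return second[2:4] == first[4:6] and second[4:6] == first[2:4]


def pair_flows(records, window=60):
    """Pair each record with the first reverse-direction record of the same
    protocol+quadruple that starts within `window` seconds of it.
    Records that never pair off (one-sided traffic, or a repeat of the same
    quadruple seen at a different time) are returned separately."""
    by_key = defaultdict(list)
    # Sort by start time; on a tie Python compares the remaining fields, so the
    # exporter's real ordering of the two directions is lost (see describe()).
    for rec in sorted(records):
        by_key[flow_key(*rec[1:])].append(rec)

    pairs, unmatched = [], []
    for recs in by_key.values():
        pending = None
        for rec in recs:
            if (pending is not None and is_reverse(pending, rec)
                    and rec[0] - pending[0] <= window):
                pairs.append((pending, rec))
                pending = None
            else:
                if pending is not None:
                    unmatched.append(pending)
                pending = rec
        if pending is not None:
            unmatched.append(pending)
    return pairs, unmatched


def describe(pair):
    """Summarise a matched pair two ways: the post's rule (destination port of
    the first record) and a common fallback (the lower of the two port numbers)."""
    first, _ = pair
    _start, proto, src, sport, dst, dport = first
    return {
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "client": f"{src}:{sport}",
        "server": f"{dst}:{dport}",
        "first_dst_port": dport,
        "lowest_port": min(sport, dport),
    }


if __name__ == "__main__":
    pairs, unmatched = pair_flows(RECORDS)
    for p in pairs:
        print(describe(p))
    print("unmatched:", unmatched)
```

The two TCP pairs come out as expected (first destination port 80, client 192.168.2.1:45223). The UDP pair shows the hole in the first-destination rule: both records start in the same second, the response happens to sort first, and the rule reports 53001 as the service port while the lowest-port fallback reports 53. Whenever flow start times are coarse or the exporter does not preserve ordering, prefer the lower or well-known port, or the side whose port is in the ephemeral range, over "whichever record came first". The one-sided 10.0.0.5 record is left unmatched rather than forced into a pair.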