[netflow-tools] flowd-reader export

Nathan Einwechter nathan at inorb.com
Wed Mar 29 03:15:53 EST 2006

Yann Said:
   Even when you are lucky enough to have the flags, it not that
   helpful: as flags are ORed, you end up for a 'complete' tcp
   'session' with both uni-directional flows having at least SAF set -
   no way to distinguish the client (in an ip sense) from the server

   Or do i minsunderstand you 


Okay - here's what I'm doing now as a test and want to see if this will
work as I anticipate. For TCP connections, I'm filtering only those that
are active connections (in my case, I don't care about those that aren't
full fledged connections) using the flags ala:
tcp_flags mask 0x12 equals 0x12

This creates a situation where the true connection source and
destinations are reversed in the log, due to the stage of communications
that these flags are set.

So, when I export them using my perl exporter, I simply invert them once
again to get the true source and destination for my final processing.

Does this work as I anticipate? Would this give me the actual source and
destinations? From what I've seen it does, but there may be exceptions.

Also, you mention, in a later message, that connections separated by
significant time will not be aggregated into a single entry. Any idea
how long this is etc? That becomes important. I have a long and memory
intensive process to remove these duplicates, but if I could have a
timeframe after which duplicate entries are not inserted, then I could
reduce the inefficiency of this process.

Thanks again.

-- Nathan

More information about the netflow-tools mailing list