From AndreasRuetten at gmx.de Tue Jan 15 05:00:29 2008
From: AndreasRuetten at gmx.de (Andreas Rütten)
Date: Mon, 14 Jan 2008 19:00:29 +0100
Subject: [netflow-tools] Confusion on Packet Size
Message-ID: <20080114190029.5c49d33a@elba.inselnet.intern>

Hello list,

I have some NetFlows collected with softflowd and I need some information about the meaning of some fields.

The Flows I have are TCP connections with 1 packet of 46 or 60 Bytes.
What will be counted for the field "bytes"?

An Ethernet Packet has to be at least 72 bytes: 64 for the minimum Ethernet Frame and 8 for Preamble and SFD.
So it couldn't be the whole Packet.

The Ethernet Payload has a minimum of 46 Bytes, so maybe a single TCP ACK or SYN Packet can be the one I have captured?
20 Bytes IP Header + 20 TCP Header + 6 Bytes X

But then what are these 6 Bytes for?
And what Packets are typical for 60 bytes?

Thanks for any hint.

Andreas
-- 
Andreas Rütten
mailto : AndreasRuetten at gmx.de
PGP DSA/1024, C1CC335C, A655 0268 CEA6 A3DA 30AA D356 A450 30BD C1CC 335C
--

From djm at mindrot.org Wed Jan 23 03:03:24 2008
From: djm at mindrot.org (Damien Miller)
Date: Wed, 23 Jan 2008 03:03:24 +1100 (EST)
Subject: [netflow-tools] Confusion on Packet Size
In-Reply-To: <20080114190029.5c49d33a@elba.inselnet.intern>
References: <20080114190029.5c49d33a@elba.inselnet.intern>
Message-ID:

On Mon, 14 Jan 2008, Andreas Rütten wrote:

> Hello list,
>
> I have some NetFlows collected with softflowd and I need some information
> about the meaning of some fields.
>
> The Flows I have are TCP connections with 1 packet of 46 or 60 Bytes.
> What will be counted for the field "bytes"?
>
> An Ethernet Packet has to be at least 72 bytes.
> 64 for the minimum Ethernet Frame and 8 for Preamble and SFD.
> So it couldn't be the whole Packet.
>
> The Ethernet Payload has a minimum of 46 Bytes, so maybe a single TCP ACK
> or SYN Packet can be the one I have captured?
> 20 Bytes IP Header + 20 TCP Header + 6 Bytes X
>
> But then what are these 6 Bytes for?
> And what Packets are typical for 60 bytes?

They are probably TCP packets with options.

20 bytes IP header + 20 bytes TCP header + Timestamp (10 bytes) + SACK (min 10 bytes) = 60 bytes

You can check for sure by tcpdumping the actual traffic that softflowd is reporting and comparing (use "tcpdump -vvv" to see all the TCP bits).

-d

From Heath at snookmz.com Wed Jan 30 11:56:53 2008
From: Heath at snookmz.com (Heath Snoek)
Date: Wed, 30 Jan 2008 11:56:53 +1100
Subject: [netflow-tools] logsock functionality failing
Message-ID: <479FCB55.8080905@snookmz.com>

G'day

I am trying to run flowd in logsock mode. Everything appears to be working fine when I output in logfile mode, but I am receiving the following error in logsock mode:

hugo:~# flowd -d
read_config: entering
child_get_config: entering
drop_privs: dropping privs without chroot
send_config: entering fd = 4
send_config: done
child_get_config: child config done
recv_config: entering fd = 3
recv_config: ready to receive config
Listener for [127.0.0.1]:12345 fd = 3
Increased socket receive buffer from 109568 to 524288
Setting socket send buf to 1024
Listener for [::1]:12345 fd = 4
Increased socket receive buffer from 109568 to 524288
Setting socket send buf to 1024
Listener for [192.168.100.27]:99 fd = 5
Increased socket receive buffer from 109568 to 524288
Setting socket send buf to 1024
privsep_init: entering
drop_privs: dropping privs with chroot
init_pfd: entering (num_fds = 0)
init_pfd: done (num_fds = 4)
client_open_socket: entering
answer_open_socket: entering
connect to logsock: No such file or directory
receive_fd: recvmsg: expected received 1 got 0
hugo:~#
hugo:~# touch /var/run/flowd.sock
hugo:~# flowd -d
read_config: entering
child_get_config: entering
drop_privs: dropping privs without chroot
send_config: entering fd = 4
send_config: done
child_get_config: child config done
recv_config: entering fd = 3
recv_config: ready to receive config
Listener for [127.0.0.1]:12345 fd = 3
Increased socket receive buffer from 109568 to 524288
Setting socket send buf to 1024
Listener for [::1]:12345 fd = 4
Increased socket receive buffer from 109568 to 524288
Setting socket send buf to 1024
Listener for [192.168.100.27]:99 fd = 5
Increased socket receive buffer from 109568 to 524288
Setting socket send buf to 1024
privsep_init: entering
drop_privs: dropping privs with chroot
init_pfd: entering (num_fds = 0)
init_pfd: done (num_fds = 4)
client_open_socket: entering
answer_open_socket: entering
connect to logsock: Connection refused
receive_fd: recvmsg: expected received 1 got 0
hugo:~#

Any ideas as to what I might be doing wrong?

I'm running flowd version 0.9, offloading using a Cisco 877 router in netflow version 9 and running flowd under linux kernel 2.6.

From Heath at snookmz.com Thu Jan 31 16:00:59 2008
From: Heath at snookmz.com (Heath Snoek)
Date: Thu, 31 Jan 2008 16:00:59 +1100
Subject: [netflow-tools] mailing list suggestions
Message-ID: <47A1560B.3020505@snookmz.com>

Hi list

I have been playing around with flowd over the last couple of days, so I would firstly like to give my thanks and congratulations to all those involved in the project (thanks Damien!).

I wonder if I could be so bold as to make a couple of observations/suggestions?

Because of the robots.txt file within the netflow-tools mailing list, it appears that Google is respecting the 'Disallow' tag and not indexing the mailing list archive. Being that there is no search function, and no indexing from Google, it is difficult to search the list for persistent problems/questions.
My 'quick' workaround:

wget -m -erobots=off http://lists.mindrot.org/pipermail/netflow-tools/
grep *

Would it be worthwhile creating a FAQ, and removing indexing/adding a search function, a wiki for tutorials etc?

Two questions that I need to find the answer to have been asked previously; the first of the two has been asked twice already (not including my post the other day):

The logsock error:
connect to logsock: No such file or directory

Discussed in:
http://lists.mindrot.org/pipermail/netflow-tools/2006-May/000198.html
http://lists.mindrot.org/pipermail/netflow-tools/2006-November/000242.html
and my question
http://lists.mindrot.org/pipermail/netflow-tools/2008-January/000355.html

And a further question, asked once previously:
http://lists.mindrot.org/pipermail/netflow-tools/2006-November/000244.html

I've run into some issues trying to work out some of the fields that flowd is returning, specifically: flow_start and flow_finish.

flow_start 4d10m5s.348
flow_finish 4d10m5s.272

Firstly, why is flow_start LATER than flow_finish, and what exactly is that time format (*confused*)?

I have been searching around and have come up with a document from Cisco.com describing the netflow version 9 datagram, which can be found here:
http://tinyurl.com/24jvyz
http://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.html

But it doesn't appear to describe flow_start or flow_finish, so perhaps this is a flowd specific naming convention?

Cheers
Heath
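The 60-byte arithmetic in Damien's reply to the "Confusion on Packet Size" thread above, as an added example that is not softflowd's or flowd's own code: a constructed IPv4/TCP ACK laid out as 20 IP + 20 TCP + Timestamp (10) + SACK (10), and a small TCP option walker that reports the same breakdown you would otherwise read off "tcpdump -vvv". Addresses, ports and option values are made up; the nop_padded variant goes slightly beyond the reply by showing the two NOPs most stacks put in front of each option, which is why a real capture often comes out a few bytes above the minimum.

```python
import struct

TCP_OPTION_NAMES = {2: "MSS", 3: "WSCALE", 4: "SACK-permitted", 5: "SACK", 8: "Timestamp"}


def build_sample_ack(nop_padded: bool = False) -> bytes:
    """Constructed IPv4/TCP ACK with no payload (addresses, ports, values made up).

    nop_padded=False gives the 60-byte layout from the list reply:
    20 IP + 20 TCP + Timestamp (10) + SACK (10).
    nop_padded=True puts two NOPs before each option, as most stacks do (64 bytes).
    """
    nop = b"\x01\x01" if nop_padded else b""
    opts = nop + struct.pack("!BBII", 8, 10, 12345, 67890)   # Timestamp: kind 8, len 10
    opts += nop + struct.pack("!BBII", 5, 10, 1000, 2000)    # SACK, one block: kind 5, len 10
    tcp_len = 20 + len(opts)                                 # header length, multiple of 4
    total_len = 20 + tcp_len                                 # IP total length, no payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                     bytes([192, 168, 100, 27]), bytes([10, 0, 0, 1]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, (tcp_len // 4) << 4, 0x10, 65535, 0, 0)
    return ip + tcp + opts


def dissect(pkt: bytes) -> dict:
    """Split an IPv4/TCP packet into the byte counts a NetFlow 'bytes' value is built from."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:total_len]
    doff = (tcp[12] >> 4) * 4                # TCP data offset = header incl. options
    options, i = [], 20
    while i < doff:
        kind = tcp[i]
        if kind == 0:                        # End of option list; the rest is padding
            break
        if kind == 1:                        # NOP has no length byte
            options.append(("NOP", 1))
            i += 1
            continue
        length = tcp[i + 1] if i + 1 < doff else 0
        if length < 2 or i + length > doff:  # malformed option: stop rather than loop forever
            options.append(("malformed", doff - i))
            break
        options.append((TCP_OPTION_NAMES.get(kind, f"kind-{kind}"), length))
        i += length
    return {"total": total_len, "ip_header": ihl, "tcp_header": 20,
            "tcp_options": doff - 20, "payload": total_len - ihl - doff,
            "options": options}
```

Run dissect() over the IP payload of a packet from your own capture to compare the option bytes it counts with the flow's "bytes" field.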