[netflow-tools] Simple netflow probe for linux

Koteswar koti.kelam at gmail.com
Mon Aug 24 17:59:23 EST 2009


But while sending a template record, it is better not to add unwanted fields
like protocol and port. And when sending a data record, also do not add the
protocol and port fields if track level "ip" is selected. In softflowd we
are sending all the fields independent of track level, but setting unwanted
fields to 0.

Regards
Koteswar

On Mon, Aug 24, 2009 at 12:49 PM, Damien Miller <djm at mindrot.org> wrote:

> On Mon, 24 Aug 2009, Koteswar wrote:
>
> > Hi
> > In softflowd, if I select track level as "ip" (softflowd -T ip) then it is
> > filling other fields like protocol, src port, dst port, tcp flags to 0 and
> > sending data flow set. But this is not correct behavior. It should not add
> > these fields to data flow set or template flow set so that we can reduce
> > exported flow data volume and network load (RFC3957).
> > Please clarify if I am wrong?
>
> The tracking level (-T flag) defines how much of the packets are inspected.
> Your setting of "ip" is the bare minimum, and does not include Layer-3
> information like the protocol and protocol ports. Normally you would only
> select this option if you were uninterested in this information.
>
> If you do want to see source/destination ports and the protocol in use then
> I suggest that you specify "-T full" or just leave the -T flag off, since
> "full" is the default anyway.
>
> -d
>
>
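Added example (not part of the original thread and not softflowd's code): a Python sketch of the NetFlow v9 Template and Data FlowSet layout from RFC 3954, comparing a template that omits the port, protocol and TCP-flag fields with one that carries them zero-filled, the two behaviours discussed above. The field selection per track level, the template IDs and the sample flows are assumptions constructed for illustration.

```python
import struct

# NetFlow v9 field types and lengths in bytes (RFC 3954, section 8).
FIELDS = {
    "IN_BYTES": (1, 4), "IN_PKTS": (2, 4), "PROTOCOL": (4, 1),
    "TCP_FLAGS": (6, 1), "L4_SRC_PORT": (7, 2), "IPV4_SRC_ADDR": (8, 4),
    "L4_DST_PORT": (11, 2), "IPV4_DST_ADDR": (12, 4),
    "LAST_SWITCHED": (21, 4), "FIRST_SWITCHED": (22, 4),
}
# Assumed field selection per track level; not softflowd's actual template.
IP_LEVEL = ["IPV4_SRC_ADDR", "IPV4_DST_ADDR", "LAST_SWITCHED",
            "FIRST_SWITCHED", "IN_BYTES", "IN_PKTS"]
FULL_LEVEL = IP_LEVEL + ["L4_SRC_PORT", "L4_DST_PORT", "PROTOCOL", "TCP_FLAGS"]

def template_flowset(template_id, names):
    """Template FlowSet: FlowSet ID 0, length, then one template record."""
    record = struct.pack("!HH", template_id, len(names))
    for name in names:
        record += struct.pack("!HH", *FIELDS[name])  # (type, length) pair
    return struct.pack("!HH", 0, 4 + len(record)) + record

def data_flowset(template_id, names, flows):
    """Data FlowSet: FlowSet ID equals the template ID; padded to 32 bits."""
    body = b""
    for flow in flows:
        for name in names:
            # A field the exporter did not track is encoded as zero.
            body += flow.get(name, 0).to_bytes(FIELDS[name][1], "big")
    pad = -(4 + len(body)) % 4
    return struct.pack("!HH", template_id, 4 + len(body) + pad) + body + bytes(pad)

def export_sizes(flows):
    """Bytes on the wire (template + data) for each template choice."""
    return {
        "trimmed": len(template_flowset(256, IP_LEVEL))
                   + len(data_flowset(256, IP_LEVEL, flows)),
        "zero_filled": len(template_flowset(257, FULL_LEVEL))
                       + len(data_flowset(257, FULL_LEVEL, flows)),
    }

if __name__ == "__main__":
    # Constructed sample: 10 flows tracked at "ip" level (no ports or protocol).
    sample = [{"IPV4_SRC_ADDR": 0xC0000201, "IPV4_DST_ADDR": 0xC6336407,
               "LAST_SWITCHED": 61000, "FIRST_SWITCHED": 60000,
               "IN_BYTES": 1500, "IN_PKTS": 3}] * 10
    print(export_sizes(sample))
```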