How is the flgs field derived?

Richard Rothwell via Argus-info argus-info at lists.andrew.cmu.edu
Wed Apr 27 03:06:31 EDT 2016


Hi Carter,

The GLORIAD software I have inherited is converting all flags fields into "Netflow".
This is because the flags field as sent by rabins contains just "N".
Flags is called just flgs in a netflow record.

The data processing chain I have in place has router(IPFIX) -> nprobe(Netflow9) -> radium (Argus) -> rabins.
I have looked at the output of nprobe and that seems to be OK.
I use nfcapd and nfdump together to inspect the output of nprobe.

A record output from nprobe looks like:

Flow Record:
  Flags        =              0x06 FLOW, Unsampled
  export sysid =                 1
  size         =                72
  first        =        1461737035 [2016-04-27 06:03:55]
  last         =        1461737035 [2016-04-27 06:03:55]
  msec_first   =               304
  msec_last    =               304
  src addr     =   ***.***.***.***
  dst addr     =   ***.***.***.***
  src port     =             27878
  dst port     =               443
  fwd status   =                 0
  tcp flags    =              0x18 .AP...
  proto        =                 6 TCP
  (src)tos     =                 0
  (in)packets  =                 2
  (in)bytes    =               193
  input        =               824
  output       =               644
  src as       =             10148
  dst as       =             32934

So the question is where have the tcp flags gone in the conversion between netflow and Argus records?
Is this expected behaviour?

Regards from Richard
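A small check one can run at each stage of the chain above to confirm that TCP flags survive the hop. This is an added example, not code from the post, from nprobe, nfdump or Argus; it assumes nfdump's flag rendering order is URG, ACK, PSH, RST, SYN, FIN (which matches the `0x18 .AP...` line in the quoted record), and uses a constructed record modelled on that output.

```python
import re

# Order nfdump uses when rendering TCP flags, highest bit first (assumed):
# URG(0x20) ACK(0x10) PSH(0x08) RST(0x04) SYN(0x02) FIN(0x01).
_FLAG_LETTERS = "UAPRSF"
_FLAG_BITS = (0x20, 0x10, 0x08, 0x04, 0x02, 0x01)

# Constructed sample, modelled on the nfdump record quoted above.
SAMPLE_RECORD = """Flow Record:
  Flags        =              0x06 FLOW, Unsampled
  src port     =             27878
  dst port     =               443
  tcp flags    =              0x18 .AP...
  proto        =                 6 TCP
  (in)packets  =                 2
"""

def parse_flow_record(text):
    """Turn one nfdump 'Flow Record:' dump into a dict of field -> raw value."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^=]+?)\s*=\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def decode_tcp_flags(bitmask):
    """Render a TCP flag bitmask the way nfdump does ('.AP...' for 0x18)."""
    return "".join(letter if bitmask & bit else "."
                   for letter, bit in zip(_FLAG_LETTERS, _FLAG_BITS))

def tcp_flags_from_record(fields):
    """Return (bitmask, rendered) from the 'tcp flags' field and verify that the
    hex value and nfdump's own rendering agree with each other."""
    raw = fields.get("tcp flags")
    if raw is None:
        raise ValueError("record has no 'tcp flags' field")
    hexpart, rendered = raw.split(None, 1)
    bitmask = int(hexpart, 16)
    if decode_tcp_flags(bitmask) != rendered:
        raise ValueError(f"rendering {rendered!r} does not match {hexpart}")
    return bitmask, rendered

def flags_intact(fields):
    """True when a TCP record still carries flag bits; False when a conversion
    step has zeroed or dropped them. Non-TCP records carry no flags, so True."""
    if fields.get("proto", "").split()[0] != "6":
        return True
    try:
        bitmask, _ = tcp_flags_from_record(fields)
    except ValueError:
        return False
    return bitmask != 0
```

Feeding the record dumped at each hop to `flags_intact` shows which stage of the chain stops carrying the flags.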