[flow-tools] flow-capture and CISCO Spec.
Mike Haberman
mikeh@ncsa.uiuc.edu
Fri, 31 Jan 2003 08:12:23 -0600
Yes, we too need to process the raw udp packets from file rather
than off the wire. It would be great if you could specify a directory
or a list of raw cisco files to use as input rather than assuming
they're coming off a socket.
mike haberman
NCSA
On Fri, Jan 31, 2003 at 02:17:41PM +0100, Kyle Caine wrote:
> Hello,
>
> I'm working on some tools to process NetFlow data from my company's
> intranet and found flow-tools quite comfortable. Unfortunately the files
> generated by flow-capture don't conform to the specs CISCO release for
> NetFlow flows.
> E.g. flow-capture exported files (V5) have a 96 Byte header containing
> fields like hostname etc. and then flow records with additional paddings
> and size of 64 bytes, whereas CISCO describes a 24 bytes header and 48
> bytes record format in their white papers.
>
> Now my questions:
> - What was the intention of using this nonconforming format within
> flow-tools?
>
> - Is there a possibility to tell flow-capture to export the received
> packages in raw format?
>
> - Is it likely that this internal format will change in future versions of
> flow-tools?
>
> Thanks, Kyle
>
>
> _______________________________________________
> flow-tools@splintered.net
> http://www.splintered.net/sw/flow-tools
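
The 24-byte header and 48-byte record layout of a raw Cisco NetFlow v5 export datagram, mentioned in the quoted message, as an added example that is not part of the original thread and is not flow-tools code. It assumes the input is the payload of a single UDP export datagram; the function names and the sample values are hypothetical, and the thread does not define any file container for raw packets.

```python
import socket
import struct

# Cisco NetFlow v5 export datagram layout (network byte order).
V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes
MAX_RECORDS = 30  # v5 carries 1..30 records per datagram


def parse_v5_datagram(payload: bytes) -> dict:
    """Parse one raw NetFlow v5 UDP payload, rejecting malformed input."""
    if len(payload) < V5_HEADER.size:
        raise ValueError("short header")
    (version, count, uptime_ms, unix_secs, unix_nsecs,
     sequence, engine_type, engine_id, sampling) = V5_HEADER.unpack_from(payload)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if not 1 <= count <= MAX_RECORDS:
        raise ValueError(f"implausible record count {count}")
    # The header's count must agree with the bytes actually received.
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(payload) != expected:
        raise ValueError(f"length {len(payload)} != expected {expected}")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(payload, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "packets": f[5], "octets": f[6],
            "sport": f[9], "dport": f[10],
            "tcp_flags": f[12], "proto": f[13],
        })
    return {"sequence": sequence, "unix_secs": unix_secs, "flows": flows}


def sample_datagram() -> bytes:
    """Constructed input: one TCP flow 192.0.2.10:40000 -> 198.51.100.5:443."""
    header = V5_HEADER.pack(5, 1, 1000, 1044022343, 0, 7, 0, 0, 0)
    record = V5_RECORD.pack(
        socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.5"),
        socket.inet_aton("0.0.0.0"), 1, 2, 10, 5200, 100, 900,
        40000, 443, 0, 0x1B, 6, 0, 0, 0, 24, 24, 0)
    return header + record
```

A file in flow-capture's own on-disk format, with the 96-byte header and 64-byte records described in the quoted message, will not parse with these structs.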