[flow-tools] flow-capture and CISCO Spec.
Mark Fullmer
maf@eng.oar.net
Fri, 31 Jan 2003 10:30:06 -0500
The specifications from Cisco are for wire format. The wire format is not
a good choice for a disk format for a variety of reasons, including
inability to support compression and metadata such as exporter IP address,
counters like flows lost in the period, etc.
That said, flow-export will export wire format to disk, and flow-import
will read wire format from disk. The flow-import implementation was
done after the 0.63 snapshot; if you want to test it before the next
one, let me know.
mark
On Fri, Jan 31, 2003 at 02:17:41PM +0100, Kyle Caine wrote:
> Hello,
>
> I'm working on some tools to process NetFlow data from my company's
> intranet and found flow-tools quite comfortable. Unfortunately the files
> generated by flow-capture don't conform to the specs CISCO releases for
> NetFlow flows.
> E.g. flow-capture exported files (V5) have a 96-byte header containing
> fields like hostname etc. and then flow records with additional padding
> and a size of 64 bytes, whereas CISCO describes a 24-byte header and 48-byte
> record format in their white papers.
>
> Now my questions:
> - What was the intention of using this nonconforming format within
> flow-tools?
>
> - Is there a possibility to tell flow-capture to export the received
> packages in raw format?
>
> - Is it likely that this internal format will change in future versions of
> flow-tools?
>
> Thanks, Kyle
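
For reference, the 24-byte header and 48-byte record of the Cisco NetFlow v5 wire format discussed in this thread can be decoded and length-checked as below. This is an added example, not part of the original messages and not flow-tools code; the function names, the returned dict keys and the sample datagram are constructed for illustration.

```python
import ipaddress
import struct

# NetFlow v5 export datagram layout as published by Cisco (network byte order).
HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBB2x")  # 48 bytes, pad bytes skipped
MAX_RECORDS = 30  # v5 limit on records per datagram


def parse_v5(datagram: bytes):
    """Return (header dict, list of flow dicts); raise ValueError on bad input."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than the 24-byte header")
    (version, count, uptime_ms, secs, nsecs,
     sequence, engine_type, engine_id, sampling) = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if not 1 <= count <= MAX_RECORDS:
        raise ValueError(f"record count {count} out of range")
    # The count field is sender-controlled: check it against the real length.
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("length does not match header count")
    header = {"count": count, "unix_secs": secs, "flow_sequence": sequence,
              "engine_id": engine_id}
    flows = []
    for i in range(count):
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, tcp_flags, proto, tos, src_as, dst_as,
         src_mask, dst_mask) = RECORD.unpack_from(
            datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": str(ipaddress.IPv4Address(src)),
                      "dst": str(ipaddress.IPv4Address(dst)),
                      "sport": sport, "dport": dport, "proto": proto,
                      "packets": pkts, "octets": octets})
    return header, flows


def build_sample():
    """Constructed sample: one TCP flow 192.0.2.10:40000 -> 198.51.100.5:443."""
    hdr = HEADER.pack(5, 1, 1000, 1044027006, 0, 42, 0, 0, 0)
    rec = RECORD.pack(bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]), bytes(4),
                      1, 2, 10, 5200, 100, 900, 40000, 443, 0x1B, 6, 0, 0, 0, 24, 24)
    return hdr + rec


if __name__ == "__main__":
    print(parse_v5(build_sample()))
```

A file in the flow-tools disk format will fail the version and length checks here, since it starts with its own file header rather than a v5 export header.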