[flow-tools] How to deal with Different flow versions in one report

Mark Fullmer maf at eng.oar.net
Mon Oct 21 21:34:06 EDT 2002 

You'll lose the router_sc field.  AFAIK unless there are multiple routers
providing shortcut paths to the switching module this field will never change.

On Mon, Oct 21, 2002 at 10:00:52AM -0500, Poetzel, Christopher J. wrote:
> If I take version 7 flows and use a flow-capture line like
> 
> flow-capture -V 5 0/0/*** -w /blah/blah/blah 
> 
> do I lose any important information??
> 
> Thanks,
> 
> Chris poetzel
> Argonne National Labratory
> 
> -----Original Message-----
> From: Mark Fullmer [mailto:maf at eng.oar.net] 
> Sent: Sunday, October 20, 2002 11:21 AM
> To: Poetzel, Christopher J.
> Cc: flow-tools at splintered.net
> Subject: Re: [flow-tools] How to deal with Different flow versions in one
> report
> 
> The easiest way to deal with this is use the -V flag with flow-capture to
> store everything as v5.  flow-xlate can be used to translate existing
> flow-files.
> 
> On Fri, Oct 18, 2002 at 10:33:57AM -0500, Poetzel, Christopher J. wrote:
> > I was wondering if there was a way to mix different flow version records
> > into the same report.
> > When I try and flow-cat or flow-merge files with different flow versions
> > I get the following message 
> > 
> > flow-cat /proj/netflow/FSW/2002/2002-10/2002-10-18/
> > /proj/netflow/FRT/2002/2002-10/2002-10-18/ | flow-stat -f10
> > flow-cat: data version or sub version changed!
> > 
> > In the above case flow-cat will just skip the entire FRT entry because it
> is
> > a different version record.
> > 
> > For every box in my network that we are collecting netflow from
> > I am running a separate flow-capture process on its own port.
> > 
> > On our 6509's with catos on the switch and ios on the router
> > I am sending the netflow from the switch(Version 7) to a separate
> > Flow-capture process that the router (Version 5). 
> > We have two border routers, a 6513 exported version 7 and a 12008
> > GSR exporting a version 5.  I have not figured out a way to mix these
> > Different flow versions.
> > 
> > Was I wrong in separating each box to its own flow-capture process?
> > If anyone has any ideas they would be appreciated.
> > 
> > Thank you,
> > 
> > Chris poetzel
> > Argonne National Lab
> > 
> > 
> > 
> > 
> > 
> > 
> > _______________________________________________
> > flow-tools at splintered.net
> > http://www.splintered.net/sw/flow-tools

More information about the Flow-tools mailing list