[Flow-tools] Question about Netflow operation for In/Out traffic

Joe Loiacono jloiacon at csc.com
Thu Sep 27 09:12:29 EDT 2007


flow-tools-bounces at list.splintered.net wrote on 09/27/2007 03:28:40 AM:

> Hi,
> 
>    I'm surely not in the right mailing list but I think you have an
> answer for my question ;-)
> 
> I'm trying to write a small script, using flow-tools, to convert
> Netscreen syslog output into flows to analyse them with Netflow Analyser.
> But as I'm new to netflow, I have a problem...
> 
> For example, if I connect to www.google.com I'll get the following line
> in my log:
> Sep 27 09:19:53 (traffic): start_time="2007-09-27 09:18:50" duration=67
> sent=3100 rcvd=10046 src=192.168.0.2 dst=64.233.183.104 src_port=1960
> dst_port=80
> 
> I miss the number of packets transmitted, but it's not really a problem (I
> just want to know which protocols are used on my network).
> 
> The problem is that I get a number of sent octets AND a number of
> received octets. But in a flow there is only something like transmitted
> octets ...

Treat your firewall as a two-interface router. Map the 'sent' bytes from 
above as input into the 'local' interface of your router, and map the 
'rcvd' bytes as input into the 'Internet' interface. For flows in the 
opposite direction, do the opposite. This will simulate a router exporting 
netflow, since (typically) the router collects netflow as input bytes only 
to interfaces.
 
> So this is my question. How does Netflow identify the In and Out traffic?

Unless you're using a very modern IOS, netflow will only collect and 
export *input* data to each interface on which you are running netflow. 
Output data can be examined by filtering on all data with an 'outbound' 
interface equal to the one you're interested in.

> Are there, for a TCP connection, 2 flows: one per direction? If that is
> the case, how does Netflow identify that these 2 flows are for the same
> TCP connection?

Netflow ignores connections and only looks at input traffic.

HTH,

Joe
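The two-interface mapping Joe describes, as an added Python example that is not part of this thread and not flow-tools' own code: each NetScreen session line becomes two unidirectional records, the 'sent' bytes entering the local interface and the 'rcvd' bytes entering the Internet interface, and the output-side view is obtained by filtering on the record's output interface, as his second reply suggests. The ifIndex values IF_LOCAL and IF_INTERNET, the assumption that the session is TCP (the log line carries no protocol field), the UTC interpretation of start_time, the zero packet count, and the dictionary field names are all assumptions made for the example; the field layout is not claimed to match any flow-import input format.

```python
import calendar
import re
from datetime import datetime

# Constructed sample: the NetScreen traffic log line quoted in the question.
SAMPLE_LINE = (
    'Sep 27 09:19:53 (traffic): start_time="2007-09-27 09:18:50" duration=67 '
    'sent=3100 rcvd=10046 src=192.168.0.2 dst=64.233.183.104 '
    'src_port=1960 dst_port=80'
)

# Hypothetical ifIndex values for the simulated two-interface router.
IF_LOCAL = 1     # interface facing the LAN (192.168.0.0/24 side)
IF_INTERNET = 2  # interface facing the Internet

# Assumption: the log line carries no protocol field; the session is treated
# as TCP (IP protocol 6) unless the caller says otherwise.
PROTO_TCP = 6

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_netscreen_line(line):
    """Return the key=value fields of one NetScreen traffic log line."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    required = ('start_time', 'duration', 'sent', 'rcvd',
                'src', 'dst', 'src_port', 'dst_port')
    missing = [k for k in required if k not in fields]
    if missing:
        raise ValueError('log line is missing fields: %s' % ', '.join(missing))
    return fields


def netscreen_to_flows(line, proto=PROTO_TCP):
    """Turn one session log line into two unidirectional flow records.

    'sent' bytes are what entered the local interface (and left via the
    Internet interface); 'rcvd' bytes are what entered the Internet
    interface (and left via the local interface).
    """
    f = parse_netscreen_line(line)
    # Assumption: start_time is interpreted as UTC so the result does not
    # depend on the local timezone of the machine running the script.
    start = datetime.strptime(f['start_time'], '%Y-%m-%d %H:%M:%S')
    first = calendar.timegm(start.timetuple())
    last = first + int(f['duration'])

    common = {'first': first, 'last': last, 'prot': proto,
              # Packet counts are not in the log, as the question notes.
              'dpkts': 0}

    outbound = dict(common, srcaddr=f['src'], dstaddr=f['dst'],
                    srcport=int(f['src_port']), dstport=int(f['dst_port']),
                    doctets=int(f['sent']),
                    input=IF_LOCAL, output=IF_INTERNET)
    inbound = dict(common, srcaddr=f['dst'], dstaddr=f['src'],
                   srcport=int(f['dst_port']), dstport=int(f['src_port']),
                   doctets=int(f['rcvd']),
                   input=IF_INTERNET, output=IF_LOCAL)
    return [outbound, inbound]


def select_outbound(records, ifindex):
    """Output-side view: every record whose 'output' interface is ifindex.

    An exporter only records traffic as input to an interface, so traffic
    leaving an interface is found by filtering on the output field rather
    than by a separate export.
    """
    return [r for r in records if r['output'] == ifindex]


if __name__ == '__main__':
    flows = netscreen_to_flows(SAMPLE_LINE)
    for rec in flows:
        print(rec)
    print('leaving the Internet-facing interface:',
          select_outbound(flows, IF_INTERNET))
```

Running the block on the constructed sample prints one record carrying 3100 octets from 192.168.0.2:1960 to 64.233.183.104:80 (input IF_LOCAL, output IF_INTERNET) and one carrying 10046 octets in the reverse direction (input IF_INTERNET, output IF_LOCAL); neither record knows it belongs to the other, which is Joe's point that the exporter ignores connections.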