[Flow-tools] Question about Netflow operation for In/Out traffic
Julien Nury
julien at nury.fr
Thu Sep 27 09:32:08 EDT 2007
On Thu, 27 Sep 2007 09:12:29 -0400, Joe Loiacono <jloiacon at csc.com> wrote:
> flow-tools-bounces at list.splintered.net wrote on 09/27/2007 03:28:40 AM:
>
>> Hi,
>>
>> I'm surely not in the right mailing list but I think you have an answer
>> for my question ;-)
>>
>> I'm trying to write a small script, using flow-tools, to convert Netscreen
>> syslog output into flows to analyse them with Netflow Analyser. But as I'm
>> new to netflow, I have a problem...
>>
>> For example, if I connect to www.google.com I'll get the following line in
>> my log:
>> Sep 27 09:19:53 (traffic): start_time="2007-09-27 09:18:50" duration=67
>> sent=3100 rcvd=10046 src=192.168.0.2 dst=64.233.183.104 src_port=1960
>> dst_port=80
>>
>> I miss the number of packets transmitted, but it's not really a problem (I
>> just want to know which protocols are used on my network).
>>
>> The problem is that I get a number of sent octets AND a number of received
>> octets. But in a flow there is only something like transmitted octets ...
>
> Treat your firewall as a two-interface router. Map the 'sent' bytes from
> above as input into the 'local' interface of your router, and map the
> 'rcvd' bytes as input into the 'Internet' interface. For flows in the
> opposite direction, do the opposite. This will simulate a router exporting
> netflow, since (typically) the router collects netflow as input bytes only
> to interfaces.
>
>> So this is my question. How does Netflow identify the In and Out traffic?
>
> Unless you're using a very modern IOS, netflow will only collect and
> export *input* data to each interface on which you are running netflow.
> Output data can be examined by filtering on all data with an 'outbound'
> interface equal to the one you're interested in.
>
>> Is there, for a TCP connection, 2 flows: one per direction? If it's that,
>> how does Netflow identify that these 2 flows are for the same TCP connection?
>
> Netflow ignores connections and only looks at input traffic.
>
> HTH,
>
> Joe
Thank you very much for this information.
I'll modify my script to generate 2 flows per log line:
one with an interface SNMP index as INPUT and the sent traffic,
one with another interface SNMP index as OUTPUT and the rcvd traffic,
and invert the src/dst of the second flow.
Best regards
Julien Nury
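The split Joe describes, as an added example that is not Julien's script or part of flow-tools: one Netscreen traffic line (the one quoted in the thread) becomes two unidirectional flow records, 'sent' bytes entering a hypothetical LAN-side ifIndex and 'rcvd' bytes entering a hypothetical Internet-side ifIndex, with addresses and ports swapped for the return direction. The ifIndex values and the record field names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Sample line taken from the thread; only the key=value fields are parsed.
SAMPLE_LINE = ('Sep 27 09:19:53 (traffic): start_time="2007-09-27 09:18:50" duration=67 '
               'sent=3100 rcvd=10046 src=192.168.0.2 dst=64.233.183.104 '
               'src_port=1960 dst_port=80')

# Hypothetical SNMP ifIndex values for the two "router" interfaces.
LOCAL_IF = 1      # LAN-facing interface: 'sent' bytes are input here
INTERNET_IF = 2   # Internet-facing interface: 'rcvd' bytes are input here

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_netscreen_line(line):
    """Return the key=value fields of a Netscreen traffic log line as a dict."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    required = {'start_time', 'duration', 'sent', 'rcvd',
                'src', 'dst', 'src_port', 'dst_port'}
    missing = required - fields.keys()
    if missing:
        raise ValueError('log line lacks fields: %s' % sorted(missing))
    return fields

def line_to_flows(line, local_if=LOCAL_IF, internet_if=INTERNET_IF):
    """Split one Netscreen traffic line into two unidirectional flow records."""
    f = parse_netscreen_line(line)
    start = datetime.strptime(f['start_time'], '%Y-%m-%d %H:%M:%S')
    end = start + timedelta(seconds=int(f['duration']))
    # The firewall log carries no packet count, so it is left unset.
    common = {'first': start, 'last': end, 'packets': None}
    # Client -> server: 'sent' octets, seen as input on the LAN interface.
    outbound = dict(common, srcaddr=f['src'], dstaddr=f['dst'],
                    srcport=int(f['src_port']), dstport=int(f['dst_port']),
                    input=local_if, output=internet_if, octets=int(f['sent']))
    # Server -> client: 'rcvd' octets, seen as input on the Internet interface.
    inbound = dict(common, srcaddr=f['dst'], dstaddr=f['src'],
                   srcport=int(f['dst_port']), dstport=int(f['src_port']),
                   input=internet_if, output=local_if, octets=int(f['rcvd']))
    return [outbound, inbound]

if __name__ == '__main__':
    for flow in line_to_flows(SAMPLE_LINE):
        print(flow)
```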