[Flow-tools] flow-extract (was: Archived code)

Ed Ravin eravin at panix.com
Thu Jan 31 14:18:38 EST 2008


On Thu, Jan 31, 2008 at 02:01:08PM -0500, Ed Ravin wrote:
> On Thu, Jan 31, 2008 at 10:30:37AM -0600, Andy Terrel wrote:
> > I am brand new to using flow-tools but have been pointed at flow-tools 
> > by some people using it for security.  And have just started using the 
> > code (0.680 from the Debian package).
> > 
> > The code I wanted to use on top of flow-tools is the UofC package 
> > flow-extract  ( http://security.uchicago.edu/tools/net-forensics/ ) 
> > linked to off the splintered.net page.  The README in the code says it 
> > needs some things from flow-tools 0.32.
> 
> Don't believe everything you read in a README.  Take a closer look at the
> directory after it's unpacked - all the files mentioned in the README
> as being needed from flow-tools 0.32 are thankfully already included.
> 
> > Is there a better place to grab either the flow-tools 0.32 or even 
> > better a version of flow-extract?
> 
> flow-extract seems pretty old, and I'm not sure what the advantages of it
> are over flow-cat | flow-filter | flow-print.  Well, OK, maybe the
> advantage is you don't have to use a pipeline.

Much better than that - automatic resolution of DNS names and port numbers
when dumping out flow files, and textual display of the TCP flags in the
flow.  Definitely useful for reviewing flow data.
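As an added illustration of the two conveniences mentioned above (this is example code written for this page, not flow-extract's or flow-tools' own source), the script below takes NetFlow-style records, renders the one-byte tcp_flags field as flag names instead of hex, substitutes service names for well-known ports, and tags the flag combinations a reviewer scanning flow data tends to look for. The flow records are constructed, and the SERVICES table is a hand-written subset standing in for /etc/services so that the script runs offline; both are assumptions, not data from the list discussion.

```python
#!/usr/bin/env python3
"""Textual TCP flags and service names for NetFlow records.

Added example, not flow-tools or flow-extract code.  SAMPLE_FLOWS is
constructed, and SERVICES is a hand-written subset standing in for
/etc/services so everything runs offline.
"""

# TCP header flag bits, high to low (RFC 793; CWR/ECE from RFC 3168).
TCP_FLAGS = (
    (0x80, "CWR"), (0x40, "ECE"), (0x20, "URG"), (0x10, "ACK"),
    (0x08, "PSH"), (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN"),
)
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

# Assumed service table; a real tool would consult /etc/services or DNS.
SERVICES = {22: "ssh", 25: "smtp", 53: "domain", 80: "http", 443: "https"}


def flags_to_text(flags):
    """Render a one-byte tcp_flags value as e.g. 'ACK PSH SYN FIN'."""
    if not 0 <= flags <= 0xFF:
        raise ValueError("tcp_flags must fit in one byte: %r" % flags)
    names = [name for bit, name in TCP_FLAGS if flags & bit]
    return " ".join(names) if names else "-"


def port_to_text(port):
    """Service name if known, otherwise the port number as a string."""
    return SERVICES.get(port, str(port))


def classify(flags):
    """A flow record's tcp_flags is the OR of every packet in the flow,
    so a few combinations deserve a reviewer's attention."""
    if flags == 0:
        return "null-flags"   # no legitimate TCP segment carries no flags
    if flags & SYN and flags & FIN and not flags & ACK:
        return "syn-fin"      # crafted; a normal stack never sends this
    if flags == SYN:
        return "syn-only"     # connect attempt never answered: scan or filtered
    if flags & SYN and flags & ACK and flags & (FIN | RST):
        return "complete"     # handshake seen and the flow was torn down
    if flags & RST:
        return "reset"        # e.g. RST ACK: refused connection
    return "partial"          # e.g. ACK PSH only: long-lived or mid-flow export


def render(records):
    """One text line per (srcaddr, srcport, dstaddr, dstport, tcp_flags)."""
    lines = []
    for src, sport, dst, dport, flags in records:
        lines.append("%s:%s -> %s:%s  flags=%-20s %s" % (
            src, port_to_text(sport), dst, port_to_text(dport),
            flags_to_text(flags), classify(flags)))
    return lines


# Constructed TCP (protocol 6) flow records: src, sport, dst, dport, flags.
SAMPLE_FLOWS = [
    ("10.0.0.5", 51234, "192.0.2.10", 22, 0x1b),     # ACK PSH SYN FIN: ssh session
    ("198.51.100.7", 40001, "10.0.0.9", 443, 0x02),  # SYN only: unanswered
    ("198.51.100.7", 40002, "10.0.0.9", 80, 0x03),   # SYN FIN: crafted
    ("10.0.0.9", 443, "198.51.100.7", 40001, 0x14),  # ACK RST: refused
    ("203.0.113.4", 1234, "10.0.0.9", 25, 0x00),     # null scan
]

if __name__ == "__main__":
    for line in render(SAMPLE_FLOWS):
        print(line)
```

The classification relies on the fact that an exported flow's tcp_flags is the union of flags over all packets in the flow, so "SYN only" really does mean nothing but SYNs were ever seen in that direction; a reader adapting this to real flow-print output should also split by direction, since each direction is its own record.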
