[Flow-tools] More details about flow-export
Joe Loiacono
jloiacon at csc.com
Wed May 14 10:20:41 EDT 2008
The times are a little tricky.
Here's an example:
1205337599,477621174,3920562904,198.119.56.66,1,64,3920554564,3920554566,172.16.22.83,192.168.56.66,94,0,0,2048,1,0
  unix_secs  = 1205337599
  unix_nsecs = 477621174
  sysuptime  = 3920562904
  first      = 3920554564
  last       = 3920554566
From http://netflow.caligare.com/netflow_v5.htm
sys_uptime   Current time in milliseconds since the export device booted
unix_secs    Current count of seconds since 0000 UTC 1970 (epoch time)
unix_nsecs   Residual nanoseconds since 0000 UTC 1970
first        SysUptime at start of flow
last         SysUptime at the time the last packet of the flow was received
sysuptime is in milliseconds, so SSSSSSS.MMM (SSSSSSS is integer seconds; MMM is integer milliseconds)
unix_secs is integer seconds of epoch at time of netflow packet export
unix_nsecs is integer number of nanoseconds (billionths of a second, incredibly) at time of netflow packet export
first is sysuptime secs of first packet in flow
last is sysuptime secs of last packet in flow
So, this netflow packet was exported at 1205337599.477621174 seconds since epoch (03/12/2008 15:59:59 (GMT)).
When the packet was exported, the system had been up for 3920562.904 seconds.
The first packet in the flow was received by the device at 3920554.564 seconds, -8.340 seconds.
So the time of the first packet was 03/12/2008 15:59:51.
The time of the last packet was 03/12/2008 15:59:53 (ignoring fractions).
The flow was 2 seconds long.
(Hope I have this right)
Joe
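The conversion described above, as an added example that is not part of the thread: it parses the record quoted in this message and turns the SysUptime-based FIRST and LAST fields into absolute UTC times. It assumes the record was produced with the same -m field list Joe gives later in the thread, and it also handles the 32-bit SysUptime counter wrapping between flow start and export, which the thread does not cover.

```python
from datetime import datetime, timezone

# Field order of the -f2 export quoted above; assumption: it was produced with the
# same -m list Joe posts later in this thread.
FIELDS = ["UNIX_SECS", "UNIX_NSECS", "SYSUPTIME", "EXADDR", "DPKTS", "DOCTETS",
          "FIRST", "LAST", "SRCADDR", "DSTADDR", "INPUT", "OUTPUT",
          "SRCPORT", "DSTPORT", "PROT", "TOS"]
# The record from the thread, used as sample input.
SAMPLE = ("1205337599,477621174,3920562904,198.119.56.66,1,64,3920554564,"
          "3920554566,172.16.22.83,192.168.56.66,94,0,0,2048,1,0")
SYSUPTIME_WRAP = 2 ** 32  # SysUptime is a 32-bit millisecond counter in NetFlow v5

def parse_record(line):
    """Split one exported line into a dict keyed by flow-export field name."""
    parts = line.strip().split(",")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))

def export_ms(rec):
    """Epoch milliseconds at which the exporter sent the NetFlow packet."""
    return int(rec["UNIX_SECS"]) * 1000 + int(rec["UNIX_NSECS"]) // 1_000_000

def absolute_ms(rec, field):
    """Epoch milliseconds for FIRST or LAST: SYSUPTIME is the exporter's uptime at
    export time, so (field - SYSUPTIME) is the offset back from export_ms()."""
    delta = int(rec[field]) - int(rec["SYSUPTIME"])
    if delta > 0:
        # A flow cannot start after export: the 32-bit counter wrapped in between.
        delta -= SYSUPTIME_WRAP
    return export_ms(rec) + delta

def duration_ms(rec):
    """Flow duration in milliseconds (LAST and FIRST are both SysUptime ms)."""
    return int(rec["LAST"]) - int(rec["FIRST"])

def fmt_utc(ms):
    """Render epoch milliseconds in the MM/DD/YYYY form used in the thread."""
    dt = datetime.fromtimestamp(ms / 1000, tz=timezone.utc)
    return dt.strftime("%m/%d/%Y %H:%M:%S.%f")[:-3]

if __name__ == "__main__":
    rec = parse_record(SAMPLE)
    print("export", fmt_utc(export_ms(rec)), "UTC")
    print("first ", fmt_utc(absolute_ms(rec, "FIRST")), "UTC")
    print("last  ", fmt_utc(absolute_ms(rec, "LAST")), "UTC")
    print("duration", duration_ms(rec), "ms")
```

Because FIRST and LAST are both SysUptime milliseconds, the difference between them on this record (3920554566 - 3920554564) is the flow duration in milliseconds, so the code keeps everything in integer milliseconds until it is rendered.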
From: "Baptiste Lacroix" <Baptiste.Lacroix at businessdecision.com>
Date: 05/14/2008 09:11 AM
To: Joe Loiacono/CIV/CSC at CSC
Cc: <flow-tools at list.splintered.net>, <flow-tools-bounces at list.splintered.net>
Subject: RE: [Flow-tools] More details about flow-export
Thanks a lot about DFLOWS... The one I use is:
flow-cat /var/log/netflow/ft/ft-v05* | flow-export -f3 -u "flowuser:2521bast18:localhost:3306:netflow:FLOWS" -mUNIX_SECS,EXADDR,DFLOWS,DPKTS,DOCTETS,SRCADDR,DSTADDR,SRCPORT,DSTPORT,PROT,TOS
or:
flow-cat /var/log/netflow/ft/ft-v05* | flow-export -f3 -u "flowuser:2521bast18:localhost:3306:netflow:FLOWS" -m0x0000000000783069LL
And it is actually working fine, but I would like to know the exact meaning of each field; even if I can guess all of them, I want there to be no doubt.
For example, the difference between UNIX_SEC, UNIX_NSEC, SYSUPTIME... I guess the first one is the time of the transmission, the second one the duration, but the last one ???
Also 'D'OCTETS... D means Distribution ??? What should I understand by distribution... I hope those questions don't seem too stupid.
Best regards.
Baptiste Lacroix
From: Joe Loiacono [mailto:jloiacon at csc.com]
Sent: Wednesday, May 14, 2008 14:52
To: Baptiste Lacroix
Cc: flow-tools at list.splintered.net; flow-tools-bounces at list.splintered.net
Subject: Re: [Flow-tools] More details about flow-export
One thing that might be throwing you off is that DFLOWS does not exist for netflow versions 1 and 5.
Here's a flow-export command I have used (the -m field list must be a single comma-separated argument, with no spaces):
flow-export -f2 -m UNIX_SECS,UNIX_NSECS,SYSUPTIME,EXADDR,DPKTS,DOCTETS,FIRST,LAST,SRCADDR,DSTADDR,INPUT,OUTPUT,SRCPORT,DSTPORT,PROT,TOS < ft-v05.2008-02-12.091503+0000 > ~/flowtools_export
Joe
From: "Baptiste Lacroix" <Baptiste.Lacroix at businessdecision.com>
Sent by: flow-tools-bounces at list.splintered.net
Date: 05/14/2008 03:15 AM
To: <flow-tools at list.splintered.net>
Cc:
Subject: [Flow-tools] More details about flow-export
Hi,
I'm actually working on a project about netflow. I'm using flow-tools and in particular flow-export. I just would like to know if there is a detailed explanation of every field used in the export (in the case of the MySQL export). I have some difficulty understanding DFLOWS, for example. I'm finishing my studies and the period they're allowing me to work on this project is really short, so maybe I missed some explanation on the net, and I apologize for this.
Thanks in advance.
Baptiste Lacroix
_______________________________________________
Flow-tools mailing list
flow-tools at splintered.net
http://mailman.splintered.net/mailman/listinfo/flow-tools