[Flow-tools] Weirdness with flags in flow-print output
Michael W. Lucas
mwlucas at blackhelicopters.org
Wed Jan 7 13:40:05 EST 2009
Hi,
I'm using flow-print 0.68.4 on FreeBSD, installed from a package.
I've noticed something odd with flow-print's representation of TCP
flags. Here I'm using flow-print -f 1:
Sif SrcIPaddress DIf DstIPaddress Pr SrcP DstP Pkts Octets
StartTime EndTime Active B/Pk Ts Fl
0000 63.85.32.4 0000 207.46.209.247 06 c952 50 6095 326196
1201.11:58:00.409 1201.12:01:55.917 235.508 53 00 1a
0000 63.85.32.4 0000 207.46.209.247 06 c954 50 5860 315247
1201.11:58:00.451 1201.12:02:05.769 245.318 53 00 1a
1a = 26 or 11010 or ACK+PSH+SYN, a perfectly decent set of flags.
Here's the same set of flags with flow-print -f 5:
Start End Sif SrcIPaddress SrcP DIf DstIPaddress DstP P Fl Pkts Octets
1201.11:58:00.409 1201.12:01:55.917 0 63.85.32.4 51538 0 207.46.209.247 80 6 2 6095 326196
1201.11:58:00.451 1201.12:02:05.769 0 63.85.32.4 51540 0 207.46.209.247 80 6 2 5860 315247
The flags for these flows are shown as "2". It's almost as if the
flags field in -f5 is getting trimmed?
Any thoughts? Am I reading this wrong, or shall I file a bug?
Thanks,
==ml
--
Michael W. Lucas mwlucas at BlackHelicopters.org, mwlucas at FreeBSD.org
http://www.BlackHelicopters.org/~mwlucas/
"My pessimism extends to the point of even suspecting the sincerity of
the pessimists." -- Jean Rostand, French biologist and philosopher
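As an added example (not part of the post or of flow-tools), the check below parses the two outputs quoted above, decodes the hex Fl byte into flag names, and reports every flow where the -f 1 and -f 5 flag values disagree. It assumes the column layouts shown in the post, with ports and flags in hex for -f 1 and in decimal for -f 5 (c952 = 51538, 50 = 80).

```python
# TCP flag bits in the order used by the NetFlow tcp_flags byte.
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

def decode_flags(value):
    """Names of the flags set in a tcp_flags byte: 0x1a -> ['SYN', 'PSH', 'ACK']."""
    return [name for bit, name in TCP_FLAGS if value & bit]

# Constructed from the flow-print -f 1 output quoted in the post (two lines per flow).
F1_OUTPUT = """\
0000 63.85.32.4 0000 207.46.209.247 06 c952 50 6095 326196
1201.11:58:00.409 1201.12:01:55.917 235.508 53 00 1a
0000 63.85.32.4 0000 207.46.209.247 06 c954 50 5860 315247
1201.11:58:00.451 1201.12:02:05.769 245.318 53 00 1a
"""

# Constructed from the flow-print -f 5 output quoted in the post (one line per flow).
F5_OUTPUT = """\
1201.11:58:00.409 1201.12:01:55.917 0 63.85.32.4 51538 0 207.46.209.247 80 6 2 6095 326196
1201.11:58:00.451 1201.12:02:05.769 0 63.85.32.4 51540 0 207.46.209.247 80 6 2 5860 315247
"""

def parse_f1(text):
    """-f 1 records: ports and flags are hex (assumption). Key: (start, src, sport, dst, dport)."""
    lines = text.splitlines()
    flows = {}
    for head, tail in zip(lines[0::2], lines[1::2]):
        _sif, src, _dif, dst, _proto, sport, dport, _pkts, _octets = head.split()
        start, _end, _active, _bpk, _ts, fl = tail.split()
        flows[(start, src, int(sport, 16), dst, int(dport, 16))] = int(fl, 16)
    return flows

def parse_f5(text):
    """-f 5 records: ports and flags are decimal (assumption). Same key as parse_f1."""
    flows = {}
    for line in text.splitlines():
        f = line.split()
        flows[(f[0], f[3], int(f[4]), f[6], int(f[7]))] = int(f[9])
    return flows

def compare(f1, f5):
    """Flows whose flag byte differs between formats -> (f1 value, f5 value or None)."""
    return {k: (v, f5.get(k)) for k, v in f1.items() if f5.get(k) != v}

if __name__ == "__main__":
    for key, (a, b) in compare(parse_f1(F1_OUTPUT), parse_f5(F5_OUTPUT)).items():
        print(key, "-f 1:", hex(a), decode_flags(a), "-f 5:", b, decode_flags(b or 0))
```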