[Flow-tools] RE: flow-export against flow-gen -V 5 files: exaddr missing from wire but present in ascii?
Hahn, Robert
Robert.Hahn at Teradata.com
Wed May 27 14:38:05 EDT 2009
Thanks! (I'm a total newbie with netflow and these tools).
I think 'exporter' identifies the router, like e.g.
exporterIPv4Address in IPFIX and as you say doesn't belong in 'wire'
format flow-export output.
So if I need the exporter, I could instead use flow-export -f 0
(cflowd) with CF_ROUTERMASK set/defaulted in the mask_fields? (Or ascii
but I want binary format).
>
> Hi Robert,
>
> On Wed, May 27, 2009 at 01:29:19PM -0400, Hahn, Robert wrote:
> > > I am using flow-export version 1.26 against files created
> > > w/flow-gen version 5 '-V 5' and outputting wire format via
> > > flow-export '-f 4'.
> > > $Id: flow-export.c,v 1.26 2004/03/31 03:11:14 maf Exp $
> > >
> > > It seems to be missing the exaddr field 'Exporter IP address'
> > > which I do need and which is present in ascii delimited output '-f 2'
> > > as the 4th ordinal. Is this by design? Am I missing something?
>
> Yes and yes... I'll try to clarify:
>
> > > It is in the flow-gen output:
> <snip>
> > I don't see it in struct ftpdu_v5
>
> The exporter IP address is not in the wire format because it
> is merely the source IP address from the IP header of the packet.
> It would be redundant and error-prone to repeat it in the
> structured payload of the packet.
>
> When a process uses the socket API to receive from the
> "wire", i.e. when it receives the payload from a UDP
> datagram, it can call the recvfrom() system call, which
> returns the content and also the remote IP (source) address
> and port number.
>
> It's only when flow-tools stores flow information to a file
> that it needs to save or "remember" the exporter IP address
> (because otherwise it would be lost); it is implicitly there
> in the IP packet header (as the source IP address) when
> transmitted on the wire.
>
> Dave
>
> P.S. There are some protocols that support forwarding of
> information on the wire from one host to another, in which
> case they would want to preserve the original source IP
> address (e.g., the exporter IP address) but NetFlow is not one
> that supports that sort of forwarding.
>
> --
> plonka at doit.wisc.edu http://net.doit.wisc.edu/~plonka/ Madison, WI
>
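
The recvfrom() behaviour described in the quoted reply, as an added example that is not part of the original thread and is not flow-tools code: a minimal C receiver that takes the exporter address from the UDP source address and reads only the version and count from the NetFlow v5 header. The names recv_v5 and demo, the loopback sender and the zero-filled PDU are constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

#define NF5_HDR_LEN 24 /* NetFlow v5 header; each record after it is 48 bytes */
/* Receive one v5 datagram: exporter = UDP source address, count = header field.
 * Returns 0 on success, -1 on error or a short / non-v5 datagram. */
int recv_v5(int fd, char *exaddr, socklen_t exlen, uint16_t *count) {
    unsigned char buf[1500];
    struct sockaddr_in from;
    socklen_t fromlen = sizeof from;
    uint16_t ver, cnt;
    ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&from, &fromlen);
    if (n < NF5_HDR_LEN) return -1;
    memcpy(&ver, buf, 2);      /* bytes 0-1: version, network byte order */
    memcpy(&cnt, buf + 2, 2);  /* bytes 2-3: number of flow records */
    if (ntohs(ver) != 5) return -1;
    *count = ntohs(cnt);
    /* The payload has no exporter field; the socket layer supplies it. */
    return inet_ntop(AF_INET, &from.sin_addr, exaddr, exlen) ? 0 : -1;
}

/* Loopback demo: send one constructed, zero-filled v5 PDU and receive it. */
int demo(char *exaddr, socklen_t exlen, uint16_t *count) {
    int rx = socket(AF_INET, SOCK_DGRAM, 0), tx = socket(AF_INET, SOCK_DGRAM, 0), rc = -1;
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t alen = sizeof a;
    struct timeval tv = { 2, 0 };  /* do not block forever if delivery fails */
    unsigned char pdu[NF5_HDR_LEN + 48] = { 0, 5, 0, 1 };  /* version 5, count 1 */
    if (rx >= 0 && tx >= 0 &&
        setsockopt(rx, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv) == 0 &&
        bind(rx, (struct sockaddr *)&a, sizeof a) == 0 &&  /* port 0: kernel picks */
        getsockname(rx, (struct sockaddr *)&a, &alen) == 0 &&
        sendto(tx, pdu, sizeof pdu, 0, (struct sockaddr *)&a, sizeof a) == (ssize_t)sizeof pdu)
        rc = recv_v5(rx, exaddr, exlen, count);
    close(rx); close(tx);
    return rc;
}

int main(void) {
    char ex[INET_ADDRSTRLEN]; uint16_t c;
    if (demo(ex, sizeof ex, &c) == 0) printf("exporter=%s count=%u\n", ex, c);
    return 0;
}
```

A collector that writes flows to disk has to store the address returned here alongside each record, which is why it shows up in the ascii output but not in the wire format.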