Ethereal-users: Re: [Ethereal-users] netflow from Cisco

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Steve Romig <romig@xxxxxxxxxxxxxxxxxx>
Date: Mon, 8 Apr 2002 17:11:35 -0400
On Mon, Apr 08, 2002 at 03:59:15PM -0500, Gerald Combs wrote:
> Flow-tools comes with a utility called "flow-export" that's supposed to be
> able to convert flow data to something that should be readable by
> Ethereal, tcpdump, and ntop.

You already answered your own question ("the flow data doesn't contain
enough information to completely reconstruct the packet data"), but
I'll expand on this a little.

Cisco netflow exports are statistics for bunches of similar packets.
One flow record might represent 58 TCP packets sent from host A, port
12345 to host B, port 80.  They do not contain per-packet information.
Although they do preserve some of the original packet header
information (IP source/destination address, TCP/UDP source/destination
port), some of that information is obscured (e.g. the flags for TCP
flows are a logical OR of all of the flags for packets in that flow).
The rest of the packet headers, and all of the data beyond the TCP/UDP
layer are totally missing.

Flow-export is a hack (like the man page says).  It reconstructs
"packets" from the flows, and was written specifically so that you
could use the relatively powerful filtering language in tcpdump to
pull out "packets" to look at.  It does this by creating "fake"
packets in pcap format with missing values filled in with defaults.  I
think it creates 1 packet per flow, though I don't recall
specifically. 

You should be able to use Ethereal to look at the pcap files that
flow-export can create, but I can't imagine that the results will be
very useful or pretty...

--- Steve
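The following is an added illustration of the points made in the message above; it is not code from the original post, from Ethereal, or from flow-tools' flow-export. It parses a NetFlow v5 export datagram (the fixed 24-byte header and 48-byte record layout Cisco documents for v5) and then does what the message describes flow-export doing: it writes one synthetic packet per flow into a pcap file, filling every field the flow record lacks (TTL, IP id, sequence and ACK numbers, window, payload) with a default. The sample flow is constructed, not captured from a router; the default values, the `pad1`/`pad2`-style field names, and the choice of a raw-IP link type for the pcap file are this example's own assumptions. The `or_flags` helper shows the flag loss the message mentions: a normal SYN, ACK, PSH|ACK, FIN|ACK exchange collapses to a single ORed byte, and nothing in the record says which packet carried which flag.

```python
"""Parse a NetFlow v5 export and emit flow-export-style fake packets (added example)."""
import struct
import socket

# NetFlow v5 wire layout: 24-byte header, then `count` 48-byte records, all big-endian.
V5_HEADER = "!HHIIIIBBH"
V5_RECORD = "!4s4s4sHHIIIIHHBBBBHHBBH"
V5_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts", "dOctets",
             "first", "last", "srcport", "dstport", "pad1", "tcp_flags", "prot",
             "tos", "src_as", "dst_as", "src_mask", "dst_mask", "pad2")
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

def or_flags(per_packet_flags):
    """What a v5 record keeps of a TCP flow's flags: the OR over every packet in it."""
    acc = 0
    for f in per_packet_flags:
        acc |= f
    return acc

def flag_names(mask):
    return [name for bit, name in sorted(TCP_FLAGS.items()) if mask & bit]

# Constructed sample: 58 packets A:12345 -> B:80 whose per-packet flags were
# SYN, ACK, PSH|ACK, ACK, FIN|ACK, ACK.  Only the OR (0x1B) reaches the record.
SESSION_FLAGS = [0x02, 0x10, 0x18, 0x10, 0x11, 0x10]
SAMPLE_FLOWS = [{"src": "10.0.0.1", "dst": "10.0.0.2", "sport": 12345, "dport": 80,
                 "proto": 6, "pkts": 58, "octets": 31234, "flags": or_flags(SESSION_FLAGS)}]

def build_v5_export(flows, unix_secs=1018300000):
    """Constructed NetFlow v5 datagram for testing; counters/timestamps are dummies."""
    hdr = struct.pack(V5_HEADER, 5, len(flows), 0, unix_secs, 0, 0, 0, 0, 0)
    body = b"".join(
        struct.pack(V5_RECORD, socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]),
                    b"\0" * 4, 0, 0, f["pkts"], f["octets"], 0, 0, f["sport"], f["dport"],
                    0, f["flags"], f["proto"], 0, 0, 0, 0, 0, 0)
        for f in flows)
    return hdr + body

def parse_v5_export(data):
    """Return one dict per flow record; rejects non-v5 and truncated datagrams."""
    version, count = struct.unpack_from("!HH", data, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5: version {version}")
    hsz, rsz = struct.calcsize(V5_HEADER), struct.calcsize(V5_RECORD)
    if len(data) < hsz + count * rsz:
        raise ValueError("truncated export datagram")
    recs = []
    for i in range(count):
        rec = dict(zip(V5_FIELDS, struct.unpack_from(V5_RECORD, data, hsz + i * rsz)))
        for key in ("srcaddr", "dstaddr", "nexthop"):
            rec[key] = socket.inet_ntoa(rec[key])
        recs.append(rec)
    return recs

def ip_checksum(header):
    """RFC 791 ones-complement checksum over a 20-byte IPv4 header."""
    s = sum(struct.unpack("!10H", header))
    while s >> 16:
        s = (s >> 16) + (s & 0xFFFF)
    return (~s) & 0xFFFF

def flow_to_fake_packet(rec, ttl=64):
    """One synthetic IPv4 packet per flow.  Addresses, ports, protocol, ToS and the
    ORed TCP flags come from the record; TTL, IP id, seq/ack, window and payload are
    defaults (assumed here), because the flow never carried them."""
    if rec["prot"] == 6:
        l4 = struct.pack("!HHIIBBHHH", rec["srcport"], rec["dstport"], 0, 0,
                         5 << 4, rec["tcp_flags"], 0, 0, 0)
    elif rec["prot"] == 17:
        l4 = struct.pack("!HHHH", rec["srcport"], rec["dstport"], 8, 0)
    else:
        l4 = b""  # no transport header we could honestly fabricate
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, rec["tos"], 20 + len(l4), 0, 0, ttl,
                     rec["prot"], 0, socket.inet_aton(rec["srcaddr"]),
                     socket.inet_aton(rec["dstaddr"]))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return ip + l4

def pcap_bytes(packets, ts_sec=1018300000):
    """Classic pcap file: global header (LINKTYPE_RAW = 101, raw IPv4) + one record per packet."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)]
    for pkt in packets:
        out.append(struct.pack("<IIII", ts_sec, 0, len(pkt), len(pkt)) + pkt)
    return b"".join(out)

def write_pcap(path, packets):
    with open(path, "wb") as fh:
        fh.write(pcap_bytes(packets))

if __name__ == "__main__":
    recs = parse_v5_export(build_v5_export(SAMPLE_FLOWS))
    r = recs[0]
    print(f"{r['dPkts']} packets {r['srcaddr']}:{r['srcport']} -> {r['dstaddr']}:{r['dstport']}"
          f" flags={flag_names(r['tcp_flags'])}")
    write_pcap("flows.pcap", [flow_to_fake_packet(x) for x in recs])
```

Opening the resulting `flows.pcap` in a packet analyzer shows exactly the effect described in the message: a single 40-byte TCP "packet" standing in for 58 real ones, with FIN, SYN, PSH and ACK all set at once, zero sequence numbers and no payload. Anything a detection rule keys on beyond the 5-tuple and the flag union (handshake ordering, retransmissions, application data) is simply not there to inspect.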