Ethereal-users: Re: [Ethereal-users] netflow from Cisco

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Annie Tong <annie.tong@xxxxxxxx>
Date: Mon, 08 Apr 2002 14:31:44 -0700
Thanks to Steve, Gerald, Guy and Eugene, for all the valuable input!

Annie Tong
MAE Engineering
MCI WorldCom


Steve Romig wrote:
On Mon, Apr 08, 2002 at 03:59:15PM -0500, Gerald Combs wrote:
Flow-tools comes with a utility called "flow-export" that's supposed to be
able to convert flow data to something that should be readable by
Ethereal, tcpdump, and ntop.

You already answered your own question ("the flow data doesn't contain
enough information to completely reconstruct the packet data"), but
I'll expand on this a little.

Cisco netflow exports are statistics for bunches of similar packets.
One flow record might represent 58 TCP packets sent from host A, port
12345 to host B, port 80. They do not contain per packet information.
Although they do preserve some of the original packet header
information (IP source/destination address, TCP/UDP source/destination
port), some of that information is obscured (e.g. the flags for TCP
flows are a logical OR of all of the flags for packets in that flow).
The rest of the packet headers, and all of the data beyond the TCP/UDP
layer are totally missing.

Flow-export is a hack (like the man page says). It reconstructs
"packets" from the flows, and was written specifically so that you
could use the relatively powerful filtering language in tcpdump to
pull out "packets" to look at. It does this by creating "fake"
packets in pcap format with missing values filled in with defaults. I
think it creates 1 packet per flow, though I don't recall
specifically.

You should be able to use ethereal to look at the pcap files that
flow-export can create, but I can't imagine that the results will be
very useful or pretty...

--- Steve
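As an added example (not part of the original message, and not code from flow-tools), the Python below decodes a constructed NetFlow v5 export datagram and then builds one synthetic IPv4/TCP "packet" per flow in the spirit Steve describes, so the information loss is visible: 58 packets collapse into one 40-byte header, the TCP flags are the OR of every packet's flags, and there is no payload. The v5 record layout is the standard Cisco one; the default values (TTL 64, zero sequence numbers, window and checksums) and the one-packet-per-flow choice are assumptions of this example, not flow-export's actual behaviour.

```python
import socket
import struct

# NetFlow v5 export layout (big-endian): 24-byte header, then 48-byte flow records.
V5_HEADER = struct.Struct(">HHIIIIBBH")
V5_RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

def parse_netflow_v5(datagram):
    """Return one dict per flow record; a record summarises many packets, not one."""
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError("not a NetFlow v5 export")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
                      "packets": r[5], "octets": r[6], "sport": r[9], "dport": r[10],
                      "tcp_flags": r[12], "proto": r[13]})
    return flows

def flag_names(flags):
    """Decode the OR of all TCP flags seen in the flow (per-packet flags are gone)."""
    return [name for bit, name in sorted(TCP_FLAGS.items()) if flags & bit]

def fake_packet(flow, ttl=64):
    """One synthetic IPv4+TCP header standing in for the whole flow.
    Fields the flow never carried (TTL, IP id, seq/ack, window, checksums, payload)
    are assumed defaults here; every real packet of the flow collapses into this one."""
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, flow["proto"], 0,
                     socket.inet_aton(flow["src"]), socket.inet_aton(flow["dst"]))
    tcp = struct.pack(">HHIIBBHHH", flow["sport"], flow["dport"], 0, 0, 0x50,
                      flow["tcp_flags"], 0, 0, 0)
    return ip + tcp

# Constructed sample: one flow of 58 TCP packets, 10.0.0.1:12345 -> 10.0.0.2:80,
# whose packets carried SYN, ACK, PSH and FIN at various points (OR = 0x1b).
SAMPLE = V5_HEADER.pack(5, 1, 1000, 1000000000, 0, 1, 0, 0, 0) + V5_RECORD.pack(
    socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2"), b"\0" * 4, 1, 2,
    58, 61000, 0, 5000, 12345, 80, 0, 0x1b, 6, 0, 0, 0, 24, 24, 0)

if __name__ == "__main__":
    for flow in parse_netflow_v5(SAMPLE):
        print(f'{flow["src"]}:{flow["sport"]} -> {flow["dst"]}:{flow["dport"]} '
              f'{flow["packets"]} pkts, flags {flag_names(flow["tcp_flags"])}')
        print(f"fake packet: {len(fake_packet(flow))} bytes, payload: none")
```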
