I don't expect anybody to have an answer to this, but I thought I'd send it for future Google amusement.
I got some more funny flows with messed-up time stamps, this time from a Juniper router:

#:unix_secs,unix_nsecs,sysuptime,exaddr,dpkts,doctets,first,last,engine_type,engine_id,srcaddr,dstaddr,nexthop,input,output,srcport,dstport,prot,tos,tcp_flags,src_mask,dst_mask,src_as,dst_as
1093500655,0,12209,128.32.1.201,80,5040,4294923885,4294953880,0,0,128.32.12.137,219.144.7.68,137.164.92.65,41,52,4022,53,17,0,0,24,15,25,4134
1093500655,0,12209,128.32.1.201,40,2960,7305,7305,0,0,128.32.12.137,219.144.7.68,127.164.23.65,39,52,4022,53,17,0,0,24,15,25,4134

Notice the "first" and "last" fields in the second flow go to 7305 from 429xxxxxxx, which causes rrdtool to go back in time (for autofocus from UCSD, a neat graphing app that I hope to send an email about in the future)...*sigh*. I guess I need to build some kind of filter.

I would be interested to know if anybody thinks it's more likely that the PDU came out of the router looking like that, or if something bad happened on the receiver in processing the UDP packet (there's a checksum iirc)....

Mike

_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools
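
One way to build the kind of filter mentioned above, as an added example that is not part of the original post. It assumes "first" and "last" are 32-bit millisecond sysUptime values, as in NetFlow v5, and that the jump from 429xxxxxxx to 7305 is that counter wrapping; `MAX_AGE_MS` and the function names are assumptions made for this sketch.

```python
import csv
import io

WRAP = 1 << 32  # assumption: first/last/sysuptime are 32-bit ms counters

# The two records from the post, in the same CSV layout.
HEADER = ("#:unix_secs,unix_nsecs,sysuptime,exaddr,dpkts,doctets,first,last,"
          "engine_type,engine_id,srcaddr,dstaddr,nexthop,input,output,srcport,"
          "dstport,prot,tos,tcp_flags,src_mask,dst_mask,src_as,dst_as")
SAMPLE = HEADER + """
1093500655,0,12209,128.32.1.201,80,5040,4294923885,4294953880,0,0,128.32.12.137,219.144.7.68,137.164.92.65,41,52,4022,53,17,0,0,24,15,25,4134
1093500655,0,12209,128.32.1.201,40,2960,7305,7305,0,0,128.32.12.137,219.144.7.68,127.164.23.65,39,52,4022,53,17,0,0,24,15,25,4134
"""

MAX_AGE_MS = 30 * 60 * 1000  # assumed bound on how old a flow may be at export


def age_ms(sysuptime, stamp):
    """Milliseconds between a first/last stamp and export time, modulo 2**32."""
    return (sysuptime - stamp) % WRAP


def normalize(text):
    """Yield (first_epoch_ms, last_epoch_ms, ok) for each flow record.

    ok is False when the record is implausible even after wrap handling
    (last before first, or a flow older than MAX_AGE_MS); such records are
    the ones to drop before they reach rrdtool.
    """
    body = text.lstrip().lstrip("#:")  # drop the "#:" header marker
    for row in csv.DictReader(io.StringIO(body)):
        export_ms = (int(row["unix_secs"]) * 1000
                     + int(row["unix_nsecs"]) // 1_000_000)
        up = int(row["sysuptime"])
        a_first = age_ms(up, int(row["first"]))
        a_last = age_ms(up, int(row["last"]))
        ok = a_last <= a_first <= MAX_AGE_MS
        yield export_ms - a_first, export_ms - a_last, ok


if __name__ == "__main__":
    for first, last, ok in normalize(SAMPLE):
        print(first, last, "keep" if ok else "drop")
```

Under the wrap assumption, both records convert to wall-clock times that increase from the first flow to the second, so only records that fail the `ok` check need filtering.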
