On Thu, 27 Sep 2007 09:12:29 -0400, Joe Loiacono <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] wrote on 09/27/2007 03:28:40 AM:
>
>> Hi,
>>
>> I'm surely not in the right mailing list but I think you have an answer
>> for my question ;-)
>>
>> I'm trying to write a small script, using flow-tools, to convert Netscreen
>> syslog output into flows to analyse them with Netflow Analyser. But as I'm
>> new to netflow, I have a problem...
>>
>> For example, if I connect to www.google.com I'll get the following line in
>> my log:
>> Sep 27 09:19:53 (traffic): start_time="2007-09-27 09:18:50" duration=67
>> sent=3100 rcvd=10046 src=192.168.0.2 dst=64.233.183.104 src_port=1960
>> dst_port=80
>>
>> I miss the number of packets transmitted, but it's not really a problem (I
>> just want to know which protocols are used on my network).
>>
>> The problem is that I get a number of sent octets AND a number of received
>> octets. But in a flow there is only something like transmitted octets ...
>
> Treat your firewall as a two-interface router. Map the 'sent' bytes from
> above as input into the 'local' interface of your router, and map the
> 'rcvd' bytes as input into the 'Internet' interface. For flows in the
> opposite direction, do the opposite. This will simulate a router exporting
> netflow, since (typically) the router collects netflow as input bytes only
> to interfaces.
>
>> So this is my question. How does Netflow identify the In and Out traffic?
>
> Unless you're using a very modern IOS, netflow will only collect and
> export *input* data to each interface on which you are running netflow.
> Output data can be examined by filtering on all data with an 'outbound'
> interface equal to the one you're interested in.
>
>> Is there, for a TCP connection, 2 flows: one per direction? If it's that,
>> how does Netflow identify that these 2 flows are for the same TCP connection?
>
> Netflow ignores connections and only looks at input traffic.
>
> HTH,
>
> Joe
Thank you very much for this information. I'll modify my script to generate 2 flows per log line: one with an interface SNMP index as INPUT and the sent traffic, one with another interface SNMP index as OUTPUT and the rcvd traffic, and invert the src/dst of the second flow.

Best regards

Julien Nury

_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools
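The two-flows-per-log-line mapping that Joe describes and Julien plans to script, written out as an added Python example; it is not code from this thread or from flow-tools. The SNMP ifIndex values and the record field names (NetFlow v5 style) are assumptions, and the sample input is the Netscreen line quoted above.

```python
import re
from datetime import datetime, timedelta

# The Netscreen traffic line quoted in the thread, embedded here as sample input.
SAMPLE = ('Sep 27 09:19:53 (traffic): start_time="2007-09-27 09:18:50" duration=67 '
          'sent=3100 rcvd=10046 src=192.168.0.2 dst=64.233.183.104 src_port=1960 '
          'dst_port=80')

# Assumed SNMP ifIndex values for the pretend two-interface router (hypothetical).
IF_LOCAL = 1      # 'local' side: the host's sent bytes enter here
IF_INTERNET = 2   # 'Internet' side: the reply bytes enter here

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
REQUIRED = ('start_time', 'duration', 'sent', 'rcvd', 'src', 'dst', 'src_port', 'dst_port')
TIME_FMT = '%Y-%m-%d %H:%M:%S'


def parse_netscreen(line):
    """Split a Netscreen key=value traffic line into a dict; reject incomplete lines."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError(f'log line lacks {missing}')
    return fields


def to_flows(line):
    """Return two NetFlow-style records (dicts) for one Netscreen log line.

    Record 1 carries the 'sent' octets entering the local interface; record 2
    carries the 'rcvd' octets entering the Internet interface with src/dst and
    the ports swapped, which is how a router would see the reply leg.
    """
    f = parse_netscreen(line)
    start = datetime.strptime(f['start_time'], TIME_FMT)
    end = start + timedelta(seconds=int(f['duration']))
    common = {'first': start.strftime(TIME_FMT), 'last': end.strftime(TIME_FMT),
              'dPkts': 0}  # packet count is not present in the Netscreen line
    request = dict(common, srcaddr=f['src'], dstaddr=f['dst'],
                   srcport=int(f['src_port']), dstport=int(f['dst_port']),
                   input=IF_LOCAL, output=IF_INTERNET, dOctets=int(f['sent']))
    reply = dict(common, srcaddr=f['dst'], dstaddr=f['src'],
                 srcport=int(f['dst_port']), dstport=int(f['src_port']),
                 input=IF_INTERNET, output=IF_LOCAL, dOctets=int(f['rcvd']))
    return [request, reply]


if __name__ == '__main__':
    for flow in to_flows(SAMPLE):
        print(flow)
```

Filtering the resulting records on `input == IF_LOCAL` then gives the outbound bytes per host, and on `input == IF_INTERNET` the inbound bytes, matching Joe's description of how a router's input-only accounting is queried.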
