The times are a little tricky. Here's an example:

1205337599,477621174,3920562904,198.119.56.66,1,64,3920554564,3920554566,172.16.22.83,192.168.56.66,94,0,0,2048,1,0

The marked fields, in order, are unix_secs (1205337599), unix_nsecs (477621174), sysuptime (3920562904), first (3920554564) and last (3920554566).

From http://netflow.caligare.com/netflow_v5.htm:

  sys_uptime   Current time in milliseconds since the export device booted
  unix_secs    Current count of seconds since 0000 UTC 1970 (epoch time)
  unix_nsecs   Residual nanoseconds since 0000 UTC 1970
  first        SysUptime at start of flow
  last         SysUptime at the time the last packet of the flow was received

sysuptime is in milliseconds so SSSSSSS.MMM (SSSSSSS is integer seconds; MMM is integer milliseconds)
unix_secs is integer seconds of epoch at time of netflow packet export
unix_nsecs is integer number of nanoseconds (billionths of a second incredibly) at time of netflow packet export
first is sysuptime secs of first packet in flow
last is sysuptime secs of last packet in flow

So, this netflow packet was exported at 1205337599.477621174 seconds since epoch (03/12/2008 15:59:59 (GMT))
When the packet was exported, the system had been up for 3920562.904 seconds
The first packet in the flow was received by the device at 3920554.564 seconds, -8.340 seconds
So the time of the first packet was 03/12/2008 15:59:51
The time of the last packet was 03/12/2008 15:59:53 (ignoring fractions)
The flow was 2 seconds long

(Hope I have this right)

Joe


"Baptiste Lacroix" <[EMAIL PROTECTED]>
05/14/2008 09:11 AM

To: Joe Loiacono/CIV/[EMAIL PROTECTED]
cc: <flow-tools@list.splintered.net>, <[EMAIL PROTECTED]>
Subject: RE: [Flow-tools] More details about flow-export

Thanks a lot about DFLOWS...

The one I use is:

  flow-cat /var/log/netflow/ft/ft-v05* | flow-export -f3 -u "flowuser:2521bast18:localhost:3306:netflow:FLOWS" -mUNIX_SECS,EXADDR,DFLOWS,DPKTS,DOCTETS,SRCADDR,DSTADDR,SRCPORT,DSTPORT,PROT,TOS

or:

  flow-cat /var/log/netflow/ft/ft-v05* | flow-export -f3 -u "flowuser:2521bast18:localhost:3306:netflow:FLOWS" -m0x0000000000783069LL

And it is actually working fine, but I would like to know the exact meaning of each field; even if I can guess all of them, I want there to be no doubt. For example, the difference between UNIX_SEC, UNIX_NSEC, SYSUPTIME... I guess the first one is the time of the transmission, the second one the duration, but the last one ??? Also 'D'OCTETS... D means Distribution ??? What should I understand by distribution... I hope those questions don't seem too stupid.

Best regards.

Baptiste Lacroix


From: Joe Loiacono [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 14 May 2008 14:52
To: Baptiste Lacroix
Cc: flow-tools@list.splintered.net; [EMAIL PROTECTED]
Subject: Re: [Flow-tools] More details about flow-export

One thing that might be throwing you off is that DFLOWS does not exist for netflow versions 1 and 5.

Here's a flow-export command I have used:

  flow-export -f2 -m UNIX_SECS,UNIX_NSECS,SYSUPTIME,EXADDR,DPKTS,DOCTETS,FIRST,LAST,SRCADDR,DSTADDR,INPUT,OUTPUT,SRCPORT,DSTPORT,PROT,TOS < ft-v05.2008-02-12.091503+0000 > ~/flowtools_export

Joe


"Baptiste Lacroix" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
05/14/2008 03:15 AM

To: <flow-tools@list.splintered.net>
cc:
Subject: [Flow-tools] More details about flow-export

Hi,

I'm actually working on a project about netflow. I'm using flow-tools and in particular flow-export. I would just like to know if there is a detailed explanation of every field used to export (in the case of MySQL export). I have some difficulty understanding the DFLOWS, for example.

I'm finishing my studies and the period they're allowing me to work on this project is really short, so maybe I missed some explanation on the net, and I apologize for this. Thanks in advance.

Baptiste Lacroix

_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools
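The timestamp arithmetic Joe walks through at the top of this thread, written out as an added example (not code from the thread or from the flow-tools project): it converts the first and last SysUptime values of a flow-export record into absolute UTC times using unix_secs, unix_nsecs and sysuptime from the same record. The record is the one Joe posted, re-typed here as constructed sample input, and the column order is the -m list from his earlier reply. Everything else is an assumption on my part: the field names, the decision to treat SysUptime, first and last as 32-bit millisecond counters (so a flow that started before the counter wrapped is still placed correctly, and a last value a few ms past sysuptime comes out as a small negative age rather than a 49-day one), and the choice to report the duration in milliseconds, the unit of the first/last fields.

```python
from datetime import datetime, timezone

# Field order of the exported record, matching the flow-export -m list quoted
# in the thread (assumption: the record was exported with exactly that list).
V5_FIELDS = ("unix_secs", "unix_nsecs", "sysuptime", "exaddr", "dpkts", "doctets",
             "first", "last", "srcaddr", "dstaddr", "input", "output",
             "srcport", "dstport", "prot", "tos")
INT_FIELDS = {"unix_secs", "unix_nsecs", "sysuptime", "dpkts", "doctets", "first",
              "last", "input", "output", "srcport", "dstport", "prot", "tos"}

# SysUptime, first and last are 32-bit millisecond counters (assumption based on
# the v5 field definitions quoted above); the counter wraps every ~49.7 days.
UINT32_MOD = 2 ** 32
NS_PER_MS = 1_000_000
NS_PER_S = 1_000_000_000

# Constructed sample input: the record quoted in the thread, re-typed here.
SAMPLE_RECORD = ("1205337599,477621174,3920562904,198.119.56.66,1,64,"
                 "3920554564,3920554566,172.16.22.83,192.168.56.66,94,0,0,2048,1,0")


def parse_record(line):
    """Split one comma-separated flow-export line into a dict keyed by V5_FIELDS."""
    values = line.strip().split(",")
    if len(values) != len(V5_FIELDS):
        raise ValueError(f"expected {len(V5_FIELDS)} fields, got {len(values)}")
    rec = dict(zip(V5_FIELDS, values))
    for name in INT_FIELDS:
        rec[name] = int(rec[name])
    return rec


def uptime_age_ms(sysuptime_ms, uptime_ms):
    """Milliseconds before the export at which a given SysUptime value occurred.

    The subtraction is done modulo 2**32 so a flow that began before the
    uptime counter wrapped still gets a small positive age. A result in the
    upper half of the range means uptime_ms is slightly later than sysuptime
    (exporters do emit last > sysuptime by a few ms); report that as a small
    negative age instead of a ~49-day one.
    """
    age = (sysuptime_ms - uptime_ms) % UINT32_MOD
    if age > UINT32_MOD // 2:
        age -= UINT32_MOD
    return age


def flow_times(rec):
    """Absolute epoch-nanosecond timestamps for export, first packet and last packet."""
    export_ns = rec["unix_secs"] * NS_PER_S + rec["unix_nsecs"]
    start_ns = export_ns - uptime_age_ms(rec["sysuptime"], rec["first"]) * NS_PER_MS
    end_ns = export_ns - uptime_age_ms(rec["sysuptime"], rec["last"]) * NS_PER_MS
    return {
        "export_ns": export_ns,
        "start_ns": start_ns,
        "end_ns": end_ns,
        # first/last are milliseconds, so the flow duration is in milliseconds too.
        "duration_ms": (rec["last"] - rec["first"]) % UINT32_MOD,
    }


def fmt_utc(epoch_ns):
    """Render epoch nanoseconds as a UTC timestamp keeping the full nanosecond fraction."""
    whole = datetime.fromtimestamp(epoch_ns // NS_PER_S, tz=timezone.utc)
    return whole.strftime("%Y-%m-%d %H:%M:%S") + f".{epoch_ns % NS_PER_S:09d}"


if __name__ == "__main__":
    rec = parse_record(SAMPLE_RECORD)
    t = flow_times(rec)
    print("exported at  ", fmt_utc(t["export_ns"]))
    print("first packet ", fmt_utc(t["start_ns"]))
    print("last packet  ", fmt_utc(t["end_ns"]))
    print("duration     ", t["duration_ms"], "ms")
```

All three timestamps come from the exporter's own clock (unix_secs/unix_nsecs), so when these values are loaded into a database next to collector-side receive times, a persistent offset between the two is a sign of a mis-set clock on the exporter rather than of flows arriving late.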