Michael W. Lucas
Wed, 07 Jan 2009 10:41:44 -0800
Hi, I'm using flow-print 0.68.4 on FreeBSD, installed from a package.
I've noticed something odd with flow-print's representation of TCP
flags. Here I'm using flow-print -f 1:
Sif SrcIPaddress DIf DstIPaddress Pr SrcP DstP Pkts Octets StartTime EndTime Active B/Pk Ts Fl
0000 63.85.32.4 0000 207.46.209.247 06 c952 50 6095 326196 1201.11:58:00.409 1201.12:01:55.917 235.508 53 00 1a
0000 63.85.32.4 0000 207.46.209.247 06 c954 50 5860 315247 1201.11:58:00.451 1201.12:02:05.769 245.318 53 00 1a
1a = 26 or 11010 or ACK+PSH+SYN, a perfectly decent set of flags.
Here's the same set of flags with flow-print -f 5:
Start End Sif SrcIPaddress SrcP DIf DstIPaddress DstP P Fl Pkts Octets
1201.11:58:00.409 1201.12:01:55.917 0 63.85.32.4 51538 0 207.46.209.247 80 6 2 6095 326196
1201.11:58:00.451 1201.12:02:05.769 0 63.85.32.4 51540 0 207.46.209.247 80 6 2 5860 315247
The flags for these flows are shown as "2". It's almost as if the
flags field in -f5 is getting trimmed?
Any thoughts? Am I reading this wrong, or shall I file a bug?
Thanks,
==ml
--
Michael W. Lucas mwlu...@blackhelicopters.org, mwlu...@freebsd.org
http://www.BlackHelicopters.org/~mwlucas/
"My pessimism extends to the point of even suspecting the sincerity of
the pessimists." -- Jean Rostand, French biologist and philosopher
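
An added example, not part of the original post and not flow-tools code: it decodes the flags byte shown by -f 1 and checks which candidate truncations would turn 1a into the "2" shown by -f 5. The candidate list and all function names are assumptions made for illustration; nothing here is taken from the flow-print source.

```python
# Standard TCP flag bit values, low six bits of the flags byte.
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def decode_flags(value):
    """Return the names of the flags set in a flags byte, highest bit first."""
    return [name for bit, name in reversed(TCP_FLAGS) if value & bit]


# Hypothetical ways a formatter could shorten the field (assumptions, not
# flow-print's actual behaviour). Each maps the full byte to the text shown.
HYPOTHESES = {
    "low3": lambda v: str(v & 0x07),          # only FIN/SYN/RST kept
    "low4": lambda v: str(v & 0x0F),          # low nibble kept
    "high4": lambda v: str(v >> 4),           # high nibble kept
    "hex_cut": lambda v: format(v, "x")[:1],  # hex text cut to one character
    "dec_cut": lambda v: str(v)[:1],          # decimal text cut to one character
}


def consistent_hypotheses(full_value, shown):
    """Names of the hypotheses that reproduce the observed shortened text."""
    return [name for name, fn in HYPOTHESES.items() if fn(full_value) == shown]


def distinguishing_values(names):
    """Flag bytes on which the named hypotheses would print different text."""
    return [v for v in range(256)
            if len({HYPOTHESES[n](v) for n in names}) > 1]


if __name__ == "__main__":
    observed_full, observed_short = 0x1A, "2"   # values from the two outputs above
    print("1a decodes to", "+".join(decode_flags(observed_full)))
    survivors = consistent_hypotheses(observed_full, observed_short)
    print("consistent with the -f 5 output:", survivors)
    # A flow whose flags byte is in this list would tell the survivors apart.
    probes = distinguishing_values(survivors)
    print("first few distinguishing flag bytes:",
          [format(v, "02x") for v in probes[:5]])
```

Two of the candidates survive the single observation, so a flow with a different flags byte (for example 12, SYN+ACK) printed in both formats would be needed to tell them apart.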