FIRST and LAST.

From flow-export.1

FIRST           0x0000000000000080LL
LAST            0x0000000000000100LL

These are relative to the sysUpTime (which is not the same as the SNMP sysUpTime) of the router which you can get with

SYSUPTIME       0x0000000000000004LL

FYI I'm not sure if flow-print deals with the case of sysUpTime rolling over...It's something on my todo list to look at.

--
mark

On Jul 26, 2004, at 8:57 PM, Mike Hunter wrote:

Hi everybody,

I've got an app that's crashing, complaining about a flow that is outside
of its time window. I figured out that the flow it complains about isn't
wrong; it's the one before, which claims to be from September 2004.
Yeikes!


Here's the flow under flow-export -f 2:

1090846405,95362500,496,128.32.23.45,3,144,4294943380,4294951940,0,0,83.152.130.232,169.229.67.89,0.0.0.0,9,0,3783,4661,6,0,2,0,16,0,0

Here's the "same" flow under flow-print -f 5:

0913.22:55:47.979 0913.22:55:56.539 9 83.152.130.232 3783 0 169.229.67.89 4661 6 2 3 144

Obviously there's something very funky going on here.

What I need some help on is figuring out where in the flow-export record
the duration of the flow is listed. I'm thinking that maybe there's
something very wrong with that field (overflow/negative perhaps?) that is
making this flow jump into the future.


It should be noted that this flow comes from a Cisco 6509 running in
hybrid mode. I've had problems with flows from such machines in the past,
so I'm very willing to implicate corrupt netflow packets.


I read the flow-export man page, but I couldn't figure out what field (if
any) determines the duration of a flow...flow-print -f 5 has it in there,
so it must be in the flow somewhere, but I am missing it.


Thanks,

Mike
_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools
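
The sysUpTime rollover case mentioned in the reply, worked through on the record quoted in the question. This is an added example, not code from the thread or from flow-tools. The column order used in `parse` is an assumption, and the function names are hypothetical.

```python
from datetime import datetime, timezone

WRAP = 1 << 32  # sysUpTime, First and Last are 32-bit millisecond counters

# Record quoted in the thread (stray space in the source address removed).
LINE = ("1090846405,95362500,496,128.32.23.45,3,144,4294943380,4294951940,"
        "0,0,83.152.130.232,169.229.67.89,0.0.0.0,9,0,3783,4661,6,0,2,0,16,0,0")

def parse(line):
    # Assumed column order: unix_secs, unix_nsecs, sysuptime, exaddr,
    # dpkts, doctets, first, last, ... (later columns are not needed here).
    f = line.split(",")
    return {"unix_secs": int(f[0]), "unix_nsecs": int(f[1]),
            "sysuptime": int(f[2]), "first": int(f[6]), "last": int(f[7])}

def export_ms(r):
    # Wall-clock time of the export packet, in milliseconds since the epoch.
    return r["unix_secs"] * 1000 + r["unix_nsecs"] // 1_000_000

def naive_ms(r, field):
    # Plain arithmetic: lands about 49.7 days late when sysuptime has wrapped
    # past 2**32 but the flow's counter was stamped before the wrap.
    return export_ms(r) - r["sysuptime"] + r[field]

def wrap_aware_ms(r, field):
    # Age of the event modulo 2**32; correct while the flow is < 2**32 ms old.
    age = (r["sysuptime"] - r[field]) % WRAP
    return export_ms(r) - age

def duration_ms(r):
    # Flow duration, also taken modulo 2**32 in case Last wrapped and First did not.
    return (r["last"] - r["first"]) % WRAP

def utc(ms):
    t = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return t.replace(microsecond=(ms % 1000) * 1000).isoformat(timespec="milliseconds")

if __name__ == "__main__":
    r = parse(LINE)
    for name, fn in (("naive", naive_ms), ("wrap-aware", wrap_aware_ms)):
        print(f"{name:10s} start={utc(fn(r, 'first'))} end={utc(fn(r, 'last'))}")
    print("duration_ms =", duration_ms(r))
```

The naive start time carries the same .979 millisecond fraction as the flow-print line and falls in September 2004, exactly 2^32 ms after the wrap-aware result.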

