Hi,
I'm looking at version 5 flows captured from a cisco router (ios 12.1-5)
exported to flow-capture (flow-tools-0.67/FreeBSD 4.10r0).  The only TCP
flags I'm seeing (combined) in the Fl column are SYN, FIN, and RST.  Are the
rest being masked out?  Is this likely to be happening on the router or in
flow-tools?

flow-print -f 5 <ft-v05.2004-10-18.150001-0400 | grep "192.168.65.1    4013"
Start             End               Sif   SrcIPaddress    SrcP  DIf   DstIPaddress    DstP    P Fl Pkts       Octets  (header pasted in)
1018.14:59:58.182 1018.14:59:58.194 1     192.168.57.89   20    4     192.168.65.1    4013  6   3  6          244
1018.14:59:58.182 1018.14:59:58.194 4     192.168.65.1    4013  1     192.168.57.89   20    6   3  9          9212


Thanks, Steve Dutky
Rockville MD Geocenter Network Support
301-545-4113 desk
800-532-2382 24x7
301-325-8146 cell
[EMAIL PROTECTED]
www.thomson.com/financial


Related previous post:
Mark Fullmer maf at splintered.net 
Sun May 12 11:01:03 EDT 2002 


See /usr/include/netinet/tcp.h

#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
#define TH_ECE  0x40
#define TH_CWR  0x80

The NetFlow tcp_flags field is constructed by an OR operation on the TCP
header flags for every packet in the flow.

mark

On Fri, May 10, 2002 at 10:39:33PM +1000, Dale Clapperton (lists) wrote:
> Hi
> 
> A brief question..  When using flow-print -f5, how does the value for
> "(u_int)*cur.tcp_flags & 0x7" in the code translate into the actual flags
> on each packet?  I'm attempting to hack together a custom format for
> flow-print which will output in the DSHIELD format
> (http://www.dshield.org/specs.html#dshield_format), which requires the
> flags to be represented using characters or text, not numerically.
> 
> Thanks
> 
> Dale
> 
> 
> _______________________________________________
> flow-tools at splintered.net
> http://www.splintered.net/sw/flow-tools

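An added example, not code from flow-tools or from either poster, showing the two things discussed above: how the per-packet TCP flags are OR-ed into a flow-level tcp_flags byte, and how that byte can be rendered as letters for a text format such as DSHIELD. The TH_* values are the ones quoted from netinet/tcp.h; the functions flow_tcp_flags and tcp_flags_to_text, the letter assignments and the sample packet list are my own constructions. The final lines apply the 0x7 mask quoted from the flow-print source, which keeps only bits 0-2 (FIN, SYN, RST) and drops ACK, PSH, URG, ECE and CWR.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag bits as defined in netinet/tcp.h (values as quoted in the thread). */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
#define TH_ECE  0x40
#define TH_CWR  0x80

/* Build the flow-level tcp_flags byte the way NetFlow does: OR together the
   TCP header flags of every packet that belonged to the flow. */
uint8_t flow_tcp_flags(const uint8_t *pkt_flags, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= pkt_flags[i];
    return acc;
}

/* Render a tcp_flags byte as text, one letter per set bit, in a fixed order
   (CWR, ECE, URG, ACK, PSH, RST, SYN, FIN). The letter assignment is this
   example's own choice. Returns the number of letters written, or -1 if
   the output buffer has no room for the terminator. */
int tcp_flags_to_text(uint8_t flags, char *out, size_t outlen)
{
    static const struct { uint8_t bit; char c; } table[] = {
        { TH_CWR, 'C' }, { TH_ECE, 'E' }, { TH_URG, 'U' }, { TH_ACK, 'A' },
        { TH_PUSH, 'P' }, { TH_RST, 'R' }, { TH_SYN, 'S' }, { TH_FIN, 'F' },
    };
    size_t pos = 0;

    if (outlen == 0)
        return -1;
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (flags & table[i].bit) {
            if (pos + 1 >= outlen)   /* leave room for the terminator */
                break;
            out[pos++] = table[i].c;
        }
    }
    out[pos] = '\0';
    return (int)pos;
}

int main(void)
{
    /* Constructed sample: per-packet flags of a short client-to-server
       flow (SYN, ACK, PSH|ACK, FIN|ACK). */
    const uint8_t pkts[] = { TH_SYN, TH_ACK, TH_PUSH | TH_ACK, TH_FIN | TH_ACK };
    uint8_t flags = flow_tcp_flags(pkts, sizeof pkts);
    char text[9];

    tcp_flags_to_text(flags, text, sizeof text);
    printf("flow tcp_flags   = 0x%02x  text = %s\n", flags, text);

    /* The same byte masked with 0x7 keeps only FIN/SYN/RST, so a printer
       that applies this mask never shows ACK, PSH, URG, ECE or CWR. */
    tcp_flags_to_text(flags & 0x7, text, sizeof text);
    printf("masked (& 0x7)   = 0x%02x  text = %s\n", flags & 0x7, text);
    return 0;
}
```

Compiled with `cc -std=c99 -o flags flags.c`, the sample flow yields 0x1b ("APSF") unmasked and 0x03 ("SF") after the 0x7 mask.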