Hi, I'm using flow-print 0.68.4 on FreeBSD, installed from a package.
I've noticed something odd with flow-print's representation of TCP flags. Here I'm using flow-print -f 1:

Sif  SrcIPaddress DIf  DstIPaddress   Pr SrcP DstP Pkts Octets StartTime         EndTime           Active  B/Pk Ts Fl
0000 63.85.32.4   0000 207.46.209.247 06 c952 50   6095 326196 1201.11:58:00.409 1201.12:01:55.917 235.508 53   00 1a
0000 63.85.32.4   0000 207.46.209.247 06 c954 50   5860 315247 1201.11:58:00.451 1201.12:02:05.769 245.318 53   00 1a

1a = 26 or 11010 or ACK+PSH+SYN, a perfectly decent set of flags. Here's the same set of flags with flow-print -f 5:

Start             End               Sif SrcIPaddress SrcP  DIf DstIPaddress   DstP P Fl Pkts Octets
1201.11:58:00.409 1201.12:01:55.917 0   63.85.32.4   51538 0   207.46.209.247 80   6 2  6095 326196
1201.11:58:00.451 1201.12:02:05.769 0   63.85.32.4   51540 0   207.46.209.247 80   6 2  5860 315247

The flags for these flows are shown as "2". It's almost as if the flags field in -f 5 is getting trimmed? Any thoughts? Am I reading this wrong, or shall I file a bug?

Thanks,
==ml

-- 
Michael W. Lucas [email protected], [email protected]
http://www.BlackHelicopters.org/~mwlucas/
"My pessimism extends to the point of even suspecting the sincerity of the pessimists." -- Jean Rostand, French biologist and philosopher

_______________________________________________
Flow-tools mailing list
[email protected]
http://mailman.splintered.net/mailman/listinfo/flow-tools

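To make the discrepancy in the post concrete, here is an added example (not code from the post or from flow-tools) that decodes the TCP flags byte flow-print shows in its "Fl" column and cross-checks the -f 1 and -f 5 renderings of the same flows. The sample rows are the ones quoted in the post; the column layouts are taken from the two headers there. The function names, the decision to read the -f 5 "Fl" value as hex (irrelevant for the single-digit values in the post) and the use of the standard TCP header bit order (FIN=0x01, SYN=0x02, RST=0x04, PSH=0x08, ACK=0x10, URG=0x20) are my assumptions.

```python
from __future__ import annotations

# Standard TCP header flag bits; flow-print prints the flags byte in hex.
TCP_FLAGS = [
    (0x01, "FIN"),
    (0x02, "SYN"),
    (0x04, "RST"),
    (0x08, "PSH"),
    (0x10, "ACK"),
    (0x20, "URG"),
]


def decode_tcp_flags(value: int) -> list[str]:
    """Return the names of the flag bits set in a TCP flags byte, lowest bit first."""
    if not 0 <= value <= 0xFF:
        raise ValueError(f"TCP flags byte out of range: {value!r}")
    return [name for bit, name in TCP_FLAGS if value & bit]


def parse_f1(line: str) -> dict:
    """Parse one data row of `flow-print -f 1` (layout from the post's header):
    Sif SrcIPaddress DIf DstIPaddress Pr SrcP DstP Pkts Octets StartTime
    EndTime Active B/Pk Ts Fl.  Pr, SrcP, DstP, Ts and Fl are hex."""
    f = line.split()
    if len(f) != 15:
        raise ValueError(f"expected 15 columns, got {len(f)}: {line!r}")
    return {
        "src": f[1], "dst": f[3], "proto": int(f[4], 16),
        "sport": int(f[5], 16), "dport": int(f[6], 16),
        "pkts": int(f[7]), "octets": int(f[8]),
        "start": f[9], "end": f[10], "flags": int(f[14], 16),
    }


def parse_f5(line: str) -> dict:
    """Parse one data row of `flow-print -f 5` (layout from the post's header):
    Start End Sif SrcIPaddress SrcP DIf DstIPaddress DstP P Fl Pkts Octets.
    Ports and protocol are decimal here (51538 == 0xc952 in the -f 1 row).
    Fl is read as hex, as in -f 1 (assumption; same result for "2")."""
    f = line.split()
    if len(f) != 12:
        raise ValueError(f"expected 12 columns, got {len(f)}: {line!r}")
    return {
        "src": f[3], "dst": f[6], "proto": int(f[8]),
        "sport": int(f[4]), "dport": int(f[7]),
        "pkts": int(f[10]), "octets": int(f[11]),
        "start": f[0], "end": f[1], "flags": int(f[9], 16),
    }


def flow_key(r: dict) -> tuple:
    """Join key: endpoints plus start/end timestamps identify one flow record."""
    return (r["src"], r["sport"], r["dst"], r["dport"], r["start"], r["end"])


def compare_flags(f1_rows: list[str], f5_rows: list[str]) -> list[dict]:
    """Match -f 1 rows to -f 5 rows and report flows whose flag byte differs."""
    by_key = {flow_key(r): r for r in (parse_f5(l) for l in f5_rows)}
    diffs = []
    for line in f1_rows:
        a = parse_f1(line)
        b = by_key.get(flow_key(a))
        if b is None or a["flags"] == b["flags"]:
            continue
        diffs.append({
            "src": a["src"], "sport": a["sport"],
            "dst": a["dst"], "dport": a["dport"],
            "f1_flags": a["flags"], "f1_names": decode_tcp_flags(a["flags"]),
            "f5_flags": b["flags"], "f5_names": decode_tcp_flags(b["flags"]),
        })
    return diffs


# Sample rows copied from the post (data rows only, headers stripped).
F1_ROWS = [
    "0000 63.85.32.4 0000 207.46.209.247 06 c952 50 6095 326196 1201.11:58:00.409 1201.12:01:55.917 235.508 53 00 1a",
    "0000 63.85.32.4 0000 207.46.209.247 06 c954 50 5860 315247 1201.11:58:00.451 1201.12:02:05.769 245.318 53 00 1a",
]
F5_ROWS = [
    "1201.11:58:00.409 1201.12:01:55.917 0 63.85.32.4 51538 0 207.46.209.247 80 6 2 6095 326196",
    "1201.11:58:00.451 1201.12:02:05.769 0 63.85.32.4 51540 0 207.46.209.247 80 6 2 5860 315247",
]

if __name__ == "__main__":
    for d in compare_flags(F1_ROWS, F5_ROWS):
        print(f"{d['src']}:{d['sport']} -> {d['dst']}:{d['dport']}: "
              f"-f 1 0x{d['f1_flags']:02x} {'+'.join(d['f1_names'])} vs "
              f"-f 5 0x{d['f5_flags']:02x} {'+'.join(d['f5_names'])}")
```

Run against the rows from the post, both flows are reported: the -f 1 byte 0x1a decodes to SYN+PSH+ACK, while the value 2 printed by -f 5 decodes to SYN alone, so the two formats do not agree on the same records. The same join-and-compare check can be run over a full `flow-print` dump of a flow file before trusting the flags column from either format.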