Hi Robert,

On Wed, May 27, 2009 at 01:29:19PM -0400, Hahn, Robert wrote:
> > I am using flow-export version 1.26 against files created
> > w/flow-gen version 5 '-V 5' and outputting wire format via flow-export
> > '-f 4'.
> > $Id: flow-export.c,v 1.26 2004/03/31 03:11:14 maf Exp $
> >
> > It seems to be missing the exaddr field 'Exporter IP address'
> > which I do need and which is present in ascii delimited output '-f 2'
> > as the 4th ordinal. Is this by design? Am I missing something?

Yes and yes... I'll try to clarify:

> > It is in the flow-gen output:
<snip>
> I don't see it in struct ftpdu_v5

The exporter IP address is not in the wire format because it is merely the source IP address from the IP header of the packet. It would be redundant and error-prone to repeat it in the structured payload of the packet.

When a process uses the socket API to receive from the "wire", i.e. when it receives the payload from a UDP datagram, it can call the recvfrom() system call, which returns the content and also the remote IP (source) address and port number.

It's only when flow-tools stores flow information to a file that it needs to save or "remember" the exporter IP address (because otherwise it would be lost); it is implicitly there in the IP packet header (as the source IP address) when transmitted on the wire.

Dave

P.S. There are some protocols that support forwarding of information on the wire from one host to another, in which case they would want to preserve the original source IP address (e.g., the exporter IP address) but NetFlow is not one that supports that sort of forwarding.

--
[email protected] http://net.doit.wisc.edu/~plonka/ Madison, WI
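
The receive path described in the message above, as an added example (not part of the original message and not flow-tools code): a collector reads one datagram with recvfrom() and takes the exporter address from the sender address the call reports. The function names, the loopback sender standing in for an exporter, and the constructed four-byte header (version 5, count 0) are assumptions for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Receive one datagram. exaddr comes from the sender address that
 * recvfrom() reports (the IP header), not from the payload. */
static int recv_flow_pdu(int fd, char *exaddr, socklen_t exlen, uint16_t *version)
{
    unsigned char buf[1500];
    struct sockaddr_in from;
    socklen_t fromlen = sizeof(from);
    ssize_t n = recvfrom(fd, buf, sizeof(buf), 0, (struct sockaddr *)&from, &fromlen);
    if (n < 4)
        return -1;                      /* too short for version + count */
    memcpy(version, buf, sizeof(*version));
    *version = ntohs(*version);         /* first field of the v5 header */
    return inet_ntop(AF_INET, &from.sin_addr, exaddr, exlen) ? 0 : -1;
}

/* Constructed demo: a loopback sender stands in for the exporter. */
int demo(char *exaddr, socklen_t exlen, uint16_t *version)
{
    int col = socket(AF_INET, SOCK_DGRAM, 0), tx = socket(AF_INET, SOCK_DGRAM, 0);
    struct sockaddr_in a = { .sin_family = AF_INET,  /* port 0: kernel picks one */
                             .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t alen = sizeof(a);
    uint16_t h[2] = { htons(5), htons(0) };          /* version 5, count 0 */
    int rc = -1;
    if (col >= 0 && tx >= 0 &&
        bind(col, (struct sockaddr *)&a, sizeof(a)) == 0 &&
        getsockname(col, (struct sockaddr *)&a, &alen) == 0 &&
        sendto(tx, h, sizeof(h), 0, (struct sockaddr *)&a, sizeof(a)) == (ssize_t)sizeof(h))
        rc = recv_flow_pdu(col, exaddr, exlen, version);
    if (col >= 0) close(col);
    if (tx >= 0) close(tx);
    return rc;
}

int main(void)
{
    char ex[INET_ADDRSTRLEN];
    uint16_t v = 0;
    if (demo(ex, sizeof(ex), &v) == 0)
        printf("v%u PDU from exporter %s\n", (unsigned)v, ex);
    return 0;
}
```

Because the exporter address is taken from the datagram's source address rather than from the payload, a collector that attributes flows by exporter should accept datagrams only from the addresses it expects.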
