Thanks! (I'm a total newbie with netflow and these tools). I think 'exporter' identifies the router, like e.g. exporterIPv4Address in IPFIX and as you say doesn't belong in 'wire' format flow-export output.
So if I need the exporter, I could instead use flow-export -f 0 (cflowd) with CF_ROUTERMASK set/defaulted in the mask_fields? (Or ascii but I want binary format).

>
> Hi Robert,
>
> On Wed, May 27, 2009 at 01:29:19PM -0400, Hahn, Robert wrote:
> > > I am using flow-export version 1.26 against files created
> > > w/flow-gen version 5 '-V 5' and outputting wire format via
> > > flow-export '-f 4'.
> > > $Id: flow-export.c,v 1.26 2004/03/31 03:11:14 maf Exp $
> > >
> > > It seems to be missing the exaddr field 'Exporter IP address'
> > > which I do need and which is present in ascii delimited output '-f 2'
> > > as the 4th ordinal. Is this by design? Am I missing something?
> > Yes and yes... I'll try to clarify:
> >
> > It is in the flow-gen output:
> <snip>
> > I don't see it in struct ftpdu_v5
>
> The exporter IP address is not in the wire format because it
> is merely the source IP address from the IP header of the packet.
> It would be redundant and error-prone to repeat it in the
> structured payload of the packet.
>
> When a process uses the socket API to receive from the
> "wire", i.e. when it receives the payload from a UDP
> datagram, it can call the recvfrom() system call, which
> returns the content and also the remote IP (source) address
> and port number.
>
> It's only when flow-tools stores flow information to a file
> that it needs to save or "remember" the exporter IP address
> (because otherwise it would be lost); it is implicitly there
> in the IP packet header (as the source IP address) when
> transmitted on the wire.
>
> Dave
>
> P.S. There are some protocols that support forwarding of
> information on the wire from one host to another, in which
> case they would want to preserve the original source IP
> address (e.g., the exporter IP address) but NetFlow is not
> one that supports that sort of forwarding.
>
> --
> [email protected] http://net.doit.wisc.edu/~plonka/ Madison, WI
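Added example, not part of the original thread and not flow-tools code: a minimal collector receive path showing the point made in the quoted reply, that the exporter address comes from recvfrom() and only the version and flow count come from the NetFlow v5 payload. The names nf5_header, rx_info, collect_one and demo are hypothetical, and the datagram sent over loopback is constructed for the demonstration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* NetFlow v5 export header: 24 bytes on the wire, network byte order.
 * Note that no field carries the exporter's own address. */
struct nf5_header {
    uint16_t version, count;
    uint32_t sys_uptime, unix_secs, unix_nsecs, flow_sequence;
    uint8_t  engine_type, engine_id;
    uint16_t sampling;
};

/* What a collector has to record per datagram before storing flows. */
struct rx_info {
    char     exporter[INET_ADDRSTRLEN]; /* from the IP header, via recvfrom() */
    uint16_t version, count;            /* from the payload */
};

/* Receive one export datagram; 0 on success, -1 on error or non-v5 input. */
int collect_one(int sock, struct rx_info *out)
{
    unsigned char buf[1500];
    struct sockaddr_in src;
    socklen_t slen = sizeof src;
    struct nf5_header h;
    ssize_t n = recvfrom(sock, buf, sizeof buf, 0, (struct sockaddr *)&src, &slen);
    if (n < (ssize_t)sizeof h) return -1;          /* error or truncated header */
    memcpy(&h, buf, sizeof h);
    if (ntohs(h.version) != 5) return -1;
    out->version = 5;
    out->count = ntohs(h.count);
    return inet_ntop(AF_INET, &src.sin_addr, out->exporter, sizeof out->exporter) ? 0 : -1;
}

/* Loopback demo: send a constructed header-only v5 datagram to ourselves. */
int demo(struct rx_info *out)
{
    struct sockaddr_in a = { .sin_family = AF_INET };
    socklen_t alen = sizeof a;
    struct nf5_header h = { .version = htons(5), .count = htons(0) };
    int rx = socket(AF_INET, SOCK_DGRAM, 0), tx = socket(AF_INET, SOCK_DGRAM, 0), rc = -1;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);    /* port 0: kernel picks one */
    if (rx >= 0 && tx >= 0 && bind(rx, (struct sockaddr *)&a, sizeof a) == 0 &&
        getsockname(rx, (struct sockaddr *)&a, &alen) == 0 &&
        sendto(tx, &h, sizeof h, 0, (struct sockaddr *)&a, sizeof a) == (ssize_t)sizeof h)
        rc = collect_one(rx, out);
    close(rx); close(tx);
    return rc;
}
```

The address recorded this way is taken from an unauthenticated UDP datagram, so it is only as trustworthy as the network path between the router and the collector.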
