Hi Johannes, Yes, the flags are OR'ed on that field as they come. Don't know which daemon you are using; if nfacctd then that is the standard way a NetFlow metering process accounts for TCP flags. pmacctd and the other daemons have inherited such a behaviour. So you should test presence (boolean and) of the flag you are looking for rather than equal to.
If not using nfacctd, I know this may not be ideal for some use-cases - especially in the area of security and forensics - and hence I'm open to feedback.

Cheers,
Paolo

On Mon, Jul 20, 2015 at 09:54:51PM +0200, Johannes Formann wrote:
> Hi,
>
> I have a question: how are the different Flags stored in the tcp_flags column
> of the mysql-Database (int(4))?
> The common mapping (SYN=2, ACK=16) doesn’t seem to match. I get these
> TCP-Flags for 90% of the traffic: 27, 223, 31
>
> That means 90% of the traffic have SYN, ACK AND FIN set…
>
> Am I matching the wrong bits or is the problem somewhere else?
>
> greetings
>
> Johannes
> _______________________________________________
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists
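A way to interpret an OR'ed tcp_flags value and test flag presence with a bitwise AND, as an added example that is not part of the thread or of pmacct itself. It assumes the standard TCP header bit values for all eight flags (the thread only names SYN=2 and ACK=16); the sample flow and the `syn_only_flows` helper are constructed for illustration.

```python
# Added example (not from the pmacct thread): interpreting a tcp_flags value
# that a NetFlow-style metering process has OR'ed together over a flow's life.
# Bit values are the standard TCP header flag bits; the thread itself only
# names SYN=2 and ACK=16.

TCP_FLAG_BITS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
    "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80,
}


def accumulate(flags_per_packet):
    """Mimic the metering process: OR each packet's flag byte into the flow record."""
    acc = 0
    for f in flags_per_packet:
        acc |= f
    return acc


def has_flag(tcp_flags, name):
    """Presence test: bitwise AND, never equality against the accumulated value."""
    return bool(tcp_flags & TCP_FLAG_BITS[name])


def decode(tcp_flags):
    """Return the sorted list of flag names present in an accumulated value."""
    return sorted(n for n, bit in TCP_FLAG_BITS.items() if tcp_flags & bit)


# Constructed flow: SYN, SYN|ACK, ACK, PSH|ACK, ACK, FIN|ACK, ACK.
# OR'ing the per-packet bytes gives 27 = FIN|SYN|PSH|ACK, one of the values
# Johannes saw, so a full handshake plus data plus close looks like this.
NORMAL_FLOW = [0x02, 0x12, 0x10, 0x18, 0x10, 0x11, 0x10]


def syn_only_flows(records):
    """Flows that carried SYN but never ACK, i.e. no completed handshake.
    The equivalent test on the MySQL column (an assumption about the schema,
    not pmacct documentation): WHERE (tcp_flags & 2) AND NOT (tcp_flags & 16).
    """
    return [r for r in records if has_flag(r, "SYN") and not has_flag(r, "ACK")]
```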
