Hi Paolo,

Using normal pmacctd.

If I understand you correctly, number 27 in the database means the following flags are set:

ACK (16)
PSH (8)
(NO RST)
SYN (2)
FIN (1)

Which is a strange combination, considering that according to the database it is set in about 20% of the packets … Or is my mapping of the flags to numbers wrong?

greetings
Johannes

> On 22.07.2015 at 05:20, Paolo Lucente <pa...@pmacct.net> wrote:
>
> Hi Johannes,
>
> Yes, the flags are OR'ed on that field as they come. Don't know which
> daemon you are using; if nfacctd then that is the standard way a
> NetFlow metering process accounts for TCP flags. pmacctd and the
> other daemons have inherited such a behaviour. So you should test
> presence (boolean and) of the flag you are looking for rather than
> equal to.
>
> If not using nfacctd, I know this may not be ideal for some use-cases
> - especially in the area of security and forensics - and hence I'm
> open to feedback.
>
> Cheers,
> Paolo
>
> On Mon, Jul 20, 2015 at 09:54:51PM +0200, Johannes Formann wrote:
>> Hi,
>>
>> I have a question: how are the different flags stored in the tcp_flags
>> column of the MySQL database (int(4))?
>> The common mapping (SYN=2, ACK=16) doesn't seem to match. I get these
>> TCP flags for 90% of the traffic: 27, 223, 31
>>
>> That means 90% of the traffic have SYN, ACK AND FIN set…
>>
>> Am I matching the wrong bits or is the problem somewhere else?
>>
>> greetings
>>
>> Johannes
>> _______________________________________________
>> pmacct-discussion mailing list
>> http://www.pmacct.net/#mailinglists
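An added example, not pmacct code and not written by either poster, that works through the point Paolo makes: the `tcp_flags` column holds the bitwise OR of every packet's flags over the flow, so a value like 27 describes the whole session rather than one packet, and the right query is a presence test (`tcp_flags & bit <> 0`) rather than an equality. The flag bit values are the standard TCP header bits; the per-packet flag sequence is constructed to mimic a normal client-side session; the column name `tcp_flags` is the one from the thread; the `classify_flow` labels are my own triage labels and not anything pmacct defines.

```python
# Added example (not pmacct code): decode the OR'ed tcp_flags value that a
# flow record accumulates, show how 27 arises from packets that never carry
# all four flags at once, and build the presence test as a SQL predicate.

# Standard TCP flag bits (RFC 793, plus the ECN bits ECE/CWR from RFC 3168).
TCP_FLAGS = {
    "FIN": 0x01,
    "SYN": 0x02,
    "RST": 0x04,
    "PSH": 0x08,
    "ACK": 0x10,
    "URG": 0x20,
    "ECE": 0x40,
    "CWR": 0x80,
}


def decode_flags(value):
    """Return the names of all flags set in an 8-bit tcp_flags value."""
    if not 0 <= value <= 0xFF:
        raise ValueError("tcp_flags must fit in one byte")
    return [name for name, bit in TCP_FLAGS.items() if value & bit]


def has_flag(value, name):
    """Presence test with bitwise AND: the check the thread recommends."""
    return bool(value & TCP_FLAGS[name])


def accumulate_flags(packet_flags):
    """Model what a flow record does: OR the flags of every packet seen."""
    acc = 0
    for flags in packet_flags:
        acc |= flags
    return acc


def sql_has_flag(name):
    """MySQL predicate testing presence of one flag, not equality."""
    return f"tcp_flags & {TCP_FLAGS[name]} <> 0"


def classify_flow(value):
    """Coarse triage label for a flow's accumulated flags (my own labels)."""
    names = set(decode_flags(value))
    if names == {"SYN"}:
        return "syn-only"       # attempt with no further traffic in this direction
    if "RST" in names:
        return "reset"          # session aborted at some point
    if {"SYN", "ACK", "FIN"} <= names:
        return "complete"       # handshake, data, orderly close all seen
    return "other"


# Constructed client-side packet sequence of one ordinary TCP session:
# SYN, then ACK (handshake), PSH|ACK (data), FIN|ACK (close).
SESSION_PACKETS = [
    TCP_FLAGS["SYN"],
    TCP_FLAGS["ACK"],
    TCP_FLAGS["PSH"] | TCP_FLAGS["ACK"],
    TCP_FLAGS["FIN"] | TCP_FLAGS["ACK"],
]


if __name__ == "__main__":
    # The values quoted in the thread, decoded as flow-level OR values.
    for value in (27, 31, 223):
        print(value, decode_flags(value), classify_flow(value))
    # No single packet above carries SYN+PSH+FIN, yet the flow stores 27.
    print("accumulated:", accumulate_flags(SESSION_PACKETS))
    print("query:", f"SELECT COUNT(*) FROM acct WHERE {sql_has_flag('SYN')}")
```

Reading the three values this way, 27 is what every orderly session leaves behind (FIN, SYN, PSH, ACK), 31 adds RST, and 223 additionally carries the ECN bits, which is why such values dominate rather than being a "strange combination".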