Hi Johannes,

We can do some debugging against a single session that you have control of - and hence know what to expect in terms of TCP flags. And if you pass me the pcap trace privately I can also reproduce in lab. Let me know how this sounds.

Cheers,
Paolo

On Wed, Jul 22, 2015 at 05:50:16AM +0200, Johannes Formann wrote:
> Hi Paolo,
>
> Using normal pmacctd.
>
> If I understand you correctly, number 27 in the database means the following
> flags are set:
> ACK (16)
> PSH (8)
> (NO RST)
> SYN (2)
> FIN (1)
>
> Which is a strange combination, considering that according to the database is
> set in about 20% of the packets …
> Or is my mapping of the flags to numbers wrong?
>
> greetings
>
> Johannes
>
>
> > On 22.07.2015 at 05:20, Paolo Lucente <[email protected]> wrote:
> >
> > Hi Johannes,
> >
> > Yes, the flags are OR'ed on that field as they come. Don't know which
> > daemon you are using; if nfacctd then that is the standard way a
> > NetFlow metering process accounts for TCP flags. pmacctd and the
> > other daemons have inherited such a behaviour. So you should test
> > presence (boolean and) of the flag you are looking for rather than
> > equal to.
> >
> > If not using nfacctd, I know this may not be ideal for some use-cases
> > - especially in the area of security and forensics - and hence I'm
> > open to feedback.
> >
> > Cheers,
> > Paolo
> >
> > On Mon, Jul 20, 2015 at 09:54:51PM +0200, Johannes Formann wrote:
> >> Hi,
> >>
> >> I have a question: how are the different flags stored in the tcp_flags
> >> column of the MySQL database (int(4))?
> >> The common mapping (SYN=2, ACK=16) doesn't seem to match. I get these
> >> TCP flags for 90% of the traffic: 27, 223, 31
> >>
> >> That means 90% of the traffic have SYN, ACK AND FIN set…
> >>
> >> Am I matching the wrong bits or is the problem somewhere else?
> >>
> >> greetings
> >>
> >> Johannes
> >> _______________________________________________
> >> pmacct-discussion mailing list
> >> http://www.pmacct.net/#mailinglists
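The following is an added example, not code from pmacct or from anyone in this thread. It shows the behaviour Paolo describes: a NetFlow-style metering process ORs the TCP flags of every packet in a flow into one cumulative value, so the stored number must be tested for flag presence with a bitwise AND rather than compared for equality. The per-packet flag sequence is constructed here; it is one direction of an ordinary, cleanly closed connection (SYN, ACK, PSH+ACK, FIN+ACK), which ORs to exactly 27, the value Johannes sees most often. The column name `tcp_flags` comes from the thread; the generated MySQL fragment assumes MySQL's `&` bitwise operator and is not pmacct's own query.

```python
from typing import Iterable, List

# Standard TCP flag bits (RFC 793 plus the ECE/CWR bits of RFC 3168).
TCP_FLAGS = {
    "FIN": 0x01,
    "SYN": 0x02,
    "RST": 0x04,
    "PSH": 0x08,
    "ACK": 0x10,
    "URG": 0x20,
    "ECE": 0x40,
    "CWR": 0x80,
}


def decode_flags(value: int) -> List[str]:
    """Return the names of all flag bits set in a cumulative tcp_flags value."""
    return [name for name, bit in TCP_FLAGS.items() if value & bit]


def accumulate_flags(per_packet_flags: Iterable[int]) -> int:
    """OR the flags of every packet in a flow, the way a NetFlow metering
    process (and pmacct's daemons, per the thread) records them."""
    acc = 0
    for flags in per_packet_flags:
        acc |= flags
    return acc


def has_flag(value: int, name: str) -> bool:
    """Presence test: bitwise AND against the flag's bit, never equality."""
    return bool(value & TCP_FLAGS[name])


def presence_where_clause(name: str, column: str = "tcp_flags") -> str:
    """Build a MySQL WHERE fragment that tests presence of one flag.
    Assumption: MySQL's '&' bitwise-AND operator; column name from the thread."""
    bit = TCP_FLAGS[name]
    return f"{column} & {bit} = {bit}"


# Constructed sample: one direction of a normal, cleanly closed TCP connection.
NORMAL_ONE_DIRECTION = [
    TCP_FLAGS["SYN"],                     # handshake
    TCP_FLAGS["ACK"],                     # handshake completion
    TCP_FLAGS["PSH"] | TCP_FLAGS["ACK"],  # data
    TCP_FLAGS["FIN"] | TCP_FLAGS["ACK"],  # teardown
]

if __name__ == "__main__":
    total = accumulate_flags(NORMAL_ONE_DIRECTION)
    print(total, decode_flags(total))        # 27 ['FIN', 'SYN', 'PSH', 'ACK']
    for stored in (27, 31, 223):             # the three values from the thread
        print(stored, decode_flags(stored))
    stored_values = [2, 27, 31, 223]
    # Equality only matches flows whose *cumulative* value is exactly SYN.
    print("SYN by equality:", [v for v in stored_values if v == TCP_FLAGS["SYN"]])
    # Presence test finds every flow in which a SYN was seen.
    print("SYN by presence:", [v for v in stored_values if has_flag(v, "SYN")])
    print(presence_where_clause("SYN"))      # tcp_flags & 2 = 2
```

Decoding the three values from the thread this way shows 27 as SYN, PSH, ACK, FIN (a complete connection), 31 as the same plus RST, and 223 as those plus ECE and CWR; a forensic query for "connections that were reset" therefore reads `tcp_flags & 4 = 4`, not `tcp_flags = 4`.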
