NetFlow如何决定方向:
NetFlow Direction and it’s Value to Troubleshooting
https://www.plixer.com/blog/netflow-and-ipfix-2/netflow-direction-and-its-value-to-troubleshooting/
Strategies used that attempt to determine flow direction but, aren’t entirely reliable include:
- Comparison of flow start times
- Lowest source port = server
- The relationship of A and B with other hosts on the network. A host with many connections to unique hosts ‘could’ be a server.
- Byte volumes: the host with the lower sent octet delta count is the client. This can be very misleading.
- Observation of TCP flags however, due to flow technologies aggregation methods, this strategy generally fails.
- Examining TTL metrics (if exported) – doesn’t provide a definitive answer.
- Consideration of how the flows were metered (I.e. ingress or egress) however, this is unreliable as some vendors only support egress. In other cases both are exported. Frankly, I never really understood why this was a good strategy. Perhaps someone could share their insight on this.
总结:基于硬件,比较准确。
官方文档:
IP Flow Information Export (IPFIX) Entities
http://www.iana.org/assignments/ipfix/ipfix.xhtml
Bidirectional Flow Export Using IP Flow Information Export (IPFIX)
https://tools.ietf.org/html/rfc5103
Wikipedia:
NetFlow
https://en.wikipedia.org/wiki/NetFlow
pcap转NetFlow以及时间戳问题
https://sourceforge.net/p/nfdump/mailman/message/23791576/
>> $ nfcapd -p9995 -l ./netflow/
>> $ softflowd -n 127.0.0.1:9995 -r dump.pcap
时间戳不太对。而且一个双向流会被拆分成两个。
nfcapd -f pcap #办不到
tshark读取pcap
tcpreplay,centos
