davidediger / flow-tools

Automatically exported from code.google.com/p/flow-tools

flow-export issues #3

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
1. flow-export -f1
2.
3.

What is the expected output? What do you see instead?
Expected output is a valid libpcap file; it would appear both the tcpdump
version numbers (minor and major) are outdated, as well as the magic number.

What version of the product are you using? On what operating system?
Latest stable version, on opensuse 10.3

Please provide any additional information below.
If more information is required please let me know.

Thanks, and keep up the amazing work.

Original issue reported on code.google.com by bmatth...@mattco.info on 9 Feb 2008 at 11:32

GoogleCodeExporter commented 8 years ago
I prepared a patch to address this issue.

I've attached it but you can also find it (and its description) here:

   http://net.doit.wisc.edu/~plonka/flow-tools/

 * flow-tools-0.68.4-flow-export-f1-fix.patch
   ------------------------------------------

   This patch modifies flow-export, when using the "-f1" option, so
   that it produces a well-formed libpcap version 2.4 file as output.

   Previously, without this patch, the output would be reported as
   corrupt by tcpdump, etc.  This issue is reported here:
      http://code.google.com/p/flow-tools/issues/detail?id=3

   This patch was prepared using flow-tools-0.68.4

   Installation
   ------------

   NOTE: The patch has been prepared with GNU diff's "--unified"
         option.  Only GNU patch is "guaranteed" to automatically apply
         diffs in this format.  If "patch --version" fails, you're not
         using GNU patch.  GNU patch can be found at:
         "ftp://ftp.gnu.org/pub/gnu/patch/".

   $ cd flow-tools-0.68.4
   $ patch -p0 < ../flow-tools-0.68.4-flow-export-f1-fix.patch
   $ # continue with configure and make ...

   Usage
   -----

      $ flow-export -f1 < ft-v05... > file.pcap
      $ tcpdump -n -r file.pcap

   Bugs
   ----

   Note that "flow-export -f1" produces one pcap packet record per
   flow record, so the packet and byte counts will not accurately
   reflect what was indicated in the flow records.  Based on Mark
   Fullmer's original comments, I believe this was his intended
   behavior; i.e. this is just a hack so that you can use tcpdump (or
   tshark, wireshark, etc.) expressions to detect the presence
   of matching flows.

   We might want to add another format number that synthesizes the
   right number of output packet records and packet sizes that are
   valid, based on the flow's average packet size, for instance.

   Also, don't trust the pcap output packet timestamps.  They're in
   the realm of reason, but they are not necessarily either the time
   of the first or last packet in the flow.

--
Dave

Original comment by daveplo...@gmail.com on 27 Jan 2009 at 10:11
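The thread above turns on two things: a pcap file that tcpdump rejects because its global header (magic number, major/minor version) is not what a libpcap 2.4 reader expects, and the "Bugs" caveat that the fixed flow-export still writes exactly one synthetic packet record per flow record. The following Python script is an added example, not code from flow-tools or from this thread: it builds a well-formed little-endian libpcap 2.4 file from a few constructed flow records (one synthetic IPv4/TCP SYN standing in for each flow, written with DLT_RAW as the link type; both choices are this example's assumptions, not what the patch does), and it checks an arbitrary pcap for the header and record-framing problems a reader would trip over. The malformed inputs at the bottom are constructed to exercise the check and are not the values the unpatched flow-export actually wrote.

```python
import socket
import struct

# libpcap file-format constants (taken from the libpcap spec, not from the issue).
PCAP_MAGIC_USEC = 0xA1B2C3D4   # standard magic, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # nanosecond-timestamp variant
PCAP_VERSION = (2, 4)          # the version a current tcpdump expects
LINKTYPE_RAW_IP = 101          # DLT_RAW: record payload starts at the IP header (assumed choice)
GLOBAL_HDR = "IHHiIII"         # magic, major, minor, thiszone, sigfigs, snaplen, linktype (24 bytes)
RECORD_HDR = "IIII"            # ts_sec, ts_usec, incl_len, orig_len (16 bytes)


def ipv4_checksum(hdr):
    """One's-complement sum of 16-bit words, as the IPv4 header checksum requires."""
    total = 0
    for i in range(0, len(hdr), 2):
        total += (hdr[i] << 8) | hdr[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def synth_packet(src, dst, sport, dport):
    """One synthetic IPv4/TCP SYN standing in for a whole flow (hypothetical, mirrors the -f1 caveat)."""
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                               socket.inet_aton(src), socket.inet_aton(dst)))
    struct.pack_into("!H", ip, 10, ipv4_checksum(ip))
    # seq/ack 0, data offset 5 (0x50), flags SYN (0x02), window/checksum/urgent 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 0, 0, 0)
    return bytes(ip) + tcp


def build_pcap(records, linktype=LINKTYPE_RAW_IP, snaplen=65535):
    """Write a well-formed little-endian libpcap 2.4 file from (ts_sec, ts_usec, payload) tuples."""
    out = [struct.pack("<" + GLOBAL_HDR, PCAP_MAGIC_USEC, PCAP_VERSION[0], PCAP_VERSION[1],
                       0, 0, snaplen, linktype)]
    for ts_sec, ts_usec, payload in records:
        out.append(struct.pack("<" + RECORD_HDR, ts_sec, ts_usec, len(payload), len(payload)))
        out.append(payload)
    return b"".join(out)


def check_pcap(data):
    """Return the problems a pcap reader would report; an empty list means the file is well-formed."""
    problems = []
    if len(data) < 24:
        return ["file shorter than the 24-byte global header"]
    magic_le = struct.unpack("<I", data[:4])[0]
    magic_be = struct.unpack(">I", data[:4])[0]
    if magic_le in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        order = "<"
    elif magic_be in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        order = ">"
    else:
        return ["unknown magic number 0x%08x" % magic_le]
    _, major, minor, _tz, _sig, snaplen, _lt = struct.unpack(order + GLOBAL_HDR, data[:24])
    if (major, minor) != PCAP_VERSION:
        problems.append("version %d.%d, expected %d.%d" % ((major, minor) + PCAP_VERSION))
    # Walk the records: every header must fit, and incl_len must fit the snaplen, orig_len and the file.
    off = 24
    while off < len(data):
        if len(data) - off < 16:
            problems.append("truncated record header at offset %d" % off)
            break
        _ts_sec, _ts_usec, incl_len, orig_len = struct.unpack(order + RECORD_HDR, data[off:off + 16])
        if incl_len > snaplen or incl_len > orig_len:
            problems.append("record at %d: incl_len %d exceeds snaplen %d or orig_len %d"
                            % (off, incl_len, snaplen, orig_len))
        if off + 16 + incl_len > len(data):
            problems.append("record at %d: payload truncated" % off)
            break
        off += 16 + incl_len
    return problems


# Constructed sample flow records: (start_sec, src, dst, sport, dport). Not real traffic.
FLOWS = [
    (1202556720, "10.0.0.5", "192.0.2.10", 40000, 80),
    (1202556721, "10.0.0.6", "192.0.2.10", 40001, 443),
]


def flows_to_pcap(flows):
    """One record per flow, as the thread's Bugs note says -f1 does; packet/byte counts are lost."""
    return build_pcap([(ts, 0, synth_packet(s, d, sp, dp)) for ts, s, d, sp, dp in flows])


GOOD = flows_to_pcap(FLOWS)
# Constructed malformed inputs to exercise the check (not what the unpatched tool emitted).
BAD_VERSION = struct.pack("<" + GLOBAL_HDR, PCAP_MAGIC_USEC, 2, 3, 0, 0, 65535, LINKTYPE_RAW_IP) + GOOD[24:]
BAD_MAGIC = struct.pack("<I", 0xDEADBEEF) + GOOD[4:]

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("bad_version", BAD_VERSION), ("bad_magic", BAD_MAGIC)):
        print(name, check_pcap(blob) or "ok")
```

Run it and then feed the `GOOD` bytes to `tcpdump -n -r` to see two SYN packets, one per constructed flow; that is all a one-record-per-flow export can tell you, which is why the counts and timestamps in such a file should not be treated as measurements.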

GoogleCodeExporter commented 8 years ago
Thanks Dave, applying this

Original comment by therap...@gmail.com on 28 Jan 2009 at 8:01

GoogleCodeExporter commented 8 years ago
http://gitorious.org/projects/flow-tools/repos/mainline/commits/04510a9eda8a51107683f106a6041912da1a4677

Original comment by therap...@gmail.com on 28 Jan 2009 at 8:12