phaag / nfdump

Netflow processing tools

Documentation on tcp_flags #549

Closed sandervandegeijn closed 1 month ago

sandervandegeijn commented 1 month ago

I'm trying to parse nfdump files into Elastic and would like to interpret the TCP flags. So in the data you will see something like:

"tcp_flags" : "......S."

I can't find documentation on what each letter / position means. Is it possible to describe this somewhere?

Thanks!

phaag commented 1 month ago

You should find the flags definition in the man page nfdump(1). They are coded as:

```
'C' // Congestion window reduced - CWR
'E' // ECN-Echo
'U' // Urgent
'A' // Ack
'P' // Push
'R' // Reset
'S' // Syn
'F' // Fin
```
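The string is positional: eight characters, one per flag in the order listed above (CWR, ECE, URG, ACK, PSH, RST, SYN, FIN), with `.` where a flag is clear, so `......S.` is a SYN-only flow. The following is an added example for turning that field into something a pipeline can filter on; it is not nfdump's own code, and the `tcp_flags_int` / `tcp_flags_list` output field names and the sample record are this example's own constructions. The letter order comes from the answer above; mapping each position onto the TCP header flag bits (CWR=0x80 down to FIN=0x01) is an assumption made here so the string can also be rendered back as an integer.

```python
"""Parse and render the 8-character tcp_flags string that nfdump prints.

Added example, not nfdump's own code. Letter order CEUAPRSF is from the
maintainer's answer; the TCP header bit values are this example's assumption.
"""
from __future__ import annotations

# Position -> (letter nfdump prints, flag name, TCP header bit).
# The order matches the maintainer's list: CWR, ECE, URG, ACK, PSH, RST, SYN, FIN.
FLAG_TABLE = (
    ("C", "CWR", 0x80),
    ("E", "ECE", 0x40),
    ("U", "URG", 0x20),
    ("A", "ACK", 0x10),
    ("P", "PSH", 0x08),
    ("R", "RST", 0x04),
    ("S", "SYN", 0x02),
    ("F", "FIN", 0x01),
)


def parse_tcp_flags(text: str) -> tuple[int, list[str]]:
    """Return (bitmask, [flag names]) for an nfdump tcp_flags string.

    Raises ValueError on anything that is not exactly eight characters of
    '.' or the letter expected at that position, so a corrupt or differently
    formatted field is rejected instead of being silently mis-mapped.
    """
    if len(text) != len(FLAG_TABLE):
        raise ValueError(f"tcp_flags must be {len(FLAG_TABLE)} chars, got {text!r}")
    mask = 0
    names: list[str] = []
    for ch, (letter, name, bit) in zip(text, FLAG_TABLE):
        if ch == letter:
            mask |= bit
            names.append(name)
        elif ch != ".":
            raise ValueError(f"unexpected {ch!r} in tcp_flags {text!r}")
    return mask, names


def is_valid_tcp_flags(text: str) -> bool:
    """True if text is a well-formed nfdump flag string, False otherwise."""
    try:
        parse_tcp_flags(text)
    except ValueError:
        return False
    return True


def format_tcp_flags(mask: int) -> str:
    """Inverse of parse_tcp_flags: render a TCP flags byte the way nfdump does."""
    if not 0 <= mask <= 0xFF:
        raise ValueError(f"flags byte out of range: {mask}")
    return "".join(letter if mask & bit else "." for letter, _, bit in FLAG_TABLE)


def enrich_record(record: dict) -> dict:
    """Add parsed flag fields to a decoded nfdump JSON record.

    The field names 'tcp_flags_int' and 'tcp_flags_list' are this example's
    own choice, not an nfdump or ECS convention.
    """
    out = dict(record)
    if "tcp_flags" in record:
        mask, names = parse_tcp_flags(record["tcp_flags"])
        out["tcp_flags_int"] = mask
        out["tcp_flags_list"] = names
    return out


if __name__ == "__main__":
    # Constructed sample record; only the tcp_flags value mirrors the question.
    sample = {"proto": "TCP", "tcp_flags": "......S."}
    print(enrich_record(sample))
    # A flow that only ever carried SYN (never an ACK) is the kind of thing a
    # detection rule keys on; with the parsed list that is a plain comparison.
    _, names = parse_tcp_flags("......S.")
    print("SYN-only flow:", names == ["SYN"])
```

`parse_tcp_flags` deliberately fails on an unexpected letter or length rather than guessing, because a pipeline that mis-reads a flags field would mis-label every flow downstream; `format_tcp_flags` lets you round-trip the numeric value into the same string the CLI shows when cross-checking records.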

sandervandegeijn commented 1 month ago

ah, I missed it, very sorry. Only saw the bit representation, my bad!

phaag commented 1 month ago

No worries! The new csv-fast format could also be an option for you.

sandervandegeijn commented 1 month ago

Thanks! I'm using Vector(.dev) to ingest the logs into opensearch with ECS mapping, so the json is fine for that! Can share the pipeline if that's useful.

phaag commented 1 month ago

Sure! Feel free to share it here or at my email in the authors file.