[netsa-tools-discuss] Question about handling multiple streams of flow data.

Matthew Markland mwmarkland at outlook.com
Thu Jul 30 11:57:42 EDT 2015


All:

I'm continuing to try to evaluate the SiLK toolchain but have run into a situation I cannot explain.

In the environment I am working in, the NetFlow from a large network is being reflected to a single port on my processing box. In other words, I am seeing flow information from multiple routers interleaved on a single port. When I run flowcap, it appears to capture data correctly, although it does issue many messages about sequence numbers (which I would expect). However, when attempting to do other processing on the files, many fields in the generated information appear to be incorrect (dates like 1776 or 21345 in flows, bad counts, etc.). When I capture the same stream with a different collector (flowd in this case), we appear to get clean data without these incorrect values. Clearly this could be a result of flowd throwing something away, but it makes us suspicious that the SiLK system doesn't like having all this interleaved traffic coming in for processing.

My question to the SiLK tools maintainers is whether their tools are designed to work in the environment I describe or whether they expect a one-to-one match between a flow generator (i.e. YAF or a router) and an instance of flowcap.

Thanks for your time!

Matt
----
Matthew Markland
mwmarkland at outlook.com

 		 	   		  
-------------- next part --------------
HTML attachment scrubbed and removed