[netsa-tools-discuss] flowcap formats

John Green John.Green at jisc.ac.uk
Fri Sep 11 10:28:07 EDT 2015


Hi,
I've just started using analysis pipeline which relies on accurate flow
times.  

As a result I've found a number of flows with old etimes (all with
duration of 65535 seconds).  Looking more closely this appears to be a
result of flowcap using FT_FLOWCAP for v5 records which stores flow
duration in seconds using 2 bytes.  Flowcap uses FT_RWIPV6ROUTING for
non-v5 sources, in msec using 4 bytes (giving the 49 day maximum seen
elsewhere).

And 65535 seconds is only 0.75 of a day, so I'm seeing quite a few of
these.

I'm going to try changing flowcap.c to use FT_RWIPV6ROUTING regardless,
at the expense of larger files, but I just wanted to check I wasn't
missing something?

As FT_FLOWCAP uses 3 further bytes for stime/elapsed msec this seems
like quite a compromise to save 1 byte!

Thanks
John
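
The effect described in this post, as an added example (not code from the post or from SiLK): a simplified model of a 2-byte seconds field and a 4-byte millisecond field. It assumes over-range durations are clamped at the field maximum and that the end time is derived as start time plus stored duration; the function names, byte order and sample records are constructed for illustration.

```python
import struct

SECS16_MAX = 0xFFFF        # largest value a 2-byte seconds field can hold
MSEC32_MAX = 0xFFFFFFFF    # largest value a 4-byte millisecond field can hold


def pack_secs16(elapsed_ms):
    """Model of the 2-byte encoding: whole seconds, clamped (assumed) at 65535."""
    return struct.pack(">H", min(elapsed_ms // 1000, SECS16_MAX))


def pack_msec32(elapsed_ms):
    """Model of the 4-byte encoding: milliseconds, clamped (assumed) at the ceiling."""
    return struct.pack(">I", min(elapsed_ms, MSEC32_MAX))


def unpack_ms(raw):
    """Decode either model field back to milliseconds, chosen by its width."""
    if len(raw) == 2:
        return struct.unpack(">H", raw)[0] * 1000
    return struct.unpack(">I", raw)[0]


def etime_error_ms(elapsed_ms, pack):
    """How far too early the end time lands when computed as stime + stored duration."""
    return elapsed_ms - unpack_ms(pack(elapsed_ms))


def suspect_flows(flows):
    """Flag flows whose stored duration sits exactly at the 16-bit ceiling:
    the true duration may have been longer, so the end time is unreliable."""
    return [f["id"] for f in flows if f["duration_s"] == SECS16_MAX]


# Constructed sample records (not real flow data).
SAMPLE = [
    {"id": "a", "duration_s": 12},
    {"id": "b", "duration_s": 65535},
    {"id": "c", "duration_s": 65534},
]

if __name__ == "__main__":
    three_days = 3 * 86_400_000  # a long-lived flow, in milliseconds
    print("2-byte seconds field, etime early by ms:", etime_error_ms(three_days, pack_secs16))
    print("4-byte msec field, etime early by ms:", etime_error_ms(three_days, pack_msec32))
    print("flows at the 16-bit ceiling:", suspect_flows(SAMPLE))
```

This model keeps only whole seconds in the 2-byte case; the extra millisecond bytes mentioned in the post are left out.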
