[netsa-tools-discuss] flowcap formats
John Green
John.Green at jisc.ac.uk
Wed Sep 16 10:46:56 EDT 2015
Hi Mark,
On Tue, 2015-09-15 at 11:58 -0400, Mark Thomas wrote:
> There is an assumption in SiLK that the flow generator (router or
> YAF) splits long-lived flow records into multiple records using an
> active-timeout of about an hour or less.
Is there a specification describing how these long-lived flows should
work? The long-lived flows I am receiving are regularly exported by
the active timeout, but the stime remains the same. Perhaps this
behaviour varies between vendors?
> Using the FT_RWGENERIC format in place of FT_FLOWCAP will give you
> the 49 day maximum duration without requiring the extra space for
> the IPv6 addresses.
Thanks for this. I'll use that instead.
Regards
John