[netsa-tools-discuss] flowcap formats
Mark Thomas
mthomas at cert.org
Mon Sep 21 13:08:07 EDT 2015
John-
On Wed, 16 Sep 2015 14:46:56 +0000, John Green wrote:
> Is there a specification describing how these long lived flows
> should work? The long lived flows I am receiving are regularly
> exported by the active timeout, but the stime remains the same.
I do not know of a specification that details how the timestamps of
long-lived flow records are to be set.
The behavior of SiLK comes from our experience receiving NetFlow v5
data from Cisco routers. When a long-lived session reached the
active timeout, the old record was closed and a new record would
begin using the current time as the start-time for this new record.
> Perhaps this behaviour varies between vendors?
Yes, I believe Juniper handles this situation as you describe: by
leaving the start-time as a constant.
-Mark
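The two conventions Mark describes have a practical consequence for anyone computing durations from the records. As an added example (not code from this thread or from SiLK), assuming constructed records for a single 5-tuple and a 60-second active timeout, this classifies which convention an exporter follows and rewrites constant-stime records so that per-record durations no longer over-count:

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Flow:
    stime: int   # start time, seconds since epoch
    etime: int   # end time, seconds since epoch
    nbytes: int  # bytes seen in this export interval

def exporter_style(flows):
    """Classify how one long-lived session (records for a single 5-tuple,
    sorted by etime) was split across active-timeout exports.
    "reset": each record's stime restarts where the previous one ended
    (the Cisco NetFlow v5 behaviour SiLK follows); "constant": every
    record keeps the original stime; "mixed": neither pattern holds."""
    if len(flows) < 2:
        return "reset"  # a single record fits both conventions
    first = flows[0].stime
    if all(f.stime == first for f in flows[1:]):
        return "constant"
    if all(b.stime >= a.etime for a, b in zip(flows, flows[1:])):
        return "reset"
    return "mixed"

def to_per_interval(flows):
    """Rewrite constant-stime records so each covers only its own interval."""
    if exporter_style(flows) != "constant":
        return list(flows)
    out = [flows[0]]
    for prev, cur in zip(flows, flows[1:]):
        out.append(replace(cur, stime=prev.etime))
    return out

def session_duration(flows):
    """Wall-clock length of the whole session, valid for either convention."""
    return max(f.etime for f in flows) - min(f.stime for f in flows)

def naive_duration(flows):
    """Sum of per-record durations; over-counts for constant-stime exports."""
    return sum(f.etime - f.stime for f in flows)

# Constructed: one 180-second session exported every 60 s, under each convention.
CISCO_STYLE = [Flow(0, 60, 1000), Flow(60, 120, 1000), Flow(120, 180, 500)]
JUNIPER_STYLE = [Flow(0, 60, 1000), Flow(0, 120, 1000), Flow(0, 180, 500)]
```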