NetFlow的一些知识

NetFlow如何决定方向：

NetFlow Direction and it’s Value to Troubleshooting
https://www.plixer.com/blog/netflow-and-ipfix-2/netflow-direction-and-its-value-to-troubleshooting/

Strategies used that attempt to determine flow direction but, aren’t entirely reliable include:

• Comparison of flow start times

• Lowest source port = server
• The relationship of A and B with other hosts on the network. A host with many connections to unique hosts ‘could’ be a server.
• Byte volumes: the host with the lower sent octet delta count is the client. This can be very misleading.
• Observation of TCP flags however, due to flow technologies aggregation methods, this strategy generally fails.
• Examining TTL metrics (if exported) – doesn’t provide a definitive answer.
• Consideration of how the flows were metered (I.e. ingress or egress) however, this is unreliable as some vendors only support egress. In other cases both are exported. Frankly, I never really understood why this was a good strategy. Perhaps someone could share their insight on this.

总结：基于硬件，比较准确。

官方文档：

IP Flow Information Export (IPFIX) Entities
http://www.iana.org/assignments/ipfix/ipfix.xhtml
Bidirectional Flow Export Using IP Flow Information Export (IPFIX)
https://tools.ietf.org/html/rfc5103

Wikipedia：
NetFlow
https://en.wikipedia.org/wiki/NetFlow

pcap转NetFlow以及时间戳问题
https://sourceforge.net/p/nfdump/mailman/message/23791576/

>>  $ nfcapd -p9995 -l ./netflow/
>>  $ softflowd -n 127.0.0.1:9995 -r dump.pcap

时间戳不太对。而且一个双向流会被拆分成两个。

nfcapd -f pcap #办不到

tshark读取pcap

tcpreplay，centos