[flow-tools] Matching RP & switch records

Daniel MacKay daniel@noc.dal.ca
Thu, 9 May 2002 08:21:25 -0300


I have a hybrid router/switch.  The RP is issuing records like the following:

129.173.23.136/0   140.194.2.20/0  0.0.0.0  17 137    137      192         2
129.173.33.35/0  24.200.233.119/0 0.0.0.0   6  1058   1214     48          1

These contain all the data anyone could want for doing statistics,
hunting for bad guys and debugging problems, but only for the first
packet or so of a flow.  The rest of the information about a flow
(how many packets and bytes) comes from the switch side in V7 records
like this:

0    192.75.95.243/0   198.166.1.9      0      0    0     2123    22
0    193.61.122.237/0  198.166.1.9      0      0    0     80      2
0    63.91.145.36/0    198.166.1.9      0      0    0     74      1

missing source IP, ports, and other TCP header info.

My question is: is there any way to match up a Cat flow record with 
the correct RP flow record so that I can get full statistics on a 
flow?  Do you do it using the timestamp or something?

Any tips appreciated.  Please reply directly to me; if anyone asks for
it, I'll post the responses back to the list.