[flow-tools] TCP flags in flow-print format 5
Mark Fullmer
maf@splintered.net
Sun, 12 May 2002 11:01:03 -0400
See /usr/include/netinet/tcp.h
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_PUSH 0x08
#define TH_ACK 0x10
#define TH_URG 0x20
#define TH_ECE 0x40
#define TH_CWR 0x80
The NetFlow tcp_flags field is constructed by an OR operation on the TCP header
flags for every packet in the flow.
mark
On Fri, May 10, 2002 at 10:39:33PM +1000, Dale Clapperton (lists) wrote:
> Hi
>
> A brief question.. When using flow-print -f5, how does the value for
> "(u_int)*cur.tcp_flags & 0x7" in the code translate into the actual flags on
> each packet? I'm attempting to hack together a custom format for flow-print
> which will output in the DSHIELD format
> (http://www.dshield.org/specs.html#dshield_format), which requires the flags to
> be represented using charecters or text, not numerically.
>
> Thanks
>
> Dale
>
>
> _______________________________________________
> flow-tools@splintered.net
> http://www.splintered.net/sw/flow-tools
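As an added illustration of the two points in this thread (this is example code, not part of flow-tools or of either poster's message): the first function aggregates per-packet TCP flags into a flow's tcp_flags value by ORing them, and the second renders that byte as letters in the way a custom flow-print format could. The flag bits are the tcp.h defines quoted above; the single-letter names (F, S, R, P, A, U, E, C) and the high-to-low output order are an assumed convention, not something the DSHIELD specification is quoted here as requiring. Note that the `& 0x7` mask from the question keeps only the low three bits (FIN, SYN, RST) and drops ACK, PSH and the rest.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* TCP flag bits, as defined in /usr/include/netinet/tcp.h */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
#define TH_ECE  0x40
#define TH_CWR  0x80

/* Build a flow's tcp_flags the way NetFlow does: OR the header flags
 * of every packet that belonged to the flow. */
uint8_t flow_tcp_flags(const uint8_t *pkt_flags, size_t npkts)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < npkts; i++)
        acc |= pkt_flags[i];
    return acc;
}

/* Render a tcp_flags byte as letters, highest bit first.
 * Letter choice is an assumed convention for this example.
 * Returns the number of characters written (excluding the NUL). */
size_t tcp_flags_to_text(uint8_t flags, char *out, size_t outlen)
{
    static const struct { uint8_t bit; char letter; } table[] = {
        { TH_CWR,  'C' }, { TH_ECE, 'E' }, { TH_URG, 'U' }, { TH_ACK, 'A' },
        { TH_PUSH, 'P' }, { TH_RST, 'R' }, { TH_SYN, 'S' }, { TH_FIN, 'F' },
    };
    size_t len = 0;

    if (outlen == 0)
        return 0;
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if ((flags & table[i].bit) && len + 1 < outlen)
            out[len++] = table[i].letter;
    }
    out[len] = '\0';
    return len;
}

/* Convenience wrapper returning a pointer to a static buffer
 * (not thread-safe; fine for a one-shot formatter). */
const char *tcp_flags_text(uint8_t flags)
{
    static char buf[9];
    tcp_flags_to_text(flags, buf, sizeof buf);
    return buf;
}

/* Constructed sample: one direction of a short TCP session,
 * packet by packet: SYN, ACK, PSH|ACK (data), FIN|ACK. */
static const uint8_t sample_pkts[] = {
    TH_SYN, TH_ACK, TH_PUSH | TH_ACK, TH_FIN | TH_ACK
};

uint8_t sample_flow_flags(void)
{
    return flow_tcp_flags(sample_pkts, sizeof sample_pkts / sizeof sample_pkts[0]);
}

int main(void)
{
    uint8_t f = sample_flow_flags();
    printf("tcp_flags=0x%02x text=%s\n", f, tcp_flags_text(f));
    /* What the question's "& 0x7" would leave of the same flow. */
    printf("masked=0x%02x text=%s\n", f & 0x7, tcp_flags_text(f & 0x7));
    return 0;
}
```

For the constructed sample the aggregate is 0x1b (FIN|SYN|PSH|ACK), printed as "APSF"; after the 0x7 mask only 0x03 ("SF") survives, which is why a format that wants the full flag set should use the whole byte rather than the masked value.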