
TCP flags in collector mode

Open · simonemainardi opened this issue 4 years ago · 0 comments

Default template in collector mode (EXPANDED_NTOPNG_SHORTCUT_COLLECTOR_MODE) should only include %TCP_FLAGS and not %CLIENT_TCP_FLAGS %SERVER_TCP_FLAGS.

This is because NetFlow flags are cumulative.

V5:

37 | tcp_flags | Cumulative OR of TCP flags

Source: https://www.ibm.com/docs/en/npi/1.3.0?topic=versions-netflow-v5-formats

V9:

TCP_FLAGS | 6 | 1 | Cumulative of all the TCP flags seen for this flow

Source: https://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.html

Using per-direction flags causes cumulative flags to be exported into per-direction flags and also tricks downstream receivers into taking wrong decisions.

I have also provided a Mikrotik capture privately that shows this behavior even when NetFlow is monodirectional as in V5.

simonemainardi, Jul 13 '21 09:07
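An added illustration of the point made in the issue above (example code written for this page, not nProbe's own): it parses a constructed NetFlow v5 flow record, reads the single cumulative `tcp_flags` byte at offset 37, and shows why a collector can only honestly fill `%TCP_FLAGS` from it. Forcing that byte into `CLIENT_TCP_FLAGS`/`SERVER_TCP_FLAGS` invents a direction the record never carried, and a downstream consumer keying on the server side then answers wrongly. Field names, the sample record and the downstream check are all constructed for the example.

```python
import struct

# TCP flag bits as carried in the NetFlow v5 tcp_flags byte (a cumulative OR
# over every packet of the flow, per the v5 record format cited in the issue).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}

# NetFlow v5 flow record: 48 bytes, network byte order; tcp_flags is byte 37.
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def parse_v5_record(raw: bytes) -> dict:
    """Unpack the few v5 fields needed here from one 48-byte flow record."""
    f = V5_RECORD.unpack(raw)
    return {"srcport": f[9], "dstport": f[10], "tcp_flags": f[12], "prot": f[13]}

def flag_names(flags: int) -> list:
    return [name for bit, name in FLAG_NAMES.items() if flags & bit]

def export_fields(rec: dict, per_direction: bool) -> dict:
    """Flag fields a collector would export for this record.

    per_direction=False: the template the issue asks for (%TCP_FLAGS only).
    per_direction=True: the template it argues against. The record carries no
    direction, so the cumulative byte has to be forced onto one side (constructed
    choice: client) and the other side left empty; any choice is a guess.
    """
    if not per_direction:
        return {"TCP_FLAGS": rec["tcp_flags"]}
    return {"CLIENT_TCP_FLAGS": rec["tcp_flags"], "SERVER_TCP_FLAGS": 0}

def server_sent_rst(fields: dict):
    """Constructed downstream check: did the server side reset the connection?

    Per-direction fields give a confident True/False. A cumulative field gives
    False when no RST was seen at all, and None when one was seen but the
    record cannot say which side sent it (the honest answer for v5/v9 data).
    """
    if "SERVER_TCP_FLAGS" in fields:
        return bool(fields["SERVER_TCP_FLAGS"] & RST)
    return None if fields["TCP_FLAGS"] & RST else False

# Constructed v5 record: 10.0.0.1:40000 -> 10.0.0.2:443, TCP, flags SYN|ACK|RST.
SAMPLE_RECORD = V5_RECORD.pack(
    bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), bytes(4), 1, 2, 3, 180, 0, 1000,
    40000, 443, 0, SYN | ACK | RST, 6, 0, 0, 0, 24, 24, 0)

if __name__ == "__main__":
    rec = parse_v5_record(SAMPLE_RECORD)
    print("cumulative flags seen:", flag_names(rec["tcp_flags"]))
    for per_dir in (False, True):
        fields = export_fields(rec, per_dir)
        print(fields, "-> server RST?", server_sent_rst(fields))
```

With the per-direction template the check returns a confident False even though an RST was in the flow; with the cumulative template it returns None, which is all the v5 record supports.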