[unisog] CISCO NetFlow

H. Morrow Long morrow.long at yale.edu
Wed Sep 17 19:35:38 GMT 2003


ICMP has a message type and subtype rather than port #s.

In NetFlow the port column when interpreted for ICMP is
a combination of the ICMP Message type code and subtype
encoded as the destination port (e.g. in 0x800 you would
see ICMP Message Type 8 which is an ICMP Echo (request)).

For more on the OSU netflow tools see:

http://www.usenix.org/events/lisa2000/full_papers/fullmer/fullmer_html/

- Morrow

kamal hilmi othman wrote:

> Hi
> Just curious, does anyone know about this?
> 
> SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
> Se3/0.16      10.1.10.1       Fa4/0         192.168.10.1    01 0000 0800   650
> 
> Pr == Protocol 
> DstP == Destination IP
> 
> as of above;
> converting 0800 to decimal is 2048, not as everyone in this list is aware
> that ICMP has a port!
> 
> -k
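
The encoding described in the reply above, as an added example that is not part of the original thread or of the OSU tools: for ICMP flows the 16-bit DstP value carries the ICMP type in the high byte and the code in the low byte. The function names and the two extra sample rows are constructed for illustration, and the Pr, SrcP and DstP columns are assumed to be printed in hex as in the quoted row.

```python
# Added example: interpret the DstP column of "show ip cache flow" style rows.
# Assumption: Pr, SrcP and DstP are printed in hex, as in the quoted row.
FIELDS = ("SrcIf", "SrcIPaddress", "DstIf", "DstIPaddress",
          "Pr", "SrcP", "DstP", "Pkts")
ICMP_PROTO = 1
# Small subset of ICMP type names, enough for the sample rows below.
ICMP_TYPE_NAMES = {0: "echo reply", 3: "destination unreachable",
                   8: "echo request", 11: "time exceeded"}


def decode_icmp_dstp(dstp_hex):
    """Split a 16-bit DstP value into (ICMP type, ICMP code)."""
    value = int(dstp_hex, 16)
    if not 0 <= value <= 0xFFFF:
        raise ValueError(f"DstP out of 16-bit range: {dstp_hex!r}")
    return value >> 8, value & 0xFF


def parse_flow_row(row):
    """Parse one flow row; add ICMP type/code when Pr is ICMP, else a port."""
    parts = row.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} columns, got {len(parts)}")
    flow = dict(zip(FIELDS, parts))
    proto = int(flow["Pr"], 16)
    if proto == ICMP_PROTO:
        icmp_type, icmp_code = decode_icmp_dstp(flow["DstP"])
        flow["icmp_type"], flow["icmp_code"] = icmp_type, icmp_code
        name = ICMP_TYPE_NAMES.get(icmp_type, f"type {icmp_type}")
        flow["meaning"] = f"ICMP {name}, code {icmp_code}"
    else:
        # For TCP/UDP the column really is a port number.
        flow["dst_port"] = int(flow["DstP"], 16)
        flow["meaning"] = f"protocol {proto} to port {flow['dst_port']}"
    return flow


# First row is the one quoted in the thread; the other two are constructed.
SAMPLE_ROWS = [
    "Se3/0.16 10.1.10.1 Fa4/0 192.168.10.1 01 0000 0800 650",
    "Se3/0.16 10.1.10.2 Fa4/0 192.168.10.1 01 0000 0303 4",
    "Se3/0.16 10.1.10.3 Fa4/0 192.168.10.1 06 0B3A 0050 12",
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        flow = parse_flow_row(row)
        print(flow["SrcIPaddress"], "->", flow["DstIPaddress"], flow["meaning"])
```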


