Re: sFlow parsing troubles...

From: Mandip S Sangha <mandip.sangha@apoapsis.com>
Date: 11/24/06
Message-ID: <00b901c70feb$262f3e30$8103000a@laptop106>

Oh right, thanks for clearing that up.

Regards
Mandip

----- Original Message -----
From: "Elisa Jasinska" <elisa.jasinska@ams-ix.net>
To: "Mandip S Sangha" <mandip.sangha@apoapsis.com>
Cc: <sflow@sflow.org>
Sent: Friday, November 24, 2006 11:02 AM
Subject: Re: [sFlow] sFlow parsing troubles...

> Hi Mandip,
>
> On Nov 24, 2006, at 11:13 AM, Mandip S Sangha wrote:
> > I can see the first 6 bytes are the dstMAC (00-14-6C-60-CB-B2), the
> > next 6 bytes are the srcMAC (00-09-6B-8C-43-A8) and the next 2 bytes
> > are the Ether type (08-00).
>
> Exactly, good start.
>
> > However, the following bytes fall into the data/payload part
> > of the frame, so we need to know the exact format for how the
> > information is stored in the data/payload. I have been able to figure
> > out most of the format by stepping through the source for the
> > 'sflowtool' but I'm after a document that specifies all this.
> >
>
> Like I mentioned in my previous mail, the raw header data is not
> specified in the sflow format but in the general network protocol
> encapsulations. The payload of an ethernet frame contains the header
> of the next higher layer protocol.
>
> Here are a few links which might help:
>
> http://en.wikipedia.org/wiki/Internet_protocol_suite
> http://en.wikipedia.org/wiki/Internet_Protocol
> http://en.wikipedia.org/wiki/Transmission_Control_Protocol
> http://en.wikipedia.org/wiki/User_Datagram_Protocol
>
> Cheers
> Elisa
>
>
> > ----- Original Message -----
> > From: "Elisa Jasinska" <elisa.jasinska@ams-ix.net>
> > To: "Mandip S Sangha" <mandip.sangha@apoapsis.com>
> > Cc: <sflow@sflow.org>
> > Sent: Thursday, November 23, 2006 10:55 PM
> > Subject: Re: [sFlow] sFlow parsing troubles...
> >
> >
> >> Hi,
> >>
> >> On Nov 23, 2006, at 8:37 PM, Mandip S Sangha wrote:
> >>> Is there documentation to tell us at what byte within the
> >>> headerBytes to find srcIP, dstIP, IPProtocol, IPTOS, TCPSrcPort,
> >>> TCPDstPort?
> >>
> >> That is, like the name says, a raw packet header, so you have to look
> >> into what the headers of an ethernet frame look like (IP, TCP, etc.).
> >>
> >>>
> >>> Also where in this data are the actual bytes transferred by each of
> >>> the flows?
> >>
> >> 'Flow' is a bit incorrect in case of sFlow, because it's actually not
> >> showing you flows (like NetFlow does) but packet samples. You can
> >> find out the packet size by looking into the length field of the IP
> >> header.
> >>
> >> Cheers
> >> --
> >> Elisa Jasinska - AMS-IX NOC
> >> http://www.ams-ix.net
>
>
>
> --
> Elisa Jasinska - AMS-IX NOC
> http://www.ams-ix.net
Received on Fri Nov 24 09:08:17 2006
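
The field offsets asked about in the thread, as an added example that is not part of the original messages or of sflowtool: a decoder for a sampled raw header (Ethernet, optional 802.1Q tag, IPv4, TCP/UDP ports) that tolerates the truncation sFlow agents apply to sampled headers. The function name `parse_sampled_header` is hypothetical; the MAC addresses come from the thread, while the IP addresses, ports and remaining header bytes in `SAMPLE` are constructed.

```python
import struct
from ipaddress import IPv4Address

# Constructed sample: MACs from the thread, everything after the EtherType invented.
SAMPLE = bytes.fromhex(
    "00146C60CBB2 00096B8C43A8 0800"        # dstMAC, srcMAC, EtherType (IPv4)
    "4500 0028 0000 4000 4006 0000"         # ver/IHL, TOS, total len, id, frag, TTL, proto, csum
    "C000020A C6336414"                     # src 192.0.2.10, dst 198.51.100.20
    "C000 0050"                             # TCP src port 49152, dst port 80 (rest truncated)
)

def parse_sampled_header(buf: bytes) -> dict:
    """Decode Ethernet / IPv4 / TCP-or-UDP fields from a (possibly truncated) raw header."""
    if len(buf) < 14:
        raise ValueError("truncated Ethernet header")
    out = {"dst_mac": buf[0:6].hex("-").upper(), "src_mac": buf[6:12].hex("-").upper()}
    (ethertype,) = struct.unpack_from("!H", buf, 12)
    off = 14
    if ethertype == 0x8100:                 # 802.1Q: 2-byte TCI, then the real EtherType
        if len(buf) < 18:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack_from("!HH", buf, 14)
        out["vlan"] = tci & 0x0FFF
        off = 18
    out["ethertype"] = ethertype
    if ethertype != 0x0800:                 # only IPv4 is decoded further here
        return out
    if len(buf) < off + 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, total_len, _id, frag, _ttl, proto, _csum, src, dst = \
        struct.unpack_from("!BBHHHBBH4s4s", buf, off)
    ihl = (ver_ihl & 0x0F) * 4              # header length in bytes; options make it > 20
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("bad IPv4 version/IHL")
    out.update(ip_tos=tos, ip_total_length=total_len, ip_protocol=proto,
               src_ip=str(IPv4Address(src)), dst_ip=str(IPv4Address(dst)))
    l4 = off + ihl
    # Ports exist only for TCP (6) / UDP (17), only in the first fragment,
    # and only if the sampled header was long enough to include them.
    if proto in (6, 17) and (frag & 0x1FFF) == 0 and len(buf) >= l4 + 4:
        out["src_port"], out["dst_port"] = struct.unpack_from("!HH", buf, l4)
    return out

if __name__ == "__main__":
    print(parse_sampled_header(SAMPLE))
```

`ip_total_length` is the length field of the IP header mentioned in the thread; it gives the size of the sampled packet, not a per-flow byte count.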
