Re: sFlow parsing troubles...

From: Mandip S Sangha <mandip.sangha@apoapsis.com>
Date: 11/24/06
Message-ID: <002901c70fb1$28108db0$8103000a@laptop106>

Hi Elisa

Yes I have looked into the Ethernet Frame Format so for the example below:-

headerBytes
00-14-6C-60-CB-B2-00-09-6B-8C-43-A8-08-00-45-00-00-34-7C-88-40-00-3F-06-2B-5A-58-60-87-C1-45-3C-6E-84-FC-6C-03-E1-19-33-B3-BF-1D-96-EA-34-80-10-FF-FF-B2-F1-00-00-01-01-08-0A-19-5D-AB-41-46-91-4F-AE
dstMAC 00146c60cbb2
srcMAC 00096b8c43a8
IPSize 52
ip.tot_len 52
srcIP 88.96.135.193
dstIP 69.60.110.132
IPProtocol 6
IPTOS 0
IPTTL 63
TCPSrcPort 64620
TCPDstPort 993
TCPFlags 16

I can see the first 6 bytes are the dstMAC (00-14-6C-60-CB-B2), the next 6
bytes are the srcMAC (00-09-6B-8C-43-A8) and the next 2 bytes are the Ether
type (08-00). However, the following bytes fall into the data/payload part
of the frame, so we need to know the exact format for how the information is
stored in the data/payload. I have been able to figure out most of the
format by stepping through the source for the 'sflowtool' but I'm after a
document that specifies all this.

Regards
Mandip

----- Original Message -----
From: "Elisa Jasinska" <elisa.jasinska@ams-ix.net>
To: "Mandip S Sangha" <mandip.sangha@apoapsis.com>
Cc: <sflow@sflow.org>
Sent: Thursday, November 23, 2006 10:55 PM
Subject: Re: [sFlow] sFlow parsing troubles...

> Hi,
>
> On Nov 23, 2006, at 8:37 PM, Mandip S Sangha wrote:
> > Is there documentation to tell us at what byte within the
> > headerBytes to find
> > srcIP, dstIP IPProtocol, IPTOS, TCPSrcPort, TCPDstPort?
>
> That is, like the name says, a raw packet header, so you have to look
> into what the headers of an Ethernet frame look like (IP, TCP, etc.).
>
> >
> > Also where in this data are the actual bytes transferred by each of
> > the flows?
>
> 'Flow' is a bit incorrect in case of sFlow, because it's actually not
> showing you flows (like NetFlow does) but packet samples. You can
> find out the packet size by looking into the length field of the IP
> header.
>
> Cheers
> --
> Elisa Jasinska - AMS-IX NOC
> http://www.ams-ix.net
Received on Fri Nov 24 02:13:18 2006
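
The decoding discussed in this thread, as an added example that is not part of the original messages and is not sflowtool's code: it walks the headerBytes sample above using the standard Ethernet II, IPv4 (RFC 791) and TCP (RFC 793) layouts and reproduces the field values listed with it. The function name `parse_header_bytes` is hypothetical; the 802.1Q and truncation handling go beyond the single sample in the thread, since sFlow raw headers may be tagged or cut short.

```python
import socket
import struct

# headerBytes copied from the message above (66 bytes, dash-separated hex).
HEADER_BYTES = (
    "00-14-6C-60-CB-B2-00-09-6B-8C-43-A8-08-00-45-00-00-34-7C-88-40-00-3F-06-2B-5A"
    "-58-60-87-C1-45-3C-6E-84-FC-6C-03-E1-19-33-B3-BF-1D-96-EA-34-80-10-FF-FF-B2-F1"
    "-00-00-01-01-08-0A-19-5D-AB-41-46-91-4F-AE"
)

def parse_header_bytes(hex_dump):
    """Decode Ethernet II + IPv4 + TCP fields from a sampled raw header."""
    raw = bytes.fromhex(hex_dump.replace("-", ""))
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    out = {"dstMAC": raw[0:6].hex(), "srcMAC": raw[6:12].hex()}
    ethertype, off = struct.unpack_from("!H", raw, 12)[0], 14
    if ethertype == 0x8100:  # 802.1Q tag: real EtherType sits 4 bytes later
        if len(raw) < 18:
            raise ValueError("truncated VLAN tag")
        ethertype, off = struct.unpack_from("!H", raw, 16)[0], 18
    if ethertype != 0x0800:
        return out  # not IPv4; nothing more decoded here
    if len(raw) < off + 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, tot_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack_from("!BBHHHBBH4s4s", raw, off)
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes; options make it > 20
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("bad IPv4 version/IHL")
    out.update({"ip.tot_len": tot_len, "srcIP": socket.inet_ntoa(src),
                "dstIP": socket.inet_ntoa(dst), "IPProtocol": proto,
                "IPTOS": tos, "IPTTL": ttl})
    tcp = off + ihl  # TCP starts after the variable-length IP header
    if proto == 6 and len(raw) >= tcp + 14:
        sport, dport = struct.unpack_from("!HH", raw, tcp)
        out.update({"TCPSrcPort": sport, "TCPDstPort": dport,
                    "TCPFlags": raw[tcp + 13]})  # flags byte at TCP offset 13
    return out

if __name__ == "__main__":
    for name, value in parse_header_bytes(HEADER_BYTES).items():
        print(name, value)
```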
