NetFlow & ICMP type/subtype

Discussion in 'Cisco' started by Slava Astashonok, Dec 9, 2003.

  1. First of all sorry for my clumsy English.
    This is my first post to the group, so please excuse me if it is offtopic.

    In
    http://www.usenix.org/events/lisa2000/full_papers/fullmer/fullmer_html
    I've read that "... In the case of Internet Control Message Protocol
    (ICMP) traffic, the ICMP type and subtype are recorded in the
    destination port field of the NetFlow records. ...".
    Is it truth? I've read documentation at cisco.com about NetFlow 1, 5 and
    7 and there isn't anything about recording ICMP type/subtype.
     
    Slava Astashonok, Dec 9, 2003
    #1
    1. Advertising

  2. Slava Astashonok

    Simon Leinen Guest

    Slava,

    > In
    > http://www.usenix.org/events/lisa2000/full_papers/fullmer/fullmer_html
    > I've read that "... In the case of Internet Control Message Protocol
    > (ICMP) traffic, the ICMP type and subtype are recorded in the
    > destination port field of the NetFlow records. ...".
    > Is it truth? I've read documentation at cisco.com about NetFlow 1, 5
    > and 7 and there isn't anything about recording ICMP type/subtype.


    some Netflow implementations do indeed put ICMP the type/code fields
    into the places that are used for ports in TCP and UDP (ICMP type is
    the higher eight bits of the destination port field, ICMP code is the
    lower eight bits of the destination port field). I find this useful.

    Unfortunately, the Netflow implementation I use most these days
    (Catalyst 6500/7600 OSR with Supervisor 2) just leaves the port fields
    zero for ICMP traffic. Don't know about other implementations.

    Regards,
    --
    Simon.
     
    Simon Leinen, Dec 9, 2003
    #2
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Drx
    Replies:
    6
    Views:
    5,564
  2. Replies:
    0
    Views:
    975
  3. miffysmate :-\)\)

    ICMP(type:8/subtype:0)

    miffysmate :-\)\), Aug 27, 2003, in forum: Computer Support
    Replies:
    2
    Views:
    3,910
  4. Scott Townsend
    Replies:
    2
    Views:
    10,207
    Scott Townsend
    May 4, 2006
  5. dot

    type I type II ?

    dot, Nov 26, 2003, in forum: Digital Photography
    Replies:
    6
    Views:
    398
    Ron Hunter
    Nov 26, 2003
Loading...

Share This Page