
Reading the output of flow-extract

This article describes how to read the output of the flow-extract tool.

The ASCII output of flow-extract looks like:

08/28/2002 13:07:29 -> 08/28/2002 13:07:34  6  103 example.com 34474  <->   02 example.org finger   3   136 00 -SR---
08/28/2002 13:07:40 -> 08/28/2002 13:07:43  6   02 example.net finger <->  103 example.com 34475   38  4793 00 FS-PA-

The columns are (in order):

  • Start date and time
  • "->"
  • End date and time
  • The IP protocol number (1 is ICMP, 6 is TCP, 17 is UDP)
  • The router interface of the source
  • The source host
  • The source port (printed as a service name such as finger or ident when the port is a well-known one, otherwise as a number)
  • "<->"
  • The router interface of the destination
  • The destination host
  • The destination port (service name or number, as for the source port)
  • The number of packets
  • The number of octets (bytes)
  • Type of Service
  • The TCP flags seen over the life of the flow, one character per flag with "-" for a flag that was not set; in the examples here F (FIN), S (SYN), R (RST), P (PUSH) and A (ACK) occupy the first five positions

Some important things to remember when reading flow data:

  • Flows are not TCP connections. One connection can, and probably will, be spread out among many flows.
  • The source of the flow is not necessarily the source of the connection. In general, you're best off looking at the ports to decide which end is being connected to: if one end is the telnet port and the other is port 32421, it was almost certainly a connection to the telnet port.

The first connection above is a host at example.com querying the finger port on example.org. Only 3 packets and 136 bytes were exchanged, and the flags are SYN and RST (-SR---): example.org answered the SYN with a RESET, so it was not accepting connections on that port.

The second connection above is the same host at example.com trying finger again, this time directed at example.net. In this flow 38 packets were exchanged between the two hosts, carrying a total of 4793 bytes. The TCP flags set in this flow are FIN, SYN, PUSH and ACK (FS-PA-), so a full connection with data was seen and torn down normally; it was most likely a successful finger query.

08/25/1999 17:51:04 -> 08/25/1999 17:51:04  6  96 example.com ident <->  96 example.org 34118  1   40 00 -S----
08/25/1999 17:51:03 -> 08/25/1999 17:51:09  6  96 example.com 1028  <->  96 example.org finger 7  301 00 FS-PA-
08/25/1999 17:51:23 -> 08/25/1999 17:51:26  6  96 example.com iad3  <->  96 example.net finger 5  221 00 FS-PA-
08/25/1999 17:51:49 -> 08/25/1999 17:51:49  6  96 example.com ident <->  96 example.net 54171  1   40 00 -S----

In our second set of flows, the first line is an attempt by example.org to connect to the ident port on example.com. It is followed immediately by a finger connection from example.com to example.org. This looks a little unusual, since a host normally doesn't connect to the ident port unless someone has already connected to a service on that host. Look at the start times, though: the second flow started first (17:51:03) and ended second (17:51:09). So what we're seeing is a finger query and the ident lookup it triggered on the other end.

The finger flow carries 301 bytes, enough for a real query and its response. The ident flow, however, is a single 40-byte packet with only SYN set: the connection attempt to example.com's ident port got no reply that shows up in the flow data, so ident probably wasn't running on the machine at example.com. (A closed port that answered would have put an R in the flags, as in the first example; a lone SYN with no RST can also mean the port was filtered.)

The next two flows show the same pattern, this time against example.net. Here the flows appear in the expected order: the finger query first, then the ident lookup.
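To make the column layout and the reading rules above concrete, here is a small parser for flow-extract's ASCII output. It is an added example, not part of the original article or of flow-tools: it splits each line into the fields listed above, decodes the flag string, applies the port rule of thumb to decide which end was the server, and labels each flow the way the two listings are read in the text. The SERVICES table is a hypothetical, partial stand-in for /etc/services, the URG position in the flag string is an assumption (the article's samples only show F, S, R, P and A), and the sample input is four lines copied from the listings above.

```python
"""Parse flow-extract ASCII output and apply the article's reading heuristics."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Set, Tuple

# Input: four flow lines copied verbatim from the article's two listings.
SAMPLE = """\
08/28/2002 13:07:29 -> 08/28/2002 13:07:34    6  103 example.com 34474 <->  02 example.org   finger 3          136        00 -SR---
08/28/2002 13:07:40 -> 08/28/2002 13:07:43 6 02 example.net finger <-> 103 example.com 34475 38 4793 00 FS-PA-
08/25/1999 17:51:04 -> 08/25/1999 17:51:04    6  96 example.com ident <->  96 example.org   34118 1          40    00 -S----
08/25/1999 17:51:03 -> 08/25/1999 17:51:09 6 96 example.com 1028 <-> 96 example.org finger 7 301 00 FS-PA-
"""

# flow-extract prints well-known ports by name; this is a hypothetical, partial
# stand-in for /etc/services covering the names that appear in the article.
SERVICES = {"finger": 79, "ident": 113, "iad3": 1032, "telnet": 23}
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}

# One character per flag, "-" when clear. F, S, R, P, A occupy the first five
# positions in the article's samples; U (URG) in the sixth slot is an assumption.
FLAG_ORDER = "FSRPAU"
FLAG_NAMES = {"F": "FIN", "S": "SYN", "R": "RST", "P": "PSH", "A": "ACK", "U": "URG"}
TIMESTAMP = "%m/%d/%Y %H:%M:%S"


@dataclass
class Flow:
    start: datetime
    end: datetime
    proto: int
    src_if: int
    src_host: str
    src_port: int
    dst_if: int
    dst_host: str
    dst_port: int
    packets: int
    octets: int
    tos: int
    flags: Set[str]


def port_number(token: str) -> int:
    """Ports appear either as digits or as a service name."""
    if token.isdigit():
        return int(token)
    if token in SERVICES:
        return SERVICES[token]
    raise ValueError(f"unknown service name {token!r}: extend SERVICES")


def parse_flags(token: str) -> Set[str]:
    if len(token) != len(FLAG_ORDER):
        raise ValueError(f"bad flag field {token!r}")
    flags = set()
    for expected, ch in zip(FLAG_ORDER, token):
        if ch == expected:
            flags.add(FLAG_NAMES[ch])
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} in flag field {token!r}")
    return flags


def parse_line(line: str) -> Flow:
    """17 whitespace-separated fields with '->' and '<->' as fixed separators."""
    f = line.split()
    if len(f) != 17 or f[2] != "->" or f[9] != "<->":
        raise ValueError(f"unexpected column layout: {line!r}")
    return Flow(
        start=datetime.strptime(f"{f[0]} {f[1]}", TIMESTAMP),
        end=datetime.strptime(f"{f[3]} {f[4]}", TIMESTAMP),
        proto=int(f[5]),
        src_if=int(f[6]), src_host=f[7], src_port=port_number(f[8]),
        dst_if=int(f[10]), dst_host=f[11], dst_port=port_number(f[12]),
        packets=int(f[13]), octets=int(f[14]),
        tos=int(f[15], 16),           # ToS is printed as two hex digits
        flags=parse_flags(f[16]),
    )


def parse_output(text: str) -> List[Flow]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def server_end(flow: Flow) -> Tuple[str, int]:
    """Rule of thumb from the article: the end with the lower (service) port is
    the one being connected to, whatever flow-extract lists as 'source'."""
    if flow.src_port <= flow.dst_port:
        return flow.src_host, flow.src_port
    return flow.dst_host, flow.dst_port


def classify(flow: Flow) -> str:
    """Read the flag string the way the article does."""
    if flow.proto != 6:
        return PROTOCOLS.get(flow.proto, f"protocol {flow.proto}")
    if "RST" in flow.flags:
        return "refused or aborted (RST seen)"
    if flow.flags == {"SYN"}:
        return "unanswered SYN (no reply seen in this flow)"
    if {"SYN", "ACK", "FIN"} <= flow.flags:
        return "completed connection (SYN, data, FIN)"
    return "partial flow"


if __name__ == "__main__":
    # Sorting by start time recovers the finger-then-ident order discussed above.
    for fl in sorted(parse_output(SAMPLE), key=lambda x: x.start):
        print(fl.start, server_end(fl), fl.packets, fl.octets, classify(fl))
```

Splitting on whitespace rather than on fixed column offsets is deliberate: as the listings show, flow-extract's alignment varies with field widths, but the field count and the two separators do not. Sorting by start time before reading is what exposes the finger/ident ordering in the second listing.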


Keywords: forensic, analysis, netflow, flow-tools
Doc ID: 19875
Owner: James C.
Group: University of Chicago
Created: 2011-08-19 19:25 CDT
Updated: 2017-04-15 10:46 CDT