[Oisf-devel] accessing flowints and flowbits in decode

David Mandelberg dmandelb at bbn.com
Thu Feb 28 19:50:20 UTC 2013


On Thu, 2013-02-28 at 11:53 +0100, Victor Julien wrote:
> On 02/27/2013 10:29 PM, David Mandelberg wrote:
> > determine if the packet is part of a flow and access per-flow integers
> > and bits if it is? Is there a way to get the packet arrival time that
> > works for both live capture and reading pcap files? Is there any reason
> > not to format the packet arrival time as a *nix time and store it in a
> > flowint?
> 
> I think creating a detection keyword would be best. There you have
> access to the flow. You can use flowvars/flowints and such. From there
> you also have full access to the pkt headers, the raw pkt data, pkt time
> stamps, etc.

Thanks, that makes sense. I just started implementing it as a keyword
called flowtype that for now will just support values of "interactive"
or "!interactive", but hopefully it can be extended in the future for
other interesting properties of flows.



