Is it possible to know if a flow contained fragmented traffic? about nfdump HOT 6 CLOSED

Up to now it does not. If you think, this may be useful, I can certainly check for an implementation. It would definitely help, if you habe such an exporter, exporting these flags, to send me a few minutes worth of pcaps, sent to the collector for proper testing and for other options to implement. If this works for you, send it to my email in the AUTHORS file. All data is treated confidential..

from nfdump.

Are you asking for pcaps of fragmented IP traffic or a NetFlow pcap export with information that would indicate that flows contained fragmented traffic? The latter I am not sure how I would go about acquiring. Is ‘fragmentFlags’ the correct way to indicate this information?

from nfdump.

Sorry for being not clear enough. It's a pcap of the traffic sent to the collector. For example, if it listens on port 12335 coming in through eth0 it would be tcpdump -n -i eth0 -w flows.pcap -s 1600 port 12345
I am interested to see what your exporter sends.

from nfdump.

I unfortunately do not have or know of an exporter capable of indicating whether the flows it is producing contain fragmented traffic. To be clear, nfpcapd is not currently able to indicate fragmentation in flows, correct?

from nfdump.

No - nfpcapd does not. However, if I would implement the fragmentation flags tag #197 - then this would also apply to nfpcapd as a consequence. If this would help, I am glad to do so.

from nfdump.

Thank you. I would not want to waste your time with this as this it is not deeply important to me. I’m going to close this issue since you have answered my question.

from nfdump.