How does netflow handle IP Fragmented packets?

Scrutinizer is an enterprise/business class NetFlow and sFlow analysis tool. Scrutinizer provides historical trends of the company's critical network interfaces as well as the details on:

Who: The end system causing the traffic
What: The application/protocol that is being used
When: The time frame it has been occurring for
Where: The network connection that is affected

Moderators: scottr, Moderator Team

salmanm
Posts: 2
Joined: Fri Feb 21, 2014 8:47 pm

How does netflow handle IP Fragmented packets?

Post by salmanm » Fri Feb 21, 2014 8:54 pm

Hi,

Sorry if this is not the right place to ask this question, but I wanted to ask if netflow is expected to count IP fragments belonging to the same packet individually? sflow counts all such fragments as one packet (based on the packet flow records I observed). Please let me know.

Thanks!

JakeB
Posts: 83
Joined: Thu Jan 10, 2013 2:15 pm

Re: How does netflow handle IP Fragmented packets?

Post by JakeB » Mon Feb 24, 2014 2:20 pm

Hello -

Scrutinizer will reassemble any fragmented packets that come in assuming that the checksums are okay - you can view this in Wireshark by taking a packet capture and adding a filter for "cflow". If you are getting bad checksums that will cause some issues. Let me know if this helps.

-Jake

salmanm
Posts: 2
Joined: Fri Feb 21, 2014 8:47 pm

Re: How does netflow handle IP Fragmented packets?

Post by salmanm » Mon Feb 24, 2014 3:26 pm

Thanks for your reply Jake.

I am using netflow as a standalone entity, without Scrutinizer, so the question now is: without Scrutinizer in place, does netflow assemble the fragments and then count all fragments as a single packet, or is it Scrutinizer's specialty to assemble the fragmented packets that are reported multiple times by netflow?
