Morning,

Please excuse my lack of knowledge in this. The sflowtool -t is a binary output.
I don't know what the tcpdump stream is supposed to be. Here is a link that may help explain it: http://www.tcpdump.org/tcpdump_man.html

I used `./sflowtool -t | tcpdump -vvv -r -` to display the sflow output, and it appears to be standard tcpdump output with no payload, as was expected.

On Oct 15, 2008, at 05:56 EDT, Paolo Lucente wrote:

> Hi Joe,
>
> can you please show an example of what's the output of the "sflowtool -t"
> command, which makes snort happy? That can help addressing your question.
>
> Also, do you know which sFlow fields are relevant to snort - this is just
> in case sfacctd is unable to produce a dump as detailed as sflowtool does?
> I'm anyway guessing that the only way would be through the "print" plugin
> and a few sed/awk around it.
>
> Cheers,
> Paolo
>
> On Tue, Oct 14, 2008 at 05:17:34PM -0400, Joe Carvalho wrote:
>> Hello,
>> I'd like to have sfacctd provide a tcpdump-style output suitable for
>> feeding into snort.
>>
>> I've been doing this, but I'd like to replace sflowtool with sfacctd/pmacctd.
>> % sflowtool -t | snort -Afull -r - -c snort.conf
>>
>> tnx.
>> --joe
>
> _______________________________________________
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists
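The "binary output" of `sflowtool -t` that `tcpdump -r -` and `snort -r -` accept is a pcap stream: a 24-byte global header followed by per-packet record headers and the captured bytes. The example below is added here and is not code from the thread, from sflowtool or from pmacct; it builds a constructed pcap stream of header-only samples (the "no payload" shape Joe saw), parses it back with the same checks tcpdump makes on the header, and can be fed any tool's stdout to tell whether it is pcap before handing it to snort. The pcap layout is the documented libpcap file format; the sample MAC/IP addresses, sizes and timestamps are made up.

```python
import struct
import sys

LINKTYPE_ETHERNET = 1  # pcap link-layer type for Ethernet frames
ETHERTYPE_IPV4 = 0x0800


def build_pcap(records, snaplen=128, linktype=LINKTYPE_ETHERNET):
    """Serialize (ts_sec, ts_usec, captured_bytes, original_len) tuples as a
    little-endian pcap stream: 24-byte global header, then a 16-byte record
    header followed by the captured bytes for every packet."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, captured, orig_len in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(captured), orig_len)
        out += captured
    return bytes(out)


def parse_pcap(data):
    """Parse a pcap byte stream into (global_header, records); raise ValueError
    on what tcpdump -r would also reject (bad magic, truncated records)."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":      # 0xa1b2c3d4 written little-endian
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":    # the same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a pcap stream, bad magic %s" % magic.hex())
    ver_major, ver_minor, _thiszone, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    header = {"version": (ver_major, ver_minor), "snaplen": snaplen, "linktype": linktype}
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        # incl_len may never exceed the snaplen, the original frame, or the data left
        if incl_len > snaplen or incl_len > orig_len or off + incl_len > len(data):
            raise ValueError("bad or truncated record at offset %d" % (off - 16))
        records.append({"ts_sec": ts_sec, "ts_usec": ts_usec, "incl_len": incl_len,
                        "orig_len": orig_len, "data": data[off:off + incl_len]})
        off += incl_len
    return header, records


def is_pcap_stream(data):
    """True if the bytes parse as a well-formed pcap stream."""
    try:
        parse_pcap(data)
        return True
    except ValueError:
        return False


def summarize(data):
    """One line per record: IPv4 endpoints plus how much of the original frame
    was captured. Records with incl_len < orig_len are header-only samples."""
    header, records = parse_pcap(data)
    lines = []
    for rec in records:
        frame = rec["data"]
        desc = "non-IPv4"
        if header["linktype"] == LINKTYPE_ETHERNET and len(frame) >= 34:
            ethertype = struct.unpack("!H", frame[12:14])[0]
            if ethertype == ETHERTYPE_IPV4:
                src = ".".join(str(b) for b in frame[26:30])
                dst = ".".join(str(b) for b in frame[30:34])
                desc = "%s -> %s proto %d" % (src, dst, frame[23])
        lines.append("%s captured %d of %d bytes" % (desc, rec["incl_len"], rec["orig_len"]))
    return lines


def sample_stream():
    """Constructed sample: two header-only Ethernet/IPv4 records, the shape a
    packet-sampling exporter produces (addresses, sizes, timestamps made up)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    # Minimal 20-byte IPv4 header: version/IHL 0x45, total length 1500, TTL 64,
    # protocol 6 (TCP), zero checksum, 192.168.1.2 -> 192.168.1.3
    ip = bytes.fromhex("450005dc00010000400600000c0a80102c0a80103".replace("0c0a", "c0a", 1))
    ip = bytes.fromhex("4500" "05dc" "0001" "0000" "4006" "0000" "c0a80102" "c0a80103")
    # Same addresses reversed, protocol 17 (UDP)
    ip_reply = ip[:9] + b"\x11" + ip[10:12] + ip[16:20] + ip[12:16]
    return build_pcap([
        (1224064560, 0, eth + ip, 1514),
        (1224064560, 500000, eth + ip_reply, 90),
    ])


if __name__ == "__main__":
    # Usage: ./sflowtool -t | python3 pcap_check.py   (reads the stream from stdin;
    # with no piped input it runs over the constructed sample instead)
    stream = sys.stdin.buffer.read() if not sys.stdin.isatty() else sample_stream()
    for line in summarize(stream):
        print(line)
```

Piped into this script, a stream from any candidate replacement for sflowtool either parses and lists `captured N of M bytes` per record (N smaller than M is the header-only sampling Joe observed) or fails on the global header, which is the same point at which `snort -r -` would stop reading it.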
