Is it possible to know if a flow contained fragmented traffic?

[hacel]

There's fragmentFlags but I'm not sure how to access this field through nfdump or any other tool. Does nfdump collect IP flags?

[phaag]

Up to now it does not. If you think, this may be useful, I can certainly check for an implementation. It would definitely help, if you habe such an exporter, exporting these flags, to send me a few minutes worth of pcaps, sent to the collector for proper testing and for other options to implement. If this works for you, send it to my email in the AUTHORS file. All data is treated confidential..

[hacel]

Are you asking for pcaps of fragmented IP traffic or a NetFlow pcap export with information that would indicate that flows contained fragmented traffic? The latter I am not sure how I would go about acquiring. Is ‘fragmentFlags’ the correct way to indicate this information?

[phaag]

Sorry for being not clear enough. It's a pcap of the traffic sent to the collector. For example, if it listens on port 12335 coming in through eth0 it would be tcpdump -n -i eth0 -w flows.pcap -s 1600 port 12345
I am interested to see what your exporter sends.

[hacel]

I unfortunately do not have or know of an exporter capable of indicating whether the flows it is producing contain fragmented traffic. To be clear, nfpcapd is not currently able to indicate fragmentation in flows, correct?

[phaag]

No - nfpcapd does not. However, if I would implement the fragmentation flags tag #197 - then this would also apply to nfpcapd as a consequence. If this would help, I am glad to do so.

[hacel]

Thank you. I would not want to waste your time with this as this it is not deeply important to me. I’m going to close this issue since you have answered my question.