todo

netflow,抓包

FT_RECGET -> FTIO_RECGET - use ftio offsets.

fts3rec_compute_offsets() could be done automatically on ftio_open(4READ)
  -- update everything to use ftio->fo.

flow-split, flow-report timing problem when a period passes with no clock.

source spoofing in flow-fanout is not going to work properly with multiple
sources - need per source sequence numbers on output side.

source spoofing - in flow-send use the exporter IP from the flow record.

SCTP support

NetFlow v9 support

flow-rptfmt

Sparc/Linux portability
http://www.debian.org/ports/sparc/ has a little more as does
http://www.ultralinux.org/
http://www.auroralinux.org/
Matt.Foster@Unilever.com

> stat-report report1
>   input
>      time yesterday
>      path /data/%Y/%Y-%m/%Y-%m-%d/
(dynamic path)

filter actions
  invoke tags
  invoke tag-mask
  invoke privacy mask

flow-capture - use ftfil ACL for accepting flows.

flow-split should fail more gracefully when splitting on time with old
flow files without clocking information.

flow-cat -> ftlib so flow-xxx /flows/data/2002 will work without using flow-cat

flow-probe

flow-capture / flow-expire not removing empty directories.

flow-report per src/dst tag src/dst host count

reference ip2hostname utility on web page

flow-report, flow-nfilter, flow-tag - config file from command line string.

flow-print strftime style processing.

flow-cat mmap causes crash problem on Solaris

cisco magic filters

total_flows should always be a u_int64, not u_int32

DEC portability
 - check for snprintf

Robin's libcap/flow-import patch

flow-capture/flow-receive finish the locip/remip/port code to accept multiple
 exporters

the as substitution can be smarter, ie don't do substitution for multicast
traffic or output ifIndex 0, or possibly if the mask bits are 0.

mmap should be turned off for large files since it won't work.

directio 

md5 checksums

ftio_write could use write() instead of writen() to better utilize d_buf
when write() returns 0 -- ie on a TCP connection.

flow-xlate - split overflow scaled flows

flow-bidir

flow-import/export - argus files

flow-import/export - OCxmon files

flow-import/export - netramet files

flow-import/export - cabletron files

bgp integration - community (xxx:yyy) -> tag yyy

packet sampling rate need to be stored in the flow file.  flow-stat would
need to use this to estimate total # of flows

--with-cflow - automagically build Dave's Cflow module

flow-cat
  -R ifalias  Reset ifalias
  -R ifmap    Reset ifmap
  -L ifalias  Load ifalias
  -L ifmap    Load ifmap
  -S <path>   where to look for symbol names
  -I <iplist> only load for IP's

flow-capture
  -M <path>   where to look for symbol names

symbol file:
 ifmap exporter=1.2.3.4 ifIndex=99 name=FastEthernet0/0 encap=60 sample_rate=100
 ifalias exporter=1.2.3.4 name=outside ifIndex_list=5,1,2,3,4,5

flow-top

flow-capture ager is running on all errors

incorporate flow-sort

AC_ARG_WITH(socks,
[  --with-libwrap            use the libwrap library],
[AC_DEFINE(HAVE_LIBWRAP)])

instrument read/write for compression stats by using total_in and total_out

flow-5to8 - convert v5 to v8 flows

flow-active
 maintains active src or destination IP address first/last seen on disk
   first_time
   last_time
   flows
   octets
   packets

regression tests

flow-dns
 -l level (heirachy level, 0 is infinity)
  - level 1 would only be top level domains (.com, .edu, .net)
  - level 2 would be second level (ohio-state.edu, psu.edu, cic.net)
  - level 0 would be any level, ie FQDN's (shattered.net.ohio-state.edu)

flow-reduce
 various data reducations
 glue together TCP connections

keep state when there's a ftp control connection, then use that
to give hints about ftp data connections