See the Getting Started and Command Usage documents.
See the answer to the question: How do I get routing tables for ASFinder?
Does crl_flow use the FIN packet for flow termination?
The current version of crl_flow doesn't look for FIN or any other
protocol feature to detect the end of a flow; it only uses
timing. With the -I option, a flow ends when the
interval ends (so at the end of each interval, all flows are
considered expired). With a -T option, a flow ends
when some specified amount of time has passed since the last
packet was seen matching the flow id.
Expired flows are still reported at the end of every interval,
and at the end of the run any flows that never expired are reported.
With the -A option, still-active flows are reported every interval.
When a flow expires, any new packets with
the same flow id are considered part of a new flow; this is why
you may see values greater than 1 in the flows column when you
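
The timing-only expiry described in this answer can be modelled in a few lines. This is an added example, not CoralReef code: the function name, the (flows, pkts, bytes) row layout, the sample packets, and the choice to sweep for idle flows at each interval boundary are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: (timestamp_seconds, flow_id, bytes). Flow "A" goes quiet twice.
SAMPLE_PACKETS = [(1, "A", 100), (2, "A", 100), (3, "A", 100), (5, "B", 40),
                  (20, "A", 100), (21, "A", 100), (45, "A", 100),
                  (58, "B", 40), (62, "B", 40)]

def account_flows(packets, interval, idle_timeout=None):
    """Return {interval_index: {flow_id: (flows, pkts, bytes)}}.

    idle_timeout=None models interval expiry (every flow ends with the interval);
    a number models idle expiry (flow ends after that many seconds of silence).
    """
    active = {}  # flow_id -> [last_ts, pkts, bytes]
    reports = defaultdict(lambda: defaultdict(lambda: [0, 0, 0]))

    def expire(fid, idx):
        _, pkts, nbytes = active.pop(fid)
        row = reports[idx][fid]
        row[0] += 1          # one more finished flow for this flow id
        row[1] += pkts
        row[2] += nbytes

    def sweep(boundary_ts, idx):
        for fid in list(active):
            if idle_timeout is None or boundary_ts - active[fid][0] >= idle_timeout:
                expire(fid, idx)

    current = 0
    for ts, fid, size in sorted(packets):
        idx = int(ts // interval)
        while current < idx:  # close every interval that has ended
            sweep((current + 1) * interval, current)
            current += 1
        idle = idle_timeout is not None and fid in active \
            and ts - active[fid][0] >= idle_timeout
        if idle:              # old flow expired; this packet starts a new flow
            expire(fid, current)
        state = active.setdefault(fid, [ts, 0, 0])
        state[0] = ts
        state[1] += 1
        state[2] += size
    for fid in list(active):  # end of run: report flows that never expired
        expire(fid, current)
    return {i: {f: tuple(r) for f, r in rows.items()} for i, rows in reports.items()}

if __name__ == "__main__":
    print("interval expiry:", account_flows(SAMPLE_PACKETS, interval=60))
    print("idle expiry    :", account_flows(SAMPLE_PACKETS, interval=60, idle_timeout=10))
```

With a 10-second idle timeout, flow id "A" is counted as three flows in the first 60-second interval, while interval expiry counts the same packets as one flow; anything that alerts on flow counts needs to know which expiry mode produced them.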