Hi Andrey,
Filtering according the router IP address works only, if you collect this
information.
Have a look into one of your nfcapd file such as ./nfdump -r
/path/to/nfcapd.xxx -c 1 -o raw
This shows you all the fields in a record, what you have collected. If the
router address
does no show up, you need to add this extension in nfsen.conf:
%sources = (
'monitor' => { 'port' => '60181', 'col' => '#0000ff', 'type' => 'netflow',
'optarg' => '-T13' },
);
See also nfcapd(1) for all extensions. If you don't care disk space, use -Tall,
so nfcapd gets all it
understands from the exporter.
- Peter
On 2/14/13 16:51, Andrey Teslenko wrote:
> *Hello,
> *
> I tried to use nfsen instead flow-tools.
> I tried to convert flow-files in to nfdump format with ft2nfdump utility.
> I have more than 20 routers in my network and all of them exported data to
> the single host-collector.
> All data collected succesfully and nfsen "live" profile worked fine.
>
> Filters such as: "src/dst AS", "src/dst IP", "src/dst IF" work fine.
>
> BUT.
>
> How I must to write filter, to see statistics from "src/dst IF" from specific
> export source.
> SNMP indexes on some router are identical, so I need filtered by exporter-ip
> such as Loopback ip-address or some one
> else ID.
>
> Example:
>
> #sh ip flow export
> Flow export v5 is enabled for main cache
> Export source and destination details :
> VRF ID : Default
> Source(1) 213.xx.xx.3 (Loopback0)
> Destination(1) 62.xx.xx.xx (60181)
>
>
> In native data of flow-tools this field called — exporter id.
> *Can I be sure that after convertation data by ft2nfdump this information not
> disapear?*
>
>
> Currently i try to use such filter options as:
>
> Router IP
> router ip <ipaddr>
> Filter the flows according the IP address of the exporting router.
>
> But I got empty results.
>
> ** nfdump -M /home/netflow/flows/live/upstreams -T -r nfcapd.201302141434
> -n 10 -s ip/flows
> nfdump filter:
> *router ip 213.xx.xx.3*
> Top 10 IP Addr ordered by flows:
> Date first seen Duration Proto IP Addr Flows(%)
> Packets(%) Bytes(%) pps bps bpp
>
> Summary: total flows: 0, total bytes: 0, total packets: 0, avg bps: 0, avg
> pps: 0, avg bpp: 0
> Time window: 2013-02-14 14:04:52 - 2013-02-14 14:35:48
> Total flows processed: 689084, Blocks skipped: 0, Bytes read: 46858276
> Sys: 0.144s flows/second: 4785006.5 Wall: 1.391s flows/second: 495145.8
>
> *
> Can i hope it will work If I will switch all my routers directly to nfdump
> collector (without convertation), but
> continue using single source to collect data from all routers?
> *
> %sources = (
> 'monitor' => { 'port' => '60181', 'col' => '#0000ff', 'type' =>
> 'netflow' },
> );**
>
>
>
>
>
>
> ------------------------------------------------------------------------------
> Free Next-Gen Firewall Hardware Offer
> Buy your Sophos next-gen firewall before the end March 2013
> and get the hardware for free! Learn more.
> http://p.sf.net/sfu/sophos-d2d-feb
>
>
>
> _______________________________________________
> Nfsen-discuss mailing list
> Nfsen-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
>
--
--
Be nice to your netflow data
------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_feb
_______________________________________________
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
