Hello all,
I’m testing nfsen along with nfdump and it works fine.
Now I would like to get an alert when a certain number of flows pointing to the
same destination IP address is exceeded.
I tried:
/usr/local/nfdump/bin/nfdump -M /usr/local/nfsen-1.3.6p1/profiles-data/live/RouterA -T -R 2014/03/25/nfcapd.201403250000:2014/03/25/nfcapd.201403250040 -n 5 -s dstip/flows
Top 5 Dst IP Addr ordered by flows:
Date first seen          Duration  Proto  Dst IP Addr  Flows(%)      Packets(%)     Bytes(%)       pps  bps   bpp
2014-03-25 00:01:40.684  2583.240  any    a.b.c.d1     16640( 7.1)   16706( 3.1)    1.0 M( 1.7)    6    3104  60
2014-03-25 00:02:35.664  2528.104  any    a.b.c.d2     11183( 4.8)   15210( 2.8)    905478( 1.5)   6    2865  59
2014-03-25 00:01:40.664  2581.600  any    a.b.c.d3     7532( 3.2)    10521( 2.0)    624571( 1.1)   4    1935  59
2014-03-25 00:01:40.664  2583.212  any    a.b.c.d4     5325( 2.3)    7153( 1.3)     364414( 0.6)   2    1128  50
2014-03-25 00:02:36.056  2527.592  any    a.b.c.d5     3372( 1.4)    3384( 0.6)     210376( 0.4)   1    665   62
Summary: total flows: 235183, total bytes: 58.5 M, total packets: 536871, avg bps: 120690, avg pps: 138, avg bpp: 108
Time window: 2014-03-24 23:40:20 - 2014-03-25 00:44:57
Total flows processed: 235183, Blocks skipped: 0, Bytes read: 14111476
Sys: 0.044s flows/second: 5227218.2 Wall: 0.044s flows/second: 5298585.1
Or like this:
/nfdump -M /usr/local/nfsen-1.3.6p1/profiles-data/live/RouterA -T -R 2014/03/25/nfcapd.201403250000:2014/03/25/nfcapd.201403250040 -o "fmt:%fl %da" -a -A dstip | sort -g
2081 a.b.c.d1
2545 a.b.c.d2
2724 a.b.c.d3
3208 a.b.c.d4
3372 a.b.c.d5
5325 a.b.c.d6
7532 a.b.c.d7
11183 a.b.c.d8
16640 a.b.c.d9
I would like to get an alert (email) when the number of flows exceeds 5000, for
example.
Is there a way to do it in nfsen by defining an alert?
Thank you.
Pat.
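Added example, not code from the original post or from the nfsen/nfdump projects: a cron-driven threshold check built on the second nfdump query above (flows aggregated per destination IP), which mails a list of the addresses that crossed the limit. NFDUMP, PROFILE, THRESHOLD, MAILTO and the script name nfcheck.sh are assumed placeholders; the `-q` flag only suppresses nfdump's header and summary lines.

```shell
#!/bin/sh
# Added example (not from the post or the nfsen/nfdump projects): alert when
# the flows seen towards one destination IP exceed a threshold, using the
# same "-o fmt:%fl %da -a -A dstip" query as in the post. The four values
# below are assumed placeholders for the local installation.
NFDUMP=${NFDUMP:-/usr/local/nfdump/bin/nfdump}
PROFILE=${PROFILE:-/usr/local/nfsen-1.3.6p1/profiles-data/live/RouterA}
THRESHOLD=${THRESHOLD:-5000}
MAILTO=${MAILTO:-noc@example.invalid}

# flows_over_threshold THRESHOLD
# Reads "<flows> <dst ip>" lines on stdin (nfdump -q -o "fmt:%fl %da" -a -A dstip)
# and prints only the lines whose flow count exceeds THRESHOLD, highest first.
# Lines whose first field is not an integer (header or "Summary:" line when
# -q is omitted) are ignored so they can never trigger an alert by accident.
flows_over_threshold() {
    awk -v t="$1" '$1 ~ /^[0-9]+$/ && $1 + 0 > t + 0 { print $1, $2 }' | sort -rn
}

# alert_body WINDOW  (offender lines on stdin)
# Builds the mail text. Returns 1 when there is nothing to report so that the
# caller does not send empty mails for quiet intervals.
alert_body() {
    offenders=$(cat)
    [ -n "$offenders" ] || return 1
    printf 'Destination IPs with more than %s flows in %s:\n\n%s\n' \
        "$THRESHOLD" "$1" "$offenders"
}

# Cron usage (assumed script name), with the same -R file range as the post:
#   nfcheck.sh run 2014/03/25/nfcapd.201403250000:2014/03/25/nfcapd.201403250040
if [ "${1:-}" = "run" ]; then
    body=$("$NFDUMP" -M "$PROFILE" -R "$2" -q -o "fmt:%fl %da" -a -A dstip \
           | flows_over_threshold "$THRESHOLD" | alert_body "$2")
    if [ -n "$body" ]; then
        printf '%s\n' "$body" | mail -s "nfdump: flow threshold exceeded" "$MAILTO"
    fi
fi
```

Pointing `-R` at the most recent nfcapd files (or using `-t` for a time window) every few minutes from cron gives the per-interval alert that nfsen itself does not expose for this aggregation.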
_______________________________________________
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss