Re: [Nfsen-discuss] Defining alert if exceeds x number of flows

2014-03-26 Thread Patrick Lessard
Hello Chris,

I did what you suggested, but the alert never triggers. I put a low value of 
10. I see some dstIP with higher than 10 flows, but it doesn’t work.

Any idea?

Pat



The information in this message, including in all attachments, is confidential 
or privileged. In the event you have received this message in error and are not 
the intended recipient, you are hereby advised that any use, copying or 
reproduction of this document is strictly forbidden. Please notify immediately 
the sender of this error and destroy this message, including its attachments, 
as the case may be.

From: Patrick Lessard [mailto:patrick.less...@cogeco.com]
Sent: 25 March 2014 16:02
To: Chris Roose
Cc: nfsen-discuss@lists.sourceforge.net
Subject: Re: [Nfsen-discuss] Defining alert if exceeds x number of flows

Ok I just did that and set the threshold very low to trigger some alerts. I 
will let it run and let you know.

Thank you.

Patrick.



From: Chris Roose [mailto:ch...@transientaudio.net]
Sent: 25 March 2014 15:31
To: Patrick Lessard
Cc: nfsen-discuss@lists.sourceforge.net
Subject: Re: [Nfsen-discuss] Defining alert if exceeds x number of flows

Oh, sorry -- maybe I read too fast.

1) Click on Alerts tab
2) Click plus sign to add an alert
3) Enter Name, check enabled Status, and select Filter
4) Select radio button next to Conditions based on individual Top 1 statistics:
5) Use drop-downs to construct filter: Flows of Top 1 DST IP Address > 5000
6) Configure Trigger and Action fields for your email preferences

Best,
Chris
On 3/25/2014 3:24 PM, Patrick Lessard wrote:
That’s basically my question! ☺

How can I do it in nfsen? I have no experience and am not sure how to do it.

Any help would be appreciated.

Thank you.

Pat.


From: Chris Roose [mailto:ch...@transientaudio.net]
Sent: 25 March 2014 15:20
To: Patrick Lessard
Cc: nfsen-discuss@lists.sourceforge.net
Subject: Re: [Nfsen-discuss] Defining alert if exceeds x number of flows

Pat,

Have you tried doing this in NfSen? It's pretty easy to set an email alert for 
this condition using the GUI.

Thanks,
Chris

Re: [Nfsen-discuss] Defining alert if exceeds x number of flows

2014-03-26 Thread Patrick Lessard
Ok, it’s working now; I had to change the default filter from “not any” to 
“proto udp”.

Now I’m getting this error when it tries to send an email:

Mar 26 11:25:00 netflow01 nfcapd[22729]: Ident: 'RouterA' Flows: 12355, Packets: 70331, Bytes: 5203913, Sequence Errors: 0, Bad Packets: 0
Mar 26 11:25:00 netflow01 nfcapd[22729]: Total ignored packets: 0
Mar 26 11:25:15 netflow01 nfsen[22731]: 1 channels/alerts to profile
Mar 26 11:25:15 netflow01 nfprofile[24558]: Process line '.#~Test#8#Test#RouterA#012'
Mar 26 11:25:15 netflow01 nfprofile[24558]: Setup channel 'Test' in profile '~Test' group '.', channellist 'DR6509'
Mar 26 11:25:15 netflow01 nfsen[22731]: Update profile live in group .
Mar 26 11:25:15 netflow01 nfsen[22731]: Error reading channel stat information. Missing key 'first'
Mar 26 11:25:15 netflow01 nfsen[22731]: Process alert 'Test'
Mar 26 11:25:15 netflow01 nfsen[22731]: condition 0: evaluated to True
Mar 26 11:25:15 netflow01 nfsen[22731]: Alert 'Test' execute action
Mar 26 11:25:15 netflow01 nfsen[22731]: alert 'Test' : Failed to send alert email to: removed@domain.com
Mar 26 11:25:15 netflow01 nfsen[22731]: Run expire at Wed Mar 26 11:25:00 2014
Mar 26 11:25:15 netflow01 nfsen[22731]: End expire at Wed Mar 26 11:25:00 2014

Thx for the help!

Pat.




[Nfsen-discuss] Defining alert if exceeds x number of flows

2014-03-25 Thread Patrick Lessard
Hello all,

I’m testing nfsen along with nfdump and it works fine.

Now I would like to get an alert when a certain number of flows pointing to the 
same destination IP address is exceeded.

I tried:

/usr/local/nfdump/bin/nfdump -M /usr/local/nfsen-1.3.6p1/profiles-data/live/RouterA -T \
  -R 2014/03/25/nfcapd.20140325:2014/03/25/nfcapd.201403250040 -n 5 -s dstip/flows
Top 5 Dst IP Addr ordered by flows:
Date first seen          Duration Proto  Dst IP Addr     Flows(%)    Packets(%)      Bytes(%)  pps   bps  bpp
2014-03-25 00:01:40.684  2583.240 any    a.b.c.d1     16640( 7.1)  16706( 3.1)   1.0 M( 1.7)    6  3104   60
2014-03-25 00:02:35.664  2528.104 any    a.b.c.d2     11183( 4.8)  15210( 2.8)  905478( 1.5)    6  2865   59
2014-03-25 00:01:40.664  2581.600 any    a.b.c.d3      7532( 3.2)  10521( 2.0)  624571( 1.1)    4  1935   59
2014-03-25 00:01:40.664  2583.212 any    a.b.c.d4      5325( 2.3)   7153( 1.3)  364414( 0.6)    2  1128   50
2014-03-25 00:02:36.056  2527.592 any    a.b.c.d5      3372( 1.4)   3384( 0.6)  210376( 0.4)    1   665   62

Summary: total flows: 235183, total bytes: 58.5 M, total packets: 536871, avg bps: 120690, avg pps: 138, avg bpp: 108
Time window: 2014-03-24 23:40:20 - 2014-03-25 00:44:57
Total flows processed: 235183, Blocks skipped: 0, Bytes read: 14111476
Sys: 0.044s flows/second: 5227218.2  Wall: 0.044s flows/second: 5298585.1


Or like this:

/nfdump -M /usr/local/nfsen-1.3.6p1/profiles-data/live/RouterA -T \
  -R 2014/03/25/nfcapd.20140325:2014/03/25/nfcapd.201403250040 -o 'fmt:%fl %da' -a -A dstip | sort -g

 2081 a.b.c.d1
 2545 a.b.c.d2
 2724 a.b.c.d3
 3208 a.b.c.d4
 3372 a.b.c.d5
 5325 a.b.c.d6
 7532 a.b.c.d7
11183 a.b.c.d8
16640 a.b.c.d9

I would like to get an alert (email) when the number of flows exceeds 5000, for 
example.

Is there a way to do it in nfsen by defining an alert?

Thank you.

Pat.


--
Learn Graph Databases - Download FREE O'Reilly Book
Graph Databases is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/13534_NeoTech
___
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
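The threshold check the poster is after, done outside the NfSen GUI, as an added example that is not code from this thread, from nfdump or from NfSen. It parses the output of the second pipeline above (`-o 'fmt:%fl %da' -a -A dstip`) and reports every destination whose flow count exceeds a limit, which is the same comparison the NfSen "Flows of Top 1 DST IP Address > N" condition performs on the busiest destination. Assumptions: nfdump's `-q` flag (suppresses the header and summary lines), an explicit `any` filter as the last argument so the query never inherits NfSen's default `not any` filter (which matches nothing, the reason the alert in the follow-up never fired until the filter was changed), and hypothetical profile paths; the sample output is constructed from the nine lines in the original post.

```python
"""Threshold check over nfdump's per-destination flow counts (added example).

Pipeline assumed (paths hypothetical, -q and the trailing 'any' filter are
assumptions stated in the lead-in):
    nfdump -q -M <profile dir> -R <file range> -o 'fmt:%fl %da' -a -A dstip any
"""
import re
import subprocess
from typing import List, Tuple

# Constructed sample: the nine '<flows> <dst ip>' lines from the original post,
# followed by the summary lines nfdump appends when -q is omitted, to show that
# the parser skips them.  Addresses are the poster's own placeholders.
SAMPLE_OUTPUT = """\
 2081 a.b.c.d1
 2545 a.b.c.d2
 2724 a.b.c.d3
 3208 a.b.c.d4
 3372 a.b.c.d5
 5325 a.b.c.d6
 7532 a.b.c.d7
11183 a.b.c.d8
16640 a.b.c.d9
Summary: total flows: 235183, total bytes: 58.5 M, total packets: 536871, avg bps: 120690, avg pps: 138, avg bpp: 108
Time window: 2014-03-24 23:40:20 - 2014-03-25 00:44:57
"""

# One '%fl %da' record: a flow count, whitespace, one address token (v4 or v6).
RECORD_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def build_nfdump_command(profile_dir: str, file_range: str,
                         nfdump: str = "/usr/local/nfdump/bin/nfdump",
                         flt: str = "any") -> List[str]:
    """argv for the aggregated-by-destination query.

    The filter is passed explicitly so the check never runs with a
    'not any' default, which yields an empty Top-N and therefore no alert.
    """
    return [nfdump, "-q", "-M", profile_dir, "-R", file_range,
            "-o", "fmt:%fl %da", "-a", "-A", "dstip", flt]


def parse_flows_per_dst(text: str) -> List[Tuple[str, int]]:
    """Turn nfdump '%fl %da' lines into (dst, flows) pairs.

    Lines that do not match the record shape (the header and summary lines
    printed when -q is not given) are ignored rather than mis-parsed.
    """
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            records.append((m.group(2), int(m.group(1))))
    return records


def destinations_over_threshold(text: str, threshold: int) -> List[Tuple[str, int]]:
    """Destinations whose flow count exceeds the threshold, busiest first.

    With threshold=5000 this is the condition the poster wanted mailed out;
    the first element is what NfSen's 'Top 1 DST IP Address' compares.
    """
    hits = [(dst, fl) for dst, fl in parse_flows_per_dst(text) if fl > threshold]
    hits.sort(key=lambda rec: rec[1], reverse=True)
    return hits


def check_live(profile_dir: str, file_range: str, threshold: int) -> List[Tuple[str, int]]:
    """Run nfdump for real (needs an nfdump install; paths are the caller's)
    and evaluate the threshold on its output."""
    cmd = build_nfdump_command(profile_dir, file_range)
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return destinations_over_threshold(out, threshold)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample: four destinations
    # exceed 5000 flows in this window.
    for dst, flows in destinations_over_threshold(SAMPLE_OUTPUT, 5000):
        print(f"ALERT: {dst} received {flows} flows in this window (> 5000)")
```

Run it from cron on the same five-minute cadence as nfcapd's file rotation, pointing `check_live` at the newest `nfcapd.YYYYMMDDhhmm` file, and hand the returned list to whatever mailer you trust; keeping the comparison on the aggregated output rather than on the raw flow records means the cost is one pass over a single capture file per interval.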


Re: [Nfsen-discuss] Defining alert if exceeds x number of flows

2014-03-25 Thread Patrick Lessard
That’s basically my question! ☺

How can I do it in nfsen? I have no experience and am not sure how to do it.

Any help would be appreciated.

Thank you.

Pat.





Re: [Nfsen-discuss] Defining alert if exceeds x number of flows

2014-03-25 Thread Patrick Lessard
Ok I just did that and set the threshold very low to trigger some alerts. I 
will let it run and let you know.

Thank you.

Patrick.





Re: [Nfsen-discuss] Defining alert if exceeds x number of flows

2014-03-25 Thread Golem
Hello Patrick,

Go to the NFSEN web GUI; there should be an ALERTS tab. Click on it, add an
alert, and then set the conditions.


-- 
Best regards,
Ozga Rafal  mailto:go...@mtm-info.pl

