>
> Hi Peter,
>
> On Wed, 17 Jan 2007, at 09:11, Peter Haag wrote:
>
>> - --On January 16, 2007 17:39:57 +0000 Maurizio Molina
>> <[EMAIL PROTECTED]> wrote:
>>
>> | Hi,
>> | the last nfdump snapshot (20070110) seems to have problems with the -R
>> | option:
>> |
>> | [EMAIL PROTECTED] man]$
>> | /opt/flowtest/tools/nfdump/snapshot-20070110/bin/nfdump -R
>> | /opt/flowtest/tools/nfdump/snapshot-20070110/archive/ath_gr/ -I
>> | Open file: bad version: 0
>>
>> You must have created those files with an old pre-1.5 ( version <=
>> nfdump-snapshot-20060721 ).
>
> Same problem here, with recent (post snap-2007*) data. culprit
> is the nfcapd.current.* file
Apply the appended patch to nfdump-snapshot-20070110, which fixes the
problem of detecting nfcapd.current.*. The patch also fixes a bug in the
ICMP decoding.
- Peter
>
> % nfdump -R .
> Open file: bad version: 0
>
> % nfdump -R nfcapd.200701131930:nfcapd.200701212235 -c 1
> Date flow start Duration Proto Src IP Addr:Port
> Dst IP Addr:Port Packets Bytes Flows
> ...
>
> % nfdump -r nfcapd.current.23397
> Date flow start Duration Proto Src IP Addr:Port
> Dst IP Addr:Port Packets Bytes Flows
> Open file: bad version: 0
>
> cheers,
>
> - yann
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share
> your
> opinions on IT & business topics through brief surveys - and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> Nfsen-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
>
--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Limmatquai 138, CH-8001 Zurich, Switzerland
E-mail: [EMAIL PROTECTED] Web: http://www.switch.ch/
diff -ru nfdump-snapshot-20070110.orig/flist.c nfdump-snapshot-20070110/flist.c
--- nfdump-snapshot-20070110.orig/flist.c 2007-01-09 10:27:16.000000000
+0100
+++ nfdump-snapshot-20070110/flist.c 2007-01-25 10:46:55.000000000 +0100
@@ -741,13 +741,13 @@
break;
case FTS_F:
// file entry
-// printf("==> Test: %s\n", ftsent->fts_path);
+// printf("==> Check: %s\n", ftsent->fts_name);
// skip stat file
- if ( strcmp(ftsent->fts_accpath, ".nfstat") ==
0 ||
- strncmp(ftsent->fts_accpath,
"nfcapd.current", 14) == 0)
+ if ( strcmp(ftsent->fts_name, ".nfstat") == 0
||
+ strncmp(ftsent->fts_name,
"nfcapd.current", 14) == 0)
continue;
- if ( strstr(ftsent->fts_accpath, ".stat") !=
NULL )
+ if ( strstr(ftsent->fts_name, ".stat") != NULL
)
continue;
if ( file_list_level && (
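Review bot: the `.stat` test in the last changed condition uses `strstr(ftsent->fts_name, ".stat") != NULL`, which matches the substring anywhere in the file name, so a file that merely contains ".stat" in the middle of its name is skipped silently as well. If the intent is to skip files ending in `.stat`, compare the tail of `fts_name` instead. In the condition above it, the literal 14 in the `strncmp` is the length of "nfcapd.current"; deriving it from the string (for example `sizeof("nfcapd.current") - 1`) keeps the two in sync. A short comment noting that `fts_name` is the bare file name while `fts_accpath` may carry directory components would record why the prefix test has to use `fts_name`.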
diff -ru nfdump-snapshot-20070110.orig/nf_common.c
nfdump-snapshot-20070110/nf_common.c
--- nfdump-snapshot-20070110.orig/nf_common.c 2007-01-09
10:27:16.000000000 +0100
+++ nfdump-snapshot-20070110/nf_common.c 2007-01-25 10:44:53.000000000
+0100
@@ -733,7 +733,7 @@
if ( r->prot == 1 ) { // ICMP
type = r->dstport >> 8;
- code = r->dstport && 0xFF;
+ code = r->dstport & 0xFF;
snprintf(string, MAX_STRING_LENGTH-1, "%u.%u", type, code);
} else { // dst port
snprintf(string, MAX_STRING_LENGTH-1, "%u", r->dstport);-------------------------------------------------------------------------
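Review bot: `type = r->dstport >> 8;`, directly above the corrected line, is left unmasked, so if `dstport` is wider than 16 bits any higher bits end up in the printed ICMP type; writing it as `(r->dstport >> 8) & 0xFF` would match the corrected `code` line. The packing of ICMP type and code into `dstport` is only implied by the shift and the mask, so a one-line comment in the `// ICMP` branch stating the layout would help keep the two in step.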
_______________________________________________
Nfdump-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss