I am working with nfsen/nfdump to create some reports (plugins eventually that I will release) based off of netflow data, and I seem to be having a problem with formatting the output. I see from the man pages for nfdump that I should be able to use fmt: to specify a certain output, but I am unsuccessful. Essentially, I want to return the top "n" IPs for a given time period ordered by ip/bytes. What I don't want is fields other than IP and Bytes. Here is the command I am currently using (without a -o fmt:):

    /usr/local/bin/nfdump -qNM /data/nfsen/profiles/live/rus-kla-ops-1 -T -R nfcapd.200704110000:nfcapd.200704120000 -n 10 -s ip/bytes

1. Is there any way to suppress the column names? I am using -q but it still adds these 2 lines in the output:

    Top 10 IP Addr ordered by bytes:
    Date first seen Duration Proto IP Addr Flows Packets Bytes pps bps bpp

2. What does a properly formatted fmt: look like to return just the IP and the Bytes for the above results? I don't see/understand a way to return Any IP (instead of just srcip or dstip) and just the bytes.

    -o fmt:???%byt

I also saw in an earlier thread that -s can override some output values. Is that part of what I am encountering?

So basically I want to go from:

    Top 10 IP Addr ordered by bytes:
    Date first seen Duration Proto IP Addr Flows Packets Bytes pps bps bpp
    2007-04-10 23:44:56.652 87168.973 any 172.16.10.108 38 17.0 M 16.5 G 204 1.6 M 993

To:

    172.16.10.108 16.5 G

Currently I do a lot of parsing with perl to accomplish this. Is there a better way?

Thanks.

Chris Waters
Technology Services - Networks Group
JELD-WEN, inc. Information Systems
[EMAIL PROTECTED]

Nfdump-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
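
Added example (not part of the original message, and not nfdump's own code): a post-processing filter that reduces the top-N statistics output shown above to IP and Bytes, skipping the title and column-header lines and keeping scaled values such as "16.5 G" together. The function names, the decimal (1000-based) unit scaling and the second sample row are assumptions made for illustration.

```python
import re

# Assumption: K/M/G/T in the Packets/Bytes columns are decimal multipliers.
SCALE = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}

# A number as printed in the statistics table: "38", "61234", "17.0 M", "16.5 G".
NUM = r"\d+(?:\.\d+)?(?: [KMGT])?"

# Column order taken from the header in the message:
# Date first seen, Duration, Proto, IP Addr, Flows, Packets, Bytes, ...
ROW = re.compile(
    r"^\d{4}-\d{2}-\d{2}\s+[\d:.]+\s+[\d.]+\s+\S+\s+"
    r"(?P<ip>\S+)\s+(?:" + NUM + r")\s+(?:" + NUM + r")\s+"
    r"(?P<bytes>" + NUM + r")(?:\s|$)"
)

def to_int(text):
    """Convert '16.5 G' or '61234' to an integer byte count."""
    value, _, unit = text.partition(" ")
    return round(float(value) * SCALE[unit])

def top_ip_bytes(text):
    """Return [(ip, bytes_as_printed, bytes_as_int)] for every data row.

    Title, column-header and blank lines do not start with a date,
    so they fail the match and are dropped.
    """
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((m["ip"], m["bytes"], to_int(m["bytes"])))
    return rows

# First data row is the one quoted in the message; the second is constructed
# to show a row whose Packets and Bytes values carry no unit suffix.
SAMPLE = """\
Top 10 IP Addr ordered by bytes:
Date first seen          Duration Proto  IP Addr  Flows  Packets  Bytes  pps  bps  bpp
2007-04-10 23:44:56.652 87168.973 any    172.16.10.108   38   17.0 M   16.5 G  204  1.6 M  993
2007-04-10 23:50:01.100   120.500 any        192.0.2.7    5      420    61234    3   4065  145
"""

if __name__ == "__main__":
    for ip, shown, _ in top_ip_bytes(SAMPLE):
        print(ip, shown)
```

The integer in each tuple is there so a report can sort or sum rows without re-parsing the scaled text.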