The user-defined format -o fmt works only for entire netflow records and not for record element statistics. Using Perl, you may check whether the beginning of the line is a number (date), to process a line and skip header lines. Alternatively you may use -o pipe, which gives a '|' separated record list without any additional lines/headers.

- Peter

--On April 12, 2007 13:39:55 -0700 Chris Waters <[EMAIL PROTECTED]> wrote:

| I am working with nfsen/nfdump to create some reports (plugins eventually
| that I will release) based off of netflow data and I seem to be having a
| problem with formatting the output. I see from the man pages for nfdump
| that I should be able to use fmt: to specify a certain output but I am
| unsuccessful. Essentially, I want to return the top "n" ips for a given
| time period ordered by ip/bytes. What I don't want is fields other than
| IP and Bytes.
|
| Here is the command I am currently using (without a -o fmt:):
|
| /usr/local/bin/nfdump -qNM /data/nfsen/profiles/live/rus-kla-ops-1 -T -R nfcapd.200704110000:nfcapd.200704120000 -n 10 -s ip/bytes
|
| 1. Is there any way to suppress the column names? I am using -q but it
| still adds these 2 lines in the output:
|
| Top 10 IP Addr ordered by bytes:
| Date first seen Duration Proto IP Addr Flows Packets Bytes pps bps bpp
|
| 2. What does a properly formatted fmt: look like to return just the IP
| and the Bytes for the above results? I don't see/understand a way to
| return Any IP (instead of just srcip or dstip) and just the bytes.
| -o fmt:???%byt
|
| I also saw in an earlier thread the -s can override some output values.
| Is that part of what I am encountering?
|
| So basically I want to go from:
|
| Top 10 IP Addr ordered by bytes:
| Date first seen Duration Proto IP Addr Flows Packets Bytes pps bps bpp
| 2007-04-10 23:44:56.652 87168.973 any 172.16.10.108 38 17.0 M 16.5 G 204 1.6 M 993
|
| To:
|
| 172.16.10.108 16.5 G
|
| Currently I do a lot of parsing with perl to accomplish this. Is there
| a better way?
|
| Thanks.
|
| Chris Waters
| Technology Services - Networks Group
| JELD-WEN, inc.
| Information Systems
| [EMAIL PROTECTED]
|
| _______________________________________________
| Nfdump-discuss mailing list
| [EMAIL PROTECTED]
| https://lists.sourceforge.net/lists/listinfo/nfdump-discuss

--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
E-mail: [EMAIL PROTECTED] Web: http://www.switch.ch/
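
The date-prefix filtering suggested in the reply, as an added shell/awk example that is not part of the original thread. The function names `top_ip_bytes` and `sample_output` and the second sample row are constructed here, and the column layout is assumed to match the statistic output quoted in the thread.

```shell
#!/bin/sh
# Added example: reduce `nfdump -s ip/bytes` text output to "IP bytes" pairs.
# Usage (command taken from the thread, shortened):
#   nfdump -q ... -n 10 -s ip/bytes | top_ip_bytes

top_ip_bytes() {
    awk '
    # Data rows start with a date (YYYY-MM-DD); title and column-header lines do not.
    $1 !~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]$/ { next }
    {
        # Assumed layout: date time duration proto ip flows packets bytes pps bps bpp
        ip = $5
        i = 6; n = 0
        # Walk flows, packets, bytes. A scaled value is printed as two
        # tokens ("16.5 G"), so the field index of bytes is not fixed.
        while (i <= NF && n < 3) {
            val = $i
            if (val !~ /^[0-9]+(\.[0-9]+)?$/) { n = 0; break }  # malformed row
            i++
            if (i <= NF && $i ~ /^[KMGT]$/) { val = val " " $i; i++ }
            col[++n] = val
        }
        if (n == 3) print ip, col[3]
    }'
}

# Constructed sample input: the first data row is the one quoted in the
# thread; the second row (plain, unscaled numbers) is made up for the example.
sample_output() {
    cat <<'EOF'
Top 10 IP Addr ordered by bytes:
Date first seen          Duration Proto          IP Addr    Flows  Packets    Bytes      pps      bps   bpp
2007-04-10 23:44:56.652 87168.973 any      172.16.10.108       38   17.0 M   16.5 G      204    1.6 M   993
2007-04-10 23:50:01.120   300.000 any          192.0.2.7       12      450    61234        1     1632   136
EOF
}
```

Running `sample_output | top_ip_bytes` shows the reduction on the embedded sample without needing any nfcapd files.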