-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Bernhard,
There is a bug in snapshot-20070312 in aggregation. Could you please download
the latest snapshot-20070808, which I uploaded today, try it again and report back.
- Peter
- --On August 9, 2007 20:03:56 +0200 Bernhard Schmidt <[EMAIL PROTECTED]> wrote:
| Hi,
|
| I've just installed nfdump-snapshot-20070312 and configured it to
| collect Netflow v9 IPv6 flow records generated by IBM Hespera on another box.
|
| For starters I tried to have a look at which ISPs our hosts send traffic
| to or where they receive traffic from (e.g. aggregate by /32 boundary).
|
| The inbound direction works fine:
|
| # nfdump -R . -s record/bytes "dst net 2001:4ca0::/32" -o line6 -A srcip6/32 -n 5
| Aggregated flows 175
| Top 5 flows ordered by bytes:
| Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
| 2007-08-09 19:09:31.396 2933.969 0 2001:638::.0 -> ::.0 39415 14.1 M 81
| 2007-08-09 19:09:31.395 2936.716 0 2001:a60::.0 -> ::.0 36512 3.7 M 100
| 2007-08-09 19:09:31.498 2913.864 0 2001:608::.0 -> ::.0 20785 1.8 M 152
| 2007-08-09 19:09:31.433 2958.103 0 2001:610::.0 -> ::.0 4504 1.3 M 511
| 2007-08-09 19:09:31.571 2922.668 0 2001:738::.0 -> ::.0 3093 808160 17
|
| The outbound direction (dst net -> src net and srcip6 -> dstip6)
| aggregates in a wrong way
|
| # nfdump -R . -s record/bytes "src net 2001:4ca0::/32" -o line6 -A dstip6/32 -n 5
| Aggregated flows 1
| Top 5 flows ordered by bytes:
| Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
| 2007-08-09 19:09:31.398 2958.112 0 ::.0 -> 2001:610::.0 175845 122.1 M 5487
|
| Although by far not all traffic is towards Surfnet, which is shown by
| omitting the aggregation, the first Surfnet host is at position 10 in my
| top list.
|
| # nfdump -R . -s record/bytes "src net 2001:4ca0::/32" -o line6 -A dstip6 -n 5
| Aggregated flows 302
| Top 5 flows ordered by bytes:
| Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
| 2007-08-09 19:09:31.398 2933.340 0 ::.0 -> 2001:638:c:a00a::2.0 90031 67.9 M 565
| 2007-08-09 19:09:31.411 2488.793 0 ::.0 -> 2001:608:0:502:216:cbff:fea6:a27d.0 33069 41.2 M 7
| 2007-08-09 19:09:31.871 2763.097 0 ::.0 -> 2001:a60:f001:1:218:f3ff:fe66:c777.0 9828 7.4 M 17
| 2007-08-09 19:09:31.672 2931.934 0 ::.0 -> 2001:4c50:fffe:5:201:29ff:fefb:a747.0 7744 983920 32
| 2007-08-09 19:53:58.043 290.153 0 ::.0 -> 2001:638:208:120::27.0 5503 530984 4
|
| Any pointers?
|
| Regards,
| Bernhard
|
| -------------------------------------------------------------------------
| This SF.net email is sponsored by: Splunk Inc.
| Still grepping through log files to find problems? Stop.
| Now Search log events and configuration files using AJAX and a browser.
| Download your FREE copy of Splunk now >> http://get.splunk.com/
| _______________________________________________
| Nfdump-discuss mailing list
| [email protected]
| https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
- --
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
E-mail: [EMAIL PROTECTED] Web: http://www.switch.ch/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)
iQCVAwUBRrwnrv5AbZRALNr/AQJERAP/egy/+Q9kaKOTHyCae6ORHWfg+nBvDkPJ
2CX2Y6wANscI34MLm24SsDbBWSP9IdJQprlfEBXqp5Igr9QrYFZBcWOlf97jOnxO
0AwApNrl0CBFEIfXvcmx+Ty6OwWciRj6nFIcxRhji2iRcBNrN5nYjWeTXvbESRl4
bKjjvHMS40c=
=9tdD
-----END PGP SIGNATURE-----
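
An independent cross-check of the /32 aggregation discussed in this thread, added here as an example and not part of either message or of nfdump itself. It re-aggregates the five rows of the quoted `-A dstip6` listing by destination /32; the function names are hypothetical, and byte counts are left out because the listing prints them rounded.

```python
import ipaddress
from collections import defaultdict

# Rows copied from the quoted "-A dstip6 -n 5" output:
# (destination address, packets, flows).
ROWS = [
    ("2001:638:c:a00a::2", 90031, 565),
    ("2001:608:0:502:216:cbff:fea6:a27d", 33069, 7),
    ("2001:a60:f001:1:218:f3ff:fe66:c777", 9828, 17),
    ("2001:4c50:fffe:5:201:29ff:fefb:a747", 7744, 32),
    ("2001:638:208:120::27", 5503, 4),
]


def aggregate_by_prefix(rows, prefix_len):
    """Sum packets and flows per destination network of the given length."""
    totals = defaultdict(lambda: [0, 0])
    for addr, packets, flows in rows:
        # strict=False clears the host bits:
        # 2001:638:c:a00a::2/32 becomes 2001:638::/32
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        totals[net][0] += packets
        totals[net][1] += flows
    result = [(str(net), p, f) for net, (p, f) in totals.items()]
    # Largest packet count first
    return sorted(result, key=lambda row: row[1], reverse=True)


def reported_count_is_plausible(rows, prefix_len, reported_groups):
    """A top-N sample can only undercount the distinct networks, so the
    aggregator's reported group count must be at least what the sample shows."""
    return reported_groups >= len(aggregate_by_prefix(rows, prefix_len))


if __name__ == "__main__":
    for net, packets, flows in aggregate_by_prefix(ROWS, 32):
        print(f"{net:20} packets={packets:7} flows={flows}")
    # The quoted dstip6/32 run reported "Aggregated flows 1".
    print("reported count plausible:",
          reported_count_is_plausible(ROWS, 32, 1))
```

The same comparison against a listing produced by the newer snapshot shows whether the aggregated record count is consistent with the unaggregated data.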