> I always have assumed that the "Port" fields of nfdump output are just a
> number between 1 and 64k. Now I've come across values with a dot in between:
> $ nfdump -r nfcapd.200710101555 -o "fmt:%sp%dp%byt" | grep "\." | head -10
> 771 0.0 85
> 771 0.0 123
> There are not many records of that type in the file, only about 60 out
> of 14000.
>
> Can anybody tell me what that means?

ICMP packets have no port fields but 8-bit type and code. 771 above is actually 3*256+3 that should be written as 3.3. (Means "destination unreachable"."port unreachable".) However Cisco IOS sometimes sends this info with the source address and sometimes with the destination address.

See more at http://sourceforge.net/tracker/index.php?func=detail&aid=1694342&group_id=119350&atid=683752

Regards
Gabor

_______________________________________________
Nfdump-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
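The decoding described in the reply, as an added example that is not part of the original message or of nfdump: it normalizes both spellings of a port column (raw `771` and dotted `3.3`) to an ICMP type and code, whichever column carries the value. It assumes a dotted column marks an ICMP record; the sample lines are constructed, and the function names are hypothetical.

```python
from collections import Counter

# Names from RFC 792; only a few common values are listed.
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable",
              8: "echo request", 11: "time exceeded"}
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                 2: "protocol unreachable", 3: "port unreachable"}

def field_value(field):
    """16-bit value of one port column: '3.3' -> 771, '771' -> 771."""
    if "." in field:
        icmp_type, code = (int(part) for part in field.split("."))
        if not (0 <= icmp_type <= 255 and 0 <= code <= 255):
            raise ValueError(f"not an 8-bit type.code pair: {field!r}")
        return icmp_type * 256 + code
    value = int(field)
    if not 0 <= value <= 0xFFFF:
        raise ValueError(f"not a 16-bit value: {field!r}")
    return value

def decode_icmp(sp, dp):
    """Return (type, code), or None when neither column is dotted.

    Assumption: a dotted column means nfdump treated the record as ICMP.
    """
    if "." not in sp and "." not in dp:
        return None
    values = {field_value(sp), field_value(dp)} - {0}
    if len(values) > 1:
        raise ValueError(f"columns disagree: {sp!r} vs {dp!r}")
    value = values.pop() if values else 0   # both zero: type 0, code 0
    return value >> 8, value & 0xFF

def describe(icmp_type, code):
    name = ICMP_TYPES.get(icmp_type, f"type {icmp_type}")
    if icmp_type == 3:
        name += " / " + UNREACH_CODES.get(code, f"code {code}")
    return f"{icmp_type}.{code} ({name})"

def summarize(lines):
    """Count ICMP type.code pairs in 'fmt:%sp%dp%byt' output lines."""
    counts = Counter()
    for line in lines:
        cols = line.split()
        decoded = decode_icmp(cols[0], cols[1]) if len(cols) >= 2 else None
        if decoded is not None:
            counts[describe(*decoded)] += 1
    return counts

# Constructed sample lines in the layout shown in the question.
SAMPLE = ["   771    0.0       85", "   771    0.0      123",
          "   0.0    3.3       56", "   0.0    8.0       84",
          "  1025     53       70"]

if __name__ == "__main__":
    for label, n in summarize(SAMPLE).items():
        print(n, label)
```
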
