Kiss Gabor (Bitman) wrote:
> At this moment all types of flows (UDP, TCP, ICMP) are displayed
> with the same format string.
>
> What is your suggestion?
> What to write instead of this command?
>
> nfdump <other_options> \
> -o "fmt:%ts %td %pr %sap -> %dap %flg %tos %pkt %byt %fl" \
> src host 192.168.63.12
I suggest that:

- For all traffic that doesn't have ports (e.g. ICMP) the "port" field should be set to zero. "proto AH" and "proto GRE" are already implemented that way. When you make a SRC-/DST-Port analysis all ICMP traffic will be put into the "0/0" category.
- There should be a new format string for displaying the ICMP type/code info, something like "fmt%itype".
- For ICMP traffic exported via NetFlow v9 the "ICMP_TYPE" should be used to get the ICMP type/code parameters.

_______________________________________________
Nfdump-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
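An added example, not nfdump's own code, of what the proposed behaviour would look like: a small Python renderer for the nfdump-style "fmt:" string that forces the ports of port-less protocols (ICMP, AH, GRE) to 0, adds the proposed %itype token, and decodes type/code from the NetFlow v9 ICMP_TYPE value, which packs them as type * 256 + code. The flow records are constructed sample data, and the field names of the record dicts are assumptions made for this example.

```python
import re
from collections import Counter

# Protocols with no port concept: the proposal renders their "port" as 0.
PORTLESS = {"ICMP", "AH", "GRE"}

# Constructed sample flows (not real captures). For ICMP, "icmp" carries the
# NetFlow v9 ICMP_TYPE value, which packs type * 256 + code.
FLOWS = [
    dict(ts="2007-09-21 10:00:01.123", td=0.412, pr="TCP", sa="192.168.63.12", sp=44321,
         da="10.0.0.5", dp=443, flg="AP.SF", tos=0, pkt=12, byt=1840, fl=1, icmp=None),
    dict(ts="2007-09-21 10:00:02.500", td=0.001, pr="ICMP", sa="192.168.63.12", sp=0,
         da="10.0.0.9", dp=0, flg="......", tos=0, pkt=1, byt=84, fl=1, icmp=8 * 256 + 0),
    dict(ts="2007-09-21 10:00:02.501", td=0.001, pr="ICMP", sa="10.0.0.9", sp=0,
         da="192.168.63.12", dp=0, flg="......", tos=0, pkt=1, byt=84, fl=1, icmp=3 * 256 + 3),
    dict(ts="2007-09-21 10:00:03.000", td=2.0, pr="GRE", sa="192.168.63.12", sp=0,
         da="10.0.0.7", dp=0, flg="......", tos=0, pkt=40, byt=5200, fl=1, icmp=None),
]

def decode_icmp_type(value):
    """Split a NetFlow v9 ICMP_TYPE value into (type, code)."""
    return divmod(value, 256)

def ports(flow):
    """Source/destination ports, forced to 0 for port-less protocols."""
    return (0, 0) if flow["pr"] in PORTLESS else (flow["sp"], flow["dp"])

def itype(flow):
    """Proposed %itype token: 'type/code' for ICMP, '-' for everything else."""
    if flow["pr"] != "ICMP" or flow["icmp"] is None:
        return "-"
    return "%d/%d" % decode_icmp_type(flow["icmp"])

def render(fmt, flow):
    """Expand an nfdump-style 'fmt:' string for one flow record."""
    sp, dp = ports(flow)
    tokens = {"ts": flow["ts"], "td": "%.3f" % flow["td"], "pr": flow["pr"],
              "sap": "%s:%d" % (flow["sa"], sp), "dap": "%s:%d" % (flow["da"], dp),
              "flg": flow["flg"], "tos": str(flow["tos"]), "pkt": str(flow["pkt"]),
              "byt": str(flow["byt"]), "fl": str(flow["fl"]), "itype": itype(flow)}
    body = fmt[4:] if fmt.startswith("fmt:") else fmt
    # Unknown %tokens are left untouched rather than silently dropped.
    return re.sub(r"%(\w+)", lambda m: tokens.get(m.group(1), m.group(0)), body)

def port_categories(flows):
    """SRC-/DST-port analysis: every port-less flow lands in the '0/0' bucket."""
    return Counter("%d/%d" % ports(f) for f in flows)
```

With the format string from the thread plus "%itype", the ICMP echo request renders as "192.168.63.12:0 -> 10.0.0.9:0 ... 8/0", and port_categories(FLOWS) places the two ICMP flows and the GRE flow together in "0/0".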
