Hello Ralf,
A few things to add:
You are right as for the v9 ICMP_TYPE, which is in the current nfdump (v1.5.5)
not yet implemented. This is part of the current nfdump development cycle I'm
doing right now, which includes better v9 support for more v9 type codes.
One of them is ICMP_TYPE.
As for displaying I only partly agree: So far I find it very handy to have ICMP
type/code directly displayed inline instead of the dst port. Maybe I should
better document this "feature" to be more clear on that. However, I like the
idea to have a separate display code such as %itype, if one needs a specific
line format to be displayed. I'll put that on the todo list, but I also would
like to keep the current behaviour with the dst port. So everybody can compile
the best suited output format, which btw. is the idea behind that.
Would that be ok for your needs?
- Peter
--On October 11, 2007 11:46:02 AM +0200 Ralf Kleineisel <[EMAIL PROTECTED]> wrote:
| Kiss Gabor (Bitman) wrote:
|
| > At this moment all type of flows (UDP, TCP, ICMP) are displayed
| > with the same format string.
| >
| > What is your suggestion?
| > What to write instead of this command?
| >
| > nfdump <other_options> \
| > -o "fmt:%ts %td %pr %sap -> %dap %flg %tos %pkt %byt %fl" \
| > src host 192.168.63.12
|
| I suggest that:
| - For all traffic that doesn't have ports (e.g. ICMP) the "port" field
| should be set to zero. "proto AH" and "proto GRE" are already
| implemented that way. When you make a SRC-/DST-Port analysis all ICMP
| traffic will be put into the "0/0" category.
| - There should be a new format string for displaying the ICMP type/code
| info, something like "fmt%itype"
| - For ICMP traffic exported via NetFlow v9 the "ICMP_TYPE" should be
| used to get the ICMP type/code parameters
|
| -------------------------------------------------------------------------
| This SF.net email is sponsored by: Splunk Inc.
| Still grepping through log files to find problems? Stop.
| Now Search log events and configuration files using AJAX and a browser.
| Download your FREE copy of Splunk now >> http://get.splunk.com/
| _______________________________________________
| Nfdump-discuss mailing list
| [email protected]
| https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
E-mail: [EMAIL PROTECTED] Web: http://www.switch.ch/
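To make the behaviour discussed in this thread concrete, here is an added example (not nfdump's own code) that parses lines produced with the format string Gabor quoted and applies Ralf's suggestion on the consumer side: for ICMP flows the dst "port" position is read as type.code and the port pair is normalised to 0/0 for a port analysis. The sample lines are constructed, and it is an assumption that nfdump renders the inline ICMP type/code as "type.code" in the %dap port position.

```python
import re
from collections import Counter

# Constructed sample output for:
#   nfdump -o "fmt:%ts %td %pr %sap -> %dap %flg %tos %pkt %byt %fl"
# For ICMP the dst port position is assumed to carry "type.code" (e.g. 8.0).
SAMPLE = """\
2007-10-11 11:46:02.123 0.000 ICMP 192.168.63.12:0 -> 10.0.0.1:8.0 ...... 0 1 84 1
2007-10-11 11:46:02.456 0.000 ICMP 10.0.0.1:0 -> 192.168.63.12:0.0 ...... 0 1 84 1
2007-10-11 11:46:03.000 1.250 TCP 192.168.63.12:51234 -> 10.0.0.2:22 .AP.SF 0 12 1536 1
2007-10-11 11:46:03.500 0.000 UDP 192.168.63.12:5353 -> 10.0.0.3:53 ...... 0 1 72 1
"""

# IPv4 only: "addr:port" is split at the single colon.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<td>\S+) (?P<pr>\S+) (?P<src>[^:\s]+):(?P<sp>\S+) -> "
    r"(?P<dst>[^:\s]+):(?P<dp>\S+) (?P<flg>\S+) (?P<tos>\d+) (?P<pkt>\d+) "
    r"(?P<byt>\d+) (?P<fl>\d+)$"
)

def parse_line(line):
    """Return a dict per flow line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src_port"] = rec["dst_port"] = 0
    rec["icmp_type"] = rec["icmp_code"] = None
    if rec["pr"] == "ICMP":
        # The dst "port" field is really ICMP type.code; keep ports at 0/0.
        t, c = rec["dp"].split(".")
        rec["icmp_type"], rec["icmp_code"] = int(t), int(c)
    else:
        rec["src_port"], rec["dst_port"] = int(rec["sp"]), int(rec["dp"])
    return rec

def itype(rec):
    """What a hypothetical %itype column would show: 'type.code' or '-'."""
    if rec["icmp_type"] is None:
        return "-"
    return f"{rec['icmp_type']}.{rec['icmp_code']}"

def port_pairs(text):
    """Count (proto, src_port, dst_port); ICMP lands in the 0/0 bucket."""
    recs = (parse_line(l) for l in text.splitlines())
    return Counter((r["pr"], r["src_port"], r["dst_port"]) for r in recs if r)
```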