Peter Haag wrote:
> As for displaying I only partly agree: So far I find it very handy to have ICMP
> type/code directly displayed inline instead of the dst port. Maybe I should better
> document this "feature" to be more clear on that. However, I like the idea to have
> a separate display code such as %itype, if one needs a specific line format to be
> displayed. I'll put that on the todo list, but I also would like to keep the current
> behaviour with the dst port.

That's ok as long as you cannot confuse it with a port number. I think
it would be ok to put it into the dst port only and always in the "N.N"
format. Please take it out of the src port field in the "N" form,
because this looks exactly like a valid port number.

To be precise:

Change the output of this command:

$ nfdump -R nfcapd.200710110000 -o "fmt:%sap -> %dap %byt" "proto ICMP"

from:

Src IP Addr:Port zus Dst IP Addr:Port zus Bytes
118.195.175.36:8 -> 31.148.253.7:0.0 46
118.195.233.254:0 -> 90.1.203.3:3.13 56
118.195.55.240:8 -> 142.117.78.64:0.0 84
118.195.196.100:771 -> 142.61.18.18:0.0 85
120.110.24.180:0 -> 139.176.111.3:0.0 84

to this:

Src IP Addr:Port zus Dst IP Addr:Port zus Bytes
118.195.175.36:0 -> 31.148.253.7:8.0 46
118.195.233.254:0 -> 90.1.203.3:3.13 56
118.195.55.240:0 -> 142.117.78.64:8.0 84
118.195.196.100:0 -> 142.61.18.18:3.3 85
120.110.24.180:0 -> 139.176.111.3:0.0 84

This is easily parseable.
_______________________________________________
Nfdump-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
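
A parser for the proposed "N.N" format, added here as an example (it is not part of the original message or of nfdump). It assumes IPv4 lines and plain integer byte counts as in the sample above; the names `Flow`, `parse_line` and `parse_output` are hypothetical.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Constructed sample: three lines in the proposed format from the message,
# followed by one line in the current format (ICMP value in the src port).
SAMPLE = """\
118.195.175.36:0 -> 31.148.253.7:8.0 46
118.195.233.254:0 -> 90.1.203.3:3.13 56
118.195.196.100:0 -> 142.61.18.18:3.3 85
118.195.175.36:8 -> 31.148.253.7:0.0 46
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(
    rf"^\s*(?P<src>{IPV4}):(?P<sport>\d+)\s+->\s+"
    rf"(?P<dst>{IPV4}):(?P<dport>\d+(?:\.\d+)?)\s+(?P<bytes>\d+)\s*$"
)

class Flow(NamedTuple):
    src: str
    src_port: int
    dst: str
    dst_port: Optional[int]           # set for non-ICMP flows only
    icmp: Optional[Tuple[int, int]]   # (type, code), set for ICMP flows only
    nbytes: int
    suspect_src_port: bool            # ICMP flow with a non-zero src port

def parse_line(line: str) -> Optional[Flow]:
    """Parse one '%sap -> %dap %byt' line; return None for headers or junk."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    sport, dport, nbytes = int(m["sport"]), m["dport"], int(m["bytes"])
    if "." in dport:
        # A dot can never occur in a port number, so "N.N" is ICMP type.code.
        icmp_type, icmp_code = (int(x) for x in dport.split("."))
        if icmp_type > 255 or icmp_code > 255:
            return None
        # In the proposed format the src port of an ICMP flow is always 0;
        # anything else is the old form that reads like a real port number.
        return Flow(m["src"], sport, m["dst"], None,
                    (icmp_type, icmp_code), nbytes, sport != 0)
    return Flow(m["src"], sport, m["dst"], int(dport), None, nbytes, False)

def parse_output(text: str) -> list:
    """Parse every recognisable flow line in a block of output."""
    return [f for f in map(parse_line, text.splitlines()) if f is not None]
```
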