-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Ralf,
--On October 11, 2007 2:33:37 PM +0200 Ralf Kleineisel <[EMAIL PROTECTED]> wrote:
| Peter Haag wrote:
|
| > As for displaying I only partly agree: So far I find it very handy to have ICMP
| > type/code directly displayed inline instead of the dst port. Maybe I should better
| > document this "feature" to be more clear on that. However, I like the idea to have
| > a separate display code such as %itype, if one needs a specific line format to be
| > displayed. I'll put that on the todo list, but I also would like to keep the current
| > behaviour with the dst port.
|
| That's ok as long as you cannot confuse it with a port number. I think
| it would be ok to put it into the dst port only and always in the "N.N"
| format. Please take it out of the src port field in the "N" form,
| because this looks exactly like a valid port number.
Fully agreed on that. That's because current nfdump does not expect ICMP
information in the src port field, as this is nowhere specified like this. But Cisco
itself breaks its own specifications, and sends it in the src port field as
implemented in some IOSes.
Anyway, for a temporary fix you may replace the function ICMP_Port_decode in
nf_common.c to look like:

static inline void ICMP_Port_decode(master_record_t *r, char *string) {
	uint8_t type, code;
	/* Take the ICMP type/code word from whichever port field carries it:
	 * the spec puts it in dst port, some IOSes send it in src port. The
	 * other field is expected to be 0, so the sum yields the populated one
	 * (if both were non-zero the 16-bit sum would be garbage). */
	uint16_t icmp = r->srcport + r->dstport;

	if ( r->prot == 1 ) { // ICMP: upper byte is the type, lower byte the code
		type = icmp >> 8;
		code = icmp & 0xFF;
		snprintf(string, MAX_STRING_LENGTH-1, "%u.%u", type, code);
	} else { // any other protocol: plain dst port, not the sum of both ports
		snprintf(string, MAX_STRING_LENGTH-1, "%u", r->dstport);
	}
	string[MAX_STRING_LENGTH-1] = '\0';
} // End of ICMP_Port_decode
|
| To be precise:
| Change the output of this command:
| $nfdump -R nfcapd.200710110000 -o "fmt:%sap -> %dap %byt" "proto ICMP"
|
| from:
| Src IP Addr:Port zus Dst IP Addr:Port zus Bytes
| 118.195.175.36:8 -> 31.148.253.7:0.0 46
| 118.195.233.254:0 -> 90.1.203.3:3.13 56
| 118.195.55.240:8 -> 142.117.78.64:0.0 84
| 118.195.196.100:771 -> 142.61.18.18:0.0 85
| 120.110.24.180:0 -> 139.176.111.3:0.0 84
|
|
| to this:
| Src IP Addr:Port zus Dst IP Addr:Port zus Bytes
| 118.195.175.36:0 -> 31.148.253.7:8.0 46
| 118.195.233.254:0 -> 90.1.203.3:3.13 56
| 118.195.55.240:0 -> 142.117.78.64:8.0 84
| 118.195.196.100:0 -> 142.61.18.18:3.3 85
| 120.110.24.180:0 -> 139.176.111.3:0.0 84
|
| This is easily parseable.
|
--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
E-mail: [EMAIL PROTECTED] Web: http://www.switch.ch/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
iQCVAwUBRw4ca/5AbZRALNr/AQI4igP/ddY5z938sSKHO99mXYsHAZtTzkiIJJTu
75uo+r52+ND9uZGxDio9GdLGVuxTcYA0ENTgh0uq6+azf4VWwfTmEiLWJdnel9Im
HHhQotdxLqPs/qxMTrh6XBNRWY0mEZRrc+6zy5llS+i9UhN3yNM5By+Wio82aoXF
quqO3E3sgB4=
=jtgB
-----END PGP SIGNATURE-----
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Nfdump-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss