Dear Peter,
I downloaded and installed the nfdump-1.6b-snapshot-20090619 version, and then
nfcapd collects the netflow V5 from a CISCO router. However, the report
can't display the src mask and dest mask when I use the command
nfdump -r nfcapd.200908051215 -o "fmt:%sa %da %smk %dmk %fl %byt %pkt" -a -A srcip,dstip
It just shows 0 "zero" in the fields, like the following
Src IP Addr      Dst IP Addr      SMask  DMask  Flows  Bytes  Packets
202.X.X.143      203.194.210.172  0      0      11     9931   117
203.X.174.3      203.194.210.208  0      0      2      3660   33
How can I know whether nfdump has stored the src mask and dest mask bits?
Thanks!
Eddie
________________________________
From: Peter Haag <peter.h...@switch.ch>
To: Chor Keung Li <ckat...@yahoo.com.hk>
Cc: nfdump-discuss@lists.sourceforge.net
Sent: Wednesday, 5 August 2009, 1:36:45 PM
Subject: Re: [Nfdump-discuss] Re: Re: Re: Re: How can display IP prefix
Chor Keung Li wrote:
> Dear Peter,
>
> You mean after version 1.6b-xxx, nfdump can dump the report of src/dst prefix
> per mask bits, like flow-tools does?
> When will the stable version of 1.6.x be released? Any schedule?
I will think about that.
- Peter
>
> Thank you so much for your reply!!
>
> Eddie
>
>
>
> ________________________________
> From: Peter Haag <peter.h...@switch.ch>
> To: Chor Keung Li <ckat...@yahoo.com.hk>
> Cc: nfdump-discuss@lists.sourceforge.net
> Sent: Tuesday, 4 August 2009, 7:54:32 PM
> Subject: Re: [Nfdump-discuss] Re: Re: Re: How can display IP prefix
>
> Chor Keung Li wrote:
>> Dear Peter,
>>
>> Why does nfdump not store the mask bits? Which exporters sending netflow data
>> will not be stored by nfdump? Would nfdump store CISCO and Juniper routers'
>> mask bit information?
>
> Back in history, there was no need for mask bits - so they were not included.
>
>> I'm planning to upgrade our CISCO and Juniper routers from netflow V5 to V9,
>> does nfdump still store the mask bits in V9?
>
> The latest 1.6b-xxx version stores mask bits.
>
> - Peter
>> Thanks again!!
>>
>> Eddie
>>
>>
>> ________________________________
>> From: Peter Haag <peter.h...@switch.ch>
>> To: Chor Keung Li <ckat...@yahoo.com.hk>
>> Cc: nfdump-discuss@lists.sourceforge.net
>> Sent: Tuesday, 4 August 2009, 3:53:59 PM
>> Subject: Re: Re: [Nfdump-discuss] Re: How can display IP prefix
>>
>> Chor Keung Li wrote:
>>> Dear Peter,
>>>
>>> Thanks for your reply! You mean the current version of nfdump does not
>>> store the mask bits that the netflow protocol has? But how come I can
>>> display the prefix report using the command
>>> nfdump -r nfcapd.200907282355 -o "fmt:%sa %fl %byt %pkt" -a -A srcip4/22?
>>> where I am interested in the source IP with mask bit 22.
>> You can manually apply any mask you like, but the netmask bits, which some
>> exporters send in the netflow data, are not stored. Therefore applying the
>> mask automatically according to the netbits does not work.
>>
>> - Peter
>>> I'm now using nfdump 1.5.8 running in FC9.
>>>
>>> If the current version does not support the source/dest prefix or mask
>>> bits, when will it support them?
>>>
>>> Thanks for your kind help!!
>>>
>>> Eddie
>>>
>>>
>>>
>>>
>>> ________________________________
>>> From: Peter Haag <peter.h...@switch.ch>
>>> To: Chor Keung Li <ckat...@yahoo.com.hk>
>>> Cc: nfdump-discuss@lists.sourceforge.net
>>> Sent: Tuesday, 4 August 2009, 1:28:12 PM
>>> Subject: Re: [Nfdump-discuss] Re: How can display IP prefix
>>>
>>> Chor Keung Li wrote:
>>>> Dear all,
>>>>
>>>> After reading the document, I can create reports by prefix or bit-masks using
>>>> the filter commands. For example, if looking at the src prefix with mask
>>>> bit 22, the following command line will work.
>>>> nfdump -r nfcapd.200907282355 -o "fmt:%sa %fl %byt %pkt" -a -A srcip4/22
>>>>
>>>> In this case, however, I must input and specify the mask bit to nfdump to
>>>> work out the report. I just want to know: is nfdump capable of generating all
>>>> the source/destination prefix reports without inputting the mask bits,
>>>> like the source/destination prefix report in flow-tools? It is a bit
>>>> inconvenient!
>>>>
>>>> Looking forward to your reply and thanks in advance!!!
>>> The mask bits are not stored in current version of nfdump - so it does not
>>> work yet.
>>>
>>> - Peter
>>>
>>>> Eddie
>>>>
>>>>
>>>> ________________________________
>>>> From: Chor Keung Li <ckat...@yahoo.com.hk>
>>>> To: nfdump-discuss@lists.sourceforge.net
>>>> Sent: Monday, 27 July 2009, 4:46:47 PM
>>>> Subject: How can display IP prefix
>>>>
>>>>
>>>> Hello all,
>>>>
>>>> I'm new to nfdump. How can I display the netflow information with source
>>>> IP prefix and destination IP prefix by using nfdump? I can't see any
>>>> predefined tags in the customer output format.
>>>>
>>>>
>>>> eg. 192.168.0.10/24
>>>>
>>>>
>>>> Regards,
>>>>
>>>> Eddie
>>>>
>>>>
>>>> _______________________________________________
>>>> Nfdump-discuss mailing list
>>>> Nfdump-discuss@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
>>> - --
>>> _______ SWITCH - The Swiss Education and Research Network ______
>>> Peter Haag, Security Engineer, Member of SWITCH CERT
>>> PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
>>> SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
>>> E-mail: peter.h...@switch.ch Web: http://www.switch.ch/
>> - --
>> _______ SWITCH - The Swiss Education and Research Network ______
>> Peter Haag, Security Engineer, Member of SWITCH CERT
>> PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
>> SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
>> E-mail: peter.h...@switch.ch Web: http://www.switch.ch/
>
> - --
> _______ SWITCH - The Swiss Education and Research Network ______
> Peter Haag, Security Engineer, Member of SWITCH CERT
> PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
> SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
> E-mail: peter.h...@switch.ch Web: http://www.switch.ch/
- --
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
E-mail: peter.h...@switch.ch Web: http://www.switch.ch/
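Added example, not part of the thread and not nfdump code: a 0 in %smk/%dmk can originate at the exporter or at the collector, and decoding a raw NetFlow v5 export datagram shows whether the router populated the src_mask and dst_mask bytes at all. The function names and the sample datagram (documentation addresses, constructed values) are assumptions for illustration.

```python
import ipaddress
import struct

# NetFlow v5: 24-byte header followed by `count` 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
# srcaddr dstaddr nexthop input output dPkts dOctets first last srcport
# dstport pad1 tcp_flags prot tos src_as dst_as src_mask dst_mask pad2
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBB2x")


def prefix(addr, mask):
    """Apply the exporter-supplied mask bits to an address (host bits cleared)."""
    return str(ipaddress.IPv4Network(f"{ipaddress.IPv4Address(addr)}/{mask}", strict=False))


def parse_v5(datagram):
    """Return one dict per flow record, including the src/dst mask bits."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("shorter than a NetFlow v5 header")
    version, count = V5_HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated: header count exceeds payload")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        src, dst, smask, dmask = f[0], f[1], f[16], f[17]
        flows.append({"smask": smask, "dmask": dmask,
                      "src_prefix": prefix(src, smask),
                      "dst_prefix": prefix(dst, dmask),
                      "packets": f[5], "bytes": f[6]})
    return flows


def sample_datagram():
    """Constructed two-record datagram using documentation addresses."""
    def rec(src, dst, smask, dmask):
        return V5_RECORD.pack(ipaddress.IPv4Address(src).packed,
                              ipaddress.IPv4Address(dst).packed, bytes(4),
                              1, 2, 117, 9931, 0, 0, 1024, 80, 0x18, 6, 0,
                              0, 0, smask, dmask)
    body = rec("192.0.2.143", "198.51.100.172", 24, 22)
    body += rec("192.0.2.3", "198.51.100.208", 0, 0)  # exporter sent no masks
    return V5_HEADER.pack(5, 2, 0, 0, 0, 0, 0, 0, 0) + body


if __name__ == "__main__":
    for flow in parse_v5(sample_datagram()):
        print(flow)
```

If the mask bytes are already 0 in the datagram, the zeros in the nfdump report come from the exporter rather than from what nfcapd stored.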