Yes, I have tried, output as follow, but not info of src or dst mask.
Flow Record:
Flags = 0x00 Unsampled
size = 52
first = 1249452892 [2009-08-05 14:14:52]
last = 1249452893 [2009-08-05 14:14:53]
msec_first = 510
msec_last = 566
src addr = 210.x.x.241
dst addr = x.x.89.95
src port = 80
dst port = 46610
fwd status = 0
tcp flags = 0x1b .AP.SF
proto = 6
(src)tos = 0
(in)packets = 4
(in)bytes = 356
input = 6
output = 6
src as = 338x
dst as = 98xx
________________________________
寄件人﹕ John Kougoulos <k...@intracom.gr>
收件人 Chor Keung Li <ckat...@yahoo.com.hk>
副本(CC) peter.h...@switch.ch; nfdump-discuss@lists.sourceforge.net
傳送日期﹕ 2009 年 8月 5 日 星期三 下午 3:54:44
主題: Re: [Nfdump-discuss] Re: Re: Re: Re: Re: How can display IP prefix
Have you tried nfdump -o raw ?
On Wed, 5 Aug 2009, Chor Keung Li wrote:
> Dear Peter,
>
> I downloaded and installed the nfdump-1.6b-snapshot-20090619 version, and
> then the nfcapd collect the
> netflow V5 from a CISCO router. However, the report can't display the src
> mask and dest mask when i using
> the command
> nfdump -r nfcapd.200908051215 -o "fmt:%sa %da %smk %dmk %fl %byt %pkt" -a -A
> srcip,dstip
>
> It just shows the 0 "zero" on the fields, lik the following
> Src IP Addr Dst IP Addr SMask DMask Flows Bytes Packets
> 202.X.X.143 203.194.210.172 0 0 11 9931 117
> 203.X.174.3 203.194.210.208 0 0 2 3660 33
>
> How can I know the nfdump has been stored the src mask and dest mask bits?
>
> Thanks!
>
> Eddie
>
> ___________________________________________________________________________________________________________
> 寄件人﹕ Peter Haag <peter.h...@switch.ch>
> 收件人 Chor Keung Li <ckat...@yahoo.com.hk>
> 副本(CC) nfdump-discuss@lists.sourceforge.net
> 傳送日期﹕ 2009 年 8月 5 日 星期三 下午 1:36:45
> 主題: Re: [Nfdump-discuss] Re: Re: Re: Re: How can display IP prefix
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> Chor Keung Li wrote:
> > Dear Peter,
> >
> > You mean after version 1.6b-xxx, nfdump can dump the report of src/dst
> > prefix per mask bits, like the
> flow-tools does? > When will be the stable version of 1.6.x released? Any
> schedule?
>
> I will think about that.
>
> - Peter
> >
> > Thank you so much for your reply!!
> >
> > Eddie
> >
> >
> >
> > ________________________________
> > 寄件人﹕ Peter Haag <peter.h...@switch.ch>
> > 收件人 Chor Keung Li <ckat...@yahoo.com.hk>
> > 副本(CC) nfdump-discuss@lists.sourceforge.net
> > 傳送日期﹕ 2009 年 8月 4 日 星期二 下午 7:54:32
> > 主題: Re: [Nfdump-discuss] Re: Re: Re: How can display IP prefix
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> >
> >
> > Chor Keung Li wrote:
> >> Dear Peter,
> >>
> >> Why nfdump does not store the mask bits? Which expoters sending netflow
> >> data will not strored by nfdump?
> Would nfdump store CISCO and Juniper routers mask bit informaiton?
> >
> > Back in history, there was no need for mask bits - so they were not
> > included.
> >
> >> I'm planning to ugrade our CISCO and Juniper routers from netflow V5 to
> >> V9, does nfdump still store the
> mask bits in V9?
> >
> > The latest 1.6b-xxx version stores mask bits.
> >
> > - Peter
> >> Thanks again!!
> >>
> >> Eddie
> >>
> >>
> >> ________________________________
> >> 寄件人﹕ Peter Haag <peter.h...@switch.ch>
> >> 收件人 Chor Keung Li <ckat...@yahoo.com.hk>
> >> 副本(CC) nfdump-discuss@lists.sourceforge.net
> >> 傳送日期﹕ 2009 年 8月 4 日 星期二 下午 3:53:59
> >> 主題: Re: Re: [Nfdump-discuss] Re: How can display IP prefix
> >>
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >>
> >>
> >> Chor Keung Li wrote:
> >>> Dear Peter,
> >>>
> >>> Thanks for your reply! You mean the current version of nfdump does not
> >>> store the mask bits that the
> netflow protocol have? But how come I can display the prefix report using the
> command
> >>> nfdump -r nfcapd.200907282355 -o "fmt:%sa %fl %byt %pkt" -a -A srcip4/22?
> >>> where I interested in the
> source IP with mask bit 22. >> You can manually apply any mask you like, but
> the netmask bits, which some exporters send in the netflow
> data are not
> >> stored. Therefore applying the mask automatically according the netbits
> >> does not work.
> >>
> >> - Peter
> >>> I'm now using nfdump 1.5.8 running in FC9. >>>
> >>> If the current version does not support the source/dest prefix or mask
> >>> bits, when will it support?
> >>>
> >>> Thanks for your kindly help!!
> >>>
> >>> Eddie
> >>>
> >>>
> >>>
> >>>
> >>> ________________________________
> >>> 寄件人﹕ Peter Haag <peter.h...@switch.ch>
> >>> 收件人 Chor Keung Li <ckat...@yahoo.com.hk>
> >>> 副本(CC) nfdump-discuss@lists.sourceforge.net
> >>> 傳送日期﹕ 2009 年 8月 4 日 星期二 下午 1:28:12
> >>> 主題: Re: [Nfdump-discuss] Re: How can display IP prefix
> >>>
> >>> -----BEGIN PGP SIGNED MESSAGE-----
> >>> Hash: SHA1
> >>>
> >>>
> >>>
> >>> Chor Keung Li wrote:
> >>>> Dear all,
> >>>>
> >>>> After reading document, I can create reports by prefix or bit-masks
> >>>> using the filter commands, for
> example, If looking at the src prefix with mask bit 22, the following comamnd
> line will work.
> >>>> nfdump -r nfcapd.200907282355 -o "fmt:%sa %fl %byt %pkt" -a -A srcip4/22
> >>>>
> >>>> In this case, however, I must input and specify the mask bit to nfdump
> >>>> to work out the report. Just
> want to know is nfdump capable to gernerate all the source/destination prefix
> reports without inputting the
> mask bits, like the source/destination prefix report in flow-tools? It is a
> bit inconvenience!
> >>>>
> >>>> Looking forward to your reply and thanks in advance!!!
> >>> The mask bits are not stored in current version of nfdump - so it does
> >>> not work yet.
> >>>
> >>> - Peter
> >>>
> >>>> Eddie
> >>>>
> >>>>
> >>>> ________________________________
> >>>> 寄件人﹕ Chor Keung Li <ckat...@yahoo.com.hk>
> >>>> 收件人 nfdump-discuss@lists.sourceforge.net
> >>>> 傳送日期﹕ 2009 年 7月 27 日 星期一 下午 4:46:47
> >>>> 主題: How can display IP prefix
> >>>>
> >>>>
> >>>> Hello all,
> >>>>
> >>>> I'm new to nfdump. How can I display the neflow information with source
> >>>> IP prefix and destination IP
> prefix by using nfdump. I can't see any predefined tags in the customer
> output format.
> >>>>
> >>>>
> >>>> eg. 192.168.0.10/24 >>>>
> >>>>
> >>>> Regards,
> >>>>
> >>>> Eddie
> >>>>
> >>>>
> >>>> Yahoo!香港提供網上安全攻略,教你如何防範黑客! 請前往 http://hk.promo.yahoo.com/security/
> 了解更多!
> >>>>
> >>>>
> >>>> ------------------------------------------------------------------------
> >>>>
> >>>> ------------------------------------------------------------------------------
> >>>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
> >>>> 30-Day
> >>>> trial. Simplify your report design, integration and deployment - and
> >>>> focus on
> >>>> what you do best, core application coding. Discover what's new with
> >>>> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> >>>>
> >>>>
> >>>> ------------------------------------------------------------------------
> >>>>
> >>>> _______________________________________________
> >>>> Nfdump-discuss mailing list
> >>>> Nfdump-discuss@lists.sourceforge.net
> >>>> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
> >>> - --
> >>> _______ SWITCH - The Swiss Education and Research Network ______
> >>> Peter Haag, Security Engineer, Member of SWITCH CERT
> >>> PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
> >>> SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
> >>> E-mail: peter.h...@switch.ch Web: http://www.switch.ch/
> >>> -----BEGIN PGP SIGNATURE-----
> >>> Version: GnuPG v1.4.5 (Darwin)
> >>>
> >>> iQCVAwUBSnfG6/5AbZRALNr/AQI6KwQAmIsQnIcLDaPWidUH0b8dloqLxwxAS9Pu
> >>> 0J20zuPjoTRcuEvq84oO20C4ldRNNfV0MkVe1T2LGQFdhtFqdGPaA7mlGjwhwlCw
> >>> 4+sF0LMwCH2LnzOtubs84+l0M9a644qFq0Z3XgSykB9VAhKMJF7vM0U2M/CoDTAT
> >>> LyTNTAxrh8A=
> >>> =RDds
> >>> -----END PGP SIGNATURE-----
> >>>
> >>>
> >>>
> >>> Yahoo!香港提供網上安全攻略,教你如何防範黑客! 請前往 http://hk.promo.yahoo.com/security/
> >>>了解更多!
> >> - --
> >> _______ SWITCH - The Swiss Education and Research Network ______
> >> Peter Haag, Security Engineer, Member of SWITCH CERT
> >> PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
> >> SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
> >> E-mail: peter.h...@switch.ch Web: http://www.switch.ch/
> >> -----BEGIN PGP SIGNATURE-----
> >> Version: GnuPG v1.4.5 (Darwin)
> >>
> >> iQCVAwUBSnfpFf5AbZRALNr/AQIpagP9Gn4SP186zJQNpg6z0cjhseiy5V6L5Eox
> >> nwfKAznfa2hiPxSM3zbYXO9nv428d4NPd/OswfMrxdhk5hhEwpcQM2ij5G5LYbVr
> >> eCuN4Kt4fJ6w2JLTjeskFoWMbJzRShsIiFNlHl+B8KsRvEVNR/fk2DAMxwoutzsG
> >> iofQSPk+LzY=
> >> =5vU4
> >> -----END PGP SIGNATURE-----
> >>
> >>
> >>
> >> Yahoo!香港提供網上安全攻略,教你如何防範黑客! 請前往 http://hk.promo.yahoo.com/security/
> >>了解更多!
> >>
> >>
> >> ------------------------------------------------------------------------
> >>
> >> ------------------------------------------------------------------------------
> >> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> >> trial. Simplify your report design, integration and deployment - and focus
> >> on
> >> what you do best, core application coding. Discover what's new with
> >> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> >>
> >>
> >> ------------------------------------------------------------------------
> >>
> >> _______________________________________________
> >> Nfdump-discuss mailing list
> >> Nfdump-discuss@lists.sourceforge.net
> >> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
> >
> > - --
> > _______ SWITCH - The Swiss Education and Research Network ______
> > Peter Haag, Security Engineer, Member of SWITCH CERT
> > PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
> > SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
> > E-mail: peter.h...@switch.ch Web: http://www.switch.ch/
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.5 (Darwin)
> >
> > iQCVAwUBSnghdv5AbZRALNr/AQLrWwQAh62XBBDivDPGcs5sPNPQM8vndH3Bn96D
> > Bod3FtbSINbMttRrP+FoAl2xUbv3lqiDxaqQW4MJYq7tzQUR2H7jivpW+cjR70D1
> > sb8CZgOEaj9KYHFSxuWzTBESAOp1iGD7NLYayKgJwiNyuZxf73MjJdCGprMu+YGa
> > SpnLlbg6z3Y=
> > =9Z5y
> > -----END PGP SIGNATURE-----
> >
> >
> >
> > Yahoo!香港提供網上安全攻略,教你如何防範黑客! 請前往 http://hk.promo.yahoo.com/security/
> >了解更多!
> >
> >
> > ------------------------------------------------------------------------
> >
> > ------------------------------------------------------------------------------
> > Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> > trial. Simplify your report design, integration and deployment - and focus
> > on
> > what you do best, core application coding. Discover what's new with
> > Crystal Reports now. http://p.sf.net/sfu/bobj-july
> >
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Nfdump-discuss mailing list
> > Nfdump-discuss@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
>
> - --
> _______ SWITCH - The Swiss Education and Research Network ______
> Peter Haag, Security Engineer, Member of SWITCH CERT
> PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
> SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
> E-mail: peter.h...@switch.ch Web: http://www.switch.ch/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (Darwin)
>
> iQCVAwUBSnkaa/5AbZRALNr/AQIsmwP/Tc1NFzcJP3QQO+R1uPK/Hngc/0hxMVgi
> 9mRii0J56qSR5NpHrKrRmqz1n34sSlsVNsWHjP3ZnwLwZ7pLu5mm8qnLpxyqIRcr
> T85EAPHoTL1kjs6JlwE6dK60I/9tOzQDPOq5KPfsctANiq8hCS9ocv9clk5ltaPM
> jMxjsFL0y4A=
> =8cG0
> -----END PGP SIGNATURE-----
>
> ___________________________________________________________________________________________________________
> Yahoo!香港提供網上安全攻略,教你如何防範黑客!了解更多
>
Yahoo!香港提供網上安全攻略,教你如何防範黑客! 請前往 http://hk.promo.yahoo.com/security/ 了解更多!------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
