Many thanks Bernhard for the info. I'll check that and will come back to you.
- Peter
Bernhard Schmidt wrote:
> Hi,
>
> I've recently upgraded a testbox to the latest nfdump snapshot
> (1.6b-20090930) and I've noticed a few oddities in my statistics scripts
> that look like bugs to me.
>
> For example, I had a daily stat of the top 20 conversations (by
> srcip/dstip) with nfdump 1.5.8 like this (SOURCESPEC and READSPEC just
> point to the correct profile directories and date specifications):
>
> ${NFDUMP} ${SOURCESPEC} ${READSPEC} -6 -A srcip6,dstip6 -s record/bytes "net 2001:4ca0::/32" -n 20 -o "fmt:%sa -> %da %pkt %byt %fl"
>
> nfdump 1.6 says:
> 'srcip6' needs subnet bits too aggregate
>
> changing that to srcip,dstip I get the full source host, but the
> destination host seems to be aggregated on a /64 level.
>
> Top 20 flows ordered by bytes:
> Src IP Addr                  Dst IP Addr           Packets    Bytes Flows
> 2a01:xxx:1:63::33         -> 2001:4ca0:0:fe00::      10551   13.2 M    21
> 2001:xxxx:a003::5b        -> 2001:4ca0:0:fe00::      11099   12.2 M    41
> 2002:xxxx:9635::ce15:9635 -> 2001:4ca0:0:fe00::       9544   12.2 M     1
>
> hm, okay, quick doublecheck, srcip6/128,dstip6/128 should do the trick
> as well according to the manpage
>
> Top 20 flows ordered by bytes:
> Src IP Addr         Dst IP Addr    Packets    Bytes Flows
> ::33             -> ::               10551   13.2 M    21
> ::5b             -> ::               11114   12.2 M    42
> ::xxx.xx.150.53  -> ::                9544   12.2 M     1
>
> Uh? That doesn't look quite right. Up to /64 aggregation it does pretty
> much the right thing
>
> Top 20 flows ordered by bytes:
> Src IP Addr         Dst IP Addr           Packets    Bytes Flows
> 2001:xxxx:a003:: -> 2001:4ca0:0:fe00::      31748   33.4 M   725
> 2a01:xxx:1:63::  -> 2001:4ca0:0:fe00::      10551   13.2 M    21
> 2002:xxxx:9635:: -> 2001:4ca0:0:fe00::       9544   12.2 M     1
>
> but with a mask/prefixlen of 65+ it's pretty much broken (e.g. /65):
>
> Aggregated flows 2
> Top 20 flows ordered by bytes:
> Src IP Addr      Dst IP Addr    Packets    Bytes Flows
> ::            -> ::              402180  109.0 M  6243
> ::8000:0:0:0  -> ::                6571   505840    62
>
> Known issues? Or am I doing it wrong? :-)
>
> Bernhard
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Nfdump-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
E-mail: [email protected] Web: http://www.switch.ch/
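For cross-checking aggregation output at the prefix lengths discussed in this thread (/64, /65, /128), the following added example masks an IPv6 address held as two 64-bit words. It is not nfdump code and not from either poster; the struct layout, the function names and the 2001:db8 sample address are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* IPv6 address as two host-order 64-bit words (assumed layout for this example). */
typedef struct { uint64_t hi, lo; } v6addr;

/* Mask with the top n bits set. Shifting a 64-bit value by 64 is undefined
 * in C, so n == 0 and n >= 64 are handled explicitly. */
static uint64_t top_bits(unsigned n) {
    if (n == 0) return 0;
    return n >= 64 ? UINT64_MAX : UINT64_MAX << (64 - n);
}

/* Keep the first plen bits of a; any plen of 128 or more keeps everything. */
v6addr v6_mask(v6addr a, unsigned plen) {
    if (plen <= 64) { a.hi &= top_bits(plen); a.lo = 0; }  /* prefix ends in upper word */
    else            { a.lo &= top_bits(plen - 64); }       /* upper word kept whole */
    return a;
}

/* Parse the text form into the two-word layout; returns 0 on success. */
int v6_parse(const char *s, v6addr *out) {
    unsigned char b[16];
    if (inet_pton(AF_INET6, s, b) != 1) return -1;
    out->hi = out->lo = 0;
    for (int i = 0; i < 8; i++) {
        out->hi = (out->hi << 8) | b[i];
        out->lo = (out->lo << 8) | b[i + 8];
    }
    return 0;
}

/* Format back to text; buf must hold INET6_ADDRSTRLEN bytes. */
const char *v6_format(v6addr a, char *buf) {
    unsigned char b[16];
    for (int i = 0; i < 8; i++) {
        b[i]     = (unsigned char)(a.hi >> (56 - 8 * i));
        b[i + 8] = (unsigned char)(a.lo >> (56 - 8 * i));
    }
    return inet_ntop(AF_INET6, b, buf, INET6_ADDRSTRLEN);
}

int main(void) {
    const unsigned plens[] = {32, 64, 65, 128};
    char buf[INET6_ADDRSTRLEN]; v6addr a;
    if (v6_parse("2001:db8:a003:0:8000::5b", &a) != 0) return 1; /* constructed address */
    for (int i = 0; i < 4; i++)
        printf("/%-3u %s\n", plens[i], v6_format(v6_mask(a, plens[i]), buf));
    return 0;
}
```

With correct masking the upper 64 bits are unchanged for every prefix length above 64, so a result whose first four groups collapse to zero at /65 or /128 does not match the input address.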