On 23/8/10 4:30 PM, [email protected] wrote:
> With a bit more analysis, this seems to only affect the new -B option. 
> Using -b or uni-directional flows, the filters seem to work.  I am using
> the latest stable release: 1.6.1.

Yes - but that's the nature of -B:

o nfdump applies first the flow filter.
o Those flows which pass, build up the internal flow table.
o The first flow seen of a bidirectional connection defines the direction.
o when all flows are processed, the flow table is exported/printed.

At the last step, nfdump tries to guess if the direction is right, or whether
the flow needs to be swapped. If it swaps the flow, dst becomes src and you get
the impression that the filter does not work correctly, which is of course a
misleading assumption.

The -B option was introduced as routers export unidirectional flows, and
therefore the return flow may be exported before the source flow. nfdump swaps
flows if src port is < 1024 and dst port > 1024, as this is most likely a
swapped flow. So -B is convenient, but be aware of its consequences.

        - Peter

> 
> Thanks again
> 
>> I am trying to filter out known, good traffic so I can see traffic that I
>> am not expecting or considering.  I have a list of "rules" that match good
>> traffic and have converted those to nfdump filters.  My next step was to
>> negate them which is not producing what I expected.  Here are a couple of
>> the simple filters I have tried:
>>
>> // this works great and gives the expected result
>> nfdump -qBr file 'not dst port 443'
>>
>> // This works as expected
>> nfdump -qBr file 'dst port 443 or dst port 389'
>>
>> Now for the inverse filters:
>>
>> // this does not work, it removes 443 traffic, but not 389
>> nfdump -qBr file 'not dst port 443 and not dst port 389'
>>
>> // this also does not work, it removes 443 traffic, but not 389
>> nfdump -qBr file 'not ((dst port 443) or (dst port 389))'
>>
>> Am I doing this incorrectly?
>>
>> Thank you for your time
>>
>>
>> _______________________________________________
>> Nfdump-discuss mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
>>

-- 
Be nice to your netflow data. Use NfSen and nfdump :)
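A small model of the -B processing order Peter describes, added here as an illustration and not code from nfdump itself: filter first, then build the bidirectional table (first flow seen fixes the direction), then swap on export when src port < 1024 and dst port > 1024. The flow records and addresses are constructed; the filter models 'not dst port 443 and not dst port 389'.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

def not_dst_ports(ports):
    """Model of the nfdump filter 'not dst port A and not dst port B'."""
    return lambda f: f.dst_port not in ports

def bidir_key(f):
    # Both directions of a connection map to the same unordered endpoint pair.
    return frozenset({(f.src_ip, f.src_port), (f.dst_ip, f.dst_port)}), f.proto

def bidir_aggregate(flows, flt):
    """Step 1-3 of -B: apply the filter, then the first passing flow of each
    connection defines the direction stored in the flow table."""
    table = {}
    for f in flows:
        if flt(f):
            table.setdefault(bidir_key(f), f)
    return list(table.values())

def export_with_swap(table):
    """Step 4 of -B: on export, swap a flow whose src port is < 1024 and
    dst port > 1024, since it is most likely the return direction."""
    out = []
    for f in table:
        if f.src_port < 1024 and f.dst_port > 1024:
            f = Flow(f.dst_ip, f.dst_port, f.src_ip, f.src_port, f.proto)
        out.append(f)
    return out

def run(flows, flt, bidir):
    """bidir=False models a plain (unidirectional) nfdump run with the filter."""
    if bidir:
        return export_with_swap(bidir_aggregate(flows, flt))
    return [f for f in flows if flt(f)]

# Constructed records: the LDAP reply is exported by the router before the
# request, plus an unrelated high-port-to-high-port flow that is never swapped.
CONSTRUCTED_FLOWS = [
    Flow("10.0.0.5", 389, "10.0.0.9", 51000),    # reply: dst port 51000 passes filter
    Flow("10.0.0.9", 51000, "10.0.0.5", 389),    # request: dst port 389 is dropped
    Flow("10.0.0.9", 40000, "10.0.0.8", 8080),   # both ports > 1024, left as is
]
```

With -B the surviving reply flow is swapped on export and shows up with dst port 389, exactly the "filter does not work" impression described above; the unidirectional run never shows dst port 389.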
