> On 23/8/10 4:30 PM, [email protected] wrote:
>> With a bit more analysis, this seems to only affect the new -B option.
>> Using -b or uni-directional flows, the filters seem to work. I am using
>> the latest stable release: 1.6.1.
>
> Yes - but that's the nature of -B:
>
> o nfdump first applies the flow filter.
> o Those flows which pass build up the internal flow table.
> o The first flow seen of a bidirectional connection defines the direction.
> o When all flows are processed, the flow table is exported/printed.
Any chance of adding a post-processing filter option? :)

> At the last step, nfdump tries to guess if the direction is right, or
> whether the flow needs to be swapped.
> If it swaps the flow, dst becomes src and you get the impression that the
> filter does not work correctly, which is of course a misleading assumption.
> The -B option was introduced as routers export unidirectional flows, and
> therefore the return flow may be exported before the source flow. nfdump
> swaps flows if src port is < 1024 and dst port > 1024, as this is most
> likely a swapped flow. So -B is convenient, but be aware of its consequences.
>
> - Peter
>
>> Thanks again
>>
>>> I am trying to filter out known, good traffic so I can see traffic that I
>>> am not expecting or considering. I have a list of "rules" that match good
>>> traffic and have converted those to nfdump filters. My next step was to
>>> negate them, which is not producing what I expected. Here are a couple of
>>> the simple filters I have tried:
>>>
>>> // this works great and gives the expected result
>>> nfdump -qBr file 'not dst port 443'
>>>
>>> // This works as expected
>>> nfdump -qBr file 'dst port 443 or dst port 389'
>>>
>>> Now for the inverse filters:
>>>
>>> // this does not work, it removes 443 traffic, but not 389
>>> nfdump -qBr file 'not dst port 443 and not dst port 389'
>>>
>>> // this also does not work, it removes 443 traffic, but not 389
>>> nfdump -qBr file 'not ((dst port 443) or (dst port 389))'
>>>
>>> Am I doing this incorrectly?
>>>
>>> Thank you for your time
>>>
>>> _______________________________________________
>>> Nfdump-discuss mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
>
> --
> Be nice to your netflow data. Use NfSen and nfdump :)
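The following is an added example, not nfdump's code and not part of the thread. It models the four-step -B pipeline as Peter describes it (filter the unidirectional records, aggregate them into a flow table, let the first record seen fix the direction, then swap on export when src port < 1024 and dst port > 1024) so the negated `dst port` result can be reproduced on constructed flow records. The `post_filter` function is a hypothetical "post-processing filter" in the sense of the reply above, not an nfdump option; the IP addresses, ports and export order are constructed for the demonstration.

```python
"""Model of the -B pipeline described in the thread: why a negated
'dst port' filter can still print that port after the direction swap.

Added example, not nfdump's code. Pipeline order, first-seen rule and the
port heuristic come from the thread; records and post_filter are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def swapped(self):
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port)


def bidir_key(f):
    # Both directions of one connection map to the same table entry.
    return tuple(sorted([(f.src_ip, f.src_port), (f.dst_ip, f.dst_port)]))


def build_table(records, flow_filter):
    """Steps 1-3: filter the unidirectional records, then aggregate; the
    first record seen for a connection fixes the entry's src/dst orientation."""
    table = {}
    for rec in records:
        if not flow_filter(rec):
            continue
        table.setdefault(bidir_key(rec), rec)
    return list(table.values())


def export(table):
    """Step 4: on export, swap any entry that looks like a return flow
    (src port < 1024 and dst port > 1024)."""
    return [f.swapped() if f.src_port < 1024 and f.dst_port > 1024 else f
            for f in table]


def nfdump_B(records, flow_filter):
    """The -B order: filter, aggregate, then swap."""
    return export(build_table(records, flow_filter))


def post_filter(records, flow_filter):
    """Hypothetical post-processing filter: same aggregation and swap, but
    the filter is evaluated on the exported (already swapped) flows."""
    return [f for f in nfdump_B(records, lambda r: True) if flow_filter(f)]


def not_dst_port(*ports):
    # Equivalent of 'not dst port A and not dst port B'.
    return lambda f: f.dst_port not in ports


def host(ip):
    # Equivalent of 'host X' (matches either endpoint).
    return lambda f: ip in (f.src_ip, f.dst_ip)


# Constructed export order: the LDAP server's reply is exported before the
# client's request; the HTTPS request is exported before its reply.
RECORDS = [
    Flow("10.0.0.5", 389, "10.0.0.20", 50000),    # LDAP reply (exported first)
    Flow("10.0.0.20", 50000, "10.0.0.5", 389),    # LDAP request
    Flow("10.0.0.21", 51000, "10.0.0.6", 443),    # HTTPS request (exported first)
    Flow("10.0.0.6", 443, "10.0.0.21", 51000),    # HTTPS reply
]


def dst_ports(pipeline, flow_filter):
    """Destination ports a pipeline would print for RECORDS under a filter."""
    return sorted(f.dst_port for f in pipeline(RECORDS, flow_filter))


if __name__ == "__main__":
    print("-B, 'not dst port 389':         ", dst_ports(nfdump_B, not_dst_port(389)))
    print("post-filter, same filter:       ", dst_ports(post_filter, not_dst_port(389)))
    print("-B, 'host 10.0.0.5' before swap:", build_table(RECORDS, host("10.0.0.5")))
    print("-B, 'host 10.0.0.5' after swap: ", nfdump_B(RECORDS, host("10.0.0.5")))
```

With `not dst port 389` the LDAP request record is dropped by the filter, but the reply record (dst port 50000) passes and becomes the table entry; the export swap then turns it back into client → server, so port 389 appears as dst even though the filter excluded it. The `host` filter shows the first-seen rule on its own: both LDAP records pass, the reply defines the entry's orientation, and the swap corrects it on export. Evaluating the filter on the swapped output, as `post_filter` does, removes the 389 entry.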
