Hi,
I am just reading up on the nfdump/nfcapd tools and they're quite awesome
...

One question regarding nfcapd - in one of my applications, we have a
pretty heavy traffic flow and we'd like to have the netflow data in as much
real-time as possible. With flow-tools, I could simply pipe the output of
flow-receive into flow-print (to print the data into a format my code might
understand for further processing) - but I don't suppose I could do the same
with nfcapd/nfdump? (since nfcapd must write the captured data into a binary
file for nfdump to separately consume).

The other option I was thinking of was to use the -x option on nfcapd and have
it invoke nfdump, so I can have nfdump running as soon as I have a new file
available. In that context, how low can I go with the -t option? I am
guessing 60 seconds is the lowest, since anything less than that still
writes into a file that is generated for each minute.

Could you please let me know what would be my best bet if I wanted to get as
close to real-time processing (nfcapd -> nfdump -> myAnalyzer) using the
NFDUMP tool?

Thanks!
- am
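The nfcapd -> nfdump -> analyzer pipeline the question describes, as an added example (not code from the original post or from the nfdump project): a small hook script meant to be wired in through nfcapd's -x option, so that it runs once per rotated capture file, reads that file with `nfdump -o csv`, and hands the records to a toy analyzer. The install path `/usr/local/bin/nfhook.py`, the spool directory `/var/cache/nfdump`, the listen port and the embedded sample CSV are all assumptions made for illustration; the `%d`/`%f` expansions are nfcapd's own. Parsing is driven by the CSV header line rather than fixed column positions, because the exact column set of `-o csv` differs between nfdump versions; the embedded sample therefore carries only a subset of the real header.

```python
#!/usr/bin/env python3
"""Hook for nfcapd -x: analyze each capture file as soon as it is rotated.

Assumed (hypothetical) deployment, one per-file invocation:
    nfcapd -D -l /var/cache/nfdump -p 9995 -t 60 \
           -x '/usr/local/bin/nfhook.py %d/%f'
nfcapd expands %d to the directory and %f to the name of the file it has
just finished writing, so latency is bounded below by the -t interval.
"""
import csv
import subprocess
import sys
from collections import defaultdict

# Constructed sample of `nfdump -o csv` output (reduced header; real output
# has more columns, which is why parsing below goes by header name).
SAMPLE_CSV = """ts,te,td,sa,da,sp,dp,pr,flg,fwd,stos,ipkt,ibyt
2011-02-15 12:00:01.120,2011-02-15 12:00:03.540,2.420,10.0.0.5,192.0.2.10,51234,443,TCP,.AP.SF,0,0,20,18200
2011-02-15 12:00:02.000,2011-02-15 12:00:02.010,0.010,10.0.0.7,192.0.2.10,40001,22,TCP,....S.,0,0,1,60
2011-02-15 12:00:02.020,2011-02-15 12:00:02.030,0.010,10.0.0.7,192.0.2.10,40002,23,TCP,....S.,0,0,1,60
2011-02-15 12:00:02.040,2011-02-15 12:00:02.050,0.010,10.0.0.7,192.0.2.10,40003,25,TCP,....S.,0,0,1,60
2011-02-15 12:00:02.060,2011-02-15 12:00:02.070,0.010,10.0.0.7,192.0.2.10,40004,80,TCP,....S.,0,0,1,60
2011-02-15 12:00:05.000,2011-02-15 12:00:09.000,4.000,10.0.0.5,192.0.2.20,51235,443,TCP,.AP.SF,0,0,40,52000
Summary
flows,bytes,packets,avg_bps,avg_pps,avg_bpp
6,70440,64,70440,8,1100
"""


def nfdump_command(path, nffilter=None):
    """argv that reads one nfcapd file and prints every flow record as CSV."""
    cmd = ["nfdump", "-r", path, "-o", "csv"]
    if nffilter:                      # optional nfdump filter expression
        cmd.append(nffilter)
    return cmd


def parse_csv_records(text):
    """Turn `nfdump -o csv` text into a list of dicts keyed by header name.

    The first line is the header; nfdump appends a 'Summary' block after the
    records, which is dropped here.
    """
    reader = csv.reader(text.splitlines())
    header = next(reader)
    records = []
    for row in reader:
        if not row or row[0] == "Summary":
            break                     # rest of the output is the summary
        if len(row) != len(header):
            continue                  # defensive: skip malformed lines
        records.append(dict(zip(header, row)))
    return records


def top_talkers(records, n=10):
    """(source address, input bytes) pairs, highest byte count first."""
    by_src = defaultdict(int)
    for r in records:
        by_src[r["sa"]] += int(r["ibyt"])
    return sorted(by_src.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def port_scan_candidates(records, min_ports=20):
    """Sources that touched at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for r in records:
        ports[r["sa"]].add(int(r["dp"]))
    return {sa: sorted(p) for sa, p in ports.items() if len(p) >= min_ports}


def analyze(records):
    """Report for one rotated file; returns the findings for the caller."""
    findings = {
        "talkers": top_talkers(records, 5),
        "scanners": port_scan_candidates(records),
    }
    for sa, nbytes in findings["talkers"]:
        print(f"talker {sa} {nbytes} bytes")
    for sa, dports in findings["scanners"].items():
        print(f"possible scan from {sa}: {len(dports)} dst ports")
    return findings


def process_file(path):
    """Run nfdump on the file nfcapd just closed and analyze its records."""
    out = subprocess.run(nfdump_command(path), capture_output=True,
                         text=True, check=True).stdout
    return analyze(parse_csv_records(out))


if __name__ == "__main__":
    # Invoked by nfcapd as: nfhook.py /var/cache/nfdump/nfcapd.YYYYMMDDhhmm
    process_file(sys.argv[1])
```

Because nfcapd only hands a file to the -x command once it is complete, the delay between a flow arriving and the analyzer seeing it is at least one rotation interval; the hook itself adds only the time nfdump needs to read that file. If the analyzer would rather consume a line-oriented stream than CSV, `-o pipe` is the other machine-readable nfdump output format and needs only a different splitter in `parse_csv_records`.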
_______________________________________________
Nfdump-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss