I have spent ages battling with this, and have only just realised what is going on.
I'm using nfdump 1.6.3 to aggregate on source-ip:

    nfdump -r original -a -A srcip -w new
    nfdump -r new

    Date flow start          Duration Proto   Src IP Addr:Port      Dst IP Addr:Port   Packets    Bytes Flows
    2011-02-14 14:17:07.717   107.125 UDP     155.198.5.151:16169 -> 81.192.53.20:53     11783   933382  5287
    ...and so on

I was convinced it wasn't aggregating, but closer inspection shows it is; it's just not zeroing the unaggregated fields when writing the flow, presumably using the "last" values.

This is really confusing. Is it intentional?
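An added illustration, not part of the original post and not nfdump's code: a small Python model of aggregation on source IP over constructed flow records, showing the effect the post describes (non-key fields keeping the last merged flow's values) beside a variant that zeroes them. The function name `aggregate`, the field names, the zero values and the sample flows are assumptions made for this example.

```python
# Illustrative model only; not nfdump source code.
# Constructed sample flows: (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
FLOWS = [
    ("192.0.2.10", 40001, "198.51.100.5", 53, "UDP", 2, 150),
    ("192.0.2.10", 40002, "198.51.100.9", 80, "TCP", 10, 4000),
    ("192.0.2.20", 50000, "198.51.100.5", 53, "UDP", 1, 70),
    ("192.0.2.10", 40003, "203.0.113.7", 443, "TCP", 5, 900),
]
FIELDS = ("src_ip", "src_port", "dst_ip", "dst_port", "proto", "packets", "bytes")
COUNTERS = ("packets", "bytes")
# Assumed placeholder values for fields that carry no meaning after aggregation.
ZERO = {"src_ip": "0.0.0.0", "src_port": 0, "dst_ip": "0.0.0.0", "dst_port": 0, "proto": 0}


def aggregate(flows, key=("src_ip",), zero_non_key=True):
    """Merge flows that share `key`, summing packets/bytes and counting flows.

    zero_non_key=False models the output reported in the post: fields outside
    the key hold whatever the last merged flow contained, so the record looks
    like one real flow. zero_non_key=True blanks those fields instead.
    """
    non_key = [f for f in FIELDS if f not in key and f not in COUNTERS]
    merged = {}  # dicts keep insertion order, so output follows first-seen order
    for raw in flows:
        rec = dict(zip(FIELDS, raw))
        k = tuple(rec[f] for f in key)
        agg = merged.setdefault(k, {**rec, "packets": 0, "bytes": 0, "flows": 0})
        for f in non_key:
            agg[f] = ZERO[f] if zero_non_key else rec[f]
        for c in COUNTERS:
            agg[c] += rec[c]
        agg["flows"] += 1
    return list(merged.values())


if __name__ == "__main__":
    for label, zero in (("last values kept", False), ("non-key fields zeroed", True)):
        print(label)
        for r in aggregate(FLOWS, zero_non_key=zero):
            print("  {src_ip}:{src_port} -> {dst_ip}:{dst_port} proto={proto} "
                  "packets={packets} bytes={bytes} flows={flows}".format(**r))
```

In the "last values kept" output the destination address, ports and protocol belong to only one of the merged flows, while the packet, byte and flow counts cover all of them.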
