Hi Gabriel,

On 3/31/11 11:41, LEFEBVRE Gabriel wrote:
> 
>     Hi there,
> 
> I wonder how to mix bytes/packets filter and aggregation.
> 
> I want to do something like this:
>         nfdump ... -b --filter="bytes > xxx"
> 
> and the result is not as expected. In fact I think that each
> ticket is compared with the bytes filter before being aggregated.
> And so the bidirectional flow printed does not show all bytes of
> this session - but only shows the aggregation of tickets that were up to
> xxx bytes.
> 
> Is there something I am doing wrong with my filter? Is there any
> solution to do this?

well - no - you are perfectly right. The filter you specify applies to the
flows read from the nfcapd file. The flows which pass the filter are inserted
into the flow cache, where the bidirectional matching occurs. I have some
ideas for implementing post process filters, but the priority is not top notch.

In the meantime you may run: ./nfdump -b -w - | ./nfdump 'your filter'

Which means you pipe the flow cache to a second nfdump process, where you can
apply all required filters. Please note, that 'bytes > xx' applies to input or
output bytes in case of bidirectional flows. Use 'in bytes > xxx' or
'out bytes > xx' for an explicit direction.
Of course you can also store the bidir flows first into an nfcapd file
-w <file> and re-process the flows later on with different filters.

        - Peter

> 
> Thanks for reading
> 
> Gabriel
> 
> ------------------------------------------------------------------------------
> Create and publish websites with WebMatrix
> Use the most popular FREE web apps or write code yourself; 
> WebMatrix provides all the features you need to develop and 
> publish your website. http://p.sf.net/sfu/ms-webmatrix-sf
> _______________________________________________
> Nfdump-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss

-- 
--
Be nice to your netflow data
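
The ordering described in this reply, modelled as an added Python sketch (not nfdump code and not part of the original message): it compares testing a byte threshold per record before bidirectional matching with testing it on the aggregated session afterwards. The sample records, the tuple layout and the `fwd`/`rev` counter names are constructed assumptions.

```python
# Constructed sample records, not real nfcapd data:
# (src, sport, dst, dport, proto, bytes)
FLOWS = [
    ("10.0.0.5", 40000, "192.0.2.10", 443, "tcp", 900),
    ("192.0.2.10", 443, "10.0.0.5", 40000, "tcp", 600),
    ("10.0.0.5", 40000, "192.0.2.10", 443, "tcp", 1500),
    ("192.0.2.10", 443, "10.0.0.5", 40000, "tcp", 5000),
    # Session made only of small records: 3 x 400 bytes.
    ("10.0.0.9", 40002, "192.0.2.30", 22, "tcp", 400),
    ("10.0.0.9", 40002, "192.0.2.30", 22, "tcp", 400),
    ("10.0.0.9", 40002, "192.0.2.30", 22, "tcp", 400),
    # Small session that should never match.
    ("10.0.0.7", 40001, "192.0.2.20", 53, "udp", 80),
    ("192.0.2.20", 53, "10.0.0.7", 40001, "udp", 200),
]

def aggregate_bidir(flows):
    """Merge the records of one session into a single entry.
    'fwd' counts bytes in the direction of the first record seen,
    'rev' the opposite direction (simplified model of a flow cache)."""
    cache = {}
    for src, sport, dst, dport, proto, nbytes in flows:
        fwd = (src, sport, dst, dport, proto)
        rev = (dst, dport, src, sport, proto)
        if fwd in cache:
            cache[fwd]["fwd"] += nbytes
        elif rev in cache:
            cache[rev]["rev"] += nbytes
        else:
            cache[fwd] = {"fwd": nbytes, "rev": 0}
    return cache

def filter_then_aggregate(flows, threshold):
    """Single pass: the byte test runs per record, before the flow cache."""
    return aggregate_bidir(f for f in flows if f[5] > threshold)

def aggregate_then_filter(flows, threshold):
    """Two passes: aggregate first, then test either direction's total."""
    return {key: c for key, c in aggregate_bidir(flows).items()
            if c["fwd"] > threshold or c["rev"] > threshold}

if __name__ == "__main__":
    for name, fn in (("filter first", filter_then_aggregate),
                     ("aggregate first", aggregate_then_filter)):
        print(name)
        for key, counters in fn(FLOWS, 1000).items():
            print("  ", key, counters)
```

With a threshold of 1000 the single-pass variant under-reports the first session and drops the session made of 400-byte records entirely, while the two-pass variant reports full totals for both.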
