Hi Peter,

Thank you for your quick and clear response. The workaround you propose is a very good idea that will unlock me.
I'll stay tuned about future realisations of nfdump :)

Have a nice week-end,
Gabriel

> Hi Gabriel,
>
> On 3/31/11 11:41, LEFEBVRE Gabriel wrote:
>>
>> Hi there,
>>
>> I wonder how to mix bytes/packets filter and aggregation.
>>
>> I want to do something like this :
>> nfdump ... -b --filter="bytes > xxx"
>>
>> and the result is not as expected. In fact I think that each
>> ticket is compared with the bytes filter before being aggregated.
>> And so the bidirectional flow printed does not show all bytes of
>> this session - but only shows the aggregation of tickets that was up to
>> xxx bytes.
>>
>> Is there something I am doing wrong with my filter ? Is there any
>> solution to do this ?
>
> well - no - you are perfectly right. The filter you specify applies to the
> flows read from the nfcapd file. The flows which pass the filter, are
> inserted into the flow cache, where the bidirectional matching occurs.
> I have some ideas for implementing post process filters, but the priority
> is not top notch.
> In the meantime you may run: ./nfdump -b -w - | ./nfdump 'your filter'
>
> Which means you pipe the flow cache to a second nfdump process, where you
> can apply all required filters. Please note, that 'bytes > xx' applies to
> input or output bytes in case of bidirectional flows. Use 'in bytes > xxx'
> or 'out bytes > xx' for an explicit direction.
> Of course you can also store the bidir flows first into an nfcapd file
> -w <file> and re-process the flows later on with different filters.
>
> - Peter
>
>>
>> Thanks for reading
>>
>> Gabriel

_______________________________________________
Nfdump-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
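
The ordering issue discussed in this thread, as an added example that is not part of the original messages and is not nfdump code: a simplified Python model of a bidirectional flow cache, run once with the byte filter applied before aggregation and once after. The flow records, the threshold and the function names are constructed for illustration.

```python
from collections import OrderedDict

# Constructed sample records: (src, dst, sport, dport, proto, bytes)
FLOWS = [
    ("10.0.0.5", "192.0.2.10", 40000, 443, "tcp", 800),     # client request
    ("192.0.2.10", "10.0.0.5", 443, 40000, "tcp", 90000),   # server response
    ("10.0.0.5", "192.0.2.10", 40000, 443, "tcp", 600),     # same session, later
    ("10.0.0.7", "192.0.2.20", 40001, 53, "udp", 70),       # small DNS query
    ("192.0.2.20", "10.0.0.7", 53, 40001, "udp", 300),      # small DNS answer
]

def aggregate_bidir(flows):
    """Merge both directions of a session; the first record seen defines 'in'."""
    cache = OrderedDict()
    for src, dst, sport, dport, proto, nbytes in flows:
        fwd = (src, dst, sport, dport, proto)
        rev = (dst, src, dport, sport, proto)
        if fwd in cache:
            cache[fwd]["in"] += nbytes
        elif rev in cache:
            cache[rev]["out"] += nbytes
        else:
            cache[fwd] = {"in": nbytes, "out": 0}
    return cache

def filter_then_aggregate(flows, threshold):
    """Single-pass behaviour described in the thread: filter each record first."""
    kept = [f for f in flows if f[5] > threshold]
    return aggregate_bidir(kept)

def aggregate_then_filter(flows, threshold):
    """Two-process pipe: aggregate everything, then match in OR out bytes."""
    return OrderedDict(
        (key, val) for key, val in aggregate_bidir(flows).items()
        if val["in"] > threshold or val["out"] > threshold
    )

if __name__ == "__main__":
    for name, fn in (("filter first", filter_then_aggregate),
                     ("aggregate first", aggregate_then_filter)):
        print(name)
        for key, val in fn(FLOWS, 1000).items():
            print("  ", key, val)
```

With the filter applied first, the client's 1400 bytes vanish and the session appears to start at the server, which matters when the byte counts are used to size uploads or spot one-sided transfers.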
