Have you told nfcapd to collect the mask? Since nfdump's support for FNF you
have to enable those extensions you need - see nfcapd(1).
At least you need nfcapd -T3.
- Peter
On 11/5/11 1:10 PM, Guy, Neale wrote:
> I cannot get nfdump to display the subnets and the raw nfdump output does not
> seem to include this information:
> Flow Record:
> Flags = 0x00 Unsampled
> size = 52
> first = 1305017995 [2011-05-10 09:59:55]
> last = 1305017996 [2011-05-10 09:59:56]
> msec_first = 899
> msec_last = 259
> src addr = 192.168.228.87
> dst addr = 192.168.21.37
> src port = 36887
> dst port = 80
> fwd status = 0
> tcp flags = 0x1e .APRS.
> proto = 6
> (src)tos = 0
> (in)packets = 7
> (in)bytes = 2884
> input = 173
> output = 175
> src as = 0
> dst as = 0
>
>
> /usr/local/bin/nfdump -M /data/nfcapd/flows/router -R 2011/05/10/nfcapd.201105100000:2011/05/10/nfcapd.201105102355 -n 5 -s mask:p/bps
>
> Top 5 Mask ordered by bps:
> Date first seen Duration Proto Mask Flows(%) Packets(%) Bytes(%) pps bps bpp
> 2011-05-09 23:58:56.717 86461.844 any 0 50.9 M(200.0) 1.7 G(200.0) 744.0 G(200.0) 19734 68.8 M 436
>
> Summary: total flows: 25471290, total bytes: 372.0 G, total packets: 853.1 M, avg bps: 34.4 M, avg pps: 9867, avg bpp: 436
> Time window: 2011-05-09 23:58:56 - 2011-05-10 23:59:58
> Total flows processed: 25471290, Blocks skipped: 0, Bytes read: 1324528668
> Sys: 3.330s flows/second: 7649036.0 Wall: 28.248s flows/second: 901670.8
>
>
> We are using Netflow v5. Is this information only included in a certain
> version of netflow packet?
> Looking at the docs for v5, it shows:
> 44 src_mask Source address prefix mask bits
> 45 dst_mask Destination address prefix mask bits.
>
> Neale Guy
> Nexus System Developer | System development | NTT Europe Ltd.
> _______________________________________________
> Nfdump-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
--
Be nice to your netflow data. Use NfSen and nfdump :)
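
To check whether an exporter actually fills the two mask bytes quoted in the question (offsets 44 and 45 of each v5 flow record), the fields can be read straight from a captured export datagram. This is an added example, not code from nfdump or from either poster; the function names are hypothetical, and the sample datagram is constructed from the flow values in the thread with made-up masks of 24 and 22.

```python
import ipaddress
import struct

HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")  # 48-byte v5 flow record

def network(addr, mask_bits):
    """Apply a prefix length to a packed IPv4 address, clearing host bits."""
    return ipaddress.ip_network(
        f"{ipaddress.IPv4Address(addr)}/{mask_bits}", strict=False)

def parse_v5(datagram):
    """Return one dict per flow record with the masks and derived subnets."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("datagram shorter than its record count implies")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        src, dst, src_mask, dst_mask = f[0], f[1], f[16], f[17]
        flows.append({
            "src_port": f[9], "dst_port": f[10], "proto": f[12],
            "src_mask": src_mask, "dst_mask": dst_mask,  # record bytes 44, 45
            "src_net": str(network(src, src_mask)),
            "dst_net": str(network(dst, dst_mask)),
        })
    return flows

def sample_datagram(src_mask=24, dst_mask=22):
    """Constructed datagram: flow values from the thread, masks are made up."""
    header = HEADER.pack(5, 1, 0, 1305017996, 0, 0, 0, 0, 0)
    record = RECORD.pack(
        ipaddress.IPv4Address("192.168.228.87").packed,
        ipaddress.IPv4Address("192.168.21.37").packed,
        bytes(4),        # nexthop
        173, 175,        # input, output interface
        7, 2884,         # packets, bytes
        0, 0,            # first, last (sysuptime ms)
        36887, 80,       # src port, dst port
        0x1e, 6, 0,      # tcp flags, proto, tos
        0, 0,            # src as, dst as
        src_mask, dst_mask)
    return header + record

if __name__ == "__main__":
    for flow in parse_v5(sample_datagram()):
        print(flow)
```

A record whose mask bytes are both 0 collapses to `0.0.0.0/0` for every flow, so per-subnet statistics have nothing to group on.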