Hi Peter,
if I uncompress a netflow file and try to verify it after that, I get
a result where the number of blocks and records is zeroed.
Example:
$ nfdump -v nfcapd.201106302000
File : nfcapd.201106302000
Version : 1 - compressed
Blocks : 54
Type 1 : 0
Type 2 : 54
Records : 822786
$ nfdump -j nfcapd.201106302000
Uncompress file ..
$ nfdump -v nfcapd.201106302000
File : nfcapd.201106302000
Version : 1 - not compressed
Blocks : 0
Type 1 : 0
Type 2 : 0
Records : 0
Affected version is 1.6.3p1. Version 1.6.1p1 works as expected.
I have been digging into the source code, and probably the proper update of
the file header is missing in the CloseUpdateFile function.
A patch solving the issue is attached. I hope you will find it useful.
Regards,
Matej
--- nffile.c 2011-01-08 08:47:28.000000000 +0100
+++ nffile.c.new 2011-07-01 00:09:03.025136270 +0200
@@ -525,6 +525,7 @@
}
}
+ nffile->file_header->NumBlocks = FileHeader.NumBlocks;
strncpy(nffile->file_header->ident, ident ? ident : "unknown" ,
IdentLen);
file_header.ident[IdentLen - 1] = 0;
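Review bot: the added line restores only NumBlocks, yet the `nfdump -v` output in the report also shows `Records : 0` after uncompressing; before merging, confirm that the record count comes back with just this one line (for instance because the verifier reads only as many blocks as the header announces) or whether the stat record needs the same update in CloseUpdateFile. Also, the context line `file_header.ident[IdentLen - 1] = 0;` writes the terminator to `file_header`, while the strncpy above it and the new line target `nffile->file_header->`; check that the terminator lands in the header that is actually written to disk.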
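To make the failure mode concrete, here is an added example, not code from nfdump or from the report, that models the write path the patch touches: the header is written first with a placeholder block count, blocks are appended while a local counter is kept, and the header is rewritten on close. A verifier that trusts the header's NumBlocks then reads zero blocks and zero records from a buggy file, while an independent walk of the block chain still finds everything. The on-disk layout (140-byte file header `magic, version, flags, NumBlocks, ident[128]`, a 136-byte stat record, 12-byte block headers `NumRecords, size, id, flags`) is modelled on nfdump 1.6's nffile.h but is an assumption here, as are the dummy record size and the sample capture; "compressed" is only a header flag in this model, no real compression is performed.

```python
import struct

# Layout assumed for this constructed example (modelled on nfdump 1.6's nffile.h;
# the sizes and field order are assumptions, not taken from the report).
MAGIC = 0xA50C
LAYOUT_VERSION_1 = 1
FLAG_COMPRESSED = 0x1
FILE_HEADER = struct.Struct("<HHII128s")   # magic, version, flags, NumBlocks, ident
STAT_RECORD_LEN = 136                      # stat record sits between header and blocks
BLOCK_HEADER = struct.Struct("<IIHH")      # NumRecords, size, id, flags
RECORD_LEN = 16                            # dummy record size, constructed


def pack_file_header(flags, num_blocks, ident):
    """Serialize the header; ident is truncated and NUL-terminated like the strncpy path."""
    raw_ident = ident.encode()[:127].ljust(128, b"\0")
    return FILE_HEADER.pack(MAGIC, LAYOUT_VERSION_1, flags, num_blocks, raw_ident)


def make_block(num_records, block_type=2):
    """One data block: block header followed by num_records dummy records."""
    body = bytes(RECORD_LEN * num_records)
    return BLOCK_HEADER.pack(num_records, len(body), block_type, 0) + body


def iter_blocks(data, limit=None):
    """Walk the block chain; with limit, stop after that many blocks (header-driven read)."""
    off = FILE_HEADER.size + STAT_RECORD_LEN
    seen = 0
    while off + BLOCK_HEADER.size <= len(data) and (limit is None or seen < limit):
        num_records, size, block_type, _flags = BLOCK_HEADER.unpack_from(data, off)
        off += BLOCK_HEADER.size
        yield num_records, block_type, data[off:off + size]
        off += size
        seen += 1


def verify(data):
    """Header-driven view (what a reader trusting NumBlocks sees) plus an independent recount."""
    magic, version, flags, num_blocks, raw_ident = FILE_HEADER.unpack_from(data, 0)
    if magic != MAGIC:
        raise ValueError("not an nfcapd file: bad magic 0x%04X" % magic)
    trusted = list(iter_blocks(data, limit=num_blocks))
    present = list(iter_blocks(data))
    return {
        "version": version,
        "compressed": bool(flags & FLAG_COMPRESSED),
        "ident": raw_ident.split(b"\0", 1)[0].decode(),
        "NumBlocks": num_blocks,                               # as announced by the header
        "Records": sum(n for n, _t, _p in trusted),            # records within NumBlocks blocks
        "actual_blocks": len(present),                         # blocks physically in the file
        "actual_records": sum(n for n, _t, _p in present),
    }


class NfWriter:
    """Models the write path: placeholder header, blocks appended with a local
    counter, header rewritten on close from the in-memory header struct."""

    def __init__(self, flags, ident):
        self.file_header = {"flags": flags, "NumBlocks": 0, "ident": ident}
        self.local_num_blocks = 0      # the counter kept while writing (FileHeader.NumBlocks in the patch)
        self.body = bytearray()

    def write_block(self, block):
        self.body += block
        self.local_num_blocks += 1

    def close_update_file(self, fixed):
        """The reported bug: without the copy below, the header keeps its placeholder 0."""
        if fixed:
            self.file_header["NumBlocks"] = self.local_num_blocks   # the patch's added line
        header = pack_file_header(self.file_header["flags"],
                                  self.file_header["NumBlocks"],
                                  self.file_header["ident"])
        return header + bytes(STAT_RECORD_LEN) + bytes(self.body)


def uncompress(data, fixed):
    """Rewrite data with the compressed flag cleared, through the modelled close path."""
    info = verify(data)
    out = NfWriter(0, info["ident"])
    for num_records, block_type, payload in iter_blocks(data):
        out.write_block(BLOCK_HEADER.pack(num_records, len(payload), block_type, 0) + payload)
    return out.close_update_file(fixed)


def constructed_capture(num_blocks=54, records_per_block=3):
    """A synthetic 'compressed' capture whose header is already correct (constructed input)."""
    w = NfWriter(FLAG_COMPRESSED, "nfcapd.201106302000")
    for _ in range(num_blocks):
        w.write_block(make_block(records_per_block))
    return w.close_update_file(fixed=True)


if __name__ == "__main__":
    cap = constructed_capture()
    for label, result in (("buggy", uncompress(cap, False)), ("fixed", uncompress(cap, True))):
        print(label, verify(result))
```

The useful check here is the pair `NumBlocks` versus `actual_blocks`: a header-driven reader reports 0 blocks and 0 records for the buggy file, while the recount still finds all 54 blocks, which is exactly the signature in the report and a quick way to tell a truncated file from one with a stale header.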
_______________________________________________
Nfdump-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss