Hi Drew,
On 10/8/12 19:51, Drew Weaver wrote:
> Hi,
>
> I’m migrating from flow-tools to nfcap/nfdump and I have a few scripts I’m
> trying to port over to use nfdump.
>
> This is the flow-tools equivalent:
>
> /var/netflow/bin/flow-cat ft-v05.2012-10-08* | /var/netflow/bin/flow-filter
> -Sip_list -P25 -f/var/netflow/bin/flow.acl|
> /var/netflow/bin/flow-stat -f24 -S2
>
> In flow.acl I have:
>
> ip access-list standard ip_list permit 192.168.0.0 0.0.31.255
> ip access-list standard ip_list permit 10.0.192.0 0.0.31.255
> ip access-list standard ip_list deny any
>
> So it only processes data about flows sourced from 192.168.0.0/19 and
> 10.0.192.0/19 on destination port 25 and is sorted
> by octets.
>
> Then it outputs it like this:
>
> # Source Prefix    flows   octets   packets
> #
> 192.168.0.0/28     657     852267   719
> 10.0.192.0/28      349     445912   386
>
> I’ve tried converting this to nfdump like this:
>
> nfdump -R /var/netflow/nc/nfcapd.20121008* -s srcnet 'src net 192.168.0.0/19
> or src net 10.0.192.0/19 and dst port 25'
>
> but I don’t think nfdump supports using * in file name and it doesn’t appear
> that you can use ‘srcnet’ as a statistic.
>
> Can anyone provide me with a bit of guidance on this?
Use nfdump -R /var/netflow/nc/nfcapd.201210080000:nfcapd.201210082355
It reads flows from:to.

BTW, your filter is syntactically correct, but is most likely not what you
want? I guess you want

(src net 192.168.0.0/19 or src net 10.0.192.0/19) and dst port 25

(boolean expression). Otherwise you get the right flows only for 10.0.192.0/19,
but all available flows for 192.168.0.0/19.

Hope this helps
- Peter
>
> Thanks,
>
> -Drew
--
Be nice to your netflow data
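An added example, not part of the thread, that makes Peter's precedence point concrete. It assumes, as his reply states, that nfdump's filter grammar binds `and` tighter than `or`, and it evaluates both readings of Drew's filter over a handful of constructed flow records (the addresses, ports and byte counts are made up). It also builds the `-R from:to` file range and the parenthesised filter as the command-line arguments for one day, so the two fixes can be reused in a script. The helper names are my own.

```python
"""Show why 'A or B and C' differs from '(A or B) and C' in an nfdump filter.

The precedence assumption (and binds tighter than or) follows Peter's reply.
All flow records below are constructed for illustration, not real data.
"""
import ipaddress

# The two source prefixes from Drew's flow.acl.
NET_A = ipaddress.ip_network("192.168.0.0/19")
NET_B = ipaddress.ip_network("10.0.192.0/19")

# Constructed sample flows: (source address, destination port, octets).
FLOWS = [
    ("192.168.5.10", 25, 1200),    # mail from net A: should be counted
    ("192.168.5.11", 80, 90000),   # web from net A: should NOT be counted
    ("10.0.200.7", 25, 3400),      # mail from net B: should be counted
    ("10.0.200.8", 443, 50000),    # https from net B: should NOT be counted
    ("172.16.1.1", 25, 700),       # mail from elsewhere: should NOT be counted
]


def in_net(src, net):
    return ipaddress.ip_address(src) in net


def filter_as_written(src, dport):
    """Drew's filter as nfdump parses it: A or (B and dst port 25)."""
    return in_net(src, NET_A) or (in_net(src, NET_B) and dport == 25)


def filter_intended(src, dport):
    """The parenthesised form Peter suggests: (A or B) and dst port 25."""
    return (in_net(src, NET_A) or in_net(src, NET_B)) and dport == 25


def select(flows, predicate):
    """Return the flows matching a filter function."""
    return [f for f in flows if predicate(f[0], f[1])]


def total_octets(flows):
    return sum(f[2] for f in flows)


def nfdump_args(day, datadir="/var/netflow/nc"):
    """Build nfdump arguments for one day (YYYYMMDD) using the from:to range
    that Peter describes instead of a shell glob, plus the parenthesised filter."""
    first = f"{datadir}/nfcapd.{day}0000"
    last = f"nfcapd.{day}2355"
    flt = "(src net 192.168.0.0/19 or src net 10.0.192.0/19) and dst port 25"
    return ["nfdump", "-R", f"{first}:{last}", flt]


if __name__ == "__main__":
    written = select(FLOWS, filter_as_written)
    intended = select(FLOWS, filter_intended)
    print("as written :", len(written), "flows,", total_octets(written), "octets")
    print("intended   :", len(intended), "flows,", total_octets(intended), "octets")
    print(" ".join(repr(a) if " " in a else a for a in nfdump_args("20121008")))
```

With the constructed flows the unparenthesised filter pulls in the port-80 flow from 192.168.0.0/19 and so reports 94600 octets instead of the 4600 octets of SMTP traffic that the flow-tools ACL plus `-P25` actually selected, which is exactly the distortion Peter warns about.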
_______________________________________________
Nfdump-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss