Hi,
The difference is, where the data gets stored:
-l /flow_base_dir/router1 puts everything into one file located under
the given directory. If you need to now, which router sent which flows
you have to filter according the sending router address, or according
the exporter id of a given router ( v.1.6.8 )
-n router1,192.168.1.1,/flow_base_dir/router1 -n
router2,192.168.1.2,/flow_base_dir/router2
separates the flows according the sending IP address and stores the flows
into individual directories.
So, in the end it depends on what you prefer for processing your data
afterwards.
- Peter
On 10/10/12 13:15, Veerapuram Varadhan wrote:
> Hi,
>
> Greetings!
>
> Thanks for a great tool.
>
> In recent versions of nfcapd, I read about the "-n" option through which
> multiple-netflow source streams can be captured by a single instance of
> nfcapd.
>
> However, I have been running my tests/analysis of netflow from 3
> different netflow routers pointing to a single instance of nfcapd
> without the "-n" option.
>
> For example:- Currently, I am running nfcapd like this:
>
> nfcapd -b 164.99.87.47 -T +13 -w -B 102400000 -l /flow_base_dir/router1
> -p 9999
>
> and using the following nfdump command/options, I am post processing the
> results:
>
> nfdump -r /flow_base_dir/router1/nfcapd.201210081340 -o "fmt:%ra %ts %td
> %pr %sap -> %dap %flg %tos %pkt %byt %fl" -s router
>
> and get:
>
> Top 10 Router IP ordered by flows:
> Date first seen Duration Proto Router IP Flows(%)
> Packets(%) Bytes(%) pps bps bpp
> 2012-07-03 22:24:44.368 8321360.751 any 164.99.87.223
> 3500(42.2) 186070(42.7) 5.2 M(42.0) 0 5 28
> 2012-07-04 07:45:50.457 8289479.403 any 164.99.87.220
> 2720(32.8) 145925(33.5) 4.2 M(33.6) 0 4 28
> 2012-07-05 09:15:01.152 8190071.749 any 164.99.87.222
> 2070(25.0) 104218(23.9) 3.1 M(24.5) 0 2 29
>
> (grouped by router)
>
> So, was wondering whether using "-n" option in the nfcapd would get me a
> different report than this?
>
> And/or whether the way that I am collecting netflow data from the three
> routers is correct?
>
> Thanks in advance,
>
> V. Varadhan.
>
>
> ------------------------------------------------------------------------------
> Don't let slow site performance ruin your business. Deploy New Relic APM
> Deploy New Relic app performance management and know exactly
> what is happening inside your Ruby, Python, PHP, Java, and .NET app
> Try New Relic at no cost today and get our sweet Data Nerd shirt too!
> http://p.sf.net/sfu/newrelic-dev2dev
> _______________________________________________
> Nfdump-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
>
--
--
Be nice to your netflow data
------------------------------------------------------------------------------
Don't let slow site performance ruin your business. Deploy New Relic APM
Deploy New Relic app performance management and know exactly
what is happening inside your Ruby, Python, PHP, Java, and .NET app
Try New Relic at no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev
_______________________________________________
Nfdump-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
