Hi Peter,

Thanks for the reply.

I clearly see the difference. However, what I would really like to know is whether there will be any difference in the per-router statistics or aggregation output of nfdump if I just use -l. Also, with -l, it would be easier for me to just keep pointing routers to a single ip/port without bringing down the nfcapd. With -n, I guess, I will have to bring down nfcapd and add this new router ident, ip, dir and restart it. Or is there a better way of adding a new router without bringing down nfcapd and keep collecting data in a separate directory?

Best,
V. Varadhan

On Fri, 2012-10-12 at 10:28 +0200, Peter Haag wrote:
> Hi,
>
> The difference is, where the data gets stored:
>
> -l /flow_base_dir/router1 puts everything into one file located under
> the given directory. If you need to know which router sent which flows,
> you have to filter according to the sending router address, or according
> to the exporter id of a given router ( v.1.6.8 )
>
> -n router1,192.168.1.1,/flow_base_dir/router1 -n router2,192.168.1.2,/flow_base_dir/router2
> separates the flows according to the sending IP address and stores the flows
> into individual directories.
>
> So, in the end it depends on what you prefer for processing your data
> afterwards.
>
> - Peter
>
> On 10/10/12 13:15, Veerapuram Varadhan wrote:
> > Hi,
> >
> > Greetings!
> >
> > Thanks for a great tool.
> >
> > In recent versions of nfcapd, I read about the "-n" option through which
> > multiple-netflow source streams can be captured by a single instance of
> > nfcapd.
> >
> > However, I have been running my tests/analysis of netflow from 3
> > different netflow routers pointing to a single instance of nfcapd
> > without the "-n" option.
> >
> > For example: Currently, I am running nfcapd like this:
> >
> > nfcapd -b 164.99.87.47 -T +13 -w -B 102400000 -l /flow_base_dir/router1 -p 9999
> >
> > and using the following nfdump command/options, I am post processing the
> > results:
> >
> > nfdump -r /flow_base_dir/router1/nfcapd.201210081340 -o "fmt:%ra %ts %td %pr %sap -> %dap %flg %tos %pkt %byt %fl" -s router
> >
> > and get:
> >
> > Top 10 Router IP ordered by flows:
> > Date first seen          Duration     Proto  Router IP      Flows(%)    Packets(%)    Bytes(%)     pps  bps  bpp
> > 2012-07-03 22:24:44.368  8321360.751  any    164.99.87.223  3500(42.2)  186070(42.7)  5.2 M(42.0)  0    5    28
> > 2012-07-04 07:45:50.457  8289479.403  any    164.99.87.220  2720(32.8)  145925(33.5)  4.2 M(33.6)  0    4    28
> > 2012-07-05 09:15:01.152  8190071.749  any    164.99.87.222  2070(25.0)  104218(23.9)  3.1 M(24.5)  0    2    29
> >
> > (grouped by router)
> >
> > So, was wondering whether using "-n" option in the nfcapd would get me a
> > different report than this?
> >
> > And/or whether the way that I am collecting netflow data from the three
> > routers is correct?
> >
> > Thanks in advance,
> >
> > V. Varadhan.
_______________________________________________
Nfdump-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
