I found 'nfsen -r live 4', but get the following when running that:

nfsen[2382]: Cmd Decode: rebuild-profile
nfsen[2382]: Key format error for '4=1'
nfsen[2382]: Cmd Decode: quit
ERR key format error

I set the identity in the file, tried to create the profile first and run it without creating the profile. Any ideas what else to try?

Thanks,
-ryan

On Tue, Mar 05, 2013 at 17:06:10, Ryan West wrote:
>
> Hi,
>
> With the help of another member I was able to convert months of ASA
> syslog data to Netflow v9. Thanks again for that. The data was
> converted into nsel-nfdump 1.6.9 format and then the intention was to
> use nfreplay to push all the data into two collectors. The SiLK collector is
> reading the dates fine.
> However, nfsen puts the data into a single 5 minute chunk.
>
> 450871655 Mar 5 15:30 nfcapd.201303051525
> 25829 Mar 5 15:35 nfcapd.201303051530
> 22279 Mar 5 15:40 nfcapd.201303051535
>
> If I dump the file, I can see the proper timestamps:
>
> 2012-10-25 22:36:43.296 IGNORE Ignore TCP 192.168.0.12:443 -> x.x.x.x:51796 0.0.0.0:0 -> 0.0.0.0:51796 2129
> 2012-10-25 22:36:50.296 IGNORE Ignore TCP 192.168.0.12:443 -> x.x.x.x:51796 0.0.0.0:0 -> 0.0.0.0:51796 2129
> 2012-10-25 22:36:50.296 IGNORE Ignore TCP 192.168.0.12:443 -> x.x.x.x:51796 0.0.0.0:0 -> 0.0.0.0:51796 2129
> 2012-10-25 22:36:57.296 IGNORE Ignore TCP 192.168.0.12:443 -> x.x.x.x:51796 0.0.0.0:0 -> 0.0.0.0:51796 2129
> 2012-10-25 22:36:57.296 IGNORE Ignore TCP 192.168.0.12:443 -> x.x.x.x:51796 0.0.0.0:0 -> 0.0.0.0:51796 2129
>
> nfdump -r nfcapd.201303051525 -t 2012/10/25.23:36:43-2013/01/01.00:00:00
> Date first seen Event XEvent Proto Src IP Addr:Port Dst IP Addr:Port X-Src IP Addr:Port X-Dst IP Addr:Port Bytes
> Empty file list. No files to process
> No matched flows
>
> Any idea what I might be missing or another recommended way to get the
> data usable by nfsen? Also, I wanted to point out the cosmetic bug on
> the xdstport field.
>
> Thanks,
>
> -ryan
>
> ------------------------------------------------------------------------------
> Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester
> Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in
> the endpoint security space. For insight on selecting the right
> partner to tackle endpoint security challenges, access the full report.
> http://p.sf.net/sfu/symantec-dev2dev
> _______________________________________________
> Nfdump-discuss mailing list
> Nfdump-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
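The mismatch Ryan describes (2012 flow records sitting in a file named for a March 2013 five-minute slot) can be checked mechanically. The following is an added example, not code from the thread or from the nfdump/nfsen project: it derives the slot window from an nfcapd.YYYYMMDDhhmm file name, parses the "Date first seen" column of nfdump text output, counts records outside the window, and lists the slot files those records would need to live in for nfsen's 5-minute layout. The sample dump lines are constructed from the ones quoted above; the 5-minute slot width and the file-name convention are assumptions based on the file listing in the thread.

```python
"""Check whether nfdump text records fit the 5-minute slot their nfcapd
file name encodes (added example; not part of the thread or of nfdump)."""
import re
from datetime import datetime, timedelta

SLOT = timedelta(minutes=5)  # assumed nfsen/nfcapd rotation interval
NAME_RE = re.compile(r"nfcapd\.(\d{12})$")
# nfdump NSEL text output begins each record with "YYYY-MM-DD HH:MM:SS.mmm".
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d{3}\s")


def slot_window(filename):
    """Return (start, end) of the slot named by an nfcapd.YYYYMMDDhhmm file."""
    m = NAME_RE.search(filename)
    if not m:
        raise ValueError("not an nfcapd slot file: %s" % filename)
    start = datetime.strptime(m.group(1), "%Y%m%d%H%M")
    return start, start + SLOT


def record_times(lines):
    """Extract 'Date first seen' timestamps; header and summary lines are skipped."""
    times = []
    for line in lines:
        m = TS_RE.match(line)
        if m:
            times.append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    return times


def expected_slot_name(t):
    """Name of the slot file a record with first-seen time t belongs in."""
    floored = t.replace(minute=t.minute - t.minute % 5, second=0, microsecond=0)
    return "nfcapd." + floored.strftime("%Y%m%d%H%M")


def check_slot(filename, lines):
    """Summarise how many records fall inside/outside the file's own slot."""
    start, end = slot_window(filename)
    times = record_times(lines)
    inside = sum(1 for t in times if start <= t < end)
    return {
        "slot_start": start,
        "records": len(times),
        "inside": inside,
        "outside": len(times) - inside,
        "earliest": min(times) if times else None,
        "latest": max(times) if times else None,
        # slot files the out-of-window records would need to be in
        "slots_needed": sorted({expected_slot_name(t) for t in times
                                if not (start <= t < end)}),
    }


# Constructed sample: file name and first two records mirror the thread; the
# third record is a made-up flow that does belong to the 15:25 slot.
SAMPLE_FILE = "nfcapd.201303051525"
SAMPLE_DUMP = """\
Date first seen          Event  XEvent Proto Src IP Addr:Port Dst IP Addr:Port Bytes
2012-10-25 22:36:43.296 IGNORE Ignore TCP 192.168.0.12:443 -> x.x.x.x:51796 0.0.0.0:0 -> 0.0.0.0:51796 2129
2012-10-25 22:36:50.296 IGNORE Ignore TCP 192.168.0.12:443 -> x.x.x.x:51796 0.0.0.0:0 -> 0.0.0.0:51796 2129
2013-03-05 15:27:10.000 IGNORE Ignore TCP 192.168.0.12:443 -> x.x.x.x:51797 0.0.0.0:0 -> 0.0.0.0:51797 1024
Summary: total flows: 3, total bytes: 5282
""".splitlines()

if __name__ == "__main__":
    report = check_slot(SAMPLE_FILE, SAMPLE_DUMP)
    for key, value in report.items():
        print("%-13s %s" % (key, value))
```

Run against a real dump with `nfdump -r nfcapd.201303051525 -o line | python3 check_slot.py`-style plumbing (reading stdin instead of SAMPLE_DUMP); a large "outside" count with "slots_needed" spanning months is exactly the symptom in the thread, and the slot list tells you which per-slot files the replayed data would have to be split into before nfsen's profile graphs can place it on the right dates.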