On 3/6/13 4:18, Ryan West wrote:
> I found 'nfsen -r live 4', but get the following when running that:

Why 4? The only valid option after -r live is nothing or 'all' to rebuild the graphs.

Regards

- Peter

>
> nfsen[2382]: Cmd Decode: rebuild-profile
> nfsen[2382]: Key format error for '4=1'
> nfsen[2382]: Cmd Decode: quit
>
> ERR key format error
>
> I set the identity in the file, tried to create the profile first and run it
> without creating the profile.
>
> Any ideas what else to try?
>
> Thanks,
>
> -ryan
>
> On Tue, Mar 05, 2013 at 17:06:10, Ryan West wrote:
>>
>> Hi,
>>
>> With the help of another member I was able to convert months of ASA
>> syslog data to Netflow v9. Thanks again for that. The data was
>> converted into nsel-nfdump 1.6.9 format and then the intention was to
>> use nfreplay to push all the data into two collectors. The SiLK collector is
>> reading the dates fine.
>> However, nfsen puts the data into a single 5 minute chunk.
>>
>> 450871655 Mar 5 15:30 nfcapd.201303051525
>> 25829 Mar 5 15:35 nfcapd.201303051530
>> 22279 Mar 5 15:40 nfcapd.201303051535
>>
>> If I dump the file, I can see the proper timestamps:
>>
>> 2012-10-25 22:36:43.296 IGNORE Ignore TCP 192.168.0.12:443 -> x.x.x.x:51796 0.0.0.0:0 -> 0.0.0.0:51796 2129
>> 2012-10-25 22:36:50.296 IGNORE Ignore TCP 192.168.0.12:443 -> x.x.x.x:51796 0.0.0.0:0 -> 0.0.0.0:51796 2129
>> 2012-10-25 22:36:50.296 IGNORE Ignore TCP 192.168.0.12:443 -> x.x.x.x:51796 0.0.0.0:0 -> 0.0.0.0:51796 2129
>> 2012-10-25 22:36:57.296 IGNORE Ignore TCP 192.168.0.12:443 -> x.x.x.x:51796 0.0.0.0:0 -> 0.0.0.0:51796 2129
>> 2012-10-25 22:36:57.296 IGNORE Ignore TCP 192.168.0.12:443 -> x.x.x.x:51796 0.0.0.0:0 -> 0.0.0.0:51796 2129
>>
>> nfdump -r nfcapd.201303051525 -t 2012/10/25.23:36:43-2013/01/01.00:00:00
>> Date first seen Event XEvent Proto Src IP Addr:Port Dst IP Addr:Port X-Src IP Addr:Port X-Dst IP Addr:Port Bytes
>> Empty file list. No files to process
>> No matched flows
>>
>> Any idea what I might be missing or another recommended way to get the
>> data usable by nfsen? Also, I wanted to point out the cosmetic bug on
>> the xdstport field.
>>
>> Thanks,
>>
>> -ryan

--
-- Be nice to your netflow data

_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss