Hi Brian,
Did you "upgrade" your Cisco device? It may come with a new version of
ASA which does include not only incoming, but also outgoing byte counters.

To test, use this format with nfdump:
./nfdump -r .. -o "fmt:%ts %evt %xevt %pr %sap -> %dap %ibyt %obyt %fl"

This example lists your flows with both counters. Whether or not this
additional counter is available is a question of the ASA version.

nfdump adds up both input and output in the summary line. The statistic
output, however, only prints the incoming bytes for compatibility and
historic reasons. That's where the difference comes from. I may consider
adding more options to -s ...

Cheers

        - Peter

On 04/03/2014 10:52 PM, Brian Candler wrote:
> Here's a really odd one.
> 
> Both my cacti graphs and nfsen graphs are showing an unexpected increase
> in data usage; but digging down in nfsen I can't find the source.  Then
> I find even nfdump itself doesn't seem to agree internally on what the
> total data volume is.
> 
> The data source is a Cisco ASA5520 and I'm running nfdump with
> --enable-nfprofile --enable-nftrack --enable-nsel.
> 
> $ nfdump -V
> nfdump: Version: NSEL-NEL1.6.11 $Date: 2013-11-16 09:04:43 +0100 (Sat, 16 Nov 2013) $
> 
> Here is an example single 5-minute timeslot. nfsen shows the total
> traffic for this slot is 12GB. But if I ask nfsen/nfdump to group it by
> protocol, I see much less:
> 
> $ nfdump -M /var/nfsen/profiles-data/live/wrn-asa1  -T  -r 2014/04/03/nfcapd.201404031445 -n 100 -s proto/bytes
> Top 100 Protocol ordered by bytes:
> Date first seen          Duration Proto          Protocol   Flows(%)     Packets(%)       Bytes(%)         pps      bps   bpp
> 2014-04-03 14:44:59.963   299.827 TCP                   6   15491(35.0)        0( 0.0)  106.1 M( 0.9)        0    2.8 M     0
> 2014-04-03 14:45:16.740   278.051 ESP                  50       37( 0.1)        0( 0.0)    9.6 M( 0.1)        0   274810     0
> 2014-04-03 14:45:00.203   299.597 UDP                  17   28500(64.5)        0( 0.0)    2.5 M( 0.0)        0    67030     0
> 2014-04-03 14:45:08.151   244.776 SCPS                105       15( 0.0)        0( 0.0)    16104( 0.0)        0      526     0
> 2014-04-03 14:45:00.353   299.197 ICMP                  1      172( 0.4)        0( 0.0)    11290( 0.0)        0      301     0
> 
> Summary: total flows: 44215, total bytes: 12090101416, total packets: 0,
> avg bps: 322577971, avg pps: 0, avg bpp: 0
> Time window: 2014-04-03 14:44:59 - 2014-04-03 14:49:59
> Total flows processed: 44215, Blocks skipped: 0, Bytes read: 5723064
> Sys: 0.040s flows/second: 1105319.7  Wall: 0.038s flows/second: 1157097.2
> 
> Notice that under "summary" it shows total bytes 12GB. But TCP is only
> 106MB, representing 0.9% of the total, and the other protocols much
> less. Where is everything else? What is nfdump adding to get the 'total
> bytes' figure?
> 
> The total number of flows is correct! And if I exclude the protocols
> listed above, I get nothing:
> 
> $ nfdump -M /var/nfsen/profiles-data/live/wrn-asa1  -T  -r 2014/04/03/nfcapd.201404031445 -c 100 'not proto tcp and not proto esp and not proto udp and not proto scps and not proto icmp'
> Date first seen          Event  XEvent Proto      Src IP Addr:Port          Dst IP Addr:Port     X-Src IP Addr:Port        X-Dst IP Addr:Port   In Byte Out Byte
> Summary: total flows: 0, total bytes: 0, total packets: 0, avg bps: 0,
> avg pps: 0, avg bpp: 0
> Time window: 2014-04-03 14:44:59 - 2014-04-03 14:49:59
> Total flows processed: 44215, Blocks skipped: 0, Bytes read: 5723064
> 
> Using some Perl to add up the raw data I get around 1.2GB in total:
> 
> $ nfdump -M /var/nfsen/profiles-data/live/wrn-asa1  -T  -r 2014/04/03/nfcapd.201404031445 | perl -ne 'if (/\s+(\d+)\s+(\d+)$/) { $in+=$1,$out+=$2; } END { print "in=$in,out=$out\n"; }'
> in=35021687,out=1196947214
> 
> Or about 0.5GB if I look only at flow DELETE records:
> 
> $ nfdump -M /var/nfsen/profiles-data/live/wrn-asa1  -T  -r 2014/04/03/nfcapd.201404031445 | grep DELETE | perl -ne 'if (/\s+(\d+)\s+(\d+)$/) { $in+=$1,$out+=$2; } END { print "in=$in,out=$out\n"; }'
> in=18751754,out=475720863
> 
> Neither matches with either the total shown by nfdump, or the total of
> the -s proto/bytes figures.
> 
> Any suggestions? I can send the file to the author privately if requested.
> 
> Thanks,
> 
> Brian.
> 
> _______________________________________________
> Nfdump-discuss mailing list
> Nfdump-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
> 

-- 
Be nice to your netflow data
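To see the two views Peter describes side by side, here is an added Python example (not nfdump code and not part of this thread) that parses the output of his suggested `-o "fmt:%ts %evt %xevt %pr %sap -> %dap %ibyt %obyt %fl"` command and totals `%ibyt` alone per protocol, as `-s proto/bytes` does, against `%ibyt + %obyt`, as the summary line does. The sample records are constructed, and treating nfdump's `K`/`M`/`G` suffixes as decimal multipliers is an assumption; exporting plain integers avoids that rounding altogether.

```python
"""Reconcile nfdump NSEL byte counters: per-protocol totals from %ibyt only
(what -s proto/bytes reports) versus %ibyt + %obyt (what the summary line adds).
Added example, not nfdump code; the sample records below are constructed."""
import re
from collections import defaultdict

# Constructed sample records in the layout produced by
#   nfdump -r <file> -o "fmt:%ts %evt %xevt %pr %sap -> %dap %ibyt %obyt %fl"
# Addresses, counters and events are made up for illustration.
SAMPLE = """\
2014-04-03 14:44:59.963 DELETE 2 TCP 10.0.0.5:51234 -> 192.0.2.10:443 1540 98230 1
2014-04-03 14:45:01.120 DELETE 2 TCP 10.0.0.7:40022 -> 192.0.2.20:80 820 45100 1
2014-04-03 14:45:03.450 CREATE 1 UDP 10.0.0.9:5353 -> 10.0.0.255:5353 0 0 1
2014-04-03 14:45:04.001 DELETE 2 UDP 10.0.0.3:53412 -> 192.0.2.53:53 90 310 1
2014-04-03 14:45:16.740 DELETE 2 ESP 198.51.100.2:0 -> 203.0.113.4:0 2048 1024 1
2014-04-03 14:45:20.200 DENIED 3 TCP 10.0.0.11:52001 -> 192.0.2.40:443 0 0 1
"""

# A counter is either a plain integer or nfdump's scaled form such as "106.1 M".
_COUNT = r"\d+(?:\.\d+)?(?: [KMGT])?"
_RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<evt>\S+)\s+(?P<xevt>\d+)\s+(?P<pr>\S+)\s+"
    r"(?P<sap>\S+)\s+->\s+(?P<dap>\S+)\s+"
    rf"(?P<ibyt>{_COUNT})\s+(?P<obyt>{_COUNT})\s+(?P<fl>\d+)\s*$"
)
# Assumption: scaled values use decimal multipliers. Scaled output is rounded,
# so prefer plain integers when the numbers have to add up exactly.
_SCALE = {"K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}


def parse_count(text):
    """Turn '1540' or '106.1 M' into an integer byte count."""
    parts = text.split()
    if len(parts) == 1:
        return int(float(parts[0]))
    return int(round(float(parts[0]) * _SCALE[parts[1]]))


def parse_records(text):
    """Yield one dict per well-formed flow record; header and summary lines
    do not match the pattern and are skipped."""
    for line in text.splitlines():
        m = _RECORD.match(line)
        if m:
            rec = m.groupdict()
            rec["ibyt"] = parse_count(rec["ibyt"])
            rec["obyt"] = parse_count(rec["obyt"])
            rec["fl"] = int(rec["fl"])
            yield rec


def reconcile(text):
    """Aggregate the way the two nfdump views do: the statistic view sums only
    incoming bytes per protocol, the summary line sums incoming + outgoing."""
    per_proto = defaultdict(lambda: [0, 0])
    for rec in parse_records(text):
        per_proto[rec["pr"]][0] += rec["ibyt"]
        per_proto[rec["pr"]][1] += rec["obyt"]
    stat_total = sum(i for i, _ in per_proto.values())
    summary_total = sum(i + o for i, o in per_proto.values())
    return {
        "per_proto": {p: tuple(v) for p, v in per_proto.items()},
        "stat_total": stat_total,
        "summary_total": summary_total,
    }


if __name__ == "__main__":
    r = reconcile(SAMPLE)
    for proto, (i, o) in sorted(r["per_proto"].items()):
        print(f"{proto:5} in={i:>8} out={o:>8} in+out={i + o:>8}")
    print(f"statistic view (in only): {r['stat_total']}")
    print(f"summary view (in + out):  {r['summary_total']}")
```

Pipe real nfdump output into `reconcile()` instead of `SAMPLE` and the gap between `stat_total` and `summary_total` is exactly the outgoing-byte volume that the per-protocol statistic leaves out; if the two differ by more than that, the exporter is not the only thing to check.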
