Hi Nick,

nfdump can do this by adding ':p'

nfdump .. -s dstport:p/flows

The interface does not offer this option but can easily be implemented.

Regards

 - Peter

On 23.10.16 22:07, Nikolaos Milas wrote:
> Hello,
>
> I am using nfdump from within nfsen (1.3.6p1), but I am showing here the
> produced nfdump query:
>
> When we do Stat TopN (e.g. from a particular src address) to identify
> destination ports sorted by flows, then the query becomes (example):
>
> ** nfdump -M /data/nfsen/profiles-data/live/thi -T -R
> 2016/10/23/nfcapd.201610232235:2016/10/23/nfcapd.201610232240 -n 50 -s
> dstport/flows
> nfdump filter: (( ident thi) and (OUT IF 32) or ( ident thi) and (IN IF
> 32)) and ( src ip 194.177.194.192 )
>
> This produces a result like:
>
> Top 50 Dst Port ordered by flows:
>
> Date first seen          Duration Proto  Dst Port  Flows(%)  Packets(%)  Bytes(%)   pps     bps  bpp
> 2016-10-23 22:35:36.080   388.864 any         778  12(80.0)  12(44.4)    868(33.9)    0      17   72
> 2016-10-23 22:38:40.336     0.140 any       52974   1( 6.7)   5(18.5)    563(22.0)   35   32171  112
> 2016-10-23 22:41:24.812     0.012 any       51310   1( 6.7)   5(18.5)    563(22.0)  416  375333  112
> 2016-10-23 22:35:24.780     0.008 any       51187   1( 6.7)   5(18.5)    563(22.0)  625  563000  112
>
> Summary: total flows: 15, total bytes: 2557, total packets: 27, avg bps: 51, avg pps: 0, avg bpp: 94
> Time window: 2016-10-23 22:30:00 - 2016-10-23 22:44:58
> Total flows processed: 37123, Blocks skipped: 0, Bytes read: 2376128
> Sys: 0.009s flows/second: 3713042.6 Wall: 0.007s flows/second: 5007148.6
>
>
> I would like to request that this output report include the Protocol
> info. For example, above the first entry should be ICMP and the last
> three should be TCP.
>
> The same of course should be done for all similar reports, e.g. when
> producing stats for Any IP Address, Dst IP Address, Src Port, etc.
>
> Currently such info is not displayed and that causes the need for
> additional queries to identify protocols for statistical (Stat TopN) data.
>
> I am posting this to nfdump mailing list, thinking the issue is related
> to it. If you think it should rather be posted to nfsen mailing list,
> please let me know.
>
> Thanks,
> Nick
>
> _______________________________________________
> Nfdump-discuss mailing list
> Nfdump-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss

-- 
Be nice to your netflow data. Use NfSen and nfdump :)
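
Added example, not part of the thread and not nfdump's own code: a Python model of the grouping difference between `-s dstport/flows` and `-s dstport:p/flows`, run over constructed flow records that mirror the table in the quoted message. The `top_n` and `icmp_type_code` helpers are hypothetical names, and the ICMP decoding assumes the exporter packs type and code into the destination port field as type * 256 + code, as NetFlow v5 exporters commonly do.

```python
from collections import Counter

# Constructed sample mirroring the thread's table: (protocol, dst_port) per flow.
# Protocols follow the description in the quoted message (first entry ICMP,
# the other three TCP).
FLOWS = [("ICMP", 778)] * 12 + [("TCP", 52974), ("TCP", 51310), ("TCP", 51187)]


def top_n(flows, n=50, split_proto=False):
    """Rank destination ports by flow count.

    split_proto=False models '-s dstport/flows' (protocol column reads 'any');
    split_proto=True models '-s dstport:p/flows' (one row per protocol and port).
    """
    counts = Counter(
        (proto if split_proto else "any", port) for proto, port in flows
    )
    total = sum(counts.values())
    # Highest flow count first; ties broken by (protocol, port) for stable output.
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]
    return [(p, port, c, round(100.0 * c / total, 1)) for (p, port), c in ranked]


def icmp_type_code(dst_port):
    """Assumption: ICMP type/code is encoded in dst port as type * 256 + code."""
    return divmod(dst_port, 256)


if __name__ == "__main__":
    for split in (False, True):
        print("dstport:p/flows" if split else "dstport/flows")
        for proto, port, flows, pct in top_n(FLOWS, split_proto=split):
            note = ""
            if proto == "ICMP":
                note = "  (ICMP type %d, code %d)" % icmp_type_code(port)
            print(f"  {proto:<5} {port:>6} {flows:>4} ({pct:4.1f}%){note}")
```

Under that encoding assumption, the "port" 778 in the first row is not a port at all but ICMP type 3, code 10, which is why a protocol-blind TopN needs a follow-up query to interpret.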