That apparently was it.
Creating a temporary file first via:
nfdump -r nfcapd.20161205000 -w temp.bin -f ./filters/temp.txt
and then doing
nfdump -B -r temp.bin -o "fmt: %sa %da %dp %pr"
worked.
Thanks, Brian.
On 12/11/2016 02:22 PM, Brian Candler wrote:
On 06/12/2016 15:39, James A. Klun wrote:this does not work: $ cat filters/temp.txt not ( dst port 53 and proto UDP ) and not ( dst port 53 and proto TCP ) and not ( dst port 161 and proto UDP ) $ nfdump -B -r nfcapd.201612050004 -f ./filters/temp.txt -o "fmt: %sa %da %dp %pr" | grep " 53 " | more produces output of form below - no filtering x.x.x.x y.y.y.y 53 UDP x.x.x.x y.y.y.y 53 UDP< continues >I've tried your filter, and it works for me.I think your problem is with the -B flag which may swap source and destination ports around - that is, if it sees source port < 1024 with dest port > 1024 then it swaps the flows around before making them bidirectional.If that is the problem, it implies that the filtering is taking place *before* the -B port swapping.Regards, Brian.
smime.p7s
Description: S/MIME Cryptographic Signature
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________ Nfdump-discuss mailing list Nfdump-discuss@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
