-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Adrian,
- -------- Original Message -------- From: Adrian Popa <[EMAIL PROTECTED]> To: [email protected] Subject: [Nfsen-discuss] Give a man enough rope... Date: Wed Oct 04 2006 10:37:17 GMT+0200 (CEST) > Hello, > You probably know the saying: Give a man enough rope and he will hang > himself. Well, open-source software is sometimes known to 'give enough > rope'. I'm sorry to say that the same thing can't be said about nfdump. > :-) > > I tried to do a top 10000 (yes, it's big, but that's my problem, > right?), and nfdump wouldn't let me because a valid topN is between 0 > and 1000. So, I set out to remove this barrier, and I managed to do it. > > in nfdump.c (version 1.5.2), at line 1144 I modfied from: > if ((aggregate || flow_stat) && ( topN > 1000 || topN == 0) ) { > to > if ((aggregate || flow_stat) && ( topN > 10000 || topN == 0) ) { > > I recompiled everything, and as magic, it works! (I admit, I was very > surprised that it was so easy to do...) :-) So, you can say that I > manufactured my extra rope... :) > > My question would be: why is this limitation imposed? Because everything > seems to work fine with a greater top... You're right, that the only limit is that line. You may do top 'what_ever_you_want' from the code perspective, as the code does everything dynamically. So way this limitation? This magic boundary was introduced because of speed reason. nfdump uses 2 different sort algorithms for record statistics and record element statistics. You may have noticed, that you can to -n 0 for -s ip, which results in a fully sorted list of IP addresses from your flows. Sorting records uses another algorithm, which is faster for average top N usage ( typically 10 - 100 ), but slower > 1000 and can become very slow for a full sort ( -n 0 ). That's why the limit was set to 1000. So the rope was limited - typically long enough, but too short to hang yourself :) So you see I'm afraid of you health. You may remove any restriction - but don't complain, if the rope gets long enough. Maybe one day I will change that to dynamically selecting the proper faster algorithm, according to -n . Hope this helps. Take care. - Peter > > Sorry for my ranting, > Adrian Popa > > > ------------------------------------------------------------------------ > > ------------------------------------------------------------------------- > Take Surveys. Earn Cash. Influence the Future of IT > Join SourceForge.net's Techsay panel and you'll get the chance to share your > opinions on IT & business topics through brief surveys -- and earn cash > http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV > > > ------------------------------------------------------------------------ > > _______________________________________________ > Nfsen-discuss mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/nfsen-discuss - -- _______ SWITCH - The Swiss Education and Research Network ______ Peter Haag, Security Engineer, Member of SWITCH CERT PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7 SWITCH, Limmatquai 138, CH-8001 Zurich, Switzerland E-mail: [EMAIL PROTECTED] Web: http://www.switch.ch/security -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (Darwin) iQCVAwUBRSN6g/5AbZRALNr/AQIBbwP/ZLNrTcRRntruDlvOzkBR3wD8U0E4/4P0 ZrSKpG8oCMcQBlldi6TJnjReOCF+tzA0U5MZQYjejFaq0RmY3BNUOwxeDAAysplp cAvjN/Rxprh0kTwPgAhMIzIVgqS19B46IIG0j/y0m3y2DZCLOmrMBfP3lU4ZK1Vp 47u+XEGMDvo= =ilHy -----END PGP SIGNATURE----- ------------------------------------------------------------------------- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys -- and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV _______________________________________________ Nfsen-discuss mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
