Hello,
If I am not wrong, this problem doesn't have anything to do with the NfSen
version but with the nfdump version. It seems nfdump-1.5.2 changed the
way the output is shown, as you described.
Cheers,
Chelo
James J. Barlow wrote:
>I don't know if anyone else has run into this problem yet, but it caused
>quite a bit of painful debugging to finally track it down. Also, unless I
>missed something, I didn't see any notification of this change with the
>latest release of NfSen.
>
>The change I am referring to is the output of an nfdump search. The last few
>lines of a search used to look something like:
>
>Time window: Nov 14 2006 08:37:10 - Jan 03 2007 02:52:23
>Flows analysed: 112414 matched: 2, Bytes read: 5493581
>Sys: 0.040s flows/second: 2810350.0 Wall: 0.039s flows/second: 2848375.8
>
>
>We recently upgraded to 1.2.4 and the output now looks something like:
>
>Summary: total flows: 2, total bytes: 522, total packets: 3, avg bps: 0, avg pps: 0, avg bpp: 174
>Time window: 2006-12-20 04:00:08 - 2007-02-07 22:07:30
>Total flows processed: 71529, skipped: 0, Bytes read: 3739042
>Sys: 0.770s flows/second: 92894.8 Wall: 0.762s flows/second: 93826.2
>
>
>The reason this is a big deal is that all of the nfsen modules that we
>use were written using the demoplugin.pm as a template. And the demo plugin
>determines if there are any flows found on a search (in order to then send an
>email alert) by using the second to last line of the nfdump output.
>
>Here is the code in the demoplugin:
>
> if ( $output[-2] =~ /matched:\s+(\d+)/ ) {
>
>However, once the output changed with version 1.2.4, all the plugins no
>longer worked because it no longer matches the correct expression. So the
>change that's needed is to modify the above line (in all plugins that have it)
>to the following:
>
> if ( $output[-4] =~ /total flows:\s+(\d+)/ ) {
>
>(You'll also want to change the other -2 references to -4 in the modules.)
>
>The reason this caused us so much pain was because along with the NfSen upgrade
>we upgraded perl and many of the modules it uses. Then, after a week or
>so, when we realized that we were not getting any notices and started debugging
>things, we started thinking it was the perl version or modules that were the
>problem. So to make a long story short we finally tested and wrote quick
>scripts to test all manner of perl modules, then the NfSen Notification.pm,
>then finally worked our way back to the plugins themselves and discovered
>the "simple" fix.
>
>So Peter (or any future developers), PLEASE put in a notification somewhere
>if this ever changes again.
>
>
>P.S. The current demoplugin.pm in the 1.2.4 release still needs to be fixed
> for the correction above.
>
>
>
>
--
"Brute force can be tolerated, but brute reason is unbearable."
Oscar Wilde
_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss