-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Adrian,
- --On December 27, 2006 9:52:19 +0200 Adrian Popa <[EMAIL PROTECTED]> wrote:
| Hello.
|
| First of all, Happy Holidays!
|
| I have 2 questions:
|
snipp ..
|
| 2. I want to be able to filter floods that come from the same source to
| the same destination, but with different port numbers. These are
| regarded as different flows by nfsen (and cisco), but is there a way to
| aggregate them in statistics (increasing the flows number)? I don't want
| to use the '-s ip/pps' switch, because it would be hard for me to
| differentiate between legitimate traffic for servers and flooding
| attacks (because both have similar values in my case).
|
| Here's an example:
|
| nfdump -M /data/nfsen/profiles/testprofile/7304bb2:7304bcnt2 -R nfcapd.200612251505:nfcapd.200612251615 -n 100 -s record/pps -o extended 'host 86.107.104.28'
Add -A srcip,dstip, which aggregates src and dst IP addresses before doing the
statistics.
Hope this helps.
- Peter
|
| Aggregated flows 65012
| Top 100 flows ordered by pps:
| Date flow start          Duration Proto      Src IP Addr:Port        Dst IP Addr:Port  Flags Tos  Packets    Bytes  pps  bps  Bpp Flows
| ... output omitted ...
| 2006-12-25 15:19:28.585 2276.005 UDP    141.161.3.25:38129 ->   86.107.104.28:9589 .A....   0     3355    97295    1  341   29    15
| 2006-12-25 15:19:37.024 2268.203 UDP    141.161.3.25:38129 ->  86.107.104.28:47623 .A....   0     3124    90596    1  319   29    14
| 2006-12-25 15:19:35.051 2269.962 UDP    141.161.3.25:38129 ->  86.107.104.28:34898 .A....   0     3403    98687    1  347   29    15
| 2006-12-25 15:19:34.078 2223.652 UDP    141.161.3.25:38129 ->  86.107.104.28:32824 .A....   0     2914    84506    1  304   29    16
| 2006-12-25 15:19:35.057 2222.664 UDP    141.161.3.25:38129 ->  86.107.104.28:36475 .A....   0     3494   101326    1  364   29    15
| 2006-12-25 15:19:38.982 2218.135 UDP    141.161.3.25:38129 ->  86.107.104.28:60941 .A....   0     3115    90335    1  325   29    14
| 2006-12-25 15:19:29.564 2228.963 UDP    141.161.3.25:38129 ->  86.107.104.28:29364 .A....   0     3684   106836    1  383   29    14
| 2006-12-25 15:19:43.364 2214.819 UDP    141.161.3.25:38129 ->  86.107.104.28:15056 .A....   0     3122    90538    1  327   29    14
| 2006-12-25 15:19:30.560 2226.116 UDP    141.161.3.25:38129 ->    86.107.104.28:363 .A....   0     3354    97266    1  349   29    13
| 2006-12-25 15:19:29.567 2228.708 UDP    141.161.3.25:38129 ->  86.107.104.28:34062 .A....   0     3294    95526    1  342   29    13
| 2006-12-25 15:19:28.584 2224.559 UDP    141.161.3.25:38129 ->  86.107.104.28:62463 .A....   0     3080    89320    1  321   29    15
| 2006-12-25 15:19:37.014 2221.000 UDP    141.161.3.25:38129 ->  86.107.104.28:38773 .A....   0     3286    95294    1  343   29    13
| 2006-12-25 15:19:33.102 2225.302 UDP    141.161.3.25:38129 ->  86.107.104.28:60149 .A....   0     3492   101268    1  364   29    14
| 2006-12-25 15:19:49.109 2207.792 UDP    141.161.3.25:38129 ->  86.107.104.28:53962 .A....   0     3446    99934    1  362   29    13
| 2006-12-25 15:19:34.074 2223.695 UDP    141.161.3.25:38129 ->  86.107.104.28:53403 .A....   0     3423    99267    1  357   29    21
|
| ... output omitted ...
|
| I know I can filter duration and source/destination using a perl module
| (as a plugin), but I'm afraid it may be too intensive and sluggish for
| the hardware I use, so I hope there's a way to do it using nfdump.
|
| Thanks for your time
|
| Adrian Popa
|
|
| -------------------------------------------------------------------------
| Take Surveys. Earn Cash. Influence the Future of IT
| Join SourceForge.net's Techsay panel and you'll get the chance to share your
| opinions on IT & business topics through brief surveys - and earn cash
| http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
| _______________________________________________
| Nfsen-discuss mailing list
| [email protected]
| https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
- --
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Limmatquai 138, CH-8001 Zurich, Switzerland
E-mail: [EMAIL PROTECTED] Web: http://www.switch.ch/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)
iQCVAwUBRZKQsv5AbZRALNr/AQICwAP/dcqZVbqVvIqhWP8ShdxaaItIxuVOdU+m
1ZmZx6hrc6UQodVZLJxhhyOcXGAjt6164iB/1NludLJkHEhqW9AaFPHybcUMydLI
97hCfsaBbLNZoL7VfL/p2vkOpIgVwY9TWOERY9W315n+kuuLVFkBwZrCMj3pXess
2m0kOWuN7mE=
=d1kt
-----END PGP SIGNATURE-----
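To show what the suggested `-A srcip,dstip` aggregation buys a defender, here is an added Python example that is not part of this thread and not nfdump or nfsen code. It collapses `-o extended` style records that differ only in destination port into one aggregate per (source IP, destination IP) pair, so the aggregate's flow count and distinct-port count separate the port-spraying UDP flood in Adrian's output from ordinary traffic to a busy server. The column layout is taken from the quoted output; the TCP row and the `min_ports` threshold are constructed assumptions.

```python
"""Group nfdump-style flow records by (source IP, destination IP).

Added example, not code from this thread or from nfdump/nfsen. It does in
Python what `nfdump -A srcip,dstip` does before computing statistics: flows
that differ only in destination port collapse into one aggregate, whose
flow count and distinct-port count expose a port-spraying flood. The UDP
records are copied from the quoted output; the TCP row and the min_ports
threshold are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample in the quoted column order:
# date start duration proto src -> dst flags tos packets bytes pps bps bpp flows
SAMPLE_OUTPUT = """\
2006-12-25 15:19:28.585 2276.005 UDP 141.161.3.25:38129 -> 86.107.104.28:9589 .A.... 0 3355 97295 1 341 29 15
2006-12-25 15:19:37.024 2268.203 UDP 141.161.3.25:38129 -> 86.107.104.28:47623 .A.... 0 3124 90596 1 319 29 14
2006-12-25 15:19:35.051 2269.962 UDP 141.161.3.25:38129 -> 86.107.104.28:34898 .A.... 0 3403 98687 1 347 29 15
2006-12-25 15:19:34.078 2223.652 UDP 141.161.3.25:38129 -> 86.107.104.28:32824 .A.... 0 2914 84506 1 304 29 16
2006-12-25 15:19:30.000 600.000 TCP 10.0.0.5:51000 -> 86.107.104.28:80 .AP.SF 0 4000 3200000 6 42666 800 1
"""

IpPair = Tuple[str, str]


@dataclass
class Flow:
    start: datetime
    duration: float          # seconds
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    bytes: int
    flows: int               # flows already merged into this record


@dataclass
class Aggregate:
    flows: int = 0
    packets: int = 0
    bytes: int = 0
    dst_ports: Set[int] = field(default_factory=set)
    first: Optional[datetime] = None   # earliest flow start
    last: Optional[datetime] = None    # latest flow end

    @property
    def duration(self) -> float:
        if self.first is None or self.last is None:
            return 0.0
        return (self.last - self.first).total_seconds()

    @property
    def pps(self) -> float:
        # Packet rate over the whole aggregate window, like nfdump's pps column.
        return self.packets / self.duration if self.duration > 0 else float(self.packets)


def parse_line(line: str) -> Flow:
    """Parse one `-o extended` style record (assumed 15 whitespace-separated fields)."""
    f = line.split()
    if len(f) != 15 or f[5] != "->":
        raise ValueError(f"unexpected record: {line!r}")
    start = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S.%f")
    src_ip, src_port = f[4].rsplit(":", 1)
    dst_ip, dst_port = f[6].rsplit(":", 1)
    return Flow(start, float(f[2]), f[3], src_ip, int(src_port), dst_ip,
                int(dst_port), int(f[9]), int(f[10]), int(f[14]))


def aggregate_by_ip_pair(lines: Iterable[str]) -> Dict[IpPair, Aggregate]:
    """Merge records by (src IP, dst IP), ignoring ports: the -A srcip,dstip view."""
    table: Dict[IpPair, Aggregate] = {}
    for line in lines:
        if not line.strip():
            continue
        fl = parse_line(line)
        agg = table.setdefault((fl.src_ip, fl.dst_ip), Aggregate())
        agg.flows += fl.flows
        agg.packets += fl.packets
        agg.bytes += fl.bytes
        agg.dst_ports.add(fl.dst_port)
        end = fl.start + timedelta(seconds=fl.duration)
        if agg.first is None or fl.start < agg.first:
            agg.first = fl.start
        if agg.last is None or end > agg.last:
            agg.last = end
    return table


def port_spray_candidates(table: Dict[IpPair, Aggregate], min_ports: int = 3) -> List[IpPair]:
    """Pairs whose flows fan out over many destination ports (threshold is an assumption)."""
    return [pair for pair, agg in table.items() if len(agg.dst_ports) >= min_ports]


if __name__ == "__main__":
    table = aggregate_by_ip_pair(SAMPLE_OUTPUT.splitlines())
    for (src, dst), agg in table.items():
        print(f"{src} -> {dst}: flows={agg.flows} ports={len(agg.dst_ports)} "
              f"packets={agg.packets} pps={agg.pps:.1f}")
    print("port-spray candidates:", port_spray_candidates(table))
```

Per-flow pps is about 1 for every record in the quoted output, which is why `-s ip/pps` cannot tell the flood from server traffic; after aggregation the same pair shows dozens of flows spread over many destination ports while the legitimate client keeps a single port, and that fan-out is the signal to alert on.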