Salue Cedric,
Most likely the disk full event resulted in data garbage written to the
file. What really is written in an event like this depends on your
underlying OS. As I do not see the corrupt file header message, I assume
that the beginning of the file seems ok. What you can do is read/rewrite the
file, which results in the same error messages below, but writes a new
file with the clean records found so far. nfdump tries to resync the data
stream as well as possible, but all the damaged records are skipped and
are lost and cannot be reconstructed.
To rebuild the file, simply do a
    ./nfdump -r file -w newfile
and then rename newfile back to file.
- Peter
Hello,
I've got a problem, since this night, on my nfsen/nfdump configuration.
Here is the log message I can read if I run this command:
/usr/local/bin/nfdump -R /data/nfsen/profiles/live/cs7204/nfcapd.200701230010:nfcapd.200701231000 -n 20 -s srcip/bytes 'in if 1 or in if 5 or in if 4 or inif 9'
Short read for netflow records: Expected 839904, got 224992 bytes!
Can't process block type 20159
Short read for netflow records: Expected 393728, got 229076 bytes!
Can't process block type 20446
Short read for netflow records: Expected 393728, got 130772 bytes!
Can't process block type 21963
Can't process block type 20
Can't process block type 25670
Can't process block type 71
Can't process block type 392
Can't process block type 4096
Can't process block type 0
Corrupt data file: Requested buffer size 1083401286 exceeds max. buffer size.
Top 20 Src IP Addr ordered by bytes:
Date first seen         Duration Proto     Src IP Addr    Flows  Packets    Bytes   pps      bps   bpp
2007-01-23 00:05:29.820 2663.276 any    195.220.94.166    71311    1.1 M    1.4 G   450    4.4 M  1291
2007-01-23 00:05:54.864 2620.180 any      129.20.44.17      236   452483  527.3 M   172    1.6 M  1222
2007-01-23 00:05:21.932 2428.376 any     129.20.128.60       27   253225  214.2 M   104   739800   886
2007-01-23 00:06:53.000 2579.840 any      129.20.161.7     4989   153515  174.2 M    59   566461  1189
2007-01-23 00:05:53.980 2638.376 any     129.20.36.193     7110   120356  124.7 M    45   396582  1086
2007-01-23 00:06:55.268 2575.940 any    195.220.94.165     4200   215875   73.4 M    83   238944   356
2007-01-23 00:08:23.264 2476.768 any    129.20.129.194      637    89478   70.3 M    36   237953   823
2007-01-23 00:08:35.744 2477.636 any    129.20.131.149     3150    61941   69.0 M    25   233649  1168
2007-01-23 00:10:15.412 2140.212 any      129.20.161.9       73    42046   56.4 M    19   221085  1406
2007-01-23 00:07:27.288 2537.428 any    129.20.157.221      500    93269   53.2 M    36   175965   598
2007-01-23 00:09:44.744 2410.808 any     129.20.128.64    11270   117785   49.2 M    48   171107   437
2007-01-23 00:08:55.324 2455.448 any    148.60.213.159     1121    43611   42.4 M    17   144934  1020
2007-01-23 00:09:58.356 2396.168 any    129.20.131.136      685    32328   40.3 M    13   141252  1308
2007-01-23 00:05:23.760 2633.412 any      129.20.53.33      398    37234   40.0 M    14   127447  1126
2007-01-23 00:04:59.668 2692.812 any     129.20.153.40     1409    43701   31.4 M    16    97684   752
2007-01-23 00:08:01.364 2511.580 any     129.20.82.134    70550   101788   30.2 M    40   100739   310
2007-01-23 00:09:40.248 2412.420 any      129.20.82.76    77969    89528   29.7 M    37   103202   347
2007-01-23 00:09:43.700 2409.496 any      129.20.82.62    76978    88582   29.1 M    36   101308   344
2007-01-23 00:09:42.756 2410.000 any      129.20.82.30    77698    88975   29.0 M    36   100808   341
2007-01-23 00:09:42.252 2411.712 any       129.20.82.3    77338    88849   28.8 M    36   100294   340
Summary: total flows: 19097490, total bytes: 7.4 G, total packets: 24.4 M, avg bps: 22.5 M, avg pps: 9496, avg bpp: 311
Time window: 2007-01-23 00:04:59 - 2007-01-23 00:49:55
Total flows processed: 19544886, skipped: 9, Bytes read: 1016371176
Sys: 3.258s flows/second: 5998116.3 Wall: 3.262s flows/second: 5991537.3
Before this problem, the data partition was full, could it be the
reason of the data files corruption?
Is there a way to rebuild them?
Thanks for your replies
Cedric
--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Limmatquai 138, CH-8001 Zurich, Switzerland
E-mail: [EMAIL PROTECTED] Web: http://www.switch.ch/
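
The read/rewrite rebuild described in the reply, applied to a whole profile directory, as an added example that is not part of the original mail or of nfdump. It rewrites only files for which nfdump prints one of the error messages quoted in the thread and keeps each original; the function names, the `NFDUMP` variable and the `.damaged` suffix are assumptions.

```sh
#!/bin/sh
# Added example, not part of nfdump. NFDUMP may name another binary.
NFDUMP="${NFDUMP:-nfdump}"

# Succeeds if the nfdump stderr text on stdin contains one of the
# damage messages quoted in the thread.
is_damaged() {
    grep -Eq "^(Short read for netflow records|Can't process block type|Corrupt data file)"
}

# rebuild_file FILE: re-read FILE and write the records nfdump can
# still parse to a temporary file. If nfdump reported damage, keep the
# original as FILE.damaged and move the clean copy into its place.
# Returns 0 = rebuilt, 1 = file was clean, 2 = rewrite failed.
rebuild_file() {
    file=$1
    new="$file.rebuild.$$"
    err="$file.err.$$"
    result=1
    # nfdump's exit status is ignored; the decision rests on its
    # messages and on whether it produced a non-empty output file.
    "$NFDUMP" -r "$file" -w "$new" 2>"$err" || :
    if [ ! -s "$new" ]; then
        result=2
    elif is_damaged <"$err"; then
        if mv "$file" "$file.damaged" && mv "$new" "$file"; then
            result=0
        else
            result=2
        fi
    fi
    rm -f "$new" "$err"
    return "$result"
}

# rebuild_dir DIR: run rebuild_file over every nfcapd.* file in DIR
# and print how many files were rebuilt.
rebuild_dir() {
    count=0
    for f in "$1"/nfcapd.*; do
        case $f in *.damaged|*.rebuild.*|*.err.*) continue ;; esac
        [ -f "$f" ] || continue
        if rebuild_file "$f"; then count=$((count + 1)); fi
    done
    echo "$count"
}

# Usage after sourcing: rebuild_dir /data/nfsen/profiles/live/cs7204
```

The rewrite needs free space on the partition for a second copy of each file, so clear the disk-full condition before running it.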