-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Eric,


--On September 25, 2007 12:52:05 -0700 Eric Cables <[EMAIL PROTECTED]> wrote:

| I have been using the NetFlow processing tool under the Stats tab in NfSen,
| and I was hoping someone could help explain why I'm seeing discrepancies in
| the time range specified.
|
| Output from command, with pertinent lines:
|
| --
| ** nfdump -M /usr/local/nfsen/profiles-data/live/<<hostname>>  -T  -R
| 2007/09/25/nfcapd.200709251235:2007/09/25/nfcapd.200709251240 -n 20 -s
| record/bytes -A srcip,dstip,dstport -o long -L 1M
|
| <<output omitted>>
|
| Summary: total flows: 13715, total bytes: 55.8 M, total packets: 407076, avg
| bps: 197048, avg pps: 171, avg bpp: 143
| Time window: 2007-09-25 12:05:20 - 2007-09-25 12:44:56
| Total flows processed: 28170, skipped: 0, Bytes read: 1464876
| Sys: 0.089s flows/second: 313553.9   Wall: 0.010s flows/second: 2749634.0
| --
|
| The part I'm having trouble with is that the time window I've selected in
| the graph (12:35 -> 12:40) is not indicated in the Time Window below the
| output (12:05:20 -> 12:44:56, in this case).

Nfdump collects the flows and automatically rotates the files. The files are
named according to the real time period, which means flows collected from
200709251240 - 200709251245 are stored in the file named nfcapd.200709251240.
The flows themselves also have time stamps, which describe the flows: the time
a flow starts and the time a flow ends. The time window nfdump reports is taken
directly from the flow records and describes the overall time span of all flows
seen in this file. In your case it means the earliest flow starts at 2007-09-25
12:05:20, the latest ends at 2007-09-25 12:44:56. So everything looks normal.
As the earliest starts around 15 min earlier, this means your timeout for
active flows could be 15 min.

For best adjustment to NfSen and nfdump, you should set the timeouts not longer
than 5 min, otherwise you may get spiky graphs in 15 min intervals.

To make a long story short: the file name gives the time span the flows were
collected; the time window reported by nfdump gives the time span the flows
were active. They may be filtered/selected by using -t.

    - Peter
|
| Is this normal?  Am I just interpreting the output incorrectly?  I want to
| process netflow data on specific time windows, but the above makes me wonder
| which time range the data is being parsed from.
|
| Thanks in advance...
|
| --
| Eric Cables



--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag,  Security Engineer,  Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA  FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box,  CH-8021   Zurich, Switzerland
E-mail: [EMAIL PROTECTED] Web: http://www.switch.ch/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)

iQCVAwUBRvuSJP5AbZRALNr/AQINPgQAlbRjeEroQwiMqTgY/mj8xB4J1gZ9pvCH
H+kVCfvikC3vOVDwPceSIIqyDQxXcunRZ5jrzESSDCM7Qx1IkTntDbl2eKRNVTHq
aZI2JtFO0YHDywBpEvbhgY5W5T7kyPuMOnbOPybC7U1uNEgOpiWzJtf/6YufOV7j
qSfr7SirhX8=
=lpMJ
-----END PGP SIGNATURE-----
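The distinction Peter draws above (file name = collection slot, "Time window" = earliest flow start to latest flow end, -t = selection by flow activity) is easy to see with a small model. The following is an added example written for this page; it is not code from the post, from nfdump or from NfSen. It assumes (my assumptions, not the post's) that a file nfcapd.YYYYMMDDhhmm holds the records the collector received during the 5-minute slot starting at that minute, that each record carries its own first/last timestamps, and that a -t style selection keeps a flow whose active interval overlaps the requested window. The flow records, the helper names and the overlap rule are constructed for illustration; check the nfdump man page of your version for the exact -t matching rule.

```python
"""Model of nfdump file slots vs. the reported 'Time window' (added example)."""
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional, Tuple

SLOT = timedelta(minutes=5)           # nfcapd rotation interval (NfSen default)
FILE_FMT = "nfcapd.%Y%m%d%H%M"        # nfcapd.200709251240 etc.


class Flow(NamedTuple):
    first: datetime      # flow start, carried in the record
    last: datetime       # flow end, carried in the record
    exported: datetime   # when the exporter sent it -> decides which file it lands in
    bytes: int


def capture_file_name(exported: datetime) -> str:
    """File name of the 5-minute slot an exported record is written to (assumed rule)."""
    slot_start = exported.replace(second=0, microsecond=0)
    slot_start -= timedelta(minutes=slot_start.minute % 5)
    return slot_start.strftime(FILE_FMT)


def files_in_range(first_file: str, last_file: str) -> List[str]:
    """Expand an '-R first:last' argument into every file name in between."""
    t, end = datetime.strptime(first_file, FILE_FMT), datetime.strptime(last_file, FILE_FMT)
    names = []
    while t <= end:
        names.append(t.strftime(FILE_FMT))
        t += SLOT
    return names


def collected_window(files: List[str]) -> Tuple[datetime, datetime]:
    """Wall-clock span during which the selected files were collected."""
    starts = [datetime.strptime(f, FILE_FMT) for f in files]
    return min(starts), max(starts) + SLOT


def reported_time_window(flows: List[Flow]) -> Tuple[datetime, datetime]:
    """What nfdump prints as 'Time window': earliest first .. latest last."""
    return min(f.first for f in flows), max(f.last for f in flows)


def select_by_time(flows: List[Flow], tstart: datetime, tend: datetime) -> List[Flow]:
    """-t style selection (assumed overlap semantics): flow active inside [tstart, tend]."""
    return [f for f in flows if f.first <= tend and f.last >= tstart]


def run_query(flows: List[Flow], first_file: str, last_file: str,
              tstart: Optional[datetime] = None, tend: Optional[datetime] = None) -> Dict:
    """Mimic 'nfdump -R first:last [-t tstart-tend]' on in-memory records."""
    files = files_in_range(first_file, last_file)
    wanted = set(files)
    read = [f for f in flows if capture_file_name(f.exported) in wanted]
    selected = read if tstart is None else select_by_time(read, tstart, tend)
    return {
        "files": files,
        "collected": collected_window(files),       # from the file names
        "processed": len(read),                     # 'Total flows processed'
        "time_window": reported_time_window(read),  # from the records
        "selected": len(selected),
        "bytes": sum(f.bytes for f in selected),
    }


def at(h: int, m: int, s: int = 0) -> datetime:
    return datetime(2007, 9, 25, h, m, s)


# Constructed sample records (not real data): one long-lived flow that started
# at 12:05:20 but was only exported after it ended at 12:40:10, so it lands in
# nfcapd.200709251240 and drags the reported 'Time window' back by 30 minutes.
FLOWS = [
    Flow(at(12, 5, 20), at(12, 40, 10), at(12, 40, 12), 9_000_000),
    Flow(at(12, 34, 30), at(12, 34, 59), at(12, 35, 1), 1_200),      # ended before 12:35, exported after
    Flow(at(12, 36, 0), at(12, 37, 30), at(12, 37, 31), 50_000),
    Flow(at(12, 41, 5), at(12, 44, 56), at(12, 44, 58), 300_000),
    Flow(at(12, 46, 0), at(12, 47, 0), at(12, 47, 2), 10_000),      # next slot, not read
]

if __name__ == "__main__":
    r = run_query(FLOWS, "nfcapd.200709251235", "nfcapd.200709251240")
    print("files read:   ", r["files"])
    print("collected:    ", r["collected"][0], "-", r["collected"][1])
    print("Time window:  ", r["time_window"][0], "-", r["time_window"][1])
    r = run_query(FLOWS, "nfcapd.200709251235", "nfcapd.200709251240", at(12, 35), at(12, 40))
    print("with -t 12:35-12:40:", r["selected"], "flows,", r["bytes"], "bytes")
```

Running it reproduces the shape of the output in the question: two files covering 12:35-12:45 are read, yet the reported window starts at 12:05:20 because of the long-lived record. Adding the -t selection drops the flow that ended before 12:35 and the one that started after 12:40, which is what "process netflow data on specific time windows" actually requires.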


_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
