-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
- --On March 31, 2008 23:29:57 +0200 Till Dörges <[EMAIL PROTECTED]> wrote: | On 31.03.2008 08:35, Lixin Zou wrote: | | > After checking the log file, I found the error message "nfprofile failed:". | > I made two channel for this profile,and both channel have the same | > filter. In the filter,there are more than 1500 IP. the filter is such as | > "src ip 10.5.24.10 <http://10.5.24.10> or src ip 172.16.1.9 | > <http://172.16.1.9> or ...". There is virtually no limit for nfdump filters as long as your system has enough memory. However, using lists like yours ( or host .. or host .. ) become inefficient if you chain more than ~ 100 hosts. To filter several thousands of IPs use IP lists: host in [1.2.3.4 5.6.7.8 ...] IP lists are implemented as trees and are capable of filtering many thousend of IPs. | > I think the filter is the cause of the problem,because I try to change | > the filter file to make the IP number be less than 1500, and restart the | > nfsen,then the nfsen can work normally. I found that the nfsen can work | > normally if the filter's IP number is less than 1500. but I don't know | > how to fix it. | > | > I use nfsen 1.3b-20070824 + nfdump 1.5.6 on FreeBSD, and I have added | > compile options "--enable-nfprofile" | > | > Any suggestions greatly appreciated! | | There is a length restriction in ArgDecode() in Nfcomm.pm, but the error message | doesn't look like it. Yes - This is most likely the reason. You may change this limit at your own risk. | | If you set the loglevel to debug, NfSen should give you the command that failed | (something starting with "System was: ") immediately after the error message. | | If you post that, it'll be a lot easier to help you. | | | But generally you should update to the latest versions of both NfSen and Nfdump. | Peter is continuously fixing bugs. :-) hmm .. always these bugs ... - Peter | | | Regards -- Till | -- | Dipl.-Inform. Till Dörges [EMAIL PROTECTED] | Senior Researcher Phone: +49 (0)700 / PRESECURE | | PRESECURE Consulting GmbH, Münster AG Münster, HRB 6581 | Geschäftsführer/Managing Director Dr. Klaus-Peter Kossakowski | | CarmentiS - Early Warning Expertise | http://www.carmentis.org | | | ------------------------------------------------------------------------- | Check out the new SourceForge.net Marketplace. | It's the best place to buy or sell services for | just about anything Open Source. | http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace | _______________________________________________ | Nfsen-discuss mailing list | [email protected] | https://lists.sourceforge.net/lists/listinfo/nfsen-discuss - -- _______ SWITCH - The Swiss Education and Research Network ______ Peter Haag, Security Engineer, Member of SWITCH CERT PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7 SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland E-mail: [EMAIL PROTECTED] Web: http://www.switch.ch/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (Darwin) iQCVAwUBR/MrSf5AbZRALNr/AQKzeQP/eWLbd5arupyCykwDe8pyPCu2G2j+Aiv8 CsFuoYMGmQloIjfiXl2oBBKQ8wn0Iv8gDJlBVHcyj7607Inh9uRN5S4IM4cMC4hj NYgIU2mX6CRtHwg+AtWS6j8Ddc+PRReoOp8bNcn44XpWIg7UXNq8Cmvj1201pbMi 34bZIOwZCFs= =UARi -----END PGP SIGNATURE----- ------------------------------------------------------------------------- Check out the new SourceForge.net Marketplace. It's the best place to buy or sell services for just about anything Open Source. http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace _______________________________________________ Nfsen-discuss mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
