Then my query of duration < 1 should not have given me results with durations in the 200's and better as listed in my original post, right? .. my point is that it looks to me like the duration filter is being disregarded when using the less than operator. I'm missing something basic here I suspect .. Observe..

Filter: duration < 1000000

duration < 1000000
Top 10     IP Addr ordered by flows:
Date first seen          Duration Proto          IP Addr    Flows
Packets    Bytes      pps      bps   bpp
2008-09-23 22:23:57.823   360.852 any      xxx.yyy.zzz.aaa   23081
248500   49.0 M      688    1.1 M   206
Filter: duration < 10000

duration < 1000
Top 10     IP Addr ordered by flows:
Date first seen          Duration Proto          IP Addr    Flows
Packets    Bytes      pps      bps   bpp
2008-09-23 22:24:44.260   312.986 any      xxx.yyy.zzzz.aaa    19445
86390    9.6 M      276   258365   117
Filter: duration < 10

nfdump filter:
duration < 10
Top 10     IP Addr ordered by flows:
Date first seen          Duration Proto          IP Addr    Flows
Packets    Bytes      pps      bps   bpp
2008-09-23 22:24:44.200   300.467 any     xxx.yyy.zzz.aaa    15548
15559    2.1 M       51    58565   141
Filter: duration < 1

nfdump filter:
duration < 1
Top 10     IP Addr ordered by flows:
Date first seen          Duration Proto          IP Addr    Flows
Packets    Bytes      pps      bps   bpp
2008-09-23 22:24:44.200   300.467 any      xxx.yyy.zzz.aaa    15546
15556    2.1 M       51    58560   141
________________________________

From: Adrian Popa [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 24, 2008 10:12 AM
To: Donnelly, Michael (OFT)
Cc: nfsen-discuss@lists.sourceforge.net
Subject: Re: [Nfsen-discuss] NFsen / Nfdump filter by duration question..?
The duration parameter is in milliseconds... Try duration < 1000.

On Wed, Sep 24, 2008 at 4:16 PM, Donnelly, Michael (OFT)
<[EMAIL PROTECTED]> wrote:

Looking to see a report of all "short" conversations by using the Duration parameter in the filter expression.. I get all duration sizes in the results .. Why doesn't this work ?

Filter:  duration < 1

Result:

** nfdump -M /usr/local/nfsen/profiles-data/live/xxxxxx  -T  -r
2008/09/24/nfcapd.200809240845 -n 100 -s record/flows -o long
nfdump filter:
duration < 1
Aggregated flows 16725

Top 100 flows ordered by flows:
Date flow start          Duration Proto      Src IP Addr:Port
Dst 2008-09-24 08:45:26.556   220.003 TCP      xxx.xxx.236.75:443   ->
<SNIP>
2008-09-24 08:45:26.720   219.979 TCP       xxx.xxx.172.6:64297 ->
<SNIP>
2008-09-24 08:46:25.504   180.076 TCP      xxx.xxx.236.75:443   ->
<SNIP>

Thanks!

   Mike D



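As an added example (not code from this thread or from nfdump), the Python below parses the top-N rows quoted above and converts the filter operand from milliseconds, the unit Adrian points to, into the seconds nfdump prints in the Duration column, then checks that the flow counts shrink as the threshold tightens. The sample rows are constructed from the thread's output with a placeholder address.

```python
import re

# Constructed sample: the four filters run above, each paired with the first row of
# its "Top 10 IP Addr ordered by flows" output (the address is a placeholder).
RUNS = [
    ("duration < 1000000",
     "2008-09-23 22:23:57.823   360.852 any      192.0.2.10   23081   248500   49.0 M      688    1.1 M   206"),
    ("duration < 10000",
     "2008-09-23 22:24:44.260   312.986 any      192.0.2.10   19445    86390    9.6 M      276   258365   117"),
    ("duration < 10",
     "2008-09-23 22:24:44.200   300.467 any      192.0.2.10   15548    15559    2.1 M       51    58565   141"),
    ("duration < 1",
     "2008-09-23 22:24:44.200   300.467 any      192.0.2.10   15546    15556    2.1 M       51    58560   141"),
]

FILTER_RE = re.compile(r"^\s*duration\s*(<=|>=|<|>|==)\s*(\d+)\s*$")
ROW_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\d+)")

def filter_threshold_seconds(expr):
    """Return (operator, threshold in seconds) for a 'duration OP N' filter.
    The filter operand is milliseconds while the Duration column is seconds,
    so 'duration < 1' means flows shorter than one millisecond, not one second."""
    m = FILTER_RE.match(expr)
    if not m:
        raise ValueError("not a duration filter: %r" % expr)
    return m.group(1), int(m.group(2)) / 1000.0

def parse_row(line):
    """Parse one statistic row into first-seen time, duration, proto, IP and flows."""
    m = ROW_RE.match(line)
    if not m:
        raise ValueError("unparsable nfdump row: %r" % line)
    return {"first_seen": m.group(1), "duration_s": float(m.group(2)),
            "proto": m.group(3), "ip": m.group(4), "flows": int(m.group(5))}

def check_runs(runs):
    """Order the runs from loosest to tightest threshold and check that the flow
    count never grows as the threshold shrinks: that is the sign the filter is
    applied per flow. A row's Duration spans all flows aggregated into that IP,
    so it is not expected to satisfy the per-flow threshold itself."""
    parsed = []
    for expr, line in runs:
        _op, thr_s = filter_threshold_seconds(expr)
        row = parse_row(line)
        parsed.append((thr_s, row["flows"], row["duration_s"]))
    parsed.sort(key=lambda t: -t[0])
    flows = [p[1] for p in parsed]
    return {"thresholds_s": [p[0] for p in parsed], "flows": flows,
            "filter_applied": all(a >= b for a, b in zip(flows, flows[1:]))}
```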

-----Original Message-----

From: Peter Haag [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 24, 2008 7:00 AM
To: Brown, Robin
Cc: nfsen-discuss@lists.sourceforge.net
Subject: Re: [Nfsen-discuss] Alert email address issue


Hi Robin,
Indeed, there seems to be a bug. Here is the patch:

- --- NfAlert.pm.orig     Wed Sep 24 12:57:47 2008
+++ NfAlert.pm  Wed Sep 24 12:56:35 2008
@@ -1367,7 +1367,7 @@
               $action_email =~ s/^\s+//;
               $action_email =~ s/\s$//;
               foreach my $email_addr ( split /\s*,\s*/, $action_email
) {
- -                       if ( $action_email !~
/^([A-Z0-9]+[._]?){1,}[A-Z0-9]+\@(([A-Z0-9]+[-]?){1,}[A-Z0-9]+\.){1,}[A-
Z]{2,4}$/i ) {
+                       if ( $action_email !~
/^([A-Z0-9]+[._]?){1,}[A-Z0-9\-]+\@(([A-Z0-9]+[-]?){1,}[A-Z0-9]+\.){1,}[
A-Z]{2,4}$/i ) {
                               print $socket $EODATA;
                               print $socket "ERR action_email
'$action_email' not a valid email address\n";
                               return;
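Review bot: the check in this hunk tests the whole $action_email string against the regex even though the loop iterates over $email_addr from the split on commas, so a list of several addresses still fails with "ERR action_email ... not a valid email address" and a single address is re-checked once per iteration; the condition should read "if ( $email_addr !~ /.../i ) {". The fix only adds \- to the final character class of the local part, so a hyphen that is followed by a dot or underscore (first-name.last@...) or a leading hyphen is still rejected. Also, the context line "$action_email =~ s/\s$//;" strips a single trailing whitespace character, unlike the s/^\s+// on the leading side; s/\s+$// would make the two consistent.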



       - Peter

Brown, Robin wrote:
> Hi, nfsen 1.3. I am trying to use an email address in an alert of the
> format
>
> [EMAIL PROTECTED]
>
> Nfsen gives this error:
>
> ERROR: nfsend: action_email '[EMAIL PROTECTED]' not a valid email
> address!
>
> But it is valid.  Is it the '-' or is it the extra part of the domain
> that it doesn't like?  Is there a setting someplace I can change so it
> will accept this as a valid email address?
>
> Thanks and regards,
> Robin Brown
>
>
> ------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Nfsen-discuss mailing list
> Nfsen-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss

--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag,  Security Engineer,  Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA  FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box,  CH-8021   Zurich, Switzerland
E-mail: [EMAIL PROTECTED] Web: http://www.switch.ch/
