Hello Peter,

I have a script that every 5 minutes runs the following command:

  nfdump -r /opt/data/netflow/live/nfcapd.time_stamp -n 5 -s dstip:p/pps -l 1000

Most of the time the output is fine, but from time to time I get a record like this in the list:

  Date first seen  Duration  Proto  Dst IP Addr  Flows  Packets  Bytes  pps  bps  bpp
  291 290 282 2009-09-08 15:41:50.129 4295023.076 TCP xx.xx.xx.xx 5056 13858 673426 0 1 48 228 225
I looked at all the flows for that particular IP and found this particular one:

  Date flow start          Duration     Proto  Src IP Addr:Port          Dst IP Addr:Port   Packets  Bytes  Flows
  2009-09-08 15:42:46.333  4294966.872  TCP    187.47.192.161:49831  ->  xx.xx.xx.xx:14823  3        144    1

  Summary: total flows: 1, total bytes: 144, total packets: 3, avg bps: 0, avg pps: 0, avg bpp: 48
  Time window: 2009-09-08 15:11:56 - 2009-10-28 08:45:33
  Total flows processed: 1438830, Records skipped: 0, Bytes read: 74820240
  Sys: 0.076s flows/second: 18689016.5  Wall: 0.076s flows/second: 18909083.7

Or in raw format:

  Flow Record:
    Flags      = 0x00000000
    size       = 52
    mark       = 0
    srcaddr    = 187.47.192.161
    dstaddr    = xx.xx.xx.xx
    first      = 1252438966 [2009-09-08 15:42:46]
    last       = 1256733933 [2009-10-28 08:45:33]
    msec_first = 333
    msec_last  = 205
    dir        = 0
    tcp_flags  = 0x 2 ....S.
    prot       = 6
    tos        = 0
    input      = 188
    output     = 0
    srcas      = 0
    dstas      = 0
    srcport    = 49831
    dstport    = 14823
    dPkts      = 3
    dOctets    = 144

  Summary: total flows: 1, total bytes: 144, total packets: 3, avg bps: 0, avg pps: 0, avg bpp: 48
  Time window: 2009-09-08 15:11:56 - 2009-10-28 08:45:33
  Total flows processed: 1438830, Records skipped: 0, Bytes read: 74820240
  Sys: 0.072s flows/second: 19713240.5  Wall: 0.071s flows/second: 20115619.1

I think that the stats are good and that IP should be in the top 5 list, but for some reason that particular flow messes the output up. However, it seems that it generates the right stats but for some reason it doesn't display them right. Or it uses a different algorithm to generate the stats and another algorithm for the output.

Is this a known issue? Is there a workaround, or a way to filter out these "invalid" records (flows older than the default aging time)?

I'm using:
  nfdump: Version: 1.5.7
  nfsen-1.3

Thank you,
Bogdan.
_______________________________________________
Nfsen-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
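One way to drop such records before they reach the top-N statistics, as an added example that is not part of the original post or of nfdump/NfSen: a small Python parser for the raw "Flow Record" output shown above that flags a flow whose duration exceeds the exporter's active timeout (1800 s is an assumed value), whose last-seen time lies past the end of the 5-minute nfcapd interval, or whose duration sits within a few seconds of 2^32 ms. The last check is an assumption: 4294966.872 s is within half a second of 4294967.296 s, which is what a 32-bit millisecond counter wrapping would produce.

```python
import re

# Raw nfdump "Flow Record" output, copied from the post above (the masked
# destination address is kept as the post shows it; some fields omitted).
RAW = """Flow Record:
  srcaddr    = 187.47.192.161
  dstaddr    = xx.xx.xx.xx
  first      = 1252438966 [2009-09-08 15:42:46]
  last       = 1256733933 [2009-10-28 08:45:33]
  msec_first = 333
  msec_last  = 205
  prot       = 6
  dPkts      = 3
  dOctets    = 144
"""

FIELD_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)
WRAP_32BIT_MS = 2 ** 32 / 1000.0   # 4294967.296 s; assumption: a 32-bit ms counter wrapped

def parse_flow_records(text):
    """Turn raw nfdump output into one dict (field -> first token) per record."""
    return [dict(FIELD_RE.findall(block)) for block in text.split("Flow Record:")[1:]]

def duration_seconds(rec):
    """Duration as nfdump prints it: (last + msec_last) - (first + msec_first)."""
    first = int(rec["first"]) + int(rec["msec_first"]) / 1000.0
    last = int(rec["last"]) + int(rec["msec_last"]) / 1000.0
    return round(last - first, 3)

def check_record(rec, max_active_seconds=1800, window_end=None, slack=5.0):
    """Return the reasons a record looks implausible (empty list = keep it).
    max_active_seconds is the exporter's active timeout (assumed default);
    window_end is the Unix time at which the nfcapd file's interval ends."""
    reasons = []
    d = duration_seconds(rec)
    if d > max_active_seconds:
        reasons.append("duration %.3f s exceeds active timeout %d s" % (d, max_active_seconds))
    if abs(d - WRAP_32BIT_MS) < slack:
        reasons.append("duration within %.0f s of a 32-bit millisecond wrap" % slack)
    if window_end is not None and int(rec["last"]) > window_end:
        reasons.append("last seen lies after the end of the capture interval")
    return reasons

def split_records(text, **kwargs):
    """Separate plausible records from ones to exclude before computing top-N."""
    kept, dropped = [], []
    for rec in parse_flow_records(text):
        (dropped if check_record(rec, **kwargs) else kept).append(rec)
    return kept, dropped
```

Running the post's record through it with window_end set to the file's start plus 300 s trips all three checks; a normal 30-second flow returns no reasons and is kept.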
