Could you please send me this output in a text file offlist, so it does
not get scrambled by mail. If possible send me an nfcapd.x file.

        - Peter

Bogdan Dumitriu wrote:
> Hello Peter,
>  
> I have a script that every 5 minutes runs the following command:
>  
> "nfdump -r /opt/data/netflow/live/nfcapd.time_stamp -n 5 -s dstip:p/pps -l 1000"
>  
> Most of the time the output is fine, but from time to time I get a
> record like this in the list:
>  
> Date first seen          Duration Proto      Dst IP Addr    Flows Packets    Bytes      pps      bps   bpp
>  
> 291
>  
> 290
>  
> 282
> 2009-09-08 15:41:50.129 4295023.076 TCP        xx.xx.xx.xx     5056 13858   673426        0        1    48
>  
> 228
>  
> 225
>  
> 
> I looked at all the flows for that particular IP and found this
> particular one:
>  
> Date flow start          Duration Proto      Src IP Addr:Port Dst IP Addr:Port   Packets    Bytes Flows
> 2009-09-08 15:42:46.333 4294966.872 TCP     187.47.192.161:49831 -> xx.xx.xx.xx:14823        3      144     1
> Summary: total flows: 1, total bytes: 144, total packets: 3, avg bps: 0, avg pps: 0, avg bpp: 48
> Time window: 2009-09-08 15:11:56 - 2009-10-28 08:45:33
> Total flows processed: 1438830, Records skipped: 0, Bytes read: 74820240
> Sys: 0.076s flows/second: 18689016.5 Wall: 0.076s flows/second: 18909083.7
>  
> Or in raw format:
>  
> Flow Record:
>   Flags       =       0x00000000
>   size        =               52
>   mark        =                0
>   srcaddr     =   187.47.192.161
>   dstaddr     =      xx.xx.xx.xx
>   first       =       1252438966 [2009-09-08 15:42:46]
>   last        =       1256733933 [2009-10-28 08:45:33]
>   msec_first  =              333
>   msec_last   =              205
>   dir         =                0
>   tcp_flags   =             0x 2 ....S.
>   prot        =                6
>   tos         =                0
>   input       =              188
>   output      =                0
>   srcas       =                0
>   dstas       =                0
>   srcport     =            49831
>   dstport     =            14823
>   dPkts       =                3
>   dOctets     =              144
>  
> Summary: total flows: 1, total bytes: 144, total packets: 3, avg bps: 0, avg pps: 0, avg bpp: 48
> Time window: 2009-09-08 15:11:56 - 2009-10-28 08:45:33
> Total flows processed: 1438830, Records skipped: 0, Bytes read: 74820240
> Sys: 0.072s flows/second: 19713240.5 Wall: 0.071s flows/second: 20115619.1
>  
>  
>  
> I think that the stats are good and that IP should be in the top 5 list
> but for some reason that particular flow messes the output up.
> 
> However, it seems that it generates the right stats but for some reason it
> doesn't display it right. Or it uses a different algorithm to generate
> the stats and another algorithm for the output.
>  
> Is this a known issue? Is there a workaround, or a way to filter out
> these "invalid" records (flows older than the default aging time)?
> 
> I'm using:
> nfdump: Version: 1.5.7
> nfsen-1.3 
> 
> Thank you,
> Bogdan.
> 
> 
> 
> 
> 
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
> trial. Simplify your report design, integration and deployment - and focus on 
> what you do best, core application coding. Discover what's new with 
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Nfsen-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss

--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag,  Security Engineer,  Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA  FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box,  CH-8021   Zurich, Switzerland
E-mail: [email protected] Web: http://www.switch.ch/
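
One way to screen out records like the one quoted above before computing statistics, as an added example that is not part of the original thread and not nfdump's own code: it parses the raw "Flow Record" layout and flags durations that exceed a maximum flow age. The function names, the 30-minute threshold and the 2**32 ms wrap heuristic are assumptions of this example, and the second sample record is constructed.

```python
import re

# Sample input in nfdump's raw "Flow Record" layout. Record 1 uses the
# timestamps quoted in the thread; record 2 is constructed for contrast.
SAMPLE = """\
Flow Record:
  first       =       1252438966 [2009-09-08 15:42:46]
  last        =       1256733933 [2009-10-28 08:45:33]
  msec_first  =              333
  msec_last   =              205
  dPkts       =                3
Flow Record:
  first       =       1252438966 [2009-09-08 15:42:46]
  last        =       1252438970 [2009-09-08 15:42:50]
  msec_first  =              100
  msec_last   =              600
  dPkts       =               10
"""

FIELD = re.compile(r"^\s*(\w+)\s*=\s*(\d+)", re.M)
WRAP_MS = 2 ** 32               # span of a 32-bit millisecond counter
MAX_AGE_MS = 30 * 60 * 1000     # assumed maximum flow age, adjust to the exporter

def parse_records(text):
    """Split raw output into one dict of integer fields per flow record."""
    return [{k: int(v) for k, v in FIELD.findall(chunk)}
            for chunk in text.split("Flow Record:")[1:]]

def duration_ms(rec):
    """Duration the way the listing shows it: last minus first, in ms."""
    return (rec["last"] - rec["first"]) * 1000 + rec["msec_last"] - rec["msec_first"]

def classify(rec, max_age_ms=MAX_AGE_MS, slack_ms=60_000):
    """Return 'ok', 'too_long', or 'wrap_suspect' for one record."""
    d = duration_ms(rec)
    # Heuristic (assumption): a negative duration, or one within slack_ms of
    # 2**32 ms, looks like a 32-bit millisecond value that wrapped.
    if d < 0 or abs(d - WRAP_MS) <= slack_ms:
        return "wrap_suspect"
    return "too_long" if d > max_age_ms else "ok"

def keep_valid(records, **kw):
    """Drop every record that is not classified 'ok'."""
    return [r for r in records if classify(r, **kw) == "ok"]

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(f"{duration_ms(rec) / 1000:.3f}s", classify(rec))
```

For the record quoted in the thread the computed duration is 4294966.872 s, which is 0.424 s short of 2**32 ms; that is why the example treats it as a suspected wrap rather than a genuinely long flow.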
