I assume the difference is in your filter: 'dst net 10.1.1.0/24'

Flows which do not pass the filter are discarded. Both commands build an internal flow cache: the first one of all existing flows, whereas the second command only of those for 'dst net 10.1.1.0/24'. This may result in a huge difference in memory usage. nfdump needs to allocate more and more memory, which may slow down your system if it starts paging/swapping. The individual statistics ( -s ) are calculated from the resulting cache.

Hope this helps

        - Peter

On 6/12/12 23:58, John Elliot wrote:
> Thanks Peter.
> 
> 
>> The resulting file of your command is not compressed. Use -z in order to 
>> compress the output.
>> To compress the existing file, run ./nfdump -j netflow_dump.20120606
>> This should considerably shrink the size.
>> Maybe I should make compression the default, as compatibility to those 
>> uncompressed days is long back ....
> 
> 
> Did as you suggested, and the file reduced to ~1.7Gb, which is a huge improvement, but I am unable to run nfdump on that file (unable as in it has now been running for nearly 24 hours, with load average of 4.7), this was with a:
> 
> 
> nfdump  -R netflow_dump.20120606 -a| more
> 
> 
> but, if I run something like:
> 
> 
> nfdump  -R netflow_dump.20120606  'dst net 10.1.1.0/24' -s srcip/bytes -s dstip/bytes -s port/bytes -s record/bytes  -n 20| more
> 
> 
> completes in ~20 seconds?
> 
> 
> Very new to nfdump, so the above may be expected behaviour?
> 
> 
> Cheers.

-- 
--
Be nice to your netflow data
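
A simplified model of the effect described in this message, added here as an illustration: it is not nfdump code and is not from the original thread. The function names, the 5-tuple cache key and the sample flows are assumptions constructed for the example; it shows how dropping flows before they reach the cache shrinks what has to be held in memory.

```python
import ipaddress
import random
from collections import defaultdict

def make_flows(n, seed=1):
    """Constructed sample records: (src, dst, sport, dport, proto, bytes)."""
    rng = random.Random(seed)
    monitored = ipaddress.IPv4Address("10.1.1.0")
    elsewhere = ipaddress.IPv4Address("172.16.0.0")
    flows = []
    for _ in range(n):
        src = ipaddress.IPv4Address(rng.getrandbits(32))
        # About 1 flow in 50 targets 10.1.1.0/24, the rest go to 172.16.0.0/12.
        if rng.randrange(50) == 0:
            dst = monitored + rng.randrange(256)
        else:
            dst = elsewhere + rng.getrandbits(20)
        flows.append((src, dst, rng.randrange(1024, 65536),
                      rng.choice((53, 80, 443)), 6, rng.randrange(40, 1500)))
    return flows

def aggregate(flows, dst_net=None):
    """Build a flow cache keyed on the 5-tuple (assumed key for this model).
    Flows that fail the 'dst net' filter are discarded before caching."""
    net = ipaddress.ip_network(dst_net) if dst_net else None
    cache = defaultdict(lambda: [0, 0])  # key -> [flow count, byte count]
    for src, dst, sport, dport, proto, nbytes in flows:
        if net is not None and dst not in net:
            continue
        entry = cache[(src, dst, sport, dport, proto)]
        entry[0] += 1
        entry[1] += nbytes
    return cache

def top_dst_bytes(cache, n):
    """Top-n destination addresses by bytes, computed from the cache."""
    totals = defaultdict(int)
    for key, (_, nbytes) in cache.items():
        totals[key[1]] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]

if __name__ == "__main__":
    flows = make_flows(200000)
    full = aggregate(flows)
    filtered = aggregate(flows, "10.1.1.0/24")
    print("cache entries without filter:", len(full))
    print("cache entries with filter:   ", len(filtered))
    for dst, nbytes in top_dst_bytes(filtered, 5):
        print(dst, nbytes)
```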
