Thanks Peter
> 
> I assume the difference is in your filter: 'dst net 10.1.1.0/24'
> 
> Flows which do not pass the filter are discarded. Both commands build an 
> internal flow cache.
> The first one of all existing flows, whereas the second command only those 
> for 'dst net 10.1.1.0/24'.
> This may result in a huge difference in memory usage. nfdump needs to 
> allocate more and more memory, which may slow down
> your system if it starts paging/swapping. The individual statistics ( -s ) 
> are calculated from the resulting cache.


We do perform a lot of "daily" (i.e. 24 hours) analysis of flow data for 
EC's... so the 20 seconds to analyse ~1.7G of data with filters is more than 
fine. What we also do is to dump daily (24hrs) into a 
src/dst/flows/octets/packets file for import into SQL for billing (we can adjust 
this to suit the CSV file format from nfdump)... Is the flow-tools -> nfdump 
conversion creating an "unusual" file for nfdump to process? (As the original 
~900Mb flow-tools file we can process with flow-tools in 10min or less, and 
results in a ~250Mb file?)


                                          
_______________________________________________
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
