Hi Adrian,

Thanks for the feedback. There could be a pretty easy solution for that - I could update 'pblock end' to ('pblock start' + 'pblock size' - 1) if pblock end is 0 - Then you can test port 10249 < pblock end

Would that be a solution for you?

- Peter

On 19.05.14 08:55, Adrian Popa wrote:
> Hello,
>
> We are currently experimenting with accounting for CGN and wish to be able
> to quickly identify which customer had a specific "public" IP and "public"
> port.
>
> We are collecting data with NSEL and NEL attributes, but it seems there
> isn't any way to search all records that have allocated a portblock that
> contains port x (through nfdump).
>
> For instance, let's assume that our customer is allocated ip 8.8.8.132 and
> uses port 10249 as a source port. I would like to be able to filter by xip
> 8.8.8.132 (which I currently can do) and by port 10249 > pblock start and
> port 10249 < pblock start + pblock size (I noticed that pblock end is 0 in
> our captures). (So list all records that have that port inside the port
> range).
>
> I realize this might be harder to implement (since it has to do additions
> of two different fields), but I wanted to ask the following:
>
> 1. Is this filtering something that's planned for the future? Or, at least,
> adding the option to filter by pblock start?
> 2. Is it something that you think is "doable" and I could do (my C skills
> are rusty, but in need of a brush-up). Where should I start to look?
>
> Here is how a record that I want filtered currently looks like:
>
> I am using nfdump: Version: NSEL-NEL1.6.12 $Date: 2014-04-02 20:08:48 +0200
> (Wed, 02 Apr 2014) $
>
> Here is a raw flow record:
> Flow Record:
>   Flags = 0x46 EVENT, Unsampled
>   export sysid = 1
>   size = 104
>   first = 1399277842 [2014-05-05 11:17:22]
>   last = 1399277842 [2014-05-05 11:17:22]
>   msec_first = 127
>   msec_last = 127
>   src addr = 10.1.6.83
>   dst addr = 0.0.0.0
>   src port = 0
>   dst port = 0
>   fwd status = 0
>   tcp flags = 0x00 ......
>   proto = 6 TCP
>   (src)tos = 0
>   (in)packets = 0
>   (in)bytes = 0
>   connect ID = 0
>   fw event = 1: CREATE
>   fw ext event = 0
>   Event time = 1399277842127 [2014-05-05 11:17:22.127]
>   src xlt ip = 8.8.8.132
>   dst xlt ip = 0.0.0.0
>   nat event = 1: ADD
>   ingress VRF = 3
>   egress VRF = 0
>   pblock start = 10240
>   pblock end = 0
>   pblock step = 1
>   pblock size = 1024
>
> Regards,
> Adrian
>
> _______________________________________________
> Nfsen-discuss mailing list
> Nfsen-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
>

--
Be nice to your netflow data. Use NfSen and nfdump :)
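
The port-block lookup discussed in this thread can also be done outside nfdump by post-processing raw record text. The Python below is an added example, not code from either poster or from nfdump: it parses records in the layout quoted above and returns those whose block on a given translated IP contains a given port. It assumes inclusive block bounds and a pblock step of 1; the function names and the second sample record are constructed for illustration.

```python
import re

# Constructed sample in the layout of the raw record quoted above; the second
# record is invented. Assumes pblock step = 1 and inclusive block bounds.
SAMPLE = """\
Flow Record:
  src addr     =        10.1.6.83
  Event time   =    1399277842127 [2014-05-05 11:17:22.127]
  src xlt ip   =        8.8.8.132
  pblock start =            10240
  pblock end   =                0
  pblock step  =                1
  pblock size  =             1024
Flow Record:
  src addr     =        10.1.6.90
  Event time   =    1399277900500 [2014-05-05 11:18:20.500]
  src xlt ip   =        8.8.8.132
  pblock start =            11264
  pblock end   =                0
  pblock step  =                1
  pblock size  =             1024
"""

FIELD = re.compile(r"^\s*(.+?)\s*=\s*(\S+)")

def parse_records(text):
    """Split raw output into one dict per 'Flow Record:' block."""
    records = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if line.strip().startswith("Flow Record"):
            records.append({})
        elif m and records:
            records[-1][m.group(1)] = m.group(2)
    return records

def block_end(rec):
    """Exporter's pblock end, or start + size - 1 when it is exported as 0."""
    start, end = int(rec["pblock start"]), int(rec.get("pblock end", 0))
    return end if end else start + int(rec["pblock size"]) - 1

def find_owner(records, public_ip, port):
    """Records whose port block on public_ip contains port (inclusive bounds)."""
    return [r for r in records
            if r.get("src xlt ip") == public_ip and "pblock start" in r
            and int(r["pblock start"]) <= port <= block_end(r)]

if __name__ == "__main__":
    print(find_owner(parse_records(SAMPLE), "8.8.8.132", 10249))
```

Each returned record carries the private `src addr` and the `Event time` of the block allocation, which still has to be matched against the time of the traffic being attributed.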