Hi Tristram,
I don’t know a config switch to enable something like this in pmacct.
And I believe this can’t be done while recording flows as you never know which
traffic relation will become big beforehand :-)
If your output is in json or csv format I would accomplish this by post
processing the output files with awk.
Here is an example:
awk -F '[",:]' '{ if($(NF-12)>18801490000) print }' input-file.json
Details:
-F '[",:]' in brackets are the delimiters. This works for the json output. For
csv it’s just -F '[,]'
$(NF-12) is the column where your bytes field is; for me it is the 12th
field from the end. If you want to read the 12th field from the beginning use
$12 instead.
18801490000 is your threshold.
input-file.json is the input file and can be json or csv.
This would print only rows with a value greater than 18801490000.
A possibly more elegant solution for your problem would be to sort the flows by
size and then only print the top-n flows.
You could use "sort -t, -n -r -k <column> <file> | head -n <rows>" to sort a
csv file and print the top rows.
Hope this helps.
Cheers
Daniel
On 13 Dec 2015, at 00:07, Tristram Cheer <[email protected]> wrote:
Hi All,
I've been struggling a little bit for a day or so now trying to figure out a
way to remove all the small flows from our system.
We're catching traffic by AS only to try and look at where our traffic is going
but we're only interested in big flows. Is there any config I can use that
would ignore flows until they reach X bytes?
Cheers
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
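The post-processing approach from the reply above, as an added example that is not part of the original thread and not pmacct code: it selects records by the value of the "bytes" key rather than by field position, so it keeps working when the column order changes. It assumes JSON output with one object per line; the key names as_dst and packets, the function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: filter flow records on the "bytes" key, not on position.
# Assumes one JSON object per line with an integer "bytes" value.

# big_flows MIN_BYTES [FILE...]: print records whose bytes exceed MIN_BYTES.
big_flows() {
    min=$1; shift
    awk -v min="$min" '
        match($0, /"bytes": *[0-9]+/) {
            b = substr($0, RSTART, RLENGTH)   # e.g. "bytes": 18801490001
            sub(/^[^0-9]*/, "", b)            # keep only the digits
            if (b + 0 > min + 0) print
        }' "$@"
}

# top_flows N [FILE...]: print the N records with the largest bytes value.
top_flows() {
    n=$1; shift
    awk '
        match($0, /"bytes": *[0-9]+/) {
            b = substr($0, RSTART, RLENGTH)
            sub(/^[^0-9]*/, "", b)
            print b "\t" $0                   # prefix each record with its size
        }' "$@" | sort -n -r -k1,1 | head -n "$n" | cut -f2-
}

# Constructed sample input; note the differing key order in the third record.
sample_flows() {
    cat <<'EOF'
{"as_dst": 64500, "packets": 120, "bytes": 98000}
{"as_dst": 64501, "packets": 14000000, "bytes": 18801490001}
{"as_dst": 64502, "bytes": 25000000000, "packets": 17000000}
{"as_dst": 64503, "packets": 3, "bytes": 180}
EOF
}

sample_flows | big_flows 18801490000
sample_flows | top_flows 1
```

Records without a "bytes" key are skipped silently, so a file in a different format produces no output instead of a wrong selection.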