Thanks for the reply.
I clearly see the difference. However, what I would really like to know
is whether there will be any difference in the per-router statistics or
aggregation output of nfdump if I just use -l.
Also, with -l, it would be easier for me to just keep pointing routers
to a single ip/port without bringing down the nfcapd. With -n, I guess,
I will have to bring down nfcapd and add this new router ident, ip, dir
and restart it. Or is there a better way of adding a new router without
bringing down nfcapd and keep collecting data in a separate directory?
On Fri, 2012-10-12 at 10:28 +0200, Peter Haag wrote:
> The difference is, where the data gets stored:
> -l /flow_base_dir/router1 puts everything into one file located under
> the given directory. If you need to know which router sent which flows,
> you have to filter according to the sending router address, or according
> to the exporter id of a given router ( v.1.6.8 )
> -n router1,192.168.1.1,/flow_base_dir/router1 -n router2,192.168.1.2,/flow_base_dir/router2
> separates the flows according to the sending IP address and stores the flows
> into individual directories.
> So, in the end it depends on what you prefer for processing your data.
> - Peter
> On 10/10/12 13:15, Veerapuram Varadhan wrote:
> > Hi,
> > Greetings!
> > Thanks for a great tool.
> > In recent versions of nfcapd, I read about the "-n" option through which
> > multiple-netflow source streams can be captured by a single instance of
> > nfcapd.
> > However, I have been running my tests/analysis of netflow from 3
> > different netflow routers pointing to a single instance of nfcapd
> > without the "-n" option.
> > For example:- Currently, I am running nfcapd like this:
> > nfcapd -b 220.127.116.11 -T +13 -w -B 102400000 -l /flow_base_dir/router1 -p 9999
> > and using the following nfdump command/options, I am post processing the
> > results:
> > nfdump -r /flow_base_dir/router1/nfcapd.201210081340 -o "fmt:%ra %ts %td %pr %sap -> %dap %flg %tos %pkt %byt %fl" -s router
> > and get:
> > Top 10 Router IP ordered by flows:
> > Date first seen Duration Proto Router IP Flows(%) Packets(%) Bytes(%) pps bps bpp
> > 2012-07-03 22:24:44.368 8321360.751 any 18.104.22.168 3500(42.2) 186070(42.7) 5.2 M(42.0) 0 5 28
> > 2012-07-04 07:45:50.457 8289479.403 any 22.214.171.124 2720(32.8) 145925(33.5) 4.2 M(33.6) 0 4 28
> > 2012-07-05 09:15:01.152 8190071.749 any 126.96.36.199 2070(25.0) 104218(23.9) 3.1 M(24.5) 0 2 29
> > (grouped by router)
> > So, was wondering whether using "-n" option in the nfcapd would get me a
> > different report than this?
> > And/or whether the way that I am collecting netflow data from the three
> > routers is correct?
> > Thanks in advance,
> > V. Varadhan.