Re: [Nfdump-discuss] nfdump is not showing srcmask or dstmask information.
netflow collecting and processing tools
From: Guy, N. <Nea...@nt...> - 2011-05-12 09:46:01
Hi Peter,

Many thanks, it's working great now.

Is there a way of displaying the full subnet info (eg: 192.168.33.0/24) rather than just the '24'?

-o "fmt:%ts %td %pr %sap %smk -> %dap %dmk %flg %tos %pkt %byt %fl"

Only gives the '24':

2011-05-12 09:54:52.288 275.269 TCP 192.168.14.59:2444 24 -> 10.31.60.46:8080 24 .APRSF 0 2934 390580 145

Cheers,
Neale

-----Original Message-----
From: Peter Haag [mailto:ph...@us...]
Sent: 12 May 2011 07:26
To: Guy, Neale
Cc: nfd...@li...
Subject: Re: [Nfdump-discuss] nfdump is not showing srcmask or dstmask information.

Have you told nfcapd to collect the mask? Since nfdump's support for FNF you have to enable those extensions you need - see nfcapd(1)
At least you need nfcapd -T3.

- Peter

On 11/5/11 1:10 PM, Guy, Neale wrote:
> I cannot get nfdump to display the subnets and the raw nfdump output does not seem to include this information:
>
> Flow Record:
>   Flags = 0x00 Unsampled
>   size = 52
>   first = 1305017995 [2011-05-10 09:59:55]
>   last = 1305017996 [2011-05-10 09:59:56]
>   msec_first = 899
>   msec_last = 259
>   src addr = 192.168.228.87
>   dst addr = 192.168.21.37
>   src port = 36887
>   dst port = 80
>   fwd status = 0
>   tcp flags = 0x1e .APRS.
>   proto = 6
>   (src)tos = 0
>   (in)packets = 7
>   (in)bytes = 2884
>   input = 173
>   output = 175
>   src as = 0
>   dst as = 0
>
> /usr/local/bin/nfdump -M /data/nfcapd/flows/router -R 2011/05/10/nfcapd.201105100000:2011/05/10/nfcapd.201105102355 -n 5 -s mask:p/bps
>
> Top 5 Mask ordered by bps:
> Date first seen Duration Proto Mask Flows(%) Packets(%) Bytes(%) pps bps bpp
> 2011-05-09 23:58:56.717 86461.844 any 0 50.9 M(200.0) 1.7 G(200.0) 744.0 G(200.0) 19734 68.8 M 436
>
> Summary: total flows: 25471290, total bytes: 372.0 G, total packets: 853.1 M, avg bps: 34.4 M, avg pps: 9867, avg bpp: 436
> Time window: 2011-05-09 23:58:56 - 2011-05-10 23:59:58
> Total flows processed: 25471290, Blocks skipped: 0, Bytes read: 1324528668
> Sys: 3.330s flows/second: 7649036.0 Wall: 28.248s flows/second: 901670.8
>
> We are using Netflow v5. Is this information only included in a certain version of netflow packet?
> Looking at the docs for v5 it shows
> 44 src_mask Source address prefix mask bits
> 45 dst_mask Destination address prefix mask bits.
>
> Neale Guy
> Nexus System Developer | System development | NTT Europe Ltd.
> ICT Solutions<http://www.eu.ntt.com/en/products.html> | Web<http://www.eu.ntt.com/en/index.html> | News<http://www.eu.ntt.com/en/about-us/newsroom.html>
>
> ________________________________
> This e-mail (and any attachments) contains information which is intended solely for the attention of the person to whom it has been sent. If you are not the intended recipient, you are not authorised to copy, distribute or use it for any purpose or disclose the contents to any person. If you have received this e-mail in error, please notify us immediately at le...@nt... and delete this e-mail from your systems. NTT Europe makes no warranty that this message is error or virus free. Any comments or opinions expressed are those of the originator not of NTT Europe Ltd. unless otherwise expressly stated. NTT Europe Limited is a company registered in England and Wales with company number 2307625. Registered Address: 3rd Floor, Devon House, 58-60 St. Katharine's Way, London, E1W 1LB, UK.
>
> _______________________________________________
> Nfdump-discuss mailing list
> Nfd...@li...
> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss

--
Be nice to your netflow data. Use NfSen and nfdump :)
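
Added example, not part of the thread and not nfdump's own code: one way to get the full subnet asked about at the top of the thread is to post-process the `%sap %smk` and `%dap %dmk` columns produced by the format string quoted there. It assumes IPv4 `addr:port` tokens in that column order and treats a mask of 0 as "mask not collected"; `SAMPLE`, `prefix` and `subnets` are names made up for this sketch.

```python
import ipaddress

# Constructed sample input. Line 1 is the output line quoted in the thread,
# line 2 is invented to show a record whose mask is 0, line 3 is a summary
# line that must be skipped.
SAMPLE = """\
2011-05-12 09:54:52.288 275.269 TCP 192.168.14.59:2444 24 -> 10.31.60.46:8080 24 .APRSF 0 2934 390580 145
2011-05-12 09:55:01.002 0.000 UDP 192.168.33.17:53 0 -> 10.31.60.46:40000 0 ...... 0 1 76 1
Summary: total flows: 2, total bytes: 390656, total packets: 2935
"""


def prefix(addr_port, mask):
    """Turn an 'addr:port' token plus a mask-bits token into 'network/len'."""
    addr = addr_port.rsplit(":", 1)[0]
    bits = int(mask)
    if bits == 0:
        # Assumption: 0 means the exporter or collector supplied no mask,
        # so report the bare address instead of claiming 0.0.0.0/0.
        return str(ipaddress.ip_address(addr))
    # strict=False clears the host bits: 192.168.14.59/24 -> 192.168.14.0/24
    return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False))


def subnets(line):
    """Return (src, dst) prefixes for one flow line, or None for other lines."""
    tok = line.split()
    # Only the first nine tokens are used, so scaled counters such as
    # '1.7 M' further right cannot shift the columns that matter here.
    if len(tok) < 9 or tok[6] != "->":
        return None
    try:
        return prefix(tok[4], tok[5]), prefix(tok[7], tok[8])
    except ValueError:
        return None  # header line or malformed address/mask


if __name__ == "__main__":
    for flow_line in SAMPLE.splitlines():
        nets = subnets(flow_line)
        if nets:
            print(f"{nets[0]} -> {nets[1]}")
```
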