nfdump-discuss Mailing List for NFDUMP - Netflow processing tools (Page 53)
netflow collecting and processing tools
From: Peter H. <ha...@sw...> - 2007-06-05 07:44:13
--On June 4, 2007 3:56:43 PM -0700 "Mark D. Nagel" <mn...@wi...> wrote:

| I have been through the list archive and found nothing specific on this
| -- . The problem is we see consistently high levels of sequence errors
| (40-50 per interval) in the nfcapd logs from Catalyst 6509 exports. I
| suspect this is because the RP flow export sequence number is not kept
| in sync with the SP (MLS) export sequence number, but wanted to check if
| that is the case or whether there is anything I can do differently in my
| export configuration to prevent it from happening. More importantly,
| does that indicate that flows are dropped, or is it innocuous?

From the collector side, there is no impact other than the report. It
simply tells you that somewhere flows are missing (the number of sequence
errors), for whatever reason. Most of the time it's difficult to spot
where the flows get lost - most likely in the router itself.

- Peter

| Thanks,
| Mark

--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
SWITCH, Limmatquai 138, CH-8001 Zurich, Switzerland
Web: http://www.switch.ch/
From: Mark D. N. <mn...@wi...> - 2007-06-04 22:56:42
I have been through the list archive and found nothing specific on this
-- . The problem is we see consistently high levels of sequence errors
(40-50 per interval) in the nfcapd logs from Catalyst 6509 exports. I
suspect this is because the RP flow export sequence number is not kept in
sync with the SP (MLS) export sequence number, but wanted to check if that
is the case or whether there is anything I can do differently in my export
configuration to prevent it from happening. More importantly, does that
indicate that flows are dropped, or is it innocuous?

Thanks,
Mark

--
Mark D. Nagel, CCIE #3177 <mn...@wi...>
Principal Consultant, Willing Minds LLC (http://www.willingminds.com)
cell: 949-279-5817, desk: 714-630-4772, fax: 949-623-9854
From: Peter H. <ha...@sw...> - 2007-05-10 17:19:24
Hi Devon,

--On May 10, 2007 12:04:39 PM -0400 Devon True <de...@no...> wrote:

| All:
|
| Using nfdump-snapshot-20070312 I am unable to read the .current files
| using the -r option. I searched the mailing list and found a thread,
| <http://thread.gmane.org/gmane.network.nfsen.general/262/focus=5>, that
| mentions a patch on the 20070110 snapshot, but I was unable to find it
| on SourceForge or in the tar.gz file.
|
| nfdump does read the .DATE files fine.
|
| Any ideas?

This is the intended behaviour. The .current file is open by the collector
and changes dynamically; it grows. Therefore you may get unexpected results
in the event of a concurrent access. If you know what you do, you may patch
nffile.c: after line 391 in function OpenNewFile add

    file_header->version = VERSION;

and recompile nfdump. However, bear in mind that all open files are now
accessible by any other nfdump process.

- Peter

--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
SWITCH, Limmatquai 138, CH-8001 Zurich, Switzerland
Web: http://www.switch.ch/
From: Peter H. <ha...@sw...> - 2007-05-10 17:13:36
Hi Devon,

--On May 10, 2007 12:04:39 PM -0400 Devon True <de...@no...> wrote:

| All:
|
| Using nfdump-snapshot-20070312 I am unable to read the .current files
| using the -r option. I searched the mailing list and found a thread,
| <http://thread.gmane.org/gmane.network.nfsen.general/262/focus=5>, that
| mentions a patch on the 20070110 snapshot, but I was unable to find it
| on SourceForge or in the tar.gz file.
|
| nfdump does read the .DATE files fine.
|
| Any ideas?

This is the intended behaviour. The .current file is open by the collector
and changes dynamically; it grows. Therefore you may get unexpected results
in the event of a concurrent access. If you know what you do, you may patch
nffile.c: after line 391 in function OpenNewFile add

    file_header->version = VERSION;

and recompile nfdump. However, bear in mind that all open files are now
accessible by any other nfdump process.

- Peter

--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
SWITCH, Limmatquai 138, CH-8001 Zurich, Switzerland
Web: http://www.switch.ch/
From: Peter H. <ha...@sw...> - 2007-05-10 17:11:18
in snapshot 20070312 it's after line 321 *NOT* 391 as stated in my
previous mail. Sorry for the confusion.

--On May 10, 2007 12:04:39 PM -0400 Devon True <de...@no...> wrote:

| All:
|
| Using nfdump-snapshot-20070312 I am unable to read the .current files
| using the -r option. I searched the mailing list and found a thread,
| <http://thread.gmane.org/gmane.network.nfsen.general/262/focus=5>, that
| mentions a patch on the 20070110 snapshot, but I was unable to find it
| on SourceForge or in the tar.gz file.
|
| nfdump does read the .DATE files fine.
|
| Any ideas?

--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
SWITCH, Limmatquai 138, CH-8001 Zurich, Switzerland
Web: http://www.switch.ch/
From: Devon T. <de...@no...> - 2007-05-10 16:36:47
All:

Using nfdump-snapshot-20070312 I am unable to read the .current files
using the -r option. I searched the mailing list and found a thread,
<http://thread.gmane.org/gmane.network.nfsen.general/262/focus=5>, that
mentions a patch on the 20070110 snapshot, but I was unable to find it on
SourceForge or in the tar.gz file.

nfdump does read the .DATE files fine.

Any ideas?

    nfdump -V
    nfdump: Version: snapshot-20070312 $LastChangedDate: 2007-03-13 08:36:17 +0100 (Tue, 13 Mar 2007) $
    $Id: nfdump.c 88 2007-03-06 08:49:26Z peter $

    nfdump -r nfcapd.current.16539
    Date flow start          Duration Proto    Src IP Addr:Port        Dst IP Addr:Port   Packets    Bytes Flows
    Open file nfcapd.current.16539: bad version: 0

    nfdump -r nfcapd.200705101115 -c 10
    Date flow start          Duration Proto    Src IP Addr:Port        Dst IP Addr:Port   Packets    Bytes Flows
    2007-05-10 11:25:06.782    42.660 TCP      x.x.x.x:110     ->      y.y.y.y:1546            15     5602     1
    2007-05-10 11:25:51.417     1.908 TCP      x.x.x.x:110     ->      y.y.y.y:63638            2     2840     1
    2007-05-10 11:25:46.506     6.819 TCP      x.x.x.x:110     ->      y.y.y.y:63638            7     1070     1
    2007-05-10 11:24:59.734     0.000 TCP      x.x.x.x:80      ->      y.y.y.y:50913            1       48     1
    2007-05-10 11:25:52.514     0.000 TCP      x.x.x.x:25      ->      y.y.y.y:44257            1       89     1
    2007-05-10 11:25:53.721     0.000 TCP      x.x.x.x:110     ->      y.y.y.y:10812            1     1420     1
    2007-05-10 11:24:56.537    52.562 TCP      x.x.x.x:110     ->      y.y.y.y:10812            2     2834     1
    2007-05-10 11:25:49.172     0.000 TCP      x.x.x.x:110     ->      y.y.y.y:3450             1       40     1
    2007-05-10 11:25:14.468    23.266 TCP      x.x.x.x:110     ->      y.y.y.y:1178             4     5680     1
    2007-05-10 11:25:14.468    27.373 TCP      x.x.x.x:110     ->      y.y.y.y:1178            11     5402     1
    Summary: total flows: 10, total bytes: 25025, total packets: 45, avg bps: 3500, avg pps: 0, avg bpp: 556
    Time window: 2007-05-10 11:24:53 - 2007-05-10 11:27:53
    Total flows processed: 16149, skipped: 0, Bytes read: 839760
    Sys: 0.012s flows/second: 1345750.0 Wall: 0.010s flows/second: 1566799.3

--
Devon
From: Brown, R. <rob...@uc...> - 2007-05-10 09:53:34
Thanks for this info. When I switched to a static version of nprobe 4.1,
the numbers looked much more 'on target'. So there is something going on
with fprobe unfortunately. At this point I'm going to compile nprobe 4.1
using the mmap patched libpcap I have on the box and see if it can keep up
with the traffic better. Even though the static nprobe was reporting loss,
the flows sent to nfdump/nfsen were much more accurate and lined up with
the snmp stats of the interface.

So far, response on the nfdump/nfsen install has been very favorable,
thanks for a great piece of work!!

-Robin
From: Peter H. <ha...@sw...> - 2007-05-10 09:16:52
Hi Robin,

I can not really tell you what could be wrong. The numbers we see seem
pretty much what we expect. Maybe a few remarks on how the numbers are
generated.

The statistics are created for every 5 min slot according to the
accumulated values from the flows exported during that 5 min timeslot. The
accumulated byte counter from all flows is divided by 300s to get the
average bps for that time slot. This is also the value pumped into the RRD
DB for creating the graphs. Scaling of RRD and the values in the stat
table are 1K = 1000 as of snapshot 20070312.

If your flows are sampled, then your values may be way off, as sampling is
not (yet) taken into account. The rough guess is a multiplication with the
sampling rate.

The error you see in your log file does not do any harm. It simply says
that there was 1 sequence error during the last 5 minutes when collecting
the flow data. So 1 packet was missing in that flow sequence.

If you take the Bytes count and divide it by 300, you get the average bps
value.

- Peter

--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
Web: http://www.switch.ch/
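Peter's remarks above (slot averages = slot totals / 300 s, the sampling multiplier as a rough correction, a sequence error as a gap in the exporter's numbering) and the sequence-error thread at the top of the page, as an added example that is not nfdump or nfsen code: it parses nfcapd stat lines like the one Robin quoted, derives the per-slot averages, and flags slots with sequence errors or bad packets. Assumed: the line layout Robin quoted, 300 s slots, a plain sampling multiplier, and bits = bytes * 8 reported next to the bytes / 300 figure the mail describes.

```python
"""Interpret nfcapd per-slot stat lines as the thread describes.

Added example, not nfdump/nfsen code. Assumptions: stat lines have the
layout Robin quoted, each line covers one 300 s slot, sampling is corrected
by a plain multiplier (Peter's rough guess), and bits = bytes * 8.
"""
import re
from dataclasses import dataclass

SLOT_SECONDS = 300  # nfcapd rotates its file every 5 minutes

# Layout of the stat line nfcapd logs at every rotation (from Robin's mail).
STAT_RE = re.compile(
    r"nfcapd\[(?P<pid>\d+)\]: Ident: '(?P<ident>[^']*)' "
    r"Flows: (?P<flows>\d+), Packets: (?P<packets>\d+), Bytes: (?P<bytes>\d+), "
    r"Sequence Errors: (?P<seq_errors>\d+), Bad Packets: (?P<bad_packets>\d+)"
)


@dataclass
class SlotStat:
    ident: str
    flows: int
    packets: int
    nbytes: int
    seq_errors: int
    bad_packets: int


def parse_stat_line(line):
    """Return a SlotStat for an nfcapd stat line, or None for any other line."""
    m = STAT_RE.search(line)
    if m is None:
        return None
    return SlotStat(
        ident=m.group("ident"),
        flows=int(m.group("flows")),
        packets=int(m.group("packets")),
        nbytes=int(m.group("bytes")),
        seq_errors=int(m.group("seq_errors")),
        bad_packets=int(m.group("bad_packets")),
    )


def slot_averages(stat, sampling_rate=1):
    """Per-slot averages the way the mail describes them: slot totals / 300 s.

    sampling_rate > 1 applies the multiplier Peter suggests for sampled
    exporters to bytes and packets. Flow counts are left unscaled: a sampled
    exporter still emits one record per flow it observed, so no simple
    multiplier recovers the true number of flows.
    """
    scaled_bytes = stat.nbytes * sampling_rate
    scaled_packets = stat.packets * sampling_rate
    return {
        "avg_Bps": scaled_bytes / SLOT_SECONDS,      # bytes per second, bytes / 300 as in the mail
        "avg_bps": scaled_bytes * 8 / SLOT_SECONDS,  # bits per second (assumption: x8)
        "avg_pps": scaled_packets / SLOT_SECONDS,
        "avg_fps": stat.flows / SLOT_SECONDS,
        "avg_bpp": scaled_bytes / scaled_packets if scaled_packets else 0.0,
    }


def flag_slots(lines, max_seq_errors=0):
    """Flag slots with more than max_seq_errors sequence errors or any bad packets.

    A sequence error is the collector noticing a gap in the exporter's
    sequence numbers: the records in that gap never arrived, so the slot's
    byte and packet totals, and every graph built from them, are too low.
    """
    findings = []
    for line in lines:
        stat = parse_stat_line(line)
        if stat is None:
            continue
        reasons = []
        if stat.seq_errors > max_seq_errors:
            reasons.append(f"{stat.seq_errors} sequence errors")
        if stat.bad_packets:
            reasons.append(f"{stat.bad_packets} bad packets")
        if reasons:
            findings.append((stat.ident, ", ".join(reasons)))
    return findings


# Constructed sample log: the first line carries the stat text Robin quoted
# behind a made-up syslog prefix; the other two lines are invented.
SAMPLE_LOG = [
    "May  9 11:30:01 probe /usr/local/bin/nfcapd[12071]: Ident: 'ehprobe2' Flows: 3558830, "
    "Packets: 28941156, Bytes: 6628366421, Sequence Errors: 1, Bad Packets: 0",
    "May  9 11:35:01 probe /usr/local/bin/nfcapd[12071]: Ident: 'cat6509' Flows: 812344, "
    "Packets: 9981233, Bytes: 4100233411, Sequence Errors: 45, Bad Packets: 0",
    "May  9 11:35:01 probe /usr/local/bin/nfcapd[12071]: Ident: 'edge' Flows: 120, "
    "Packets: 900, Bytes: 64000, Sequence Errors: 0, Bad Packets: 2",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        stat = parse_stat_line(line)
        avg = slot_averages(stat)
        print(f"{stat.ident:10s} avg_bps={avg['avg_bps']:.0f} avg_pps={avg['avg_pps']:.0f}")
    for ident, why in flag_slots(SAMPLE_LOG, max_seq_errors=5):
        print(f"check exporter {ident}: {why}")
```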
From: Brown, R. <rob...@uc...> - 2007-05-09 15:44:23
I was using flow-capture/flowscan, but it couldn't keep up. Flowscan took
longer than 5 minutes to process the flow file so by the end of the day it
got really far behind. But the data that was reported in bps was very
close to the interface stats pulled via snmp.

I'm trying nfdump/nfsen and the numbers are way off. I am not exporting
flows from a router, I have fprobe running and converting span traffic to
flows and sending those to the server running nfdump/nfsen. This was the
same configuration when I was using the flow-tools suite, fprobe to the
server running flow-capture and flowscan. The bps shown in the graphs
generated by nfdump/nfsen are not even close to the interface stats.

I'm using nfdump-snapshot-20070312 and nfsen-snapshot-20070312. Am I
missing something? Do I need to tweak something? I like nfdump/nfsen; it
is faster when searching thru flow data. I'm just not sure I'm seeing
accurate data right now.

The only errors in the log are an occasional sequence error:

    /usr/local/bin/nfcapd[12071]: Ident: 'ehprobe2' Flows: 3558830, Packets: 28941156, Bytes: 6628366421, Sequence Errors: 1, Bad Packets: 0

Would that be enough to cause this issue? I'm probably also dropping some
flows but I was b4 with flow-tools and the numbers were not this far off.

Any assistance will be appreciated.

Regards,
Robin
From: Brown, R. <rob...@uc...> - 2007-05-08 13:22:48
Thanks Stephen!!! Worked like a charm!

-Robin

-----Original Message-----
From: Stephen W. Bradley [mailto:bra...@mu...]
Sent: Tuesday, May 08, 2007 9:05 AM
To: Brown, Robin
Subject: RE: [Nfdump-discuss] nfdump compile issue when using --enable-nfprofile

I think as far as open source tools go this has got to be in my top 5 from
what I have seen the last two weeks. I run nfdump and nfsen for the GUI.

As far as librrd goes I put it everywhere I thought it might look. I just
did a

    cp /usr/local/soft/rrdtool-1.2.18/lib/librrd* /usr/lib

and

    cp /usr/local/soft/rrdtool-1.2.18/include/rrd.h /usr/include

That should fix the problem.

-----Original Message-----
From: Brown, Robin [mailto:rob...@uc...]
Sent: Tuesday, May 08, 2007 8:57 AM
To: Stephen W. Bradley
Subject: RE: [Nfdump-discuss] nfdump compile issue when using --enable-nfprofile

Not yet, Peter thinks it cannot find my librrd, I'm just not sure exactly
what and where it is looking. I can symlink it if necessary. I did try to
specify where it is using --with-rrdptah but it fails the same.

Thanks for the input, I appreciate it! Do you like the nfdump tools? Are
they faster than flowscan? I have flow-tools and flowscan working, it just
cannot keep up.

Thanks!!!!

-Robin

-----Original Message-----
From: Stephen W. Bradley [mailto:bra...@mu...]
Sent: Tuesday, May 08, 2007 8:55 AM
To: Brown, Robin
Subject: RE: [Nfdump-discuss] nfdump compile issue when using --enable-nfprofile

Did you get it working?

-----Original Message-----
From: Brown, Robin [mailto:rob...@uc...]
Sent: Tuesday, May 08, 2007 8:53 AM
To: Stephen W. Bradley
Subject: RE: [Nfdump-discuss] nfdump compile issue when using --enable-nfprofile

No, not 64 bit. Unless that's the latest snapshot on the sourceforge
download?

-----Original Message-----
From: Stephen W. Bradley [mailto:bra...@mu...]
Sent: Tuesday, May 08, 2007 7:06 AM
To: Brown, Robin
Subject: RE: [Nfdump-discuss] nfdump compile issue when using --enable-nfprofile

Are you using the 64bit version? You need to install the librrd into
/usr/lib64. I just went through all this two weeks ago so while it is
still fresh you better pick my brain. :-)

steve

-----Original Message-----
From: nfd...@li... [mailto:nfd...@li...] On Behalf Of Brown, Robin
Sent: Monday, May 07, 2007 8:54 PM
To: nfd...@li...
Subject: [Nfdump-discuss] nfdump compile issue when using --enable-nfprofile

nfdump-snapshot-20070312 on Fedora 5, configure fails with the following:

    checking for void *... yes
    checking size of void *... configure: error: cannot compute sizeof (void *), 77
    See `config.log' for more details.

Configure seems to go ok if I leave off the --enable-nfprofile option. I'd
like to try nfsen with nfdump and the README for nfsen says I need to
enable it as it is no longer enabled by default.

Any advice?

Thanks!

-Robin
From: Peter H. <ha...@sw...> - 2007-05-08 04:28:40
Hi Robin,

--On May 7, 2007 8:54:08 PM -0400 "Brown, Robin" <rob...@uc...> wrote:

| nfdump-snapshot-20070312 on Fedora 5, configure fails with the
| following:
|
| checking for void *... yes
| checking size of void *... configure: error: cannot compute sizeof (void *), 77
| See `config.log' for more details.

If you check the config.log you will most likely see that there was a link
error with librrd when linking the void * test. It does not find librrd.
autoconf is not very precise here. I need to change that.

Hope this helps

- Peter

| Configure seems to go ok if I leave off the --enable-nfprofile option.
| I'd like to try nfsen with nfdump and the README for nfsen says I need
| to enable it as it is no longer enabled by default.
|
| Any advice?
|
| Thanks!
|
| -Robin

--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
SWITCH, Limmatquai 138, CH-8001 Zurich, Switzerland
Web: http://www.switch.ch/
From: Brown, R. <rob...@uc...> - 2007-05-08 00:54:12

nfdump-snapshot-20070312 on Fedora 5, configure fails with the following:

checking for void *... yes
checking size of void *... configure: error: cannot compute sizeof (void *), 77
See `config.log' for more details.

Configure seems to go ok if I leave off the --enable-nfprofile option. I'd like to try nfsen with nfdump and the README for nfsen says I need to enable it as it is no longer enabled by default.

Any advice?

Thanks!
-Robin
From: <run...@un...> - 2007-05-04 13:47:57

Hi,

Is there a possibility to filter the output after the data have been aggregated? My problem is that I'm trying to find a way to locate scanners. I think I'm near, but at the end of the list I get IP-addresses that have only a few flows to few machines. Is there a way to say I only want records where one ip-address has i.e. flows > 200?

nfdump -r nfcapd.200705021200 -K<key> -A srcip,dstport -s record/flows 'dst port 1433 or dst port 5900 or dst port 135 and bytes < 129'

(The IP addresses are anonymized and the address 124.191.156.252 corresponds to 0.0.0.0)

Aggregated flows 26
Top 10 flows ordered by flows:
Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2007-05-02 11:59:57.988 737.542 0 5.28.12.111:0 -> 124.191.156.252:1433 5302 341005 1062
2007-05-02 12:12:09.814 87.585 0 226.181.211.53:0 -> 124.191.156.252:135 462 22160 234
2007-05-02 12:01:23.502 776.290 0 158.24.108.121:0 -> 124.191.156.252:1433 62 3968 31
2007-05-02 12:00:45.841 810.843 0 158.24.108.121:0 -> 124.191.156.252:5900 52 3328 26
2007-05-02 11:59:44.968 893.845 0 158.27.184.11:0 -> 124.191.156.252:5900 41 1968 20
2007-05-02 12:00:02.397 752.949 0 158.24.108.121:0 -> 124.191.156.252:135 36 2304 18
2007-05-02 11:59:44.116 38.645 0 150.95.70.250:0 -> 124.191.156.252:1433 16 768 8
2007-05-02 12:07:32.905 397.687 0 158.25.157.51:0 -> 124.191.156.252:1433 15 875 3
2007-05-02 12:14:54.853 2.596 0 6.90.165.109:0 -> 124.191.156.252:1433 15 821 3
2007-05-02 12:09:16.559 107.702 0 100.148.151.105:0 -> 124.191.156.252:135 2 60 2
IP addresses anonymized
Summary: total flows: 1424, total bytes: 384246, total packets: 6051, avg bps: 3365, avg pps: 6, avg bpp: 63
Time window: 2007-05-02 11:30:13 - 2007-05-02 12:14:58
Total flows processed: 173490, skipped: 0, Bytes read: 9021612
Sys: 0.032s flows/second: 5421393.1 Wall: 0.031s flows/second: 5478400.9

--------------------------------------

I also have a problem aggregating data unless I'm doing statistics (as I did above) of the records afterwards.

rune@cia:/data/netflow/teknobyen-gw/2007/05/02$ nfdump -r nfcapd.200705021200 -K<key> -A srcip,dstport 'dst port 5900'
Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2007-05-02 11:59:44.968 2.908 TCP 158.27.184.11:1632 -> 158.27.141.57:5900 2 96 1
2007-05-02 11:59:53.156 2.968 TCP 158.27.184.11:2398 -> 158.27.254.216:5900 2 96 1
2007-05-02 12:00:22.629 2.968 TCP 158.27.184.11:1146 -> 158.27.254.210:5900 2 96 1
2007-05-02 12:00:45.841 2.980 TCP 158.24.108.121:3838 -> 158.24.84.128:5900 2 128 1
2007-05-02 12:00:46.569 2.952 TCP 158.24.108.121:3892 -> 158.24.84.44:5900 2 128 1
2007-05-02 12:01:06.666 2.984 TCP 158.24.108.121:1396 -> 158.24.84.5:5900 2 128 1
2007-05-02 12:01:43.318 2.984 TCP 158.24.108.121:3589 -> 158.24.84.181:5900 2 128 1
2007-05-02 12:02:08.975 2.964 TCP 158.24.108.121:1421 -> 158.24.84.65:5900 2 128 1
2007-05-02 12:02:09.355 2.984 TCP 158.24.108.121:1460 -> 158.24.84.88:5900 2 128 1
2007-05-02 12:02:12.027 3.148 UDP 158.25.171.38:56912 -> 38.179.14.114:5900 2 429 1
2007-05-02 12:02:15.103 2.944 TCP 158.24.108.121:1793 -> 158.24.84.104:5900 2 128 1
2007-05-02 12:02:56.568 2.928 TCP 158.27.184.11:3204 -> 158.27.141.6:5900 2 96 1
2007-05-02 12:03:17.372 2.944 TCP 158.27.184.11:4990 -> 158.27.141.90:5900 2 96 1
2007-05-02 12:03:22.432 3.016 TCP 158.27.184.11:1397 -> 158.27.141.236:5900 2 96 1
2007-05-02 12:03:51.941 2.980 TCP 158.27.184.11:4151 -> 158.27.203.50:5900 2 96 1
2007-05-02 12:04:14.885 2.932 TCP 158.24.108.121:1423 -> 158.24.84.26:5900 2 128 1
<snip>

Clearly I have several records here where srcip and dstport are the same. It's late on a Friday and it might be that I don't see the obvious. :-) Can anyone see what I'm doing wrong?

Regards,
Rune Sydskjør, UNINETT
From: Stephen W. B. <bra...@mu...> - 2007-04-30 14:32:05

I will check with the network guys feeding me the data to make sure of exactly where it comes from and then collect a stream of it for you.

Thx
steve

-----Original Message-----
From: Peter Haag [mailto:ha...@sw...]
Sent: Monday, April 30, 2007 10:29 AM
To: Stephen W. Bradley; nfd...@li...
Subject: Re: [Nfdump-discuss] Logfile question

--On April 30, 2007 10:13:01 -0400 "Stephen W. Bradley" <bra...@mu...> wrote:
| It comes directly from the Cisco switches.

Up to now all data from Cisco equipment worked. Anyway, If you can capture exported netflow traffic using tcpdump, which includes v9 template and data packets, I'll have a look into that.

- Peter
From: Peter H. <ha...@sw...> - 2007-04-30 14:28:38

--On April 30, 2007 10:13:01 -0400 "Stephen W. Bradley" <bra...@mu...> wrote:
| It comes directly from the Cisco switches.

Up to now all data from Cisco equipment worked. Anyway, if you can capture exported netflow traffic using tcpdump, which includes v9 template and data packets, I'll have a look into that.

- Peter

--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
E-mail: pet...@sw... Web: http://www.switch.ch/
From: Stephen W. B. <bra...@mu...> - 2007-04-30 14:13:07

It comes directly from the Cisco switches.

-----Original Message-----
From: Peter Haag [mailto:ha...@sw...]
Sent: Monday, April 30, 2007 8:50 AM
To: Stephen W. Bradley; nfd...@li...
Subject: Re: [Nfdump-discuss] Logfile question

--On April 30, 2007 8:03:36 -0400 "Stephen W. Bradley" <bra...@mu...> wrote:
| Are these log entries normal or do I have something screwed up in my
| install?

No - they are not normal. For any reason your exporter sends more data in a UDP packet, than your data flow set requires. It does not harm record processing, as it re-syncs with the next packet. What type of exporter are you using?

- Peter
From: Peter H. <ha...@sw...> - 2007-04-30 12:49:27

--On April 30, 2007 8:03:36 -0400 "Stephen W. Bradley" <bra...@mu...> wrote:
| Are these log entries normal or do I have something screwed up in my
| install?

No - they are not normal. For whatever reason your exporter sends more data in a UDP packet than your data flowset requires. It does not harm record processing, as it re-syncs with the next packet. What type of exporter are you using?

- Peter
From: Stephen W. B. <bra...@mu...> - 2007-04-30 12:03:40

Are these log entries normal or do I have something screwed up in my install?

Apr 30 07:40:21 scorpious /usr/local/bin/nfcapd[30673]: Process_v9: Corrupt data flowset? Pad bytes: 44
Apr 30 07:40:21 scorpious /usr/local/bin/nfcapd[30673]: Process_v9: Corrupt data flowset? Pad bytes: 7
Apr 30 07:40:21 scorpious /usr/local/bin/nfcapd[30673]: Process_v9: Corrupt data flowset? Pad bytes: 34
Apr 30 07:40:21 scorpious /usr/local/bin/nfcapd[30673]: Process_v9: Corrupt data flowset? Pad bytes: 16
Apr 30 07:40:21 scorpious /usr/local/bin/nfcapd[30673]: Process_v9: Corrupt data flowset? Pad bytes: 44
Apr 30 07:40:21 scorpious /usr/local/bin/nfcapd[30673]: Process_v9: Corrupt data flowset? Pad bytes: 10
Apr 30 07:40:21 scorpious /usr/local/bin/nfcapd[30673]: Process_v9: Corrupt data flowset? Pad bytes: 29
Apr 30 07:40:21 scorpious /usr/local/bin/nfcapd[30673]: Process_v9: Corrupt data flowset? Pad bytes: 32
Apr 30 07:40:21 scorpious /usr/local/bin/nfcapd[30673]: Process_v9: Corrupt data flowset? Pad bytes: 39
Apr 30 07:40:21 scorpious /usr/local/bin/nfcapd[30673]: Process_v9: Corrupt data flowset? Pad bytes: 13

Thanks

Steve

Stephen W. Bradley GCIH CISSP
Network Security Specialist
Miami University
Information Security Office
513-529-8129
bra...@mu...

Quis custodiet ipsos custodes?
From: Peter H. <ha...@sw...> - 2007-04-19 12:16:12

Hi gijs,

--On April 18, 2007 17:09:03 +0200 Gijs Molenaar <gij...@su...> wrote:
| Hello,
|
| We want to directly read and understand nfdump files from Java (don't
| ask why ;) ). We can write a parser for nfdump, but we also discovered

Why?

| JNI, an java-to-other_language API builder. Did anyone already tried to
| to this with nfdump?
|
| Next to that, how likely is the storage format of nfdump / nfcapd going
| to change in the future? My problem is; if we write a Java API for
| reading nfdump files, we will base this on the current version of
| nfdump. We would like this code to be able to read nfcapd exported files
| also in the future.

nfdump is going to accept more v9 data in future => flexible netflow, and therefore will have new data fields in the current extendable file format. For your JNI, it's best to base on current C file reader functions, and work with the master record. I posted some time ago a bare-bone nfdump file reader on this list. If you link this bare-bone reader with your Java-JNI app, it should work. Do not re-implement a flow reader in Java. If you need more detailed info, contact me offlist.

- Peter

| any great insights or opinions, anybody?
|
| - gijs
From: Gijs M. <gij...@su...> - 2007-04-18 15:09:28

Hello,

We want to directly read and understand nfdump files from Java (don't ask why ;) ). We can write a parser for nfdump, but we also discovered JNI, a Java-to-other-language API builder. Did anyone already try to do this with nfdump?

Next to that, how likely is the storage format of nfdump / nfcapd going to change in the future? My problem is; if we write a Java API for reading nfdump files, we will base this on the current version of nfdump. We would like this code to be able to read nfcapd exported files also in the future.

Any great insights or opinions, anybody?

- gijs
From: Peter H. <ha...@sw...> - 2007-04-13 10:12:28

The user defined format -o fmt works only for entire netflow records and not for record element statistics. Using Perl, you may check whether the beginning of the line is a number (date) to process a line and skip header lines. Alternatively you may use -o pipe, which gives a '|' separated record list without any additional lines/headers.

- Peter
From: Chris W. <CW...@je...> - 2007-04-12 20:39:49

I am working with nfsen/nfdump to create some reports (plugins eventually that I will release) based off of netflow data and I seem to be having a problem with formatting the output. I see from the man pages for nfdump that I should be able to use fmt: to specify a certain output but I am unsuccessful. Essentially, I want to return the top "n" ips for a given time period ordered by ip/bytes. What I don't want is fields other than IP and Bytes.

Here is the command I am currently using (without a -o fmt:):

/usr/local/bin/nfdump -qNM /data/nfsen/profiles/live/rus-kla-ops-1 -T -R nfcapd.200704110000:nfcapd.200704120000 -n 10 -s ip/bytes

1. Is there any way to suppress the column names? I am using -q but it still adds these 2 lines in the output:

Top 10 IP Addr ordered by bytes:
Date first seen Duration Proto IP Addr Flows Packets Bytes pps bps bpp

2. What does a properly formatted fmt: look like to return just the IP and the Bytes for the above results? I don't see/understand a way to return Any IP (instead of just srcip or dstip) and just the bytes. -o fmt:???%byt

I also saw in an earlier thread the -s can override some output values. Is that part of what I am encountering?

So basically I want to go from:

Top 10 IP Addr ordered by bytes:
Date first seen Duration Proto IP Addr Flows Packets Bytes pps bps bpp
2007-04-10 23:44:56.652 87168.973 any 172.16.10.108 38 17.0 M 16.5 G 204 1.6 M 993

To:

172.16.10.108 16.5 G

Currently I do a lot of parsing with perl to accomplish this. Is there a better way?

Thanks.

Chris Waters
Technology Services - Networks Group
JELD-WEN, inc.
Information Systems
cw...@je...
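Both Rune's question (keep only aggregated records with more than 200 flows) and Chris's (reduce an ip/bytes statistic to address and bytes, skipping the title and header lines as Peter suggests) can be handled by post-processing the statistic output nfdump prints. The following is an added example, not code from the list or from nfdump; it assumes the text layout shown in the two posts, and its sample input is constructed from the output they quote.

```python
"""Post-filter nfdump "Top N" statistic output (added example, not nfdump code).

Only lines that begin with a date are records; titles, column headers,
summary and timing lines are skipped, as suggested on the list.  The samples
are constructed from the output quoted in the two posts.
"""
import re
from dataclasses import dataclass

DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
NUM_RE = re.compile(r"^\d+(\.\d+)?$")
SCALE = {"K": 1e3, "M": 1e6, "G": 1e9, "T": 1e12}  # nfdump's scaled-number suffixes


@dataclass
class Row:
    first: str      # "Date flow start" / "Date first seen"
    duration: float
    proto: str
    src: str        # "ip:port" in record statistics, plain address in ip statistics
    dst: str        # empty when the statistic has a single address column
    values: dict    # numeric columns keyed by header name


def _numeric_columns(header):
    """Numeric column names are whatever follows the last address column."""
    tokens = header.split()
    last = max(i for i, t in enumerate(tokens) if t.startswith("Addr"))
    return tokens[last + 1:]


def _numbers(tokens):
    """Turn ['17.0', 'M', '993'] into [17000000.0, 993.0]."""
    out, i = [], 0
    while i < len(tokens):
        if not NUM_RE.match(tokens[i]):
            raise ValueError("unexpected token %r" % tokens[i])
        val = float(tokens[i])
        if i + 1 < len(tokens) and tokens[i + 1] in SCALE:
            val *= SCALE[tokens[i + 1]]
            i += 1
        out.append(val)
        i += 1
    return out


def parse_topn(text):
    """Return the records of an 'nfdump -s ...' statistic as Row objects."""
    rows, columns = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Date "):      # column header line
            columns = _numeric_columns(line)
            continue
        if not DATE_RE.match(line):       # title, summary, timing, notes
            continue
        if columns is None:
            raise ValueError("record before column header: %r" % line)
        tokens = line.split()
        first, duration, proto = tokens[0] + " " + tokens[1], float(tokens[2]), tokens[3]
        if "->" in tokens:                # record statistic: src -> dst
            arrow = tokens.index("->")
            src, dst, rest = tokens[arrow - 1], tokens[arrow + 1], tokens[arrow + 2:]
        else:                             # single-address statistic (e.g. -s ip/bytes)
            src, dst, rest = tokens[4], "", tokens[5:]
        nums = _numbers(rest)
        if len(nums) != len(columns):
            raise ValueError("column count mismatch: %r" % line)
        rows.append(Row(first, duration, proto, src, dst, dict(zip(columns, nums))))
    return rows


def flows_over(rows, min_flows):
    """Rune's case: keep only aggregated records with more than min_flows flows."""
    return [r for r in rows if r.values.get("Flows", 0) > min_flows]


def ip_bytes(rows):
    """Chris's case: reduce an ip/bytes statistic to (address, bytes) pairs."""
    return [(r.src, int(r.values["Bytes"])) for r in rows]


# Constructed from the output in Rune's post (-A srcip,dstport -s record/flows).
RUNE_SAMPLE = """\
Aggregated flows 26
Top 10 flows ordered by flows:
Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2007-05-02 11:59:57.988 737.542 0 5.28.12.111:0 -> 124.191.156.252:1433 5302 341005 1062
2007-05-02 12:12:09.814 87.585 0 226.181.211.53:0 -> 124.191.156.252:135 462 22160 234
2007-05-02 12:01:23.502 776.290 0 158.24.108.121:0 -> 124.191.156.252:1433 62 3968 31
2007-05-02 12:00:45.841 810.843 0 158.24.108.121:0 -> 124.191.156.252:5900 52 3328 26
2007-05-02 12:09:16.559 107.702 0 100.148.151.105:0 -> 124.191.156.252:135 2 60 2
IP addresses anonymized
Summary: total flows: 1424, total bytes: 384246, total packets: 6051, avg bps: 3365, avg pps: 6, avg bpp: 63
Time window: 2007-05-02 11:30:13 - 2007-05-02 12:14:58
"""

# Constructed from the output in Chris's post (-s ip/bytes).
CHRIS_SAMPLE = """\
Top 10 IP Addr ordered by bytes:
Date first seen Duration Proto IP Addr Flows Packets Bytes pps bps bpp
2007-04-10 23:44:56.652 87168.973 any 172.16.10.108 38 17.0 M 16.5 G 204 1.6 M 993
"""
```

With `-o pipe`, as Peter mentions, the header-skipping step is unnecessary, but the threshold and column-selection logic stays the same.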
From: Peter H. <ha...@sw...> - 2007-03-02 08:11:07

Hi Kieran,

--On March 1, 2007 11:13:44 -0700 Kieran Rhysling <Kie...@no...> wrote:
| I have a setup where a load balancer is sending sessions to multiple
| devices that produce netflows. Each device is seeing unique traffic.
|
| I was planning to have each device send to a separate nfcapd process
| listening on a different port on a single collector box. However, that
| makes searching through flows more of a hassle.
|
| Are there any potential problems with having each device send to the
| same nfcapd process, listening on one port. It would basically be
| recombining what the load balancer split up.
|
| I can't see any problems but wanted some feedback before I implement it
| this way. I'd hate to find out later it caused me to lose flows somehow.

This should work, if you think of these points:

- You can no longer separate the two streams, once they hit the collector.
- The collector will report a lot of sequence errors, as both streams will disturb each other's flow sequence. This has no further consequences other than entries in the log files and the sequence error info in the flow header in each file.
- If you export v9, make sure each exporter has a unique ID or they must at least export exactly the same flow templates, otherwise data is decoded as complete rubbish.

Future versions of the collector will be able to separate streams.

- Peter
From: Kieran R. <Kie...@no...> - 2007-03-01 18:13:45

I have a setup where a load balancer is sending sessions to multiple devices that produce netflows. Each device is seeing unique traffic.

I was planning to have each device send to a separate nfcapd process listening on a different port on a single collector box. However, that makes searching through flows more of a hassle.

Are there any potential problems with having each device send to the same nfcapd process, listening on one port? It would basically be recombining what the load balancer split up.

I can't see any problems but wanted some feedback before I implement it this way. I'd hate to find out later it caused me to lose flows somehow.

Thanks,
Kieran
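Two points from the threads above, Peter's warning in this thread that exporters sharing one nfcapd port need distinct v9 source IDs or identical templates, and the "Corrupt data flowset? Pad bytes: N" log lines in Stephen Bradley's thread, can be shown with a toy NetFlow v9 decoder. This is an added example, not nfdump's code: the per-source-ID template cache and the pad-byte check are this example's own reconstruction of the behaviour the thread describes, and the packets are constructed inline.

```python
"""Toy NetFlow v9 template/data decoder (added example, not nfdump code).

A data flowset that leaves more trailing bytes than whole records explain
is what the list attributes to nfcapd's "Corrupt data flowset? Pad bytes: N"
warning (the check below is this example's own reconstruction), and
templates are cached per exporter source ID, so exporters sharing one
collector must use distinct source IDs or identical templates.
"""
import struct

V9_HEADER = struct.Struct("!HHIIII")  # version, count, sysuptime, unix secs, sequence, source id
FLOWSET = struct.Struct("!HH")        # flowset id, length (header included)
IPV4_SRC_ADDR, IPV4_DST_ADDR, IN_BYTES, L4_DST_PORT = 8, 12, 1, 7  # v9 field type numbers


def build_packet(source_id, seq, template=None, records=(), tid=256, pad=0):
    """template: [(field_type, length), ...]; records: packed record bytes."""
    body, count = b"", 0
    if template:
        tpl = struct.pack("!HH", tid, len(template))
        tpl += b"".join(struct.pack("!HH", t, n) for t, n in template)
        body += FLOWSET.pack(0, FLOWSET.size + len(tpl)) + tpl
        count += 1
    if records:
        payload = b"".join(records) + b"\x00" * pad
        body += FLOWSET.pack(tid, FLOWSET.size + len(payload)) + payload
        count += len(records)
    return V9_HEADER.pack(9, count, 1000, 1177000000, seq, source_id) + body


class V9Decoder:
    def __init__(self):
        self.templates = {}  # (source_id, template_id) -> [(field_type, length), ...]
        self.warnings = []

    def feed(self, packet):
        """Decode one export packet into a list of {field_type: int} records."""
        version, _n, _up, _secs, _seq, source_id = V9_HEADER.unpack_from(packet, 0)
        if version != 9:
            raise ValueError("not a NetFlow v9 packet")
        off, out = V9_HEADER.size, []
        while off + FLOWSET.size <= len(packet):
            fid, flen = FLOWSET.unpack_from(packet, off)
            if flen < FLOWSET.size or off + flen > len(packet):
                self.warnings.append("bad flowset length %d" % flen)
                break
            payload = packet[off + FLOWSET.size:off + flen]
            if fid == 0:
                self._load_templates(source_id, payload)
            elif fid >= 256:
                out.extend(self._decode_data(source_id, fid, payload))
            off += flen
        return out

    def _load_templates(self, source_id, payload):
        off = 0
        while off + 4 <= len(payload):
            tid, nfields = struct.unpack_from("!HH", payload, off)
            off += 4
            fields = [struct.unpack_from("!HH", payload, off + 4 * i) for i in range(nfields)]
            self.templates[(source_id, tid)] = fields  # same source id => silently overwritten
            off += 4 * nfields

    def _decode_data(self, source_id, tid, payload):
        fields = self.templates.get((source_id, tid))
        if fields is None:
            self.warnings.append("no template %d for source %d" % (tid, source_id))
            return []
        reclen = sum(n for _, n in fields)
        nrec, pad = divmod(len(payload), reclen)
        if pad > 3:  # more than 4-byte alignment padding is left over
            self.warnings.append("Corrupt data flowset? Pad bytes: %d" % pad)
        out = []
        for i in range(nrec):
            rec, off = {}, i * reclen
            for ftype, n in fields:
                rec[ftype] = int.from_bytes(payload[off:off + n], "big")
                off += n
            out.append(rec)
        return out


TPL_BYTES = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (IN_BYTES, 4)]     # 12-byte records
TPL_PORT = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (L4_DST_PORT, 2)]   # 10-byte records
REC = struct.pack("!III", 0x0A000001, 0x0A000002, 1500)  # 10.0.0.1 -> 10.0.0.2, 1500 bytes


def scenario_padding():
    """One exporter appends 6 junk bytes after a single valid record."""
    dec = V9Decoder()
    recs = dec.feed(build_packet(7, 1, template=TPL_BYTES, records=[REC], pad=6))
    return recs, dec.warnings


def scenario_source_id_clash():
    """Two exporters share source ID 1 but announce different templates 256."""
    dec = V9Decoder()
    dec.feed(build_packet(1, 1, template=TPL_BYTES))
    dec.feed(build_packet(1, 1, template=TPL_PORT))          # overwrites the first template
    recs = dec.feed(build_packet(1, 2, records=[REC, REC]))  # 24 bytes read with a 10-byte layout
    return recs, dec.warnings
```

In the clash scenario the second record decodes to garbage addresses and the leftover bytes trigger the same pad warning, which is why the thread asks for unique source IDs or identical templates.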
From: Tristan R. <tri...@we...> - 2007-03-01 16:30:17