nfdump -f filters and stdin (-r -)

netflow collecting and processing tools

Brought to you by: phaag

#54 nfdump -f filters and stdin (-r -)

Milestone: v1.6

Status: open

Owner: Peter Haag

Labels: nfdump (15)

Priority: 5

Updated: 2012-10-16

Created: 2012-10-16

Creator: gregg conklin

Private: No

$ nfdump -V
nfdump: Version: 1.6.3p1 $LastChangedDate: 2011-02-26 12:49:02 +0100 (Sat, 26 Feb 2011) $
$Id: nfdump.c 69 2010-09-09 07:17:43Z haag $

When using a filter and reading from stdin, lots of errors are sent to stderr.

$ zcat nfcapd.201210140855.gz | nfdump -f nf-filter.txt -r - 2> blah-nf2
$ sort blah-nf2|uniq -c|sort -rn
1044463 Skip unknown record type 0
17474 Skip unknown record type 15360
4096 Skip unknown record type 256
1 Skip unknown record type 65520
1 Skip unknown record type 32512
1 Skip corrupt data file '(null)': 'Corrupt data file: Requested buffer size 2116485499 exceeds max. buffer size.
1 Can't process block type 17476. Skip block.
1 '
$ wc -l blah-nf2
1066038 blah-nf2

Same thing happens without -f and just putting the filter on the command line. Example filter:
HOST 1.2.3.4

It's interesting to note that uncompressing the nfcapd file and then using:
cat nfcapd.201210140855 | nfdump -f nf-filter.txt -r -
worked fine.

nfdump -f filters and stdin (-r -)

netflow collecting and processing tools

Group

Searches

Help

#54 nfdump -f filters and stdin (-r -)

Discussion