Re: [Nfdump-discuss] as information
netflow collecting and processing tools
From: Chelo M. R. <che...@re...> - 2006-03-08 14:32:58
Hello. In my case it is worse :-( When I run the same command I get a Segmentation fault:

nfdump -r nfcapd.200603081515 -n 500 -s record/bytes -o raw 'dstas 766 and dst port 80'

Aggregated flows 0
Top 500 flows ordered by bytes:
Violación de segmento

If I run this one:

nfdump -r nfcapd.200603081515 -n 500 -s record/bytes -o raw

I get a lot of information, but analyzing it I realised all the flow records have the fields srcas and dstas set to 0, which seems not to be normal, no?

If I run

nfdump -r nfcapd.200603081515 -n 500 -s record/bytes -o raw 'dstas 0'

I don't get the segmentation fault.

Any idea?

Running nfsen-1.2.3 + nfdump-1.5-beta-4

Cheers,
Chelo

On Tue, 7 Mar 2006 14:33:11 -0500, "Jones, Brian" wrote:
>
> Hello,
>
> I am trying to use nfdump to gather some information on traffic to
> certain destination AS's.
>
> The data I am getting back from my filter does not seem to be correct.
> I don't know if it is a problem with the query or the actual information
> exported from netflow.
>
> Doing the following query to see web traffic to Google's AS:
>
> -r nfcapd.200603071310 -n 500 -s record/bytes -o raw 'dst AS 15169 and
> dst port 80'
>
> I get:
>
> Flow Record:
>   addr        = 1.1.1.1
>   dstaddr     = 2.2.2.2
>   nexthop     = 0.x.y.z
>   input       = 37720
>   output      = 53182
>   dPkts       = 20
>   dOctets     = 10241
>   First       = 1141755007 [2006-03-07 13:10:07]
>   Last        = 1141755266 [2006-03-07 13:14:26]
>   port        = 1636
>   dstport     = 80
>   tcp_flags   = 0
>   prot        = 6
>   tos         = 0
>   src_as      = 25538
>   dst_as      = 2784
>   msec_first  = 896
>   msec_last   = 982
>
> Problems I am seeing:
> The dst_as (2784) is not what I searched for (15169); issued to RIPE:
> The src_as (25538) is not on my network; it's registered to RIPE:
> The nexthops don't seem to make sense - they are all in the
> format of 0.x.y.z.
>
> Is there a way to see the output of the dst_as and src_as in the normal
> output (without doing a -o raw)?
>
> We are using version 1.4.1.
>
> Thanks for your help.
>
> Brian Jones
>
> _______________________________________________
> Nfdump-discuss mailing list
> Nfd...@li...
> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
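Both messages in this thread come down to the same verification problem: does the AS information in the exported records match what the filter was supposed to select, and is it present at all? The following is an added example, not part of the thread and not nfdump's own code. It parses the `Flow Record:` block layout that `nfdump -o raw` prints (as quoted above) and reports records whose `src_as`/`dst_as` are 0 (the exporter is not sending BGP AS data, Chelo's case) or whose `dst_as` differs from the AS the filter asked for (Brian's case). The sample input and its addresses are constructed for the example; the function names are the example's own.

```python
"""Sanity-check `nfdump -o raw` output for AS information.

Added example (not nfdump project code). Parses the 'Flow Record:' blocks
printed by `nfdump -o raw` and summarises AS-related anomalies so that a
filter result can be validated before anyone trusts the numbers.
"""
import re
from collections import Counter

# Constructed sample of `nfdump -o raw` output, following the field layout
# shown in the thread. Addresses are RFC 5737 documentation ranges.
SAMPLE_RAW = """\
Flow Record:
  addr        = 192.0.2.10
  dstaddr     = 198.51.100.20
  nexthop     = 0.0.0.0
  input       = 37720
  output      = 53182
  dPkts       = 20
  dOctets     = 10241
  First       = 1141755007 [2006-03-07 13:10:07]
  Last        = 1141755266 [2006-03-07 13:14:26]
  port        = 1636
  dstport     = 80
  prot        = 6
  src_as      = 25538
  dst_as      = 2784

Flow Record:
  addr        = 192.0.2.11
  dstaddr     = 198.51.100.21
  nexthop     = 0.0.0.0
  input       = 37720
  output      = 53182
  dPkts       = 5
  dOctets     = 600
  First       = 1141755100 [2006-03-07 13:11:40]
  Last        = 1141755110 [2006-03-07 13:11:50]
  port        = 40001
  dstport     = 80
  prot        = 6
  src_as      = 0
  dst_as      = 0
"""

# One "name = value" field per line; the value is the first non-space token,
# so timestamps like "1141755007 [2006-03-07 13:10:07]" keep only the epoch.
FIELD_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)")


def parse_raw_records(text):
    """Split '-o raw' text into a list of dicts, one per 'Flow Record:' block."""
    records = []
    current = None
    for line in text.splitlines():
        if line.startswith("Flow Record:"):
            current = {}
            records.append(current)
            continue
        if current is None:
            continue  # header or summary lines before the first record
        m = FIELD_RE.match(line)
        if m:
            key, value = m.groups()
            # numeric fields become ints; addresses stay strings
            current[key] = int(value) if value.isdigit() else value
    return records


def check_as_fields(records, expected_dst_as=None):
    """Summarise AS anomalies in parsed records.

    Returns the record count, how many records carry src_as == 0 or
    dst_as == 0 (no AS information exported), how many have a dst_as other
    than expected_dst_as (the filter did not select what the user thought),
    and the byte total per dst_as for a quick top-N view.
    """
    zero_as = 0
    mismatched = 0
    bytes_by_dst_as = Counter()
    for rec in records:
        src_as = rec.get("src_as", 0)
        dst_as = rec.get("dst_as", 0)
        if src_as == 0 or dst_as == 0:
            zero_as += 1
        if expected_dst_as is not None and dst_as != expected_dst_as:
            mismatched += 1
        bytes_by_dst_as[dst_as] += rec.get("dOctets", 0)
    return {
        "records": len(records),
        "zero_as": zero_as,
        "mismatched_dst_as": mismatched,
        "bytes_by_dst_as": dict(bytes_by_dst_as),
    }


if __name__ == "__main__":
    # Same check Brian's filter implied: everything should be dst_as 15169.
    print(check_as_fields(parse_raw_records(SAMPLE_RAW), expected_dst_as=15169))
```

Run it on real output by piping `nfdump ... -o raw` into the script instead of `SAMPLE_RAW`. A non-zero `zero_as` count means the exporter is not populating AS fields (typically the router is not exporting BGP-derived AS numbers, so any `srcas`/`dstas` filter can only ever match 0), and a non-zero `mismatched_dst_as` count against the AS you filtered for means the filter expression and the data disagree, which is worth resolving before reporting traffic volumes per AS.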