Re: [Nfdump-discuss] as information
netflow collecting and processing tools
From: Peter H. <ha...@sw...> - 2006-03-08 15:18:27
-----BEGIN PGP SIGNED MESSAGE-----
Hi Chelo,
--On March 8, 2006 15:32:39 +0100 Chelo Malagon RedIRIS <che...@re...> wrote:
| Hello.
| In my case it is worse :-( When I run the same command I get a
| Segmentation fault
The seg faults are collateral damage of a zero match of your flows.
nfdump-1.5, released today, has fixed that.
AS 0 may be a valid value and depends on your exporter/setup/routing information.
AS information is not always available.
- Peter
|
| nfdump -r nfcapd.200603081515 -n 500 -s record/bytes -o raw 'dstas 766 and dst port 80'
| Aggregated flows 0
| Top 500 flows ordered by bytes:
| Violación de segmento
|
| if I run this one:
| nfdump -r nfcapd.200603081515 -n 500 -s record/bytes -o raw
| I get a lot of information, but analyzing it I realised all the flow
| records have the fields srcas and dstas set to 0, which seems not to
| be normal, no?
|
| If I run
|
| nfdump -r nfcapd.200603081515 -n 500 -s record/bytes -o raw 'dstas 0'
| I don't get the segmentation fault
|
| Any idea? Running nfsen-1.2.3 + nfdump-1.5-beta-4
|
| Cheers,
| Chelo
|
|
| On Tue, 7 Mar 2006 14:33:11 -0500 "Jones, Brian" wrote:
| >
| > Hello,
| >
| >
| > I am trying to use nfdump to gather some information on traffic to
| > certain destination AS's.
| >
| > The data I am getting back from my filter does not seem to be correct.
| > I don't know if it is a problem with the query or the actual information
| > exported from netflow.
| >
| > Doing the following query to see web traffic to Google's AS:
| >
| > -r nfcapd.200603071310 -n 500 -s record/bytes -o raw 'dst AS 15169 and
| > dst port 80'
| >
| > I get:
| >
| > Flow Record:
| > addr = 1.1.1.1
| > dstaddr = 2.2.2.2
| > nexthop = 0.x.y.z
| > input = 37720
| > output = 53182
| > dPkts = 20
| > dOctets = 10241
| > First = 1141755007 [2006-03-07 13:10:07]
| > Last = 1141755266 [2006-03-07 13:14:26]
| > port = 1636
| > dstport = 80
| > tcp_flags = 0
| > prot = 6
| > tos = 0
| > src_as = 25538
| > dst_as = 2784
| > msec_first = 896
| > msec_last = 982
| >
| >
| > Problems I am seeing:
| > The dst_as (2784) is not what I searched for (15169); issued to
| > RIPE:
| > The src_as (25538) is not on my network; it's registered to
| > RIPE:
| > The nexthops don't seem to make sense - they are all in the
| > format of 0.x.y.z.
| >
| > Is there a way to see the output of the dst_as and src_as in the normal
| > output (without doing a -o raw)?
| >
| > We are using version 1.4.1.
| >
| >
| > Thanks for your help.
| >
| > Brian Jones
| >
| >
| >
| >
| > -------------------------------------------------------
| > This SF.Net email is sponsored by xPML, a groundbreaking scripting language
| > that extends applications into web and mobile media. Attend the live webcast
| > and join the prime developer group breaking into this new coding territory!
| > http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
| > _______________________________________________
| > Nfdump-discuss mailing list
| > Nfd...@li...
| > https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
| >
|
--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Limmatquai 138, CH-8001 Zurich, Switzerland
E-mail: pet...@sw... Web: http://www.switch.ch/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
iQCVAwUBRA71uP5AbZRALNr/AQEo+wP/UXgmWVaUCwwYWNPXHpD8i1MnLNP93F1m
mJ0nbYN2H3cy2/Y2+MA0lJFSkPEiSQ0Tney8AwyZa6O7aJBtcWir2RoALf+V5Ued
+TCcYDy6k3+SAQBsZU8OXQC40a5Un7jaL0JTW2qlyPTdYdfxBn2EHnFPM2uN1EtD
uGs8+MHbv1Q=
=vL8b
-----END PGP SIGNATURE-----
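The thread turns on two things a practitioner would want to check before trusting an AS-based filter: whether the exporter is actually populating src_as/dst_as (all-zero values, as Chelo saw, usually mean the AS information is simply not available), and whether a filter matched anything at all (the zero-match case that crashed nfdump-1.5-beta-4). The following Python script is an added example, not code from the thread or from the nfdump project: it parses the "Flow Record:" layout of `nfdump -o raw` output as quoted above, counts records whose AS fields are both 0 and whose nexthop is in the odd 0.x.y.z form Brian reported, and applies a dst_as selection that returns an empty list on no match. The field names are taken from the quoted output; the sample records and their addresses, AS numbers and counters are constructed for the example.

```python
import re

# Constructed sample of `nfdump -o raw` output in the "Flow Record:" layout
# quoted in this thread. All addresses, AS numbers and counters are made up.
SAMPLE_RAW = """\
Flow Record:
addr = 1.1.1.1
dstaddr = 2.2.2.2
nexthop = 0.10.20.30
input = 37720
output = 53182
dPkts = 20
dOctets = 10241
port = 1636
dstport = 80
prot = 6
src_as = 25538
dst_as = 2784
Flow Record:
addr = 10.0.0.5
dstaddr = 192.0.2.7
nexthop = 192.0.2.1
dPkts = 3
dOctets = 240
port = 51000
dstport = 443
prot = 6
src_as = 0
dst_as = 0
Flow Record:
addr = 10.0.0.9
dstaddr = 198.51.100.4
nexthop = 0.1.2.3
dPkts = 1
dOctets = 60
port = 40000
dstport = 80
prot = 6
src_as = 0
dst_as = 0
"""

# One "name = value" line of the raw output; value is the first non-blank token,
# so the bracketed timestamps after First/Last are ignored.
FIELD_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)")


def parse_raw(text):
    """Split raw output into a list of dicts, one per 'Flow Record:' block."""
    records = []
    current = None
    for line in text.splitlines():
        if line.strip() == "Flow Record:":
            current = {}
            records.append(current)
            continue
        if current is None:
            continue  # text before the first record header is ignored
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    return records


def as_report(records):
    """Sanity check: is AS information present at all in this capture?"""
    total = len(records)
    zero_as = sum(1 for r in records
                  if r.get("src_as") == "0" and r.get("dst_as") == "0")
    zero_nexthop = sum(1 for r in records
                       if r.get("nexthop", "").startswith("0."))
    return {
        "records": total,
        "zero_as": zero_as,
        "zero_nexthop": zero_nexthop,
        # If every record carries AS 0, the exporter is not supplying AS data
        # and any 'dstas N' filter will legitimately match nothing.
        "as_info_available": total > 0 and zero_as < total,
    }


def select_dst_as(records, asn):
    """Post-hoc equivalent of the thread's 'dstas N' filter. A zero match
    yields an empty list rather than failing, which is what a reader of
    nfdump output should expect before aggregating or ranking flows."""
    return [r for r in records if r.get("dst_as") == str(asn)]


if __name__ == "__main__":
    recs = parse_raw(SAMPLE_RAW)
    print(as_report(recs))
    print(len(select_dst_as(recs, 15169)), "flows to AS 15169")
    print(len(select_dst_as(recs, 2784)), "flows to AS 2784")
```

Run against a real capture with `nfdump -r nfcapd.<timestamp> -o raw | python3 check_as.py` (reading stdin instead of SAMPLE_RAW); if `as_info_available` is false, fix the exporter or routing information before chasing AS filter results, and treat an empty selection as a valid outcome rather than an error.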