[Nfdump-discuss] Missing traffic in pipe format
From: Jens S. <sha...@sh...> - 2006-10-27 06:52:40
Hi there,

yesterday I encountered a very strange thing, as our accounting system, which is based on nfdump-generated traffic information, seems to have missed traffic for a huge bunch of our IPs. As we need to have a running system, we still field version 1.5 of nfdump as it proved working.

The case: I have three files from three different routers for five minutes, and do the following operations:

    /usr/local/bin/nfdump -a -q -o extended -M /daten/flowdata/ix:my:ix400 -r nfcapd.200610222230 > ~/ascalion_extended.txt
    -> all seems fine, my example IP is there

    /usr/local/bin/nfdump -a -q -o extended -M /daten/flowdata/ix:my:ix400 -r nfcapd.200610222230 'ip 193.110.43.196' > ~/ascalion_extended_filtered.txt
    -> all fine, only traffic with my IP as it should be

    /usr/local/bin/nfdump -a -q -o pipe -M /daten/flowdata/ix:my:ix400 -r nfcapd.200610222230 > ~/ascalion_pipe.txt
    -> can't find the integer representation of my IP in the entire file

    /usr/local/bin/nfdump -a -q -o pipe -M /daten/flowdata/ix:my:ix400 -r nfcapd.200610222230 'ip 193.110.43.196' > ~/ascalion_pipe_filtered.txt
    -> only piped traffic of my IP there

The last two are very strange, as I thought the latter one is only a filtered subset of the first one, but the IP and therefore the traffic isn't there.

Does it make sense to carefully first upgrade to nfdump 1.5.2 and redo the tests? If the problem persists, I may be able to hand out data to recreate the case (without sending GB of datafiles).

Jens