flowd does filter, but not stats. I use flow-report for that. You could also import into nfdump, I s'pose (what's one more pipe?).

However, you're right that the current nfdump (v1.6) does look promising. The docs suggest that you still need to identify exporters in advance with -n, but the source code reveals that if you just specify a base directory with -l, it'll store all exporters into a single set of files. I'll give it a try. I do like how nfdump's author has done an admirable job adding v9/IPFIX extended fields - IPv6, MPLS labels, MAC addrs, VLAN tags, etc. However, if one is looking at moving their code from flow-tools to something else, I wonder if it's not better to go with a package like SiLK that fully supports IPFIX's flexible-record, vendor-extensible format. A minor strike is that nfdump lacks FT's *-count reports for identifying which IPs are talking to the most other IPs (not the most bytes, packets, or flows). Room for a patch there.

-Craig

On Wed, 27 Oct 2010, Ed Ravin wrote:

> On Wed, Oct 27, 2010 at 10:00:24AM -0500, Craig Weinhold wrote:
> > One unfortunate architectural flaw of nfdump is that each exporter
> > requires its own daemon running on a unique UDP port. This doesn't
> > lend itself to MPLS WAN environments, where you might have hundreds
> > or thousands of exporters, changing daily.
>
> Is that still the case with the current version? The nfcapd man page
> describes an option for multiple exporters, which I haven't tried yet:
>
> -n <Ident,IP,base_directory>
> Configures a netflow source named Ident and identified by source IP
> address IP. The base directory for the flow files is base_directory.
> If a sub hierarchy is specified with -S the final directory is
> concatenated to base_directory/sub_hierarchy. Multiple netflow
> sources can be specified. All data is sent to the same port specified
> by -p. Note: You must not mix -n option with -I and -l. Use
> either syntax.
>
> > I've found 'flowd' to be a pretty good collector. It's closer in
> > spirit to flow-tools, but also uses tcpdump syntax.
>
> But it's just a collector - if you want tools to summarize and report
> on the data, looks like you need to write them yourself? I have a bunch
> of post-processing scripts summarizing our flow-tools data, so it was
> nice that they were easy to convert with nfdump.
>
> Also, nfdump comes with a script to convert flow-tools data (actually,
> almost any printable network trace data) into its own format, so there's
> some limited backward compatibility.
>
> -- Ed

_______________________________________________
Flow-tools mailing list
[email protected]
http://mailman.splintered.net/mailman/listinfo/flow-tools
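The "*-count" style report Craig describes (which IPs talk to the most other IPs, as opposed to the most bytes, packets or flows) is the kind of post-processing script Ed mentions writing against collector output. The script below is an added example, not code from nfdump, flow-tools or this thread; it assumes flow records exported as CSV with a hypothetical column layout (start time, protocol, src IP, src port, dst IP, dst port, packets, bytes, loosely modelled on `nfdump -o csv`), and the sample rows are constructed. It computes per-address distinct-peer counts (fan-out per source, fan-in per destination) beside a byte-based ranking, so the contrast in the post is visible: the host touching many peers with tiny flows tops the peer-count report while a single bulk transfer tops the byte report. From a detection standpoint, a high fan-out on one port with tiny flows is the classic scanning or worm-propagation signature that byte- or flow-volume reports miss.

```python
"""Distinct-peer ("*-count") report over CSV flow records.

Added example; not nfdump's or flow-tools' own code. Column layout is a
hypothetical one: ts,pr,sa,sp,da,dp,ipkt,ibyt (adjust FIELDS for real output).
"""
from collections import defaultdict
import csv
import io
import ipaddress

FIELDS = ("ts", "pr", "sa", "sp", "da", "dp", "ipkt", "ibyt")  # assumed layout

# Constructed sample: 10.0.0.5 probes six peers on tcp/445 (one repeated),
# four clients hit web server 192.0.2.10, one bulk transfer dominates bytes,
# and a malformed row exercises the validation path.
SAMPLE_FLOWS = """\
ts,pr,sa,sp,da,dp,ipkt,ibyt
2010-10-27 10:00:01,TCP,10.0.0.5,40001,10.0.1.1,445,1,60
2010-10-27 10:00:01,TCP,10.0.0.5,40002,10.0.1.2,445,1,60
2010-10-27 10:00:02,TCP,10.0.0.5,40003,10.0.1.3,445,1,60
2010-10-27 10:00:02,TCP,10.0.0.5,40004,10.0.1.4,445,1,60
2010-10-27 10:00:03,TCP,10.0.0.5,40005,10.0.1.5,445,1,60
2010-10-27 10:00:03,TCP,10.0.0.5,40006,10.0.1.6,445,1,60
2010-10-27 10:00:04,TCP,10.0.0.5,40007,10.0.1.1,445,1,60
2010-10-27 10:00:05,TCP,198.51.100.1,51000,192.0.2.10,80,12,3400
2010-10-27 10:00:05,TCP,198.51.100.2,51001,192.0.2.10,80,9,2100
2010-10-27 10:00:06,TCP,198.51.100.3,51002,192.0.2.10,80,15,5200
2010-10-27 10:00:06,TCP,198.51.100.4,51003,192.0.2.10,80,7,1800
2010-10-27 10:00:07,TCP,10.0.0.7,33000,10.0.0.8,22,400000,520000000
2010-10-27 10:00:08,TCP,not-an-ip,1,10.0.0.9,22,1,60
"""


def parse_flows(text):
    """Yield one dict per CSV row; rows with bad addresses or counters are skipped."""
    reader = csv.DictReader(io.StringIO(text))
    for row in reader:
        try:
            ipaddress.ip_address(row["sa"])   # raises ValueError on garbage
            ipaddress.ip_address(row["da"])
            row["ipkt"] = int(row["ipkt"])
            row["ibyt"] = int(row["ibyt"])
        except (KeyError, TypeError, ValueError):
            continue  # collector glitch or truncated line: drop, don't crash
        yield row


def peer_counts(flows, key="sa", peer="da"):
    """Map each address in column `key` to its number of DISTINCT peers in `peer`.

    key="sa", peer="da" gives fan-out per source; swap them for fan-in per destination.
    """
    peers = defaultdict(set)
    for f in flows:
        peers[f[key]].add(f[peer])
    return {ip: len(s) for ip, s in peers.items()}


def byte_totals(flows, key="sa"):
    """Map each address in column `key` to its total bytes (the usual top-talker view)."""
    totals = defaultdict(int)
    for f in flows:
        totals[f[key]] += f["ibyt"]
    return dict(totals)


def top_n(counts, n=5):
    """Rank descending by value, ties broken by address string for stable output."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def report(text, n=5):
    """Build the three rankings from CSV text; flows are materialised once and reused."""
    flows = list(parse_flows(text))
    return {
        "src_by_peers": top_n(peer_counts(flows, "sa", "da"), n),  # fan-out
        "dst_by_peers": top_n(peer_counts(flows, "da", "sa"), n),  # fan-in
        "src_by_bytes": top_n(byte_totals(flows, "sa"), n),        # volume, for contrast
    }


if __name__ == "__main__":
    for name, rows in report(SAMPLE_FLOWS).items():
        print(name)
        for ip, value in rows:
            print(f"  {ip:<16} {value}")
```

Run on the constructed sample, `src_by_peers` puts 10.0.0.5 first with 6 distinct peers (the repeated 10.0.1.1 counts once), `dst_by_peers` puts 192.0.2.10 first with 4, and `src_by_bytes` puts 10.0.0.7 first even though it spoke to a single host. To run it against real collector output, pipe the CSV into `report()` and set FIELDS/the column names to match what your nfdump or flow-tools version actually emits.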
