On Wed, Mar 06, 2013 at 06:04:33, Peter Haag wrote:
> Subject: Re: [Nfdump-discuss] nfreplay not showing correct time window 
> on old data
> 
> Hi Ryan,
> Nfcapd is a real time collector. It puts data in files and timestamps 
> them according to the received date. Therefore you get a 2013 stamp. 
> Hence, the data goes into a single file as long as the transfer to the 
> collector completes in 5min real time.
> 

How about I reclassify the data based on the timestamp of last?  I was 
originally using the field received, but changed to first and last later.  I 
can re-encode the data with the identity and received fields set properly, 
should nfsen -r live work at that point?

Thanks!

-ryan

> On 3/5/13 23:06, Ryan West wrote:
> > Hi,
> >
> > With the help of another member I was able to convert months of ASA
> > syslog data to Netflow v9.  Thanks again for that.  The data was 
> > converted into nsel-nfdump 1.6.9 format and then the intention was to 
> > use nfreplay to push all the data into two collectors.  The SiLK 
> > collector is reading the dates fine.  However, nfsen puts the data into a 
> > single 5 minute chunk.
> >
> > 450871655 Mar  5 15:30 nfcapd.201303051525
> >      25829 Mar  5 15:35 nfcapd.201303051530
> >      22279 Mar  5 15:40 nfcapd.201303051535
> >
> > If I dump the file, I can see the proper timestamps:
> >
> > 2012-10-25 22:36:43.296 IGNORE  Ignore TCP       192.168.0.12:443   ->        x.x.x.x:51796          0.0.0.0:0     ->          0.0.0.0:51796     2129
> > 2012-10-25 22:36:50.296 IGNORE  Ignore TCP       192.168.0.12:443   ->        x.x.x.x:51796          0.0.0.0:0     ->          0.0.0.0:51796     2129
> > 2012-10-25 22:36:50.296 IGNORE  Ignore TCP       192.168.0.12:443   ->        x.x.x.x:51796          0.0.0.0:0     ->          0.0.0.0:51796     2129
> > 2012-10-25 22:36:57.296 IGNORE  Ignore TCP       192.168.0.12:443   ->        x.x.x.x:51796          0.0.0.0:0     ->          0.0.0.0:51796     2129
> > 2012-10-25 22:36:57.296 IGNORE  Ignore TCP       192.168.0.12:443   ->        x.x.x.x:51796          0.0.0.0:0     ->          0.0.0.0:51796     2129
> >
> > nfdump -r nfcapd.201303051525 -t 2012/10/25.23:36:43-2013/01/01.00:00:00
> > Date first seen          Event  XEvent Proto      Src IP Addr:Port          Dst IP Addr:Port     X-Src IP Addr:Port        X-Dst IP Addr:Port     Bytes
> > Empty file list. No files to process No matched flows
> >
> > Any idea what I might be missing or another recommended way to get 
> > the data usable by nfsen?  Also, I wanted to point out the cosmetic bug on 
> > the xdstport field.
> >
> > Thanks,
> >
> > -ryan
> >
> > _______________________________________________
> > Nfdump-discuss mailing list
> > Nfdump-discuss@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
> >
> 
> -- 
> Be nice to your netflow data
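The rebinning Ryan asks about, as an added example (not code from nfdump, nfsen, or either poster): take the `Date first seen` column of `nfdump` text output, floor each flow to the 5-minute slot nfsen expects, and emit one `nfdump -r ... -t ... -w ...` command per populated slot so the replayed history lands in correctly named nfcapd files instead of one file stamped with the receive time. The sample lines, the 10.0.0.x peers and the helper names are constructed for this example.

```python
"""Hypothetical helper: bin nfdump text output into nfsen's 5-minute nfcapd files."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, in the layout of the `nfdump -r <file>` output
# quoted in the thread (only the leading "Date first seen" column matters here).
SAMPLE = """\
2012-10-25 22:36:43.296 IGNORE  Ignore TCP  192.168.0.12:443 -> 10.0.0.1:51796 2129
2012-10-25 22:36:50.296 IGNORE  Ignore TCP  192.168.0.12:443 -> 10.0.0.1:51796 2129
2012-10-25 22:41:02.100 IGNORE  Ignore TCP  192.168.0.12:443 -> 10.0.0.2:51800 1500
2012-10-26 00:00:00.000 IGNORE  Ignore TCP  192.168.0.12:443 -> 10.0.0.3:51801  900
"""

def first_seen(line):
    """Parse the 'Date first seen' column (first 23 chars) of an nfdump text line."""
    return datetime.strptime(line[:23], "%Y-%m-%d %H:%M:%S.%f")

def slot_start(ts):
    """Floor a timestamp to the start of its 5-minute nfcapd slot."""
    floored = ts.replace(second=0, microsecond=0)
    return floored - timedelta(minutes=floored.minute % 5)

def nfcapd_name(ts):
    """nfsen file name for the slot containing ts, e.g. nfcapd.201210252235."""
    return "nfcapd." + slot_start(ts).strftime("%Y%m%d%H%M")

def bin_flows(text):
    """Group dump lines by target nfcapd file; header/summary lines are skipped."""
    bins = defaultdict(list)
    for line in text.splitlines():
        try:
            bins[nfcapd_name(first_seen(line))].append(line)
        except ValueError:
            continue  # not a flow record line
    return dict(bins)

def nfdump_time_filter(ts):
    """-t window in the thread's YYYY/MM/DD.HH:MM:SS form covering ts's slot."""
    start = slot_start(ts)
    fmt = "%Y/%m/%d.%H:%M:%S"
    end = start + timedelta(minutes=5) - timedelta(seconds=1)
    return start.strftime(fmt) + "-" + end.strftime(fmt)

def split_commands(src, text):
    """One `nfdump -r <src> -t <window> -w <file>` command per populated slot."""
    cmds = []
    for name, lines in sorted(bin_flows(text).items()):
        win = nfdump_time_filter(first_seen(lines[0]))
        cmds.append(f"nfdump -r {src} -t {win} -w {name}")
    return cmds
```

Running `split_commands("nfcapd.201303051525", SAMPLE)` yields three commands, one each for the 22:35, 22:40 and next-day 00:00 slots; the resulting files can then be placed in the profile's data directory for nfsen to pick up.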


