If you aggregate dstip then only dst IP is relevant. nfdump-1.6.3 did not mask 
out zero other fields, which was a bug.

        - Peter
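
Peter's explanation (merge records that share the listed elements, zero the other elements, add up the counters) as an added Python re-implementation for illustration; this is not nfdump's own code, and the Flow records below are constructed from the unaggregated listing quoted later in the thread (UDP is protocol 17).

```python
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List, Sequence, Tuple

@dataclass(frozen=True)
class Flow:
    """One flow record; times are seconds relative to the start of the capture window."""
    first: float
    last: float
    proto: int
    srcip: str
    srcport: int
    dstip: str
    dstport: int
    packets: int
    nbytes: int
    flows: int = 1

# "-a" on its own aggregates on the 5-tuple; "-A" replaces this key list.
FIVE_TUPLE: Tuple[str, ...] = ("proto", "srcip", "dstip", "srcport", "dstport")
# Value a non-key element takes in the merged record (the "0" / "0.0.0.0:0" in the 1.6.9 listing).
ZEROED = {"proto": 0, "srcip": "0.0.0.0", "srcport": 0, "dstip": "0.0.0.0", "dstport": 0}

def aggregate(flows: Iterable[Flow], keys: Sequence[str] = FIVE_TUPLE) -> List[Flow]:
    """Merge flows sharing the key elements: zero the other elements, sum the counters."""
    unknown = set(keys) - set(ZEROED)
    if unknown:
        raise ValueError(f"unknown aggregation element(s): {sorted(unknown)}")
    buckets: Dict[tuple, Flow] = {}
    for f in flows:
        k = tuple(getattr(f, name) for name in keys)
        agg = buckets.get(k)
        if agg is None:  # first flow for this key: keep the key elements, zero the rest
            buckets[k] = replace(f, **{n: v for n, v in ZEROED.items() if n not in keys})
        else:  # duration spans first seen to last seen; packets, bytes and flows add up
            buckets[k] = replace(agg, first=min(agg.first, f.first), last=max(agg.last, f.last),
                                 packets=agg.packets + f.packets, nbytes=agg.nbytes + f.nbytes,
                                 flows=agg.flows + f.flows)
    return sorted(buckets.values(), key=lambda a: (a.first, a.dstip))

# Constructed sample modelled on the unaggregated "-c 20" listing in the thread (UDP = 17).
SAMPLE_FLOWS = [
    Flow(0.001, 0.098, 17, "172.28.129.63", 3000, "225.0.52.6", 3000, 47, 63732),
    Flow(0.000, 0.099, 17, "172.30.6.1", 3000, "226.0.4.12", 3000, 95, 128820),
    Flow(0.004, 0.099, 17, "172.30.6.1", 3000, "226.0.4.13", 3000, 19, 25764),
    Flow(0.000, 0.099, 17, "172.30.6.1", 3000, "226.0.4.12", 3000, 95, 128820),
    Flow(0.000, 0.099, 17, "172.28.129.63", 3000, "225.0.52.6", 3000, 48, 65088),
]
```

`aggregate(SAMPLE_FLOWS, ("dstip",))` reproduces the 1.6.9 "-a -A dstip" shape (proto 0, source 0.0.0.0:0, flows counted per destination), while `aggregate(SAMPLE_FLOWS)` keeps the full 5-tuple as "-a" alone does.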

On 16/5/13 4:31 PM, marcello pisano wrote:
> Hello Mr Haag,
> 
> thank you for your answer. Sorry, I didn't see that difference in the command. My
> target was only the option -A. Here is another example:
> 
> 
> 
> nfdump: Version: 1.6.3 $LastChangedDate: 2011-01-09 12:28:32 +0100 (Sun, 09 Jan 2011) $
> $Id: nfdump.c 69 2010-09-09 07:17:43Z haag $
> 
>   nfdump -T  -r nfcapd.201305161546  -A dstip -o extended -c 20
> Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Flags Tos  Packets    Bytes      pps      bps    Bpp Flows
> Skip unknown record type 7
> Skip unknown record type 9
> Skip unknown record type 8
> 2013-05-16 15:45:59.952    58.997 UDP     172.16.162.137:58175 -> 239.255.255.250:1900  ......   0       51     7035        0      953    137    51
> 2013-05-16 15:45:59.900    59.099 UDP      172.28.129.60:3000  -> 225.0.48.12:3000  ......  28   159575  216.4 M     2700   29.3 M   1355   603
> 2013-05-16 15:45:59.900    59.099 UDP      172.16.130.50:2000  -> 239.0.1.2:3000  ......   0   216648  291.2 M     3665   39.4 M   1343   603
> 2013-05-16 15:45:59.900    59.100 UDP      172.16.130.53:2000  -> 239.0.1.3:3000  ......   0   216650  291.2 M     3665   39.4 M   1343   604
> 2013-05-16 15:45:59.900    59.099 UDP         172.30.5.1:3000  -> 226.0.5.12:3000  ......   0    56992   77.3 M      964   10.5 M   1355   601
> 2013-05-16 15:45:59.900    59.099 UDP      172.28.129.63:3000  -> 225.0.52.6:3000  ......   0    28496   38.6 M      482    5.2 M   1355   601
> 2013-05-16 15:45:59.900    59.100 UDP      172.28.129.60:3000  -> 225.0.48.9:3000  ......  28   159574  216.4 M     2700   29.3 M   1355   603
> 2013-05-16 15:45:59.900    59.099 UDP         172.30.6.1:3000  -> 226.0.4.12:3000  ......   0    56992   77.3 M      964   10.5 M   1355   603
> 2013-05-16 15:45:59.900    59.100 UDP      172.16.129.40:3001  -> 239.0.1.1:3000  ......   0   216650  291.2 M     3665   39.4 M   1343   603
> 2013-05-16 15:45:59.904    59.094 UDP         172.30.6.1:3000  -> 226.0.4.13:3000  ......   0    11399   15.5 M      192    2.1 M   1355   601
> Summary: total flows: 5473, total bytes: 1.5 G, total packets: 1.1 M, avg bps: 205.1 M, avg pps: 19002, avg bpp: 1348
> Time window: 2013-05-16 15:45:59 - 2013-05-16 15:46:59
> 
> 
> 
>    - For the same file I use the same command, but the nfdump version is
>    different:
> 
> 
> nfdump: Version: 1.6.9 $Date: 2013-03-02 16:19:58 +0100 (Sat, 02 Mar 2013) $
> 
> [ nfdump -T  -r nfcapd.201305161546 -a  -A dstip -o extended -c 20
> Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Flags Tos  Packets    Bytes      pps      bps    Bpp Flows
> 2013-05-16 15:45:59.952    58.997     0          0.0.0.0:0     -> 239.255.255.250:0     ......   0       51     7035        0      953    137    51
> 2013-05-16 15:45:59.900    59.099     0          0.0.0.0:0     -> 225.0.48.12:0     ......   0   159575  216.4 M     2700   29.3 M   1355   603
> 2013-05-16 15:45:59.900    59.099     0          0.0.0.0:0     -> 239.0.1.2:0     ......   0   216648  291.2 M     3665   39.4 M   1343   603
> 2013-05-16 15:45:59.900    59.100     0          0.0.0.0:0     -> 239.0.1.3:0     ......   0   216650  291.2 M     3665   39.4 M   1343   604
> 2013-05-16 15:45:59.900    59.099     0          0.0.0.0:0     -> 226.0.5.12:0     ......   0    56992   77.3 M      964   10.5 M   1355   601
> 2013-05-16 15:45:59.900    59.099     0          0.0.0.0:0     -> 225.0.52.6:0     ......   0    28496   38.6 M      482    5.2 M   1355   601
> 2013-05-16 15:45:59.900    59.100     0          0.0.0.0:0     -> 225.0.48.9:0     ......   0   159574  216.4 M     2700   29.3 M   1355   603
> 2013-05-16 15:45:59.900    59.099     0          0.0.0.0:0     -> 226.0.4.12:0     ......   0    56992   77.3 M      964   10.5 M   1355   603
> 2013-05-16 15:45:59.900    59.100     0          0.0.0.0:0     -> 239.0.1.1:0     ......   0   216650  291.2 M     3665   39.4 M   1343   603
> 2013-05-16 15:45:59.904    59.094     0          0.0.0.0:0     -> 226.0.4.13:0     ......   0    11399   15.5 M      192    2.1 M   1355   601
> Summary: total flows: 5473, total bytes: 1.5 G, total packets: 1.1 M, avg bps: 205.1 M, avg pps: 19002, avg bpp: 1348
> Time window: 2013-05-16 15:45:59 - 2013-05-16 15:46:59
> 
> 
> Note that for all flows the source is always the same. I use the option "-A
> dstip" only because my sampling is very high and without that option the output
> is very long. Here is an example:
> 
> [root@test_netadmins 16]# nfdump -T  -r nfcapd.201305161546 -o extended -c 20
> Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Flags Tos  Packets    Bytes      pps      bps    Bpp Flows
> 2013-05-16 15:45:59.901     0.097 UDP      172.28.129.63:3000  -> 225.0.52.6:3000  ......   0       47    63732      484    5.3 M   1356     1
> 2013-05-16 15:45:59.900     0.099 UDP         172.30.6.1:3000  -> 226.0.4.12:3000  ......   0       95   128820      959   10.4 M   1356     1
> 2013-05-16 15:45:59.904     0.095 UDP         172.30.6.1:3000  -> 226.0.4.13:3000  ......   0       19    25764      200    2.2 M   1356     1
> 2013-05-16 15:45:59.900     0.099 UDP      172.16.129.50:2000  -> 239.0.1.2:3000  ......   0      361   485184     3646   39.2 M   1344     1
> 2013-05-16 15:45:59.900     0.099 UDP         172.30.6.1:3000  -> 226.0.4.12:3000  ......   0       95   128820      959   10.4 M   1356     1
> 2013-05-16 15:45:59.900     0.099 UDP      172.28.129.60:3000  -> 225.0.48.9:3000  ......  28      266   360696     2686   29.1 M   1356     1
> 2013-05-16 15:45:59.900     0.099 UDP      172.16.129.53:2000  -> 239.0.1.3:3000  ......   0      361   485184     3646   39.2 M   1344     1
> 2013-05-16 15:45:59.900     0.099 UDP      172.16.129.40:3001  -> 239.0.1.1:3000  ......   0      361   485184     3646   39.2 M   1344     1
> 2013-05-16 15:45:59.900     0.099 UDP      172.28.129.60:3000  -> 225.0.48.12:3000  ......  28      266   360696     2686   29.1 M   1356     1
> 2013-05-16 15:45:59.900     0.099 UDP      172.28.129.63:3000  -> 225.0.52.6:3000  ......   0       48    65088      484    5.3 M   1356     1
> .
> .
> .
> .
> 
> I hope that my problem is understandable now. Sorry, and thank you very much
> for your help.
> 
> On Thu, May 16, 2013 at 3:27 PM, Peter Haag
> <[email protected]> wrote:
> 
>> Hi,
>> I don't see anything wrong. The two output listings represent what you
>> were asking nfdump for.
>>
>> -a is equiv to -a -A proto,srcip,dstip,srcport,dstport
>>
>> so you compare -a -A proto,srcip,dstip,srcport,dstport with -a -A dstip,
>> which obviously results in two different output
>> listings. Unused elements in a flow are zeroed out.
>>
>> Hope, that helps.
>>
>>         - Peter
>>
>> On 5/15/13 W20 12:57, marcello pisano wrote:
>>> Hello to all,
>>>
>>> I did an upgrade from nfdump 1.6.3 to 1.6.9. I often use the option "-A" to
>>> aggregate flows, but after the upgrade, if I use that option, the source
>>> address of all flows becomes this:
>>>
>>>
>>> [root@test2 15]# nfdump  -r nfcapd.201305151054  -a  -A dstip -o extended -c 2
>>>
>>> Date first seen          Duration Proto           Src IP Addr:Port      Dst IP Addr:Port   Flags Tos  Packets    Bytes      pps      bps    Bpp Flows
>>> 2013-05-15 10:53:59.903    59.077     0         0.0.0.0:0         ->        224.0.0.1:0     ......   0      250    71370        4     9664    285   176
>>> 2013-05-15 10:54:00.900    58.000     0          0.0.0.0:0         ->    172.16.50.212:0     ......   0       59     7744        1     1068    131    59
>>>
>>> If I don't use that option, the result is:
>>>
>>> [root@test2 15]# nfdump  -r nfcapd.201305151054  -a  -o extended -c 2
>>>
>>> Date first seen          Duration Proto      Src IP Addr:Port  Dst IP Addr:Port   Flags Tos  Packets    Bytes      pps      bps    Bpp Flows
>>> 2013-05-15 10:53:59.928    48.972 UDP      172.16.50.221:137   ->    172.16.51.255:137   ......   0       43     3354        0      547     78    43
>>> 2013-05-15 10:54:00.900    58.000 ICMP     172.16.50.217:0     ->    172.16.50.212:3.3   ......  192       59     7744        1     1068    131    59
>>>
>>>
>>>
>>> Does anyone know if this is normal behavior of the new version of nfdump, or if
>>> it can be a problem?
>>>
>>> Thank you to all
>>>
>>>
>>>
>> ------------------------------------------------------------------------------
>>> AlienVault Unified Security Management (USM) platform delivers complete
>>> security visibility with the essential security capabilities. Easily and
>>> efficiently configure, manage, and operate all of your security controls
>>> from a single console and one unified framework. Download a free trial.
>>> http://p.sf.net/sfu/alienvault_d2d
>>>
>>>
>>>
>>> _______________________________________________
>>> Nfdump-discuss mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
>>>
>>
>> --
>> Be nice to your netflow data
>>
> 
> 
> 
> 

-- 
Be nice to your netflow data. Use NfSen and nfdump :)
