Ok Mr Haag, thank you for your help
regards
Marcello
On Thu, May 16, 2013 at 6:43 PM, Peter Haag <[email protected]> wrote:
> If you aggregate on dstip, then only the dst IP is relevant. nfdump-1.6.3 did not
> mask out (zero) the other fields, which was a bug.
>
> - Peter
>
> On 16/5/13 4:31 PM, marcello pisano wrote:
> > Hello Mr Haag,
> >
> > thank you for your answer. Sorry, I didn't see that difference in the command.
> > My target was only the option -A. Here is another example:
> >
> > nfdump: Version: 1.6.3 $LastChangedDate: 2011-01-09 12:28:32 +0100 (Sun, 09 Jan 2011) $
> > $Id: nfdump.c 69 2010-09-09 07:17:43Z haag $
> >
> > nfdump -T -r nfcapd.201305161546 -A dstip -o extended -c 20
> > Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Flags Tos  Packets    Bytes      pps      bps    Bpp Flows
> > Skip unknown record type 7
> > Skip unknown record type 9
> > Skip unknown record type 8
> > 2013-05-16 15:45:59.952    58.997 UDP     172.16.162.137:58175 ->  239.255.255.250:1900 ......   0       51     7035        0      953    137    51
> > 2013-05-16 15:45:59.900    59.099 UDP       172.28.129.60:3000 ->      225.0.48.12:3000 ......  28   159575  216.4 M     2700   29.3 M   1355   603
> > 2013-05-16 15:45:59.900    59.099 UDP       172.16.130.50:2000 ->        239.0.1.2:3000 ......   0   216648  291.2 M     3665   39.4 M   1343   603
> > 2013-05-16 15:45:59.900    59.100 UDP       172.16.130.53:2000 ->        239.0.1.3:3000 ......   0   216650  291.2 M     3665   39.4 M   1343   604
> > 2013-05-16 15:45:59.900    59.099 UDP          172.30.5.1:3000 ->       226.0.5.12:3000 ......   0    56992   77.3 M      964   10.5 M   1355   601
> > 2013-05-16 15:45:59.900    59.099 UDP       172.28.129.63:3000 ->       225.0.52.6:3000 ......   0    28496   38.6 M      482    5.2 M   1355   601
> > 2013-05-16 15:45:59.900    59.100 UDP       172.28.129.60:3000 ->       225.0.48.9:3000 ......  28   159574  216.4 M     2700   29.3 M   1355   603
> > 2013-05-16 15:45:59.900    59.099 UDP          172.30.6.1:3000 ->       226.0.4.12:3000 ......   0    56992   77.3 M      964   10.5 M   1355   603
> > 2013-05-16 15:45:59.900    59.100 UDP       172.16.129.40:3001 ->        239.0.1.1:3000 ......   0   216650  291.2 M     3665   39.4 M   1343   603
> > 2013-05-16 15:45:59.904    59.094 UDP          172.30.6.1:3000 ->       226.0.4.13:3000 ......   0    11399   15.5 M      192    2.1 M   1355   601
> > Summary: total flows: 5473, total bytes: 1.5 G, total packets: 1.1 M, avg bps: 205.1 M, avg pps: 19002, avg bpp: 1348
> > Time window: 2013-05-16 15:45:59 - 2013-05-16 15:46:59
> >
> > - For the same file I use the same command, but the nfdump version is
> > different:
> >
> > nfdump: Version: 1.6.9 $Date: 2013-03-02 16:19:58 +0100 (Sat, 02 Mar 2013) $
> >
> > nfdump -T -r nfcapd.201305161546 -a -A dstip -o extended -c 20
> > Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Flags Tos  Packets    Bytes      pps      bps    Bpp Flows
> > 2013-05-16 15:45:59.952    58.997 0                  0.0.0.0:0 ->    239.255.255.250:0 ......   0       51     7035        0      953    137    51
> > 2013-05-16 15:45:59.900    59.099 0                  0.0.0.0:0 ->        225.0.48.12:0 ......   0   159575  216.4 M     2700   29.3 M   1355   603
> > 2013-05-16 15:45:59.900    59.099 0                  0.0.0.0:0 ->          239.0.1.2:0 ......   0   216648  291.2 M     3665   39.4 M   1343   603
> > 2013-05-16 15:45:59.900    59.100 0                  0.0.0.0:0 ->          239.0.1.3:0 ......   0   216650  291.2 M     3665   39.4 M   1343   604
> > 2013-05-16 15:45:59.900    59.099 0                  0.0.0.0:0 ->         226.0.5.12:0 ......   0    56992   77.3 M      964   10.5 M   1355   601
> > 2013-05-16 15:45:59.900    59.099 0                  0.0.0.0:0 ->         225.0.52.6:0 ......   0    28496   38.6 M      482    5.2 M   1355   601
> > 2013-05-16 15:45:59.900    59.100 0                  0.0.0.0:0 ->         225.0.48.9:0 ......   0   159574  216.4 M     2700   29.3 M   1355   603
> > 2013-05-16 15:45:59.900    59.099 0                  0.0.0.0:0 ->         226.0.4.12:0 ......   0    56992   77.3 M      964   10.5 M   1355   603
> > 2013-05-16 15:45:59.900    59.100 0                  0.0.0.0:0 ->          239.0.1.1:0 ......   0   216650  291.2 M     3665   39.4 M   1343   603
> > 2013-05-16 15:45:59.904    59.094 0                  0.0.0.0:0 ->         226.0.4.13:0 ......   0    11399   15.5 M      192    2.1 M   1355   601
> > Summary: total flows: 5473, total bytes: 1.5 G, total packets: 1.1 M, avg bps: 205.1 M, avg pps: 19002, avg bpp: 1348
> > Time window: 2013-05-16 15:45:59 - 2013-05-16 15:46:59
> >
> > Note that for all flows the source is always the same. I use the option "-A
> > dstip" only because my sampling is very high, and without that option the
> > output is very long. Here is an example:
> >
> > [root@test_netadmins 16]# nfdump -T -r nfcapd.201305161546 -o extended -c 20
> > Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Flags Tos  Packets    Bytes      pps      bps    Bpp Flows
> > 2013-05-16 15:45:59.901     0.097 UDP       172.28.129.63:3000 ->       225.0.52.6:3000 ......   0       47    63732      484    5.3 M   1356     1
> > 2013-05-16 15:45:59.900     0.099 UDP          172.30.6.1:3000 ->       226.0.4.12:3000 ......   0       95   128820      959   10.4 M   1356     1
> > 2013-05-16 15:45:59.904     0.095 UDP          172.30.6.1:3000 ->       226.0.4.13:3000 ......   0       19    25764      200    2.2 M   1356     1
> > 2013-05-16 15:45:59.900     0.099 UDP       172.16.129.50:2000 ->        239.0.1.2:3000 ......   0      361   485184     3646   39.2 M   1344     1
> > 2013-05-16 15:45:59.900     0.099 UDP          172.30.6.1:3000 ->       226.0.4.12:3000 ......   0       95   128820      959   10.4 M   1356     1
> > 2013-05-16 15:45:59.900     0.099 UDP       172.28.129.60:3000 ->       225.0.48.9:3000 ......  28      266   360696     2686   29.1 M   1356     1
> > 2013-05-16 15:45:59.900     0.099 UDP       172.16.129.53:2000 ->        239.0.1.3:3000 ......   0      361   485184     3646   39.2 M   1344     1
> > 2013-05-16 15:45:59.900     0.099 UDP       172.16.129.40:3001 ->        239.0.1.1:3000 ......   0      361   485184     3646   39.2 M   1344     1
> > 2013-05-16 15:45:59.900     0.099 UDP       172.28.129.60:3000 ->      225.0.48.12:3000 ......  28      266   360696     2686   29.1 M   1356     1
> > 2013-05-16 15:45:59.900     0.099 UDP       172.28.129.63:3000 ->       225.0.52.6:3000 ......   0       48    65088      484    5.3 M   1356     1
> > ...
> >
> > I hope that my problem is understandable now. Sorry, and thank you very
> > much for your help.
> >
> > On Thu, May 16, 2013 at 3:27 PM, Peter Haag <[email protected]> wrote:
> >
> >> Hi,
> >> I don't see anything wrong. The two output listings represent what you
> >> were asking nfdump for.
> >>
> >> -a is equiv to -a -A proto,srcip,dstip,srcport,dstport
> >>
> >> so you compare -a -A proto,srcip,dstip,srcport,dstport with -a -A dstip,
> >> which obviously results in two different output listings. Unused
> >> elements in a flow are zeroed out.
> >>
> >> Hope that helps.
> >>
> >> - Peter
> >>
> >> On 5/15/13 W20 12:57, marcello pisano wrote:
> >>> Hello to all,
> >>>
> >>> I did an upgrade from nfdump 1.6.3 to 1.6.9. I often use the option "-A" to
> >>> aggregate flows, but after the upgrade, if I use that option, the source
> >>> address of all flows becomes this:
> >>>
> >>> [root@test2 15]# nfdump -r nfcapd.201305151054 -a -A dstip -o extended -c 2
> >>>
> >>> Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Flags Tos  Packets    Bytes      pps      bps    Bpp Flows
> >>> 2013-05-15 10:53:59.903    59.077 0                  0.0.0.0:0 ->          224.0.0.1:0 ......   0      250    71370        4     9664    285   176
> >>> 2013-05-15 10:54:00.900    58.000 0                  0.0.0.0:0 ->      172.16.50.212:0 ......   0       59     7744        1     1068    131    59
> >>>
> >>> If I don't use that option, the result is:
> >>>
> >>> [root@test2 15]# nfdump -r nfcapd.201305151054 -a -o extended -c 2
> >>>
> >>> Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Flags Tos  Packets    Bytes      pps      bps    Bpp Flows
> >>> 2013-05-15 10:53:59.928    48.972 UDP       172.16.50.221:137 ->     172.16.51.255:137 ......   0       43     3354        0      547     78    43
> >>> 2013-05-15 10:54:00.900    58.000 ICMP        172.16.50.217:0 ->     172.16.50.212:3.3 ...... 192       59     7744        1     1068    131    59
> >>>
> >>> Does anyone know if this is normal behavior of the new version of Nfdump, or if
> >>> it can be a problem?
> >>>
> >>> Thank you to all
> >>>
> >>>
> >>>
> >>>
> >>> ------------------------------------------------------------------------------
> >>> AlienVault Unified Security Management (USM) platform delivers complete
> >>> security visibility with the essential security capabilities. Easily and
> >>> efficiently configure, manage, and operate all of your security controls
> >>> from a single console and one unified framework. Download a free trial.
> >>> http://p.sf.net/sfu/alienvault_d2d
> >>>
> >>> _______________________________________________
> >>> Nfdump-discuss mailing list
> >>> [email protected]
> >>> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
> >>>
> >>
> >> --
> >> Be nice to your netflow data
> >>
>
> --
> Be nice to your netflow data. Use NfSen and nfdump :)
>
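To make the aggregation rule Peter describes concrete (-A keeps the named fields and zeroes the unused ones; -a alone is the full 5-tuple), here is an added example that is not nfdump's code and not part of the thread. It re-implements that rule in Python over five constructed records copied from Marcello's unaggregated listing; first/last-seen handling is left out.

```python
# Model of nfdump's '-A <fields>' aggregation (added example, not nfdump code):
# key fields are kept, the other 5-tuple fields are masked to the zero value
# nfdump prints (proto 0, 0.0.0.0:0), and counters are summed per key.
from dataclasses import dataclass, replace

FIVE_TUPLE = ("proto", "srcip", "dstip", "srcport", "dstport")
MASKED = {"proto": "0", "srcip": "0.0.0.0", "dstip": "0.0.0.0",
          "srcport": 0, "dstport": 0}


@dataclass
class Flow:
    proto: str
    srcip: str
    srcport: int
    dstip: str
    dstport: int
    packets: int
    bytes: int
    flows: int = 1


def aggregate(flows, keys=FIVE_TUPLE):
    """Equivalent of 'nfdump -a -A <keys>'; plain '-a' is the full 5-tuple."""
    table = {}  # insertion-ordered: first occurrence of a key wins its slot
    for f in flows:
        key = tuple(getattr(f, name) for name in keys)
        if key not in table:
            # Copy the record, zeroing every 5-tuple field that is not a key
            masked = {n: MASKED[n] for n in FIVE_TUPLE if n not in keys}
            table[key] = replace(f, **masked)
        else:
            agg = table[key]
            agg.packets += f.packets
            agg.bytes += f.bytes
            agg.flows += f.flows
    return list(table.values())


# Constructed sample: five of the unaggregated records from the listing above
SAMPLE = [
    Flow("UDP", "172.28.129.63", 3000, "225.0.52.6", 3000, 47, 63732),
    Flow("UDP", "172.30.6.1", 3000, "226.0.4.12", 3000, 95, 128820),
    Flow("UDP", "172.30.6.1", 3000, "226.0.4.13", 3000, 19, 25764),
    Flow("UDP", "172.30.6.1", 3000, "226.0.4.12", 3000, 95, 128820),
    Flow("UDP", "172.28.129.63", 3000, "225.0.52.6", 3000, 48, 65088),
]

if __name__ == "__main__":
    for row in aggregate(SAMPLE, ("dstip",)):
        print(row)
```

With `("dstip",)` the two 225.0.52.6 records collapse into one row of 95 packets, 128820 bytes and 2 flows with srcip 0.0.0.0 and proto 0, the same shape as the 1.6.9 listing; with the default key the source fields survive.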