Of course, that makes sense. I hadn't noticed that the output included two ifindex lines that weren’t specified in the query (642,635) which are the second interfaces that the flows pass through. Your reply made me take a closer look at the output to see what was actually there and not what I expected to be there. :)
Thank you Peter. -paul On 10/10/14, 12:34 AM, "Peter Haag" <[email protected]> wrote: >Hi Paul, >It looks to me ok. The filter does not matter. Your statistics is about >interfaces. The same traffic flows through two interface - in/out. >The stat counts each interface individually and therefore counts twice >the numbers in the summary. > >Hope that helps > >- Peter > >On 08/10/14 17:40, Wefel, Paul wrote: >> Hello all, >> >> I searched the archives for this issue and found references to byte >>total discrepancies but I didn’t find anything like what I am seeing. >> With this query, the returned bytes and packet count summary is exactly >>half of the total of the returned flows. >> I have tried this on nfdump 1.6.12 and 1.6.10 with the same result. I >>suspect something in the query may be wrong and I’m not seeing it. >> Anyone have any ideas? Thanks. >> >> nfdump -M /a/flowdata/exit_east/2014/07 -R . -N -s if/bytes '((port = >>5001) and (IF 735 or IF 736 or IF 737 or IF 738 or IF 739 or IF 740 or >>IF 741 or IF 742))' >> >> >> Top 10 In/Out If ordered by bytes: >> Date first seen Duration Proto In/Out If Flows(%) >> Packets(%) Bytes(%) pps bps bpp >> 2014-07-01 03:02:58.859 2505970.212 any 642 >>21(58.3) 19919550(68.1) 114895526933(61.4) 7 366789 5767 >> 2014-07-01 03:02:58.859 2442523.524 any 635 >>15(41.7) 9316049(31.9) 72199731206(38.6) 3 236475 7750 >> 2014-07-08 19:09:55.257 1843153.814 any 739 >>13(36.1) 8605194(29.4) 55251361230(29.5) 4 239812 6420 >> 2014-07-02 02:06:21.216 1357925.591 any 737 >>6(16.7) 8405002(28.7) 53630047936(28.7) 6 315952 6380 >> 2014-07-06 02:52:57.297 1466902.533 any 736 >>7(19.4) 6845484(23.4) 43987579560(23.5) 4 239893 6425 >> 2014-07-05 10:41:26.015 2069416.368 any 740 >>8(22.2) 5102322(17.5) 32474238205(17.4) 2 125539 6364 >> 2014-07-01 03:02:58.859 30.330 any 735 2( >>5.6) 277597( 0.9) 1752031208( 0.9) 9152 462124947 6311 >> >> Summary: total flows: 36, total bytes: 187095258139, total packets: >>29235599, avg bps: 597278, avg pps: 11, avg bpp: 6399 >> Time window: 2014-05-12 19:30:50 - 2014-08-22 18:14:33 >> Total flows processed: 1403144094, Blocks skipped: 0, Bytes read: >>95420264796 >> Sys: 223.963s flows/second: 6265044.5 Wall: 680.974s flows/second: >>2060493.6 >> >> -paul >> >> >> >>------------------------------------------------------------------------- >>----- >> Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer >> Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports >> Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper >> Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer >> >>http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clk >>trk >> >> >> >> _______________________________________________ >> Nfdump-discuss mailing list >> [email protected] >> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss >> ------------------------------------------------------------------------------ Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer http://p.sf.net/sfu/Zoho _______________________________________________ Nfdump-discuss mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
