Hi Dmitry,
Pls test with the latest GitHub version. If it is still an issue, let me know.
- Peter
On 31.12.15 09:52, Dmitry Petuhov wrote:
> Found strange behaviour on flow aggregation with binary output:
> # nfdump -V
> nfdump: Version: NSEL-NEL1.6.13
> # nfdump -r nfcapd.201512311115 -a -w nfcapd.201512311115.a
> # nfdump -r nfcapd.201512311115.a -o long | head
> Date first seen Duration Proto Src IP Addr:Port
> Dst IP Addr:Port Flags Tos Packets Bytes Flows
> 2015-12-31 11:16:34.976 38.936 UDP 0.0.0.4:25813 ->
> 70.140.177.12:49001 ...... 0 168.8 M 2 1572669509
> 2015-12-31 11:19:35.406 698.030 UDP 0.0.0.13:57288 ->
> 10.2.11.6:10006 ...... 0 1.2 G 0 0
> 2015-12-31 11:18:08.535 30.090 UDP 0.0.0.1:47574 ->
> 10.4.139.190:30017 ...... 0 1.9 G 0 0
> 2015-12-31 11:16:15.211 184.629 TCP 0.0.0.12:51654 ->
> 10.33.169.110:443 ...... 0 1.6 G 0 0
> 2015-12-31 11:26:19.012 11.944 TCP 0.0.0.6:443 ->
> 217.69.139.42:50176 .AP.SF 0 168.4 M 55 1572669507
> 2015-12-31 11:17:56.516 129.004 TCP 0.0.0.12:58815 ->
> 10.33.174.230:39959 ...... 0 3.0 G 0 0
>
> Aggregation with text output seems to work fine:
> # nfdump -r nfcapd.201512311115 -a -o long | head
> Date first seen Duration Proto Src IP Addr:Port
> Dst IP Addr:Port Flags Tos Packets Bytes Flows
> 2015-12-31 11:16:34.976 38.936 UDP 70.140.177.12:25813 ->
> 10.15.12.133:49001 ...... 0 2 973 2
> 2015-12-31 11:16:15.211 184.629 TCP 10.33.169.110:51654 ->
> 95.83.191.12:443 ...... 0 0 0 2
> 2015-12-31 11:26:19.012 11.944 TCP 217.69.139.42:443 ->
> 10.9.73.230:50176 .AP.SF 0 55 62365 1
> 2015-12-31 11:18:18.884 0.108 TCP 94.140.201.98:80 ->
> 10.33.170.28:58715 .AP.SF 0 179 261739 1
> 2015-12-31 11:27:38.988 60.940 UDP 110.32.96.78:18946 ->
> 10.34.135.66:62348 ...... 0 2 340 2
> 2015-12-31 11:28:36.548 11.448 TCP 217.20.156.21:443 ->
> 10.4.89.29:21317 .AP.SF 0 19 15595 1
> 2015-12-31 11:31:15.952 1.040 TCP 64.233.164.132:443 ->
> 10.2.241.198:50284 .AP.S. 0 106 124096 1
> 2015-12-31 11:15:46.181 401.232 UDP 85.95.188.69:20467 ->
> 95.83.148.178:62470 ...... 0 9 432 3
> 2015-12-31 11:17:04.928 0.000 UDP 120.29.73.76:51413 ->
> 10.162.24.138:49001 ...... 0 1 328 1
>
> Maybe this is important: input files are written with nfcapd of
> a different version:
> # nfcapd -V
> nfcapd: Version: 1.6.11 $Date: 2013-11-16 09:04:43 +0100 (Sat, 16 Nov
> 2013) $
>
> And they have netflow v5 and v9+NEL.
>
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Nfdump-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
>
--
Be nice to your netflow data. Use NfSen and nfdump :)