Hello.

First of all, Happy Holidays!

I have 2 questions:

1. How do I filter flows (with nfdump) with a duration greater than x 
seconds? I found that 'duration > 1' is a correct statement, but I get 
flows with a duration lower than 1 second as output.
Here's an example:

nfdump -M /data/nfsen/profiles/testprofile/7304bb2:7304bcnt2 -R nfcapd.200612251505:nfcapd.200612251615 -n 100 -s record/pps -o extended 'duration > 1'

Aggregated flows 362407
Top 100 flows ordered by pps:
Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Flags Tos  Packets    Bytes      pps      bps    Bpp Flows
2006-12-25 16:01:39.163     0.002 UDP        66.117.5.37:4679  ->   86.107.108.183:31291 .A....   0       18     1116     9000    4.3 M     62     1
2006-12-25 15:29:30.355     0.006 ICMP     203.144.161.5:0     ->   86.107.111.120:2816  .A....   0       53     2968     8833    3.8 M     56     1
2006-12-25 15:16:07.112     0.002 UDP      72.232.94.186:4679  ->   86.107.108.183:31291 .A....   0       17     1054     8500    4.0 M     62     1
2006-12-25 16:07:07.168     0.002 UDP      212.146.94.44:2036  ->   86.107.107.117:21757 .A....   0       11     2103     5500    8.0 M    191     1
2006-12-25 15:58:44.665     0.002 UDP      85.204.104.60:1799  ->   86.107.108.241:21215 .A....   8       10     1890     5000    7.2 M    189     1
2006-12-25 15:59:28.141     0.002 UDP      89.34.169.243:2862  ->   86.107.108.241:21215 .A....   0       10     2080     5000    7.9 M    208     1
2006-12-25 16:06:23.669     0.002 UDP     84.232.161.146:1488  ->   86.107.107.117:21757 .A....   0       10     1626     5000    6.2 M    162     1

... output omitted...

2. I want to be able to filter floods that come from the same source to 
the same destination, but with different port numbers. These are 
regarded as different flows by nfsen (and cisco), but is there a way to 
aggregate them in statistics (increasing the flows number)? I don't want 
to use the '-s ip/pps' switch, because it would be hard for me to 
differentiate between legitimate traffic for servers and flooding 
attacks (because both have similar values in my case).

Here's an example:

nfdump -M /data/nfsen/profiles/testprofile/7304bb2:7304bcnt2 -R nfcapd.200612251505:nfcapd.200612251615 -n 100 -s record/pps -o extended 'host 86.107.104.28'

Aggregated flows 65012
Top 100 flows ordered by pps:
Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Flags Tos  Packets    Bytes      pps      bps    Bpp Flows
... output omitted ...
2006-12-25 15:19:28.585  2276.005 UDP       141.161.3.25:38129 ->    86.107.104.28:9589  .A....   0     3355    97295        1      341     29    15
2006-12-25 15:19:37.024  2268.203 UDP       141.161.3.25:38129 ->    86.107.104.28:47623 .A....   0     3124    90596        1      319     29    14
2006-12-25 15:19:35.051  2269.962 UDP       141.161.3.25:38129 ->    86.107.104.28:34898 .A....   0     3403    98687        1      347     29    15
2006-12-25 15:19:34.078  2223.652 UDP       141.161.3.25:38129 ->    86.107.104.28:32824 .A....   0     2914    84506        1      304     29    16
2006-12-25 15:19:35.057  2222.664 UDP       141.161.3.25:38129 ->    86.107.104.28:36475 .A....   0     3494   101326        1      364     29    15
2006-12-25 15:19:38.982  2218.135 UDP       141.161.3.25:38129 ->    86.107.104.28:60941 .A....   0     3115    90335        1      325     29    14
2006-12-25 15:19:29.564  2228.963 UDP       141.161.3.25:38129 ->    86.107.104.28:29364 .A....   0     3684   106836        1      383     29    14
2006-12-25 15:19:43.364  2214.819 UDP       141.161.3.25:38129 ->    86.107.104.28:15056 .A....   0     3122    90538        1      327     29    14
2006-12-25 15:19:30.560  2226.116 UDP       141.161.3.25:38129 ->    86.107.104.28:363   .A....   0     3354    97266        1      349     29    13
2006-12-25 15:19:29.567  2228.708 UDP       141.161.3.25:38129 ->    86.107.104.28:34062 .A....   0     3294    95526        1      342     29    13
2006-12-25 15:19:28.584  2224.559 UDP       141.161.3.25:38129 ->    86.107.104.28:62463 .A....   0     3080    89320        1      321     29    15
2006-12-25 15:19:37.014  2221.000 UDP       141.161.3.25:38129 ->    86.107.104.28:38773 .A....   0     3286    95294        1      343     29    13
2006-12-25 15:19:33.102  2225.302 UDP       141.161.3.25:38129 ->    86.107.104.28:60149 .A....   0     3492   101268        1      364     29    14
2006-12-25 15:19:49.109  2207.792 UDP       141.161.3.25:38129 ->    86.107.104.28:53962 .A....   0     3446    99934        1      362     29    13
2006-12-25 15:19:34.074  2223.695 UDP       141.161.3.25:38129 ->    86.107.104.28:53403 .A....   0     3423    99267        1      357     29    21

... output omitted ...

I know I can filter duration and source/destination using a perl module 
(as a plugin), but I'm afraid it may be too intensive and sluggish for 
the hardware I use, so I hope there's a way to do it using nfdump.

Thanks for your time

Adrian Popa
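Added example for both questions in this post (editor's code, not part of the thread and not nfdump or nfsen code). It post-processes `nfdump -o extended` text: it parses the one-line record layout shown above (the mail wrapped each row over two lines), drops flows shorter than a threshold given in seconds, and collapses flows that differ only in port numbers into one row per (protocol, source IP, destination IP), counting distinct destination ports so a many-port flood to one host stands out from ordinary traffic to a single server port. The sample rows are taken from the listings in the post; the threshold and port-count values are assumptions. One note on question 1: the nfdump man page documents the `duration` filter keyword in milliseconds (check the man page for your version), which is consistent with 2 ms flows passing 'duration > 1'; the script below compares the printed seconds instead.

```python
"""Post-process `nfdump -o extended` output: duration filter in seconds plus
src/dst aggregation that ignores port numbers (added example, not nfdump code)."""
from collections import defaultdict

# Sample rows constructed from the listings in the post, re-joined onto one line each.
SAMPLE = """\
Aggregated flows 65012
Top 100 flows ordered by pps:
Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Flags Tos  Packets    Bytes      pps      bps    Bpp Flows
2006-12-25 15:19:28.585  2276.005 UDP       141.161.3.25:38129 ->    86.107.104.28:9589  .A....   0     3355    97295        1      341     29    15
2006-12-25 15:19:37.024  2268.203 UDP       141.161.3.25:38129 ->    86.107.104.28:47623 .A....   0     3124    90596        1      319     29    14
2006-12-25 16:01:39.163     0.002 UDP        66.117.5.37:4679  ->   86.107.108.183:31291 .A....   0       18     1116     9000    4.3 M     62     1
"""

# nfdump prints large counters as e.g. "4.3 M" (two tokens); fold the suffix back in.
SCALE = {"K": 1e3, "M": 1e6, "G": 1e9}


def _numbers(tokens):
    """['18', '1116', '9000', '4.3', 'M', '62', '1'] -> floats with suffixes applied."""
    out = []
    for tok in tokens:
        if tok in SCALE and out:
            out[-1] *= SCALE[tok]
        else:
            out.append(float(tok))
    return out


def parse_record(line):
    """Parse one extended-format data row into a dict; header/summary lines give None."""
    t = line.split()
    if len(t) < 14 or t[5] != "->":
        return None
    src_ip, src_port = t[4].rsplit(":", 1)
    dst_ip, dst_port = t[6].rsplit(":", 1)
    nums = _numbers(t[8:])          # Tos Packets Bytes pps bps Bpp Flows
    if len(nums) != 7:
        return None
    tos, packets, nbytes, pps, bps, bpp, flows = nums
    return {
        "start": f"{t[0]} {t[1]}", "duration": float(t[2]), "proto": t[3],
        "src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip, "dst_port": dst_port,
        "packets": int(packets), "bytes": int(nbytes), "flows": int(flows),
    }


def parse_output(text):
    return [r for r in (parse_record(ln) for ln in text.splitlines()) if r]


def filter_duration(records, min_seconds):
    """Keep flows whose printed duration (seconds) exceeds min_seconds."""
    return [r for r in records if r["duration"] > min_seconds]


def aggregate_by_endpoints(records):
    """One row per (proto, src ip, dst ip): sums counters and collects distinct
    destination ports, so flows differing only in port are merged."""
    agg = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0,
                               "dst_ports": set(), "max_duration": 0.0})
    for r in records:
        a = agg[(r["proto"], r["src_ip"], r["dst_ip"])]
        a["flows"] += r["flows"]
        a["packets"] += r["packets"]
        a["bytes"] += r["bytes"]
        a["dst_ports"].add(r["dst_port"])
        a["max_duration"] = max(a["max_duration"], r["duration"])
    return agg


def suspicious_fanout(agg, min_ports):
    """Endpoint pairs that hit at least min_ports distinct destination ports
    (a server normally serves one or a few ports; a flood sprays many)."""
    return sorted(k for k, a in agg.items() if len(a["dst_ports"]) >= min_ports)


if __name__ == "__main__":
    kept = filter_duration(parse_output(SAMPLE), 1.0)   # threshold is an assumption
    agg = aggregate_by_endpoints(kept)
    for key in suspicious_fanout(agg, 2):                # port count is an assumption
        a = agg[key]
        print(key, a["flows"], "flows,", len(a["dst_ports"]), "dst ports,",
              a["packets"], "packets,", a["bytes"], "bytes")
```

Run it as `nfdump ... -o extended 'host 86.107.104.28' | python3 this_script.py` after replacing SAMPLE with `sys.stdin.read()`; it reads text only, so it adds no load to the collector. Whether a given nfdump version can do the same aggregation natively (newer releases accept aggregation keys such as src/dst IP without ports) is worth checking in its man page before scripting around it.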


Nfsen-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss