Forget the first question - after some man reading I noticed that duration is in milliseconds. Now, with duration > 1000, everything works fine.

But I still don't know the answer to the second question. Will keep digging. :)

Adrian Popa wrote:
> Hello.
>
> First of all, Happy Holidays!
>
> I have 2 questions:
>
> 1. How do I filter flows (with nfdump) with a duration greater than x
> seconds? I found that 'duration > 1' is a correct statement, but I get
> flows with a duration lower than 1 second as output.
> Here's an example:
>
> nfdump -M /data/nfsen/profiles/testprofile/7304bb2:7304bcnt2 -R nfcapd.200612251505:nfcapd.200612251615 -n 100 -s record/pps -o extended 'duration > 1'
>
> Aggregated flows 362407
> Top 100 flows ordered by pps:
> Date flow start         Duration Proto       Src IP Addr:Port          Dst IP Addr:Port Flags Tos Packets  Bytes   pps    bps  Bpp Flows
> 2006-12-25 16:01:39.163    0.002 UDP       66.117.5.37:4679  ->  86.107.108.183:31291 .A.... 0      18   1116  9000  4.3 M   62     1
> 2006-12-25 15:29:30.355    0.006 ICMP    203.144.161.5:0     ->  86.107.111.120:2816  .A.... 0      53   2968  8833  3.8 M   56     1
> 2006-12-25 15:16:07.112    0.002 UDP     72.232.94.186:4679  ->  86.107.108.183:31291 .A.... 0      17   1054  8500  4.0 M   62     1
> 2006-12-25 16:07:07.168    0.002 UDP     212.146.94.44:2036  ->  86.107.107.117:21757 .A.... 0      11   2103  5500  8.0 M  191     1
> 2006-12-25 15:58:44.665    0.002 UDP     85.204.104.60:1799  ->  86.107.108.241:21215 .A.... 8      10   1890  5000  7.2 M  189     1
> 2006-12-25 15:59:28.141    0.002 UDP     89.34.169.243:2862  ->  86.107.108.241:21215 .A.... 0      10   2080  5000  7.9 M  208     1
> 2006-12-25 16:06:23.669    0.002 UDP    84.232.161.146:1488  ->  86.107.107.117:21757 .A.... 0      10   1626  5000  6.2 M  162     1
>
> ... output omitted...
>
> 2. I want to be able to filter floods that come from the same source
> to the same destination, but with different port numbers. These are
> regarded as different flows by nfsen (and cisco), but is there a way
> to aggregate them in statistics (increasing the flows number)? I don't
> want to use the '-s ip/pps' switch, because it would be hard for me to
> differentiate between legitimate traffic for servers and flooding
> attacks (because both have similar values in my case).
>
> Here's an example:
>
> nfdump -M /data/nfsen/profiles/testprofile/7304bb2:7304bcnt2 -R nfcapd.200612251505:nfcapd.200612251615 -n 100 -s record/pps -o extended 'host 86.107.104.28'
>
> Aggregated flows 65012
> Top 100 flows ordered by pps:
> Date flow start         Duration Proto       Src IP Addr:Port          Dst IP Addr:Port Flags Tos Packets  Bytes   pps    bps  Bpp Flows
> ... output omitted ...
> 2006-12-25 15:19:28.585 2276.005 UDP      141.161.3.25:38129 ->   86.107.104.28:9589  .A.... 0    3355  97295     1    341   29    15
> 2006-12-25 15:19:37.024 2268.203 UDP      141.161.3.25:38129 ->   86.107.104.28:47623 .A.... 0    3124  90596     1    319   29    14
> 2006-12-25 15:19:35.051 2269.962 UDP      141.161.3.25:38129 ->   86.107.104.28:34898 .A.... 0    3403  98687     1    347   29    15
> 2006-12-25 15:19:34.078 2223.652 UDP      141.161.3.25:38129 ->   86.107.104.28:32824 .A.... 0    2914  84506     1    304   29    16
> 2006-12-25 15:19:35.057 2222.664 UDP      141.161.3.25:38129 ->   86.107.104.28:36475 .A.... 0    3494 101326     1    364   29    15
> 2006-12-25 15:19:38.982 2218.135 UDP      141.161.3.25:38129 ->   86.107.104.28:60941 .A.... 0    3115  90335     1    325   29    14
> 2006-12-25 15:19:29.564 2228.963 UDP      141.161.3.25:38129 ->   86.107.104.28:29364 .A.... 0    3684 106836     1    383   29    14
> 2006-12-25 15:19:43.364 2214.819 UDP      141.161.3.25:38129 ->   86.107.104.28:15056 .A.... 0    3122  90538     1    327   29    14
> 2006-12-25 15:19:30.560 2226.116 UDP      141.161.3.25:38129 ->   86.107.104.28:363   .A.... 0    3354  97266     1    349   29    13
> 2006-12-25 15:19:29.567 2228.708 UDP      141.161.3.25:38129 ->   86.107.104.28:34062 .A.... 0    3294  95526     1    342   29    13
> 2006-12-25 15:19:28.584 2224.559 UDP      141.161.3.25:38129 ->   86.107.104.28:62463 .A.... 0    3080  89320     1    321   29    15
> 2006-12-25 15:19:37.014 2221.000 UDP      141.161.3.25:38129 ->   86.107.104.28:38773 .A.... 0    3286  95294     1    343   29    13
> 2006-12-25 15:19:33.102 2225.302 UDP      141.161.3.25:38129 ->   86.107.104.28:60149 .A.... 0    3492 101268     1    364   29    14
> 2006-12-25 15:19:49.109 2207.792 UDP      141.161.3.25:38129 ->   86.107.104.28:53962 .A.... 0    3446  99934     1    362   29    13
> 2006-12-25 15:19:34.074 2223.695 UDP      141.161.3.25:38129 ->   86.107.104.28:53403 .A.... 0    3423  99267     1    357   29    21
>
> ... output omitted ...
>
> I know I can filter duration and source/destination using a perl
> module (as a plugin), but I'm afraid it may be too intensive and
> sluggish for the hardware I use, so I hope there's a way to do it
> using nfdump.
>
> Thanks for your time
>
> Adrian Popa

_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
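As an added example (not code from the thread, nfsen or nfdump), a small Python parser that does the aggregation asked for in question 2 offline: it reads `-o extended` records like those quoted above, groups them by source/destination address pair regardless of destination port, sums packets, bytes and flow counts, and can apply a duration threshold in seconds (the unit of the printed Duration column, as opposed to the milliseconds the filter expression uses). The sample records are copied from the quoted output; the column positions are taken from that output.

```python
# Aggregate nfdump '-o extended' records by (src IP, dst IP), ignoring ports.
# Each record is one 5-tuple flow, so a flood spread over many destination
# ports appears as many records; grouping on the address pair sums them back.
# Added example, not part of nfdump.
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: four records copied from the nfdump output in the thread.
SAMPLE_OUTPUT = """\
2006-12-25 16:01:39.163    0.002 UDP   66.117.5.37:4679   ->  86.107.108.183:31291 .A.... 0   18  1116 9000 4.3 M 62  1
2006-12-25 15:19:28.585 2276.005 UDP  141.161.3.25:38129  ->   86.107.104.28:9589  .A.... 0 3355 97295    1 341   29 15
2006-12-25 15:19:37.024 2268.203 UDP  141.161.3.25:38129  ->   86.107.104.28:47623 .A.... 0 3124 90596    1 319   29 14
2006-12-25 15:19:35.051 2269.962 UDP  141.161.3.25:38129  ->   86.107.104.28:34898 .A.... 0 3403 98687    1 347   29 15
"""

@dataclass
class PairStats:
    records: int = 0
    packets: int = 0
    bytes: int = 0
    flows: int = 0
    dst_ports: set = field(default_factory=set)

def parse_record(line):
    # Columns: date, time, duration (printed in seconds; the filter language
    # takes milliseconds), proto, src:port, '->', dst:port, flags, tos, packets,
    # bytes, pps, bps (one or two tokens when a unit such as 'M' is printed),
    # Bpp, Flows. Flows is always last, so take it from the end.
    t = line.split()
    src_ip = t[4].rsplit(":", 1)[0]
    dst_ip, dst_port = t[6].rsplit(":", 1)
    return {"duration_s": float(t[2]), "proto": t[3], "src_ip": src_ip,
            "dst_ip": dst_ip, "dst_port": int(dst_port),
            "packets": int(t[9]), "bytes": int(t[10]), "flows": int(t[-1])}

def aggregate_by_pair(text, min_duration_s=0.0):
    # Group by (src_ip, dst_ip); records shorter than the threshold are skipped.
    stats = defaultdict(PairStats)
    for line in text.splitlines():
        if not line.strip():
            continue
        r = parse_record(line)
        if r["duration_s"] < min_duration_s:
            continue
        s = stats[(r["src_ip"], r["dst_ip"])]
        s.records += 1
        s.packets += r["packets"]
        s.bytes += r["bytes"]
        s.flows += r["flows"]
        s.dst_ports.add(r["dst_port"])
    return dict(stats)
```

Calling `aggregate_by_pair(SAMPLE_OUTPUT, min_duration_s=1.0)` keeps only the 141.161.3.25 -> 86.107.104.28 pair, with three destination ports and 44 flows summed into one entry.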
