-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I'll have to check that. Give me some time.
- Peter
- --On April 24, 2007 16:54:55 +0000 Paul Vlaar <[EMAIL PROTECTED]> wrote:
| Hi all.
|
| In nfsen, I have $SUBDIRLAYOUT = 1;, and so I have a directory structure
| that consists of <profile>/<source>/<year>/<month>/<day>/nfcapd.<timestamp>
|
| I would like to get some netflow statistics that span multiple days, so
| first of all I try this using the nfsen web interface, by selecting a
| time window and then running the Stat TopN function over it. The time
| window selected is 2007-04-21-15-05 to 2007-04-24-15-10 but what I see
| is that the result of the "process" only makes it to roughly 00:00 on
| 2007-04-21, no further:
|
| nfdump -R /opt/netflow/nfsen/profiles/./live/myrouter/2007/04/21/nfcapd.200704211505:nfcapd.200704241510 -n 10 -s dstport/packets
|
| Top 10 Dst Port ordered by packets:
| Date first seen          Duration   Proto Dst Port   Flows  Packets   Bytes  pps    bps   bpp
| 2007-04-21 15:04:48.819  32103.274  any        25    37326    39102   4.1 M    1   1067   109
| 2007-04-21 15:04:59.815  32081.786  any        53     3895     3977  284750    0     71    71
| 2007-04-21 17:20:26.063  23566.947  any      3102       17      224  304763    0    103  1360
| 2007-04-21 15:08:43.187  31285.996  any       113      150      153    6969    0      1    45
| 2007-04-21 15:36:10.204  27374.256  any      2378       13      149  209089    0     61  1403
| 2007-04-21 15:31:14.003  30067.599  any      2321       14      145  198457    0     52  1368
| 2007-04-21 15:19:01.806  26485.057  any      2444       10      143  197758    0     59  1382
| 2007-04-21 15:29:25.617  25955.168  any      1574       19      123  167863    0     51  1364
| 2007-04-21 15:17:21.832  30593.236  any        80      113      123   11232    0      2    91
| 2007-04-21 15:41:44.725  10058.798  any     49427        6      104  140648    0    111  1352
|
| Summary: total flows: 131499, total bytes: 96.2 M, total packets: 152557, avg bps: 25100, avg pps: 4, avg bpp: 660
| Time window: 2007-04-21 15:03:58 - 2007-04-21 23:59:57
| Total flows processed: 2461470, skipped: 0, Bytes read: 127999008
| Sys: 0.480s flows/second: 5127218.6 Wall: 8.955s flows/second: 274866.4
|
|
| I want more than just that limited time window, so I try this using nfdump
| directly, and I think I need to use a -M / -R combination according to the
| man page:
|
| $ nfdump -M /opt/netflow/nfsen/profiles/./live/myrouter/2007/04/21:22:23:24 -R nfcapd.200704211505:nfcapd.200704241510 -n 10 -s dstport/packets
|
| Top 10 Dst Port ordered by packets:
| Date first seen          Duration    Proto Dst Port   Flows  Packets    Bytes  pps    bps   bpp
| 2007-04-21 15:04:00.499  259843.564  any        53    5.9 M    7.2 M  648.8 M   29  20946    89
| 2007-04-21 15:04:32.775  259810.220  any       123    4.4 M    4.6 M  345.8 M   18  11166    75
| 2007-04-21 15:04:08.707  259848.148  any        80    1.2 M    1.8 M  159.6 M    7   5152    86
| 2007-04-21 15:04:25.447  259819.592  any        22   238196    1.1 M  266.9 M    4   8617   240
| 2007-04-21 15:04:32.007  259810.712  any      2048   670209   706080   31.9 M    2   1030    47
| 2007-04-21 15:04:44.947  259808.244  any        25   427251   476236  107.1 M    1   3458   235
| 2007-04-21 15:04:22.339  259820.848  any     32768   343978   418339   40.9 M    1   1322   102
| 2007-04-21 15:04:44.311  259798.812  any      2816   206620   228431   14.3 M    0    462    65
| 2007-04-21 15:04:24.715  259807.524  any       873     8918   191816   11.6 M    0    374    63
| 2007-04-21 15:07:00.917  259201.426  any      5432     2746   186060    9.6 M    0    309    53
|
| Summary: total flows: 22286340, total bytes: 9.9 G, total packets: 31.1 M, avg bps: 326373, avg pps: 125, avg bpp: 325
| Time window: 2007-04-21 15:03:58 - 2007-04-24 15:14:58
| Total flows processed: 22286340, skipped: 0, Bytes read: 1158912336
| Sys: 5.536s flows/second: 4025618.6 Wall: 46.991s flows/second: 474265.1
|
|
| The latter try works, so my guess is that nfsen is buggy in its call to
| nfdump for when the directory layout is not flat. I am running version
| snapshot-20070208.
|
|
| Paul Vlaar
|
| --
| [EMAIL PROTECTED] - ISC Operations - PGP 0x294EC062
|
| _______________________________________________
| Nfsen-discuss mailing list
| [email protected]
| https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
- --
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
E-mail: [EMAIL PROTECTED] Web: http://www.switch.ch/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)
iQCVAwUBRi9RDv5AbZRALNr/AQJgfQP/bvWA4UCh1AGhNDEnw1jUvAazVPncI9cz
EQPnupbqdJ3ABhVfCgL7PjfUL952X70/ijmC8EifkoKoskBp0qEqHdsIPtDIFqHQ
6PwUxRLx+RnZBq3XpwlpiJ7o7qrQC1F6mlsx6E46i25wWJ3HrG198QCKbVy8LpUL
66FYAG7oPmY=
=wpxL
-----END PGP SIGNATURE-----
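The working invocation in Paul's second attempt shows the shape nfdump needs for a window that spans several day directories of a $SUBDIRLAYOUT = 1 tree: -M lists the first day directory as a full path and each further day relative to its parent, and -R names the first and last nfcapd file. The helper below, an added example written for this thread and not code from nfsen or nfdump, builds that argument list from a start and end time so that the argv handed to nfdump is the same whether the window covers one day or several. It assumes the nfcapd.YYYYmmddHHMM file naming seen in the thread, and it assumes, based on the thread's own -M .../2007/04/21:22:23:24, that entries after the first are resolved against the parent directory of the first; the ../MM/DD form it emits when a window crosses a month boundary is an extension of that assumption.

```python
"""Build an nfdump argv for a time window over an nfsen $SUBDIRLAYOUT = 1
profile tree (<profiles>/<profile>/<source>/YYYY/MM/DD/nfcapd.YYYYmmddHHMM).

Hypothetical helper written for this thread; not nfsen or nfdump code.
Assumption: nfdump resolves every -M entry after the first relative to the
parent directory of the first entry, which is how the thread's
-M .../2007/04/21:22:23:24 reads.  The ../MM/DD entries produced for a
window that crosses a month boundary rely on that same assumption.
"""
import posixpath
from datetime import datetime, timedelta


def nfcapd_name(ts: datetime) -> str:
    """nfcapd file name for a 5-minute slot, e.g. nfcapd.200704211505."""
    return "nfcapd." + ts.strftime("%Y%m%d%H%M")


def day_dirs(start: datetime, end: datetime) -> list:
    """YYYY/MM/DD directory names for every calendar day in [start, end]."""
    days = []
    day = start.date()
    while day <= end.date():
        days.append(day.strftime("%Y/%m/%d"))
        day += timedelta(days=1)
    return days


def nfdump_args(profile_dir: str, start: datetime, end: datetime, *extra) -> list:
    """argv for nfdump over [start, end] in a SUBDIRLAYOUT = 1 tree.

    profile_dir is <profiles>/<profile>/<source>.  The first day directory
    is passed as a full path; later days as paths relative to its parent
    (plain "22", "23", ... within one month, "../05/01" across a month).
    Any extra arguments (e.g. -n 10 -s dstport/packets) are appended.
    """
    if end < start:
        raise ValueError("window end precedes start")
    days = day_dirs(start, end)
    first = posixpath.join(profile_dir, days[0])
    parent = posixpath.dirname(first)            # .../YYYY/MM of the first day
    later = [posixpath.relpath(posixpath.join(profile_dir, d), parent)
             for d in days[1:]]
    m_arg = ":".join([first] + later)            # single day -> just `first`
    r_arg = nfcapd_name(start) + ":" + nfcapd_name(end)
    return ["nfdump", "-M", m_arg, "-R", r_arg, *extra]


if __name__ == "__main__":
    # The window from the thread (constructed from the quoted command line).
    argv = nfdump_args("/opt/netflow/nfsen/profiles/live/myrouter",
                       datetime(2007, 4, 21, 15, 5),
                       datetime(2007, 4, 24, 15, 10),
                       "-n", "10", "-s", "dstport/packets")
    print(" ".join(argv))
```

Run stand-alone it prints the multi-day command line for the thread's window; to execute nfdump from a script, pass the returned list to subprocess.run without a shell so the directory and file arguments are never re-parsed.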