---------- Forwarded message ----------
From: Adrian Popa <[EMAIL PROTECTED]>
Date: Jul 11, 2007 12:32 PM
Subject: Re: [Nfsen-discuss] dynamically created graphs
To: Koen <[EMAIL PROTECTED]>
Hi Koen,
It would be quite difficult and pointless to keep all the details from the
nfcapd files in rrd files. This is because both formats were designed for
different things. You can keep a small number of details in the rrd files,
but keep in mind, the details are in the format:
label1: (time, value), (time, value), (time, value)
label2: (time, value), (time, value)....
The labels are also known as data sources and are a bit tricky to modify
after the rrd was created. The values in the rrd should be integers/floats;
no complex data structures (such as ip addresses) are allowed.
You could successfully store in a rrd the number of packets per second,
bytes per packet, flows, etc, but you can't really store (or it wouldn't be
useful to store) things like IP addresses, ports, AS numbers, interface
indexes.
This is why I was saying you can't keep all the details from the nfcapd file
in a rrd (also the minimum distance between two records is one second, while
the nfcapd can keep several records in the same second).
As far as condensing the data in the rrd file, I know that you can create
the rrd file with the desired mediation schemes (for instance, if you want
to store 5 minute samples for 2 months, it can be done).
Good luck,
Adrian
On 7/10/07, Koen <[EMAIL PROTECTED]> wrote:
Hi Adrian,
You're absolutely right about the disk space when i am not using
rrdfiles. I have to check if it's feasible to store all netflow info in
a rrdfile (the 5 minute details problem you noted was already worrying
me). Choices, choices : )
Thanks again, i am off cracking my head,
Koen
Adrian Popa wrote:
> Hi Koen,
>
> Remember, the rrd files store only values that are used to draw the
> graphs. If you already see the graphs you are interested in, you can
> parse the rrd files to get the actual values. If what you need is a
> subset of a graph you see, you'll need to get the data from the much
> more voluminous nfcapd files (but which contain more data). The catch is
> that the rrd files can hold data for up to a year (although it doesn't
> have a time interval of 5 minutes for the whole year), and the nfcapd
> files can grow to a very large size in one year. The problem is if you
> don't have the right graphs and you don't have all the old nfcapd files,
> you won't be able to retrive the data you want.
>
> You can do this via a plugin (advantage: it's called automatically every
> 5 minutes), or if you don't need such frequent processing, you can
> create your own bash/perl/whatever script that calls nfdump and then
> parses the output and does whatever you want to do with it.
>
> The choice is yours! I opted for a plugin because I wanted to graph the
> traffic using various criteria and I needed to update the graphs asap.
>
> Take care,
> Adrian
>
> On 7/7/07, *Koen* <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> wrote:
>
> Hi Adrian,
>
> Thanks for the reply.
>
> I know i can do this with a profile/channel but this way you can't
use
> your old nfcapd/rrd files. So you can't go back in time....
>
> Building a plugin which creates graphs for the top 10 AS numbers is
a
> option. But still, if i want to see something else than AS numbers i
> can't use the old nfcapd files and have to build a new plugin for
this
> something else : )
>
> I was also hoping to get this done without hacking the code or
making a
> plugin so that it always works with future nfsen versions...
>
> I guess the rrdfiles of the live profile contain al netflow data so
if
> it is possible to filter information from these files to create the
> graphs i like i am there...
>
> Another option is to use the nfcapd files to do this. Nfsen uses the
> nfcapd files for the raw output on the details page. So i can use
this
> to create graphs is guess...
> Thanks,
>
> Koen
>
>
> Adrian Popa wrote:
> > Hello,
> >
> > Yes, you can create such graphs, by creating new profiles or new
> > channels. Simply specify in the new profile/channel that you want
to
> > filter SRC AS 12345 and you will get traffic for src as 12345. It
> will
> > not do a top or anything else.
> >
> > If you want to draw some graphs based on the results of (for
> instance)
> > top 10 src as, you will need to build a plugin that does the top
> 10, and
> > then, for each result it updates it's own rrd files and graphs. I
> have a
> > plugin that does this, but because of new features I wanted to
> add, it's
> > a bit broken at the moment and it's still under development.
> >
> > take care,
> > Adrian Popa
> >
> > On 7/5/07, *Koen* < [EMAIL PROTECTED] <mailto: [EMAIL PROTECTED]>
> <mailto:[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>>> wrote:
> >
> > Hi all,
> >
> > Is it possible to generated graphs from the selection
> criteria given on
> > the bottom of the Details page?
> >
> > So lets say i filter on SRC AS 12345, Stat TopN 10, the
> output of this
> > is the input of the graph generating code and would give the
> > Packets/Traffic/TCP/UDP/ICMP/other graphs for this filter.
> >
> > Thanks,
> >
> > Koen
> >
> >
>
-------------------------------------------------------------------------
> > This SF.net email is sponsored by DB2 Express
> > Download DB2 Express C - the FREE version of DB2 express and
> take
> > control of your XML. No limits. Just data. Click to get it
now.
> > http://sourceforge.net/powerbar/db2/
> > _______________________________________________
> > Nfsen-discuss mailing list
> > [email protected]
> <mailto:[email protected]>
> > <mailto: [email protected]
> <mailto:[email protected]>>
> > https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
> >
> >
>
>
-------------------------------------------------------------------------
>
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/
> _______________________________________________
> Nfsen-discuss mailing list
> [email protected]
> <mailto:[email protected]>
> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
>
>
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
