I tried to analyze a very high pkts/s peak. For this I selected one single timeslot "Feb 18 2008 - 10:45", called nfdump and got this output:
** nfdump -M /sw/pkg/nfsen/profiles-data/live/mucwan -T -r 2008/02/18/nfcapd.200802181045 -n 20 -s record/packets -o long
nfdump filter:
any
Aggregated flows 22705
Top 20 flows ordered by packets:
Date flow start          Duration   Proto      Src IP Addr:Port          Dst IP Addr:Port   Flags Tos  Packets    Bytes Flows
2008-02-12 12:56:04.110 510524.741  TCP       10.40.232.5:445   ->     10.40.200.5:1814  .APR..   0    5.1 M    1.5 G     1
2008-02-12 12:56:04.110 510524.741  TCP      10.40.200.5:1814   ->      10.40.232.5:445  .AP...   0    4.9 M  659.2 M     1
2008-02-12 12:56:30.231 510498.626  TCP       10.40.232.5:445   ->     10.40.208.5:1388  .APR..   0    4.6 M    1.4 G     1
2008-02-12 12:56:30.231 510498.626  TCP      10.40.208.5:1388   ->      10.40.232.5:445  .AP...   0    4.4 M  603.7 M     1
2008-02-12 12:55:58.184 510530.659  TCP       10.40.232.5:445   ->     10.40.216.5:3228  .APR..   0    1.9 M  648.2 M     1
2008-02-12 12:55:58.184 510530.659  TCP      10.40.216.5:3228   ->      10.40.232.5:445  .AP...   0    1.8 M  238.9 M     1
2008-02-12 12:56:32.902 510495.941  TCP       10.40.232.5:445   ->     10.40.224.5:1779  .APR..   0    1.7 M  624.4 M     1
2008-02-12 12:55:58.184 510530.674  TCP       10.40.232.5:445   ->     10.40.204.5:2848  .APR..   0    1.7 M  620.6 M     1
2008-02-12 12:56:32.902 510495.941  TCP      10.40.224.5:1779   ->      10.40.232.5:445  .AP...   0    1.5 M  209.8 M     1
2008-02-12 12:55:58.184 510530.674  TCP      10.40.204.5:2848   ->      10.40.232.5:445  .AP...   0    1.5 M  208.3 M     1
2008-02-16 07:31:50.615 184378.288  TCP       10.40.232.5:445   ->    10.40.240.32:1084  .APRS.   0   871746  262.1 M     1
2008-02-16 07:31:50.615 184378.288  TCP     10.40.240.32:1084   ->      10.40.232.5:445  .AP.S.   0   827661  110.1 M     1
2008-02-17 18:10:15.823  59673.029  TCP       10.40.232.5:445   ->     10.40.220.5:3577  .APRS.   0   452797  159.3 M     1
2008-02-17 18:10:15.823  59673.029  TCP      10.40.220.5:3577   ->      10.40.232.5:445  .AP.S.   0   422606   55.0 M     1
2008-02-18 10:35:23.499    565.379  TCP      10.40.212.5:1083   ->      10.40.232.5:445  .AP.S.   0    26698    4.0 M     1
2008-02-18 10:35:23.499    565.379  TCP       10.40.232.5:445   ->     10.40.212.5:1083  .APRS.   0    26084    4.0 M     1
2008-02-18 10:22:39.148   1108.766  TCP      80.90.99.41:3505   ->     10.40.224.6:1152  .AP.SF   0    15114   16.6 M     1
2008-02-18 10:45:40.760     45.540  TCP      10.40.232.7:8080   ->    10.40.208.7:33746  .AP.S.   0    13181   18.4 M     1
Summary: total flows: 22707, total bytes: 7.4 G, total packets: 32.0 M, avg bps: 124932, avg pps: 65, avg bpp: 237
Time window: 2008-02-12 12:55:58 - 2008-02-18 10:46:44
Total flows processed: 22707, Records skipped: 0, Bytes read: 1180788
Sys: 0.032s flows/second: 709571.6  Wall: 0.030s flows/second: 744174.6

Are the numbers of pkts/s, bytes/s that are printed in the table the number of packets and bytes that flowed during the 5-minute interval from 10:40 - 10:45, or are these the packets and bytes that flowed since flow start, which is mostly some days in the past? The "Time window" given in the "Summary" information could lead to this opinion - but this is not the intention if I select a single timeslot to inspect.

How can nfdump know when the flow started when I give it only one single timeslot to inspect? Does nfdump read all the old data as well to find the flow start, or is this information collected by nfcapd and stored in the five-minute dump files?

And what about the "Flags" - is this an accumulation of TCP flags during this inspection interval (given as single timeslot 10:45) or since flow start? And can I conclude that if there have been "R"eset flags seen in the flow, this flow has ended during the inspection interval and the others are potentially still active?

Joerg

_______________________________________________
Nfsen-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
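One way to check the two readings asked about above against the numbers themselves: parse rows of the "-o long" output, place each flow relative to the inspected slot, and compute the packet rate the counter would imply if it covered the whole flow duration versus only the 5-minute slot. This is an added example, not part of the post or of nfdump/nfsen; it assumes the file nfcapd.200802181045 covers 10:45:00-10:50:00 and that the K/M/G suffixes are 1024-based (which is consistent with the summary's avg bps over its time window).

```python
"""Parse rows of 'nfdump -o long' and compare the packet rate implied by
the counter under two readings: since flow start, or within the slot only."""
import re
from datetime import datetime, timedelta

# Constructed sample: three rows copied from the output quoted in the post.
SAMPLE = """\
2008-02-12 12:56:04.110 510524.741 TCP 10.40.232.5:445 -> 10.40.200.5:1814 .APR.. 0 5.1 M 1.5 G 1
2008-02-18 10:35:23.499 565.379 TCP 10.40.212.5:1083 -> 10.40.232.5:445 .AP.S. 0 26698 4.0 M 1
2008-02-18 10:45:40.760 45.540 TCP 10.40.232.7:8080 -> 10.40.208.7:33746 .AP.S. 0 13181 18.4 M 1
"""
# Assumption: the file nfcapd.200802181045 covers the slot 10:45:00-10:50:00.
SLOT_START = datetime(2008, 2, 18, 10, 45)
SLOT_LEN = timedelta(minutes=5)
# Assumption: K/M/G suffixes are 1024-based (consistent with the summary's avg bps).
UNIT = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}

ROW = re.compile(
    r"^(\S+ \S+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+(\d+)\s+"
    r"([\d.]+)\s*([KMG]?)\s+([\d.]+)\s*([KMG]?)\s+(\d+)$")

def parse_row(line):
    """One 'long' row -> dict with absolute counters and a datetime start."""
    m = ROW.match(line.strip())
    if not m:
        raise ValueError("not an nfdump long row: " + line)
    return {
        "start": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f"),
        "duration": float(m.group(2)), "proto": m.group(3),
        "src": m.group(4), "dst": m.group(5), "flags": m.group(6),
        "packets": int(float(m.group(8)) * UNIT[m.group(9)]),
        "bytes": int(float(m.group(10)) * UNIT[m.group(11)]),
    }

def assess(flow, slot_start=SLOT_START, slot_len=SLOT_LEN):
    """Where the flow lies relative to the slot, and the rate under each reading."""
    end = flow["start"] + timedelta(seconds=flow["duration"])
    overlap = (min(end, slot_start + slot_len) - max(flow["start"], slot_start)).total_seconds()
    return {
        "ends_before_slot": end < slot_start,
        "seconds_in_slot": max(overlap, 0.0),
        "pps_since_start": flow["packets"] / flow["duration"],
        "pps_if_slot_only": flow["packets"] / slot_len.total_seconds(),
        "rst_seen": "R" in flow["flags"],  # whether flags accumulate is the open question
    }

def assess_all(text=SAMPLE):
    return [dict(f, **assess(f)) for f in map(parse_row, text.splitlines())]
```

Calling assess_all() shows, for the first row, about 10.5 pps if the 5.1 M packets span the whole 510524 s duration versus about 17800 pps if they fell into one 5-minute slot, and that under the assumed window the first two rows end at 10:44:48, just before the slot starts.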
