I have a central repository for all my flow data. Flows are sucked down about every 5 minutes. Here is what the directory structure looks like...

/flow/array1/netflow/atla:chic:denv:hous:losa:newy:seat:wash

Which contain nfcapd flow files. I would like to 'replay'/fanout these flows to nfsen. So far the only way I have been able to replay these flows is by using nfdump to process all the flows and piping the output to nfreplay. As you pointed out, the process terminates once it has reached the end of the flows. Is there a better way?

Thanks,
-Chad

On Mar 3, 2008, at 2:58 AM, Peter Haag wrote:

> --On February 29, 2008 15:32:42 -0500 Chad Kotil <[EMAIL PROTECTED]> wrote:
>
> | Hi,
> | I'm looking for a better way to 'replay' my flows for nfsen capture.
> |
> | Currently I have all my flows on an external array and I am reading in
> | the flows w/ nfdump and then piping the flows to nfreplay which fans
> | out to my localhost so nfsen can capture and parse the flows.
> |
> | Here is my command..
> | nfdump -M /flow/array1/netflow/atla:chic:denv:hous:losa:newy:seat:wash -R . -w - | nfreplay &
> |
> | My question: Is there a better way for nfsen to read in nfcapd flows
> | that are already written to disk?
>
> nfreplay usually only reads flows from a single file. Its function was a
> kind of replaced by the fact, that nfcapd itself can forward packets it receives
> to another host/port i.e. another collector. This works in a constant mode, whereas
> your version sends all flows from all directories to another host, and terminates
> afterwards, even if new files come in. So what exactly do you want to do?
> Use the right tool for the right task.
>
> - Peter
>
> | Thanks,
> |
> | Chad E. Kotil
> | Global Research NOC
> | _______________________________________________
> | Nfsen-discuss mailing list
> | [email protected]
> | https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
>
> --
> _______ SWITCH - The Swiss Education and Research Network ______
> Peter Haag, Security Engineer, Member of SWITCH CERT
> PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
> SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
> E-mail: [EMAIL PROTECTED] Web: http://www.switch.ch/

Chad E. Kotil
Global Research NOC
[EMAIL PROTECTED]
Phone: 812 855-5288
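
Added example, not part of the thread and not nfdump/NfSen project code: one way to replay only the nfcapd files that have not been sent yet, so a repeating pass picks up new files instead of ending after the first run. The state file, the environment variable names, the one-port-per-source numbering and the nfreplay options -r/-H/-p are assumptions to check against the installed version.

```shell
#!/bin/sh
# Added example. Assumptions: the state file path, one listening port per
# source (BASE_PORT, BASE_PORT+1, ...) and nfreplay's -r/-H/-p options.
FLOW_BASE=${FLOW_BASE:-/flow/array1/netflow}
SOURCES=${SOURCES:-"atla chic denv hous losa newy seat wash"}
STATE=${STATE:-/var/tmp/nfreplay.seen}   # one replayed file path per line
REPLAY=${REPLAY:-nfreplay}
HOST=${HOST:-127.0.0.1}
BASE_PORT=${BASE_PORT:-9995}
INTERVAL=${INTERVAL:-300}                # flows arrive about every 5 minutes

# List finished nfcapd files of one source that were not replayed yet.
# Glob order is lexical, which is chronological for nfcapd.YYYYMMDDhhmm.
pending_files() {
    touch "$STATE"
    for f in "$FLOW_BASE/$1"/nfcapd.*; do
        [ -f "$f" ] || continue                              # unmatched glob
        case ${f##*/} in nfcapd.current*) continue ;; esac   # still being written
        grep -qxF -- "$f" "$STATE" || printf '%s\n' "$f"
    done
}

# One pass over all sources. A file is recorded only after a successful
# replay, so a failed send is retried on the next pass.
replay_once() {
    port=$BASE_PORT
    for src in $SOURCES; do
        pending_files "$src" | while IFS= read -r f; do
            if "$REPLAY" -r "$f" -H "$HOST" -p "$port" </dev/null; then
                printf '%s\n' "$f" >> "$STATE"
            fi
        done
        port=$((port + 1))
    done
}

# Keep running so files that arrive later are picked up as well.
replay_loop() {
    while :; do
        replay_once
        sleep "$INTERVAL"
    done
}

# Start the loop only when asked to, e.g. RUN_LOOP=1 sh replay.sh
if [ "${RUN_LOOP:-0}" = 1 ]; then replay_loop; fi
```

Files named nfcapd.current* are skipped because the collector is still writing them.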
