The duration parameter is in miliseconds... Try duration < 1000.
On Wed, Sep 24, 2008 at 4:16 PM, Donnelly, Michael (OFT) <
[EMAIL PROTECTED]> wrote:
> Looking to see a report of all "short" conversations by using the
> Duration parameter in the filter expression.. I get all duration sizes
> in
> the results .. Why doesn't this work ?
>
> Filter: duration < 1
>
> Result:
>
> ** nfdump -M /usr/local/nfsen/profiles-data/live/xxxxxx -T -r
> 2008/09/24/nfcapd.200809240845 -n 100 -s record/flows -o long
> nfdump filter:
> duration < 1
> Aggregated flows 16725
>
> Top 100 flows ordered by flows:
> Date flow start Duration Proto Src IP Addr:Port
> Dst 2008-09-24 08:45:26.556 220.003 TCP xxx.xxx.236.75:443 ->
> <SNIP>
> 2008-09-24 08:45:26.720 219.979 TCP xxx.xxx.172.6:64297 ->
> <SNIP>
> 2008-09-24 08:46:25.504 180.076 TCP xxx.xxx.236.75:443 ->
> <SNIP>
>
> Thanks!
>
> Mike D
>
>
> --------------------------------------------------------
> This e-mail, including any attachments, may be confidential, privileged or
> otherwise legally protected. It is intended only for the addressee. If you
> received this e-mail in error or from someone who was not authorized to send
> it to you, do not disseminate, copy or otherwise use this e-mail or its
> attachments. Please notify the sender immediately by reply e-mail and
> delete the e-mail from your system.
>
>
> -----Original Message-----
>
> From: Peter Haag [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, September 24, 2008 7:00 AM
> To: Brown, Robin
> Cc: [email protected]
> Subject: Re: [Nfsen-discuss] Alert email address issue
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Robin,
> Indeed, there seem to be a bug. Here is the patch:
>
> - --- NfAlert.pm.orig Wed Sep 24 12:57:47 2008
> +++ NfAlert.pm Wed Sep 24 12:56:35 2008
> @@ -1367,7 +1367,7 @@
> $action_email =~ s/^\s+//;
> $action_email =~ s/\s$//;
> foreach my $email_addr ( split /\s*,\s*/, $action_email
> ) {
> - - if ( $action_email !~
> /^([A-Z0-9]+[._]?){1,}[A-Z0-9]+\@(([A-Z0-9]+[-]?){1,}[A-Z0-9]+\.){1,}[A-
> Z]{2,4}$/i ) {
> + if ( $action_email !~
> /^([A-Z0-9]+[._]?){1,}[A-Z0-9\-]+\@(([A-Z0-9]+[-]?){1,}[A-Z0-9]+\.){1,}[
> A-Z]{2,4}$/i ) {
> print $socket $EODATA;
> print $socket "ERR action_email
> '$action_email' not a valid email address\n";
> return;
>
>
>
> - Peter
>
> Brown, Robin wrote:
> > Hi, nfsen 1.3. I am trying to use an email address in an alert of the
> > format
> >
> > [EMAIL PROTECTED]
> >
> > Nfsen gives this error:
> >
> > ERROR: nfsend: action_email '[EMAIL PROTECTED]' not a valid email
> > address!
> >
> > But it is valid. Is it the '-' or is it the extra part of the domain
> > that it doesn't like? Is there a setting someplace I can change so it
> > will accept this as a valid email address?
> >
> > Thanks and regards,
> > Robin Brown
> >
> >
> ------------------------------------------------------------------------
> -
> > This SF.Net email is sponsored by the Moblin Your Move Developer's
> challenge
> > Build the coolest Linux based applications with Moblin SDK & win great
> prizes
> > Grand prize is a trip for two to an Open Source event anywhere in the
> world
> > http://moblin-contest.org/redirect.php?banner_id=100&url=/
> > _______________________________________________
> > Nfsen-discuss mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
>
> - --
> _______ SWITCH - The Swiss Education and Research Network ______
> Peter Haag, Security Engineer, Member of SWITCH CERT
> PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
> SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
> E-mail: [EMAIL PROTECTED] Web: http://www.switch.ch/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (Darwin)
>
> iQCVAwUBSNodo/5AbZRALNr/AQKdJwP8CJXZ72j4dPr3PLIYx5RTx4cTmeKMlwhw
> HxiZlIJcEEH17XIINtTNTwjtvh48JGbTDjeXE5i+OzCJX1IEwC4fglQgU/UOCdwx
> 96Z3OZr78kKjm8qbzhFHlFd/DWfO188ziTUbnzDOHthWBz/Yg1eWy5AkqneuoOrG
> FRhPcyLWANY=
> =FVmc
> -----END PGP SIGNATURE-----
>
> ------------------------------------------------------------------------
> -
> This SF.Net email is sponsored by the Moblin Your Move Developer's
> challenge
> Build the coolest Linux based applications with Moblin SDK & win great
> prizes
> Grand prize is a trip for two to an Open Source event anywhere in the
> world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Nfsen-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
>
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's
> challenge
> Build the coolest Linux based applications with Moblin SDK & win great
> prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Nfsen-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
>
-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
