Hello,
It works for me:
** nfdump -M /data/nfsen/profiles/live/router -T -r nfcapd.200809242045 -o long -c 20
nfdump filter:
duration > 1000
Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Flags Tos Packets Bytes Flows
2008-09-24 20:44:54.344 1.028 TCP xxx.yyy.zzz.ttt:123 -> xxx.yyy.zzz.ttt:321 ....S. 0 3 144 1
2008-09-24 20:45:26.676 8.936 TCP xxx.yyy.zzz.ttt:123 -> xxx.yyy.zzz.ttt:321 .A..S. 0 5 236 1
2008-09-24 20:45:57.868 2.936 TCP xxx.yyy.zzz.ttt:123 -> xxx.yyy.zzz.ttt:321 ....S. 0 2 96 1
2008-09-24 20:48:10.804 8.980 TCP xxx.yyy.zzz.ttt:123 -> xxx.yyy.zzz.ttt:321 .A..S. 0 5 236 1
** nfdump -M /data/nfsen/profiles/live/7609NxData -T -r nfcapd.200809242045 -o long -c 20
nfdump filter:
duration > 100
Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Flags Tos Packets Bytes Flows
2008-09-24 20:44:51.765 0.128 TCP xxx.yyy.zzz.ttt:123 -> xxx.yyy.zzz.ttt:321 ...... 0 23 1058 1
2008-09-24 20:44:54.344 1.028 TCP xxx.yyy.zzz.ttt:123 -> xxx.yyy.zzz.ttt:321 ....S. 0 3 144 1
2008-09-24 20:44:59.200 0.452 ICMP xxx.yyy.zzz.ttt:123 -> xxx.yyy.zzz.ttt:321 .A.... 0 10 840 1
My nfsen version is:
[EMAIL PROTECTED] /]# nfdump -V
nfdump: Version: 1.5.7 $LastChangedDate: 2008-02-21 10:50:02 +0100 (Thu, 21 Feb 2008) $
$Id: nfdump.c 98 2008-02-22 09:13:12Z peter $
On Wed, Sep 24, 2008 at 5:37 PM, Donnelly, Michael (OFT) <[EMAIL PROTECTED]> wrote:
> Then my query of duration < 1 should not have given me results with
> durations in the 200's and better as listed in my original post, right? ..
> my point is that it looks to me like the duration filter is being
> disregarded when using the less than operator. I'm missing something basic
> here I suspect .. Observe..
>
> Filter: duration < 1000000
>
> duration < 1000000
>
> Top 10 IP Addr ordered by flows:
> Date first seen Duration Proto IP Addr Flows Packets Bytes pps bps bpp
> 2008-09-23 22:23:57.823 360.852 any xxx.yyy.zzz.aaa 23081 248500 49.0 M 688 1.1 M 206
>
> Filter : duration < 10000
>
> duration < 1000
>
> Top 10 IP Addr ordered by flows:
> Date first seen Duration Proto IP Addr Flows Packets Bytes pps bps bpp
> 2008-09-23 22:24:44.260 312.986 any xxx.yyy.zzzz.aaa 19445 86390 9.6 M 276 258365 117
>
> Filter: duration < 10
>
> nfdump filter:
> duration < 10
>
> Top 10 IP Addr ordered by flows:
> Date first seen Duration Proto IP Addr Flows Packets Bytes pps bps bpp
> 2008-09-23 22:24:44.200 300.467 any xxx.yyy.zzz.aaa 15548 15559 2.1 M 51 58565 141
>
> Filter duration < 1
>
> nfdump filter:
> duration < 1
>
> Top 10 IP Addr ordered by flows:
> Date first seen Duration Proto IP Addr Flows Packets Bytes pps bps bpp
> 2008-09-23 22:24:44.200 300.467 any xxx.yyy.zzz.aaa 15546 15556 2.1 M 51 58560 141
>
> ------------------------------
>
> From: Adrian Popa [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, September 24, 2008 10:12 AM
> To: Donnelly, Michael (OFT)
> Cc: [email protected]
> Subject: Re: [Nfsen-discuss] NFsen / Nfdump filter by duration question..?
>
> The duration parameter is in milliseconds... Try duration < 1000.
>
> On Wed, Sep 24, 2008 at 4:16 PM, Donnelly, Michael (OFT) <[EMAIL PROTECTED]> wrote:
>
> Looking to see a report of all "short" conversations by using the
> Duration parameter in the filter expression.. I get all duration sizes in
> the results .. Why doesn't this work ?
>
> Filter: duration < 1
>
> Result:
>
> ** nfdump -M /usr/local/nfsen/profiles-data/live/xxxxxx -T -r 2008/09/24/nfcapd.200809240845 -n 100 -s record/flows -o long
> nfdump filter:
> duration < 1
> Aggregated flows 16725
>
> Top 100 flows ordered by flows:
> Date flow start Duration Proto Src IP Addr:Port Dst
> 2008-09-24 08:45:26.556 220.003 TCP xxx.xxx.236.75:443 -> <SNIP>
> 2008-09-24 08:45:26.720 219.979 TCP xxx.xxx.172.6:64297 -> <SNIP>
> 2008-09-24 08:46:25.504 180.076 TCP xxx.xxx.236.75:443 -> <SNIP>
>
> Thanks!
>
> Mike D
>
>
> --------------------------------------------------------
> This e-mail, including any attachments, may be confidential, privileged or
> otherwise legally protected. It is intended only for the addressee. If you
> received this e-mail in error or from someone who was not authorized to send
> it to you, do not disseminate, copy or otherwise use this e-mail or its
> attachments. Please notify the sender immediately by reply e-mail and
> delete the e-mail from your system.
>
>
> -----Original Message-----
>
> From: Peter Haag [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, September 24, 2008 7:00 AM
> To: Brown, Robin
> Cc: [email protected]
> Subject: Re: [Nfsen-discuss] Alert email address issue
>
> Hi Robin,
> Indeed, there seem to be a bug. Here is the patch:
>
> - --- NfAlert.pm.orig Wed Sep 24 12:57:47 2008
> +++ NfAlert.pm Wed Sep 24 12:56:35 2008
> @@ -1367,7 +1367,7 @@
> $action_email =~ s/^\s+//;
> $action_email =~ s/\s$//;
> foreach my $email_addr ( split /\s*,\s*/, $action_email
> ) {
> - - if ( $action_email !~
> /^([A-Z0-9]+[._]?){1,}[A-Z0-9]+\@(([A-Z0-9]+[-]?){1,}[A-Z0-9]+\.){1,}[A-
> Z]{2,4}$/i ) {
> + if ( $action_email !~
> /^([A-Z0-9]+[._]?){1,}[A-Z0-9\-]+\@(([A-Z0-9]+[-]?){1,}[A-Z0-9]+\.){1,}[
> A-Z]{2,4}$/i ) {
> print $socket $EODATA;
> print $socket "ERR action_email
> '$action_email' not a valid email address\n";
> return;
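Review bot: both the removed and the added `if` test `$action_email`, the whole comma-separated string that the enclosing `foreach` has just split, instead of the loop variable `$email_addr`; with two or more recipients the comma makes the regex fail for every iteration and the whole alert is rejected, so the condition should read `if ( $email_addr !~ ... )` and the error message should report `$email_addr`. The change itself only adds `\-` to the final character class of the local part (`[A-Z0-9\-]+`), so a hyphen is still not accepted in the earlier `([A-Z0-9]+[._]?){1,}` segments, and `[A-Z]{2,4}` still rejects top-level domains longer than four letters; the unchanged `s/\s$//` also strips only one trailing whitespace character where the leading `s/^\s+//` strips all of them.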
>
>
>
> - Peter
>
> Brown, Robin wrote:
> > Hi, nfsen 1.3. I am trying to use an email address in an alert of the
> > format
> >
> > [EMAIL PROTECTED]
> >
> > Nfsen gives this error:
> >
> > ERROR: nfsend: action_email '[EMAIL PROTECTED]' not a valid email
> > address!
> >
> > But it is valid. Is it the '-' or is it the extra part of the domain
> > that it doesn't like? Is there a setting someplace I can change so it
> > will accept this as a valid email address?
> >
> > Thanks and regards,
> > Robin Brown
> >
> >
> ------------------------------------------------------------------------
> -
> > This SF.Net email is sponsored by the Moblin Your Move Developer's
> challenge
> > Build the coolest Linux based applications with Moblin SDK & win great
> prizes
> > Grand prize is a trip for two to an Open Source event anywhere in the
> world
> > http://moblin-contest.org/redirect.php?banner_id=100&url=/
> > _______________________________________________
> > Nfsen-discuss mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
>
> - --
> _______ SWITCH - The Swiss Education and Research Network ______
> Peter Haag, Security Engineer, Member of SWITCH CERT
> PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
> SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
> E-mail: [EMAIL PROTECTED] Web: http://www.switch.ch/
>
>
>
>
>
>
>
>
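As an added illustration of the seconds-versus-milliseconds point in this thread (this is not nfdump's code and was not posted by anyone here), the script below parses `-o long` records like those quoted above, converts the printed Duration column from seconds to the milliseconds the filter language expects, and evaluates a `duration <op> N` expression against them. The sample records are constructed, and the operator subset is an assumption covering the two operators used in the thread plus equality.

```python
import operator
import re

# Constructed sample of nfdump "-o long" output, modelled on the records
# quoted in this thread (RFC 5737 documentation addresses, not real hosts).
SAMPLE_OUTPUT = """\
Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Flags Tos Packets Bytes Flows
2008-09-24 20:44:51.765 0.128 TCP 192.0.2.10:123 -> 198.51.100.7:321 ...... 0 23 1058 1
2008-09-24 20:44:54.344 1.028 TCP 192.0.2.10:123 -> 198.51.100.7:321 ....S. 0 3 144 1
2008-09-24 20:44:59.200 0.452 ICMP 192.0.2.10:0 -> 198.51.100.7:0 .A.... 0 10 840 1
2008-09-24 20:45:26.676 8.936 TCP 192.0.2.10:123 -> 198.51.100.7:321 .A..S. 0 5 236 1
"""

# One "-o long" record; note that the Duration column is printed in seconds.
RECORD = re.compile(
    r"^(?P<start>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(?P<duration_s>\d+\.\d+)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<flags>\S+)\s+"
    r"(?P<tos>\d+)\s+(?P<packets>\d+)\s+(?P<bytes>\d+)\s+(?P<flows>\d+)$"
)

# Operators handled here (assumed subset): the two used in this thread plus "=".
OPS = {"<": operator.lt, ">": operator.gt, "=": operator.eq, "==": operator.eq}
FILTER = re.compile(r"^duration\s*(<|>|==|=)\s*(\d+)$")


def parse_long(text):
    """Parse nfdump -o long lines; headers, banners and other noise are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        # The filter language counts milliseconds, so convert the displayed seconds.
        rec["duration_ms"] = round(float(rec.pop("duration_s")) * 1000)
        for key in ("tos", "packets", "bytes", "flows"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def apply_duration_filter(records, expr):
    """Evaluate an nfdump-style 'duration <op> N' filter, with N in milliseconds."""
    m = FILTER.match(expr.strip())
    if not m:
        raise ValueError("unsupported filter: %r" % expr)
    op, threshold_ms = OPS[m.group(1)], int(m.group(2))
    return [r for r in records if op(r["duration_ms"], threshold_ms)]
```

Run against the sample, `duration < 1` matches nothing while `duration < 1000` returns the two sub-second flows, which is the behaviour the thread's `< 1` versus `< 1000` advice describes.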