-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Donnelly, Michael (OFT) wrote:
> Looking to see a report of all "short" conversations by using the
> Duration parameter in the filter expression.. I get all duration sizes
> in
> the results .. Why doesn't this work ?
You do a record statistic => -s record/flows
The way this works: You apply the filter with duration < 1, which means you
select very short living flows. Due to the
statistics, flows are aggregated. While aggregating, the total duration of all
aggregated flows is recalculated as a new
value "last - first". That's why you get a differnet duration time, than what
you expect.
- Peter
>
> Filter: duration < 1
>
> Result:
>
> ** nfdump -M /usr/local/nfsen/profiles-data/live/xxxxxx -T -r
> 2008/09/24/nfcapd.200809240845 -n 100 -s record/flows -o long
> nfdump filter:
> duration < 1
> Aggregated flows 16725
>
> Top 100 flows ordered by flows:
> Date flow start Duration Proto Src IP Addr:Port
> Dst 2008-09-24 08:45:26.556 220.003 TCP xxx.xxx.236.75:443 ->
> <SNIP>
> 2008-09-24 08:45:26.720 219.979 TCP xxx.xxx.172.6:64297 ->
> <SNIP>
> 2008-09-24 08:46:25.504 180.076 TCP xxx.xxx.236.75:443 ->
> <SNIP>
>
> Thanks!
>
> Mike D
>
>
> --------------------------------------------------------
> This e-mail, including any attachments, may be confidential, privileged or
> otherwise legally protected. It is intended only for the addressee. If you
> received this e-mail in error or from someone who was not authorized to send
> it to you, do not disseminate, copy or otherwise use this e-mail or its
> attachments. Please notify the sender immediately by reply e-mail and delete
> the e-mail from your system.
>
>
> -----Original Message-----
>
> From: Peter Haag [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, September 24, 2008 7:00 AM
> To: Brown, Robin
> Cc: [email protected]
> Subject: Re: [Nfsen-discuss] Alert email address issue
>
> Hi Robin,
> Indeed, there seem to be a bug. Here is the patch:
>
> --- NfAlert.pm.orig Wed Sep 24 12:57:47 2008
> +++ NfAlert.pm Wed Sep 24 12:56:35 2008
> @@ -1367,7 +1367,7 @@
> $action_email =~ s/^\s+//;
> $action_email =~ s/\s$//;
> foreach my $email_addr ( split /\s*,\s*/, $action_email
> ) {
> - if ( $action_email !~
> /^([A-Z0-9]+[._]?){1,}[A-Z0-9]+\@(([A-Z0-9]+[-]?){1,}[A-Z0-9]+\.){1,}[A-
> Z]{2,4}$/i ) {
> + if ( $action_email !~
> /^([A-Z0-9]+[._]?){1,}[A-Z0-9\-]+\@(([A-Z0-9]+[-]?){1,}[A-Z0-9]+\.){1,}[
> A-Z]{2,4}$/i ) {
> print $socket $EODATA;
> print $socket "ERR action_email
> '$action_email' not a valid email address\n";
> return;
>
>
>
> - Peter
>
> Brown, Robin wrote:
>> Hi, nfsen 1.3. I am trying to use an email address in an alert of the
>> format
>
>> [EMAIL PROTECTED]
>
>> Nfsen gives this error:
>
>> ERROR: nfsend: action_email '[EMAIL PROTECTED]' not a valid email
>> address!
>
>> But it is valid. Is it the '-' or is it the extra part of the domain
>> that it doesn't like? Is there a setting someplace I can change so it
>> will accept this as a valid email address?
>
>> Thanks and regards,
>> Robin Brown
>
>
> ------------------------------------------------------------------------
> -
>> This SF.Net email is sponsored by the Moblin Your Move Developer's
> challenge
>> Build the coolest Linux based applications with Moblin SDK & win great
> prizes
>> Grand prize is a trip for two to an Open Source event anywhere in the
> world
>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>> _______________________________________________
>> Nfsen-discuss mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
>
- ------------------------------------------------------------------------
- -
This SF.Net email is sponsored by the Moblin Your Move Developer's
challenge
Build the coolest Linux based applications with Moblin SDK & win great
prizes
Grand prize is a trip for two to an Open Source event anywhere in the
world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
- -------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
- --
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
E-mail: [EMAIL PROTECTED] Web: http://www.switch.ch/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
iQCVAwUBSNsxa/5AbZRALNr/AQKl1wP8Cm5GrB1fCQMlpfSPzgfJxy57tL1Hw1RU
GxrJn9XPhIc8X0eFUT0T/OUbHIg+Ars61NIuozH61awi+wWAqaBArwjFkQnPzlxw
hBiV0SOZq5b1dmhs+Gvdh6buqFnlq2+e66YOIpiePgH1qYYrcvdYuMf2Ze/uBFNG
hKtIcyDhbWI=
=uaT4
-----END PGP SIGNATURE-----
-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
