-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Adrian,
The point is aggregation:
In the first example you have aggregated 39 flows to get the IP statistic.
The earliest flow starts at 11:04:59.864; the latest one ends 446.060 s later.
But obviously none is longer than 300 s, as you don't get any output in the
second example. The 39 flows are all shorter than 300 s but shifted in time,
with an overall duration of 446.060 s. The filter 'duration' filters only
individual flows and not aggregated data.
Post-aggregation filters may be an option for 1.6; however, I've not yet
finally decided.
Hope this helps.
- Peter
Adrian Popa wrote:
> Hi,
>
> If I run this query (in the web interface) - I get one result back:
>
> *nfdump -M /data/nfsen/profiles/live/router1:router2:router3 -T -r nfcapd.200907221110 -n 200 -s ip/pps -l 2M*
> nfdump filter:
> *any*
> *Packet limit: > 2097152 packets*
> Top 200 IP Addr ordered by pps:
> Date first seen          Duration Proto        IP Addr  Flows  Packets    Bytes   pps     bps  bpp
> *2009-07-22 11:04:59.864  446.060 any    xx.xxx.xx.xxx     39    3.1 M  134.6 M  7349   2.4 M   43*
>
> Summary: total flows: 4490413, total bytes: 7.9 G, total packets: 15.6 M, avg bps: 25.9 M, avg pps: 6550, avg bpp: 518
> Time window: 2009-07-22 10:33:24 - 2009-07-22 11:14:58
> Total flows processed: 4490413, Records skipped: 0, Bytes read: 233505016
> Sys: 4.342s flows/second: 1034100.1 Wall: 4.347s flows/second: 1032873.2
>
>
> If I run this query - I don't get any results back:
>
> *nfdump -M /data/nfsen/profiles/live/router1:router2:router3 -T -r nfcapd.200907221110 -n 200 -s ip/pps -l 2M*
> nfdump filter:
> *duration > 300000*
> *Packet limit: > 2097152 packets*
> Top 200 IP Addr ordered by pps:
> Date first seen          Duration Proto        IP Addr  Flows  Packets    Bytes   pps     bps  bpp
>
> Summary: total flows: 112657, total bytes: 3.4 G, total packets: 5.8 M, avg bps: 11.2 M, avg pps: 2446, avg bpp: 601
> Time window: 2009-07-22 10:33:24 - 2009-07-22 11:14:58
> Total flows processed: 4490413, Records skipped: 0, Bytes read: 233505016
> Sys: 0.602s flows/second: 7447936.4 Wall: 0.606s flows/second: 7403703.8
>
>
> In the second case I added a filter - for flows with a duration greater than
> 300 seconds (5 minutes) - and I don't get any results.
>
> Could anyone explain to me why it doesn't work in the second case?
>
> My goal is to find flows which have over 2 million packets and last over 5
> minutes.
>
> Thanks,
> Adrian
>
>
>
> _______________________________________________
> Nfsen-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
- --
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
E-mail: [email protected] Web: http://www.switch.ch/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
iQCVAwUBSmcM3P5AbZRALNr/AQK94AP+N1LweSKdPKUeWkhCeLb6ejuZmeqzSaTd
bvF+6YJVjzD6ZOzKbHzmEGZyi8rULDAFdF6pm8XyzNgRBWLoOBxILIVcqpS5Co3D
LTytcWkQaK+Zc1vkg1/5TWulJhyZ95AaY31O9CWI+nrRZCi985rIlsFZvLzHOEUO
isNnwT8EbV4=
=eLoN
-----END PGP SIGNATURE-----
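The aggregation effect Peter describes, as an added example in Python (not nfdump or nfsen code, and not written by either poster): a constructed set of 39 time-shifted flows, each shorter than 300 s, whose per-IP aggregate spans 446.060 s. `filter_flows` models nfdump's `duration > N` keyword (N in milliseconds) judging each record before aggregation; `post_aggregation_duration_filter` is a hypothetical post-aggregation filter of the kind Peter mentions as a possible future option, not an existing nfdump feature; and treating the `-l` packet limit as a threshold on the aggregated row is this example's own assumption.

```python
"""Per-flow versus post-aggregation filtering of flow records.

Added example, not nfdump/nfsen code.  It models what the thread describes:
a 'duration > N' filter applied to each flow record before aggregation, so
an IP statistic built from many short, time-shifted flows can show a long
overall duration even though no single flow passes the filter.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    first_seen_ms: int  # flow start, milliseconds since an arbitrary epoch
    duration_ms: int    # same unit as nfdump's 'duration' filter keyword
    packets: int

    @property
    def last_seen_ms(self) -> int:
        return self.first_seen_ms + self.duration_ms


# Constructed sample: 39 flows from one host, each 120.020 s long, starting
# 8.58 s apart.  First start to last end spans exactly 446.060 s and the
# packet sum is 3.12 M, mirroring the first nfdump output in the thread.
SAMPLE_FLOWS = [
    Flow("xx.xxx.xx.xxx", first_seen_ms=i * 8_580, duration_ms=120_020, packets=80_000)
    for i in range(39)
]


def filter_flows(flows, min_duration_ms):
    """Pre-aggregation filter, like nfdump 'duration > N': judges each record alone."""
    return [f for f in flows if f.duration_ms > min_duration_ms]


def aggregate_by_ip(flows):
    """Build an 'ip' statistic: one row per source IP with first/last seen,
    overall duration, flow count and packet sum (columns of -s ip/pps output)."""
    stats = {}
    for f in flows:
        row = stats.setdefault(f.src_ip, {
            "first_seen_ms": f.first_seen_ms,
            "last_seen_ms": f.last_seen_ms,
            "flows": 0,
            "packets": 0,
        })
        row["first_seen_ms"] = min(row["first_seen_ms"], f.first_seen_ms)
        row["last_seen_ms"] = max(row["last_seen_ms"], f.last_seen_ms)
        row["flows"] += 1
        row["packets"] += f.packets
    for row in stats.values():
        # Duration of the aggregate: earliest start to latest end, not a sum.
        row["duration_ms"] = row["last_seen_ms"] - row["first_seen_ms"]
    return stats


def packet_limit(stats, min_packets):
    """Model of '-l': keep aggregate rows with more than min_packets packets.
    Assumption: the limit applies to the aggregated row, which is consistent
    with the thread's first output (a 39-flow, 3.1 M packet row passes -l 2M)."""
    return {ip: row for ip, row in stats.items() if row["packets"] > min_packets}


def post_aggregation_duration_filter(stats, min_duration_ms):
    """Hypothetical post-aggregation filter (our own, not an nfdump option):
    keep aggregate rows whose overall duration exceeds the threshold."""
    return {ip: row for ip, row in stats.items() if row["duration_ms"] > min_duration_ms}


def compare(flows, min_duration_ms=300_000, min_packets=2_097_152):
    """Return both orderings side by side: per-flow filter then aggregate
    (what nfdump does), versus aggregate then post-filter."""
    pre = packet_limit(aggregate_by_ip(filter_flows(flows, min_duration_ms)), min_packets)
    post = post_aggregation_duration_filter(
        packet_limit(aggregate_by_ip(flows), min_packets), min_duration_ms)
    return {"filter_then_aggregate": pre, "aggregate_then_filter": post}


if __name__ == "__main__":
    longest = max(f.duration_ms for f in SAMPLE_FLOWS)
    print(f"longest single flow: {longest / 1000:.3f} s")
    for name, rows in compare(SAMPLE_FLOWS).items():
        print(name)
        for ip, row in rows.items():
            print(f"  {ip}: {row['flows']} flows, {row['packets']} packets, "
                  f"{row['duration_ms'] / 1000:.3f} s overall")
        if not rows:
            print("  (no rows)")
```

Run as a script, the per-flow path returns no rows (every flow is 120.020 s, under the 300 s threshold), while the post-aggregation path returns the single 39-flow row with an overall duration of 446.060 s. A query for "hosts active for more than five minutes" therefore cannot be expressed with the per-record `duration` keyword alone; it needs either a post-aggregation filter or a check on the first-seen/last-seen span of the statistic output.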