Adrian Popa wrote:
> Hello Peter,
>
> Thanks for the clarification - but using "-l 2M" is compared to the
> aggregated output, right?
Yes - that's the only filter which affects the output. Everything else is
suppressed.
- Peter
>
> On Wed, Jul 22, 2009 at 3:58 PM, Peter Haag <[email protected]> wrote:
>
> Hi Adrian,
> The point is aggregation:
> In the first example you have aggregated 39 flows to get the IP statistic.
> The earliest flow starts on 11:04:59.864, the latest one ends 446.060s
> later. But obviously none is longer than 300s, as
> you don't get any output in the second example. The 39 flows are all
> shorter than 300s but shifted in time - overall
> duration 446.060s. The filter 'duration' filters only individual flows and
> not aggregated data.
> Post aggregation filters may be an option for 1.6 - however, I've not yet
> finally decided.
>
> Hope this helps.
>
> - Peter
>
>
> Adrian Popa wrote:
>>>> Hi,
>>>>
>>>> If I run this query (in the web interface) - I get one result back:
>>>>
>>>> nfdump -M /data/nfsen/profiles/live/router1:router2:router3 -T -r nfcapd.200907221110 -n 200 -s ip/pps -l 2M
>>>> nfdump filter:
>>>> any
>>>> Packet limit: > 2097152 packets
>>>> Top 200 IP Addr ordered by pps:
>>>> Date first seen          Duration Proto        IP Addr  Flows  Packets    Bytes   pps    bps  bpp
>>>> 2009-07-22 11:04:59.864  446.060  any    xx.xxx.xx.xxx     39    3.1 M  134.6 M  7349  2.4 M   43
>>>>
>>>> Summary: total flows: 4490413, total bytes: 7.9 G, total packets: 15.6 M,
>>>> avg bps: 25.9 M, avg pps: 6550, avg bpp: 518
>>>> Time window: 2009-07-22 10:33:24 - 2009-07-22 11:14:58
>>>> Total flows processed: 4490413, Records skipped: 0, Bytes read: 233505016
>>>> Sys: 4.342s flows/second: 1034100.1 Wall: 4.347s flows/second: 1032873.2
>>>>
>>>>
>>>> If I run this query - I don't get any results back:
>>>>
>>>> nfdump -M /data/nfsen/profiles/live/router1:router2:router3 -T -r nfcapd.200907221110 -n 200 -s ip/pps -l 2M
>>>> nfdump filter:
>>>> duration > 300000
>>>> Packet limit: > 2097152 packets
>>>> Top 200 IP Addr ordered by pps:
>>>> Date first seen          Duration Proto        IP Addr  Flows  Packets    Bytes   pps    bps  bpp
>>>>
>>>> Summary: total flows: 112657, total bytes: 3.4 G, total packets: 5.8
>>>> M, avg bps: 11.2 M, avg pps: 2446, avg bpp: 601
>>>> Time window: 2009-07-22 10:33:24 - 2009-07-22 11:14:58
>>>> Total flows processed: 4490413, Records skipped: 0, Bytes read: 233505016
>>>> Sys: 0.602s flows/second: 7447936.4 Wall: 0.606s flows/second: 7403703.8
>>>>
>>>>
>>>> In the second case I added a filter - for flows with a duration greater than
>>>> 300 seconds (5 minutes) - and I don't get any results.
>>>>
>>>> Could anyone explain to me why it doesn't work in the second case?
>>>>
>>>> My goal is to find flows which have over 2 million packets and last over 5
>>>> minutes.
>>>>
>>>> Thanks,
>>>> Adrian
>>>>
>>>> _______________________________________________
>>>> Nfsen-discuss mailing list
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
>>
-- 
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
E-mail: [email protected] Web: http://www.switch.ch/
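The order of operations Peter describes (the nfdump filter runs per flow record before aggregation, '-l' applies to the aggregated rows) is easy to get wrong when hunting for long-lived, high-volume talkers. The script below is an added illustration, not nfdump code: it models '-s ip/pps' on constructed flow records shaped like Adrian's case (39 flows of 90 s each, staggered so their union spans 446.060 s and their packet sum exceeds 2M), plus two extra hosts so the difference between the per-flow 'duration' filter and a post-aggregation filter (which Peter mentions as a possible 1.6 feature; it does not exist in this version, so the `post_filter` hook here is hypothetical) is visible. Host addresses, timestamps and packet counts are all made up.

```python
"""Toy model of nfdump's '-s ip' statistic (added illustration, not nfdump code).

Pipeline mimicked: per-flow filter -> aggregate by IP -> '-l' packet limit -> sort.
Flow records below are constructed sample data, not real NetFlow.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class Flow:
    ip: str
    first_ms: int      # flow start, milliseconds (constructed offsets)
    last_ms: int       # flow end, milliseconds
    packets: int
    nbytes: int

    @property
    def duration_ms(self) -> int:
        return self.last_ms - self.first_ms


@dataclass
class IpStat:
    """One aggregated output row of '-s ip'."""
    ip: str
    flows: int
    packets: int
    nbytes: int
    first_ms: int
    last_ms: int

    @property
    def duration_ms(self) -> int:          # earliest start .. latest end
        return self.last_ms - self.first_ms

    @property
    def pps(self) -> float:
        return self.packets / (self.duration_ms / 1000) if self.duration_ms else 0.0


# Constructed sample (not real traffic):
# 10.0.0.5: 39 flows of 90 s, starting 9.37 s apart -> no single flow reaches
#           300 s, but the union spans 9.37*38 + 90 = 446.060 s; 3.12 M packets.
# 10.0.0.9: one 400 s flow with only 5000 packets (passes duration, fails -l).
# 10.0.0.7: one 60 s burst with 2.5 M packets (fails duration, passes -l).
SAMPLE_FLOWS = (
    [Flow("10.0.0.5", 9370 * i, 9370 * i + 90_000, 80_000, 3_450_000) for i in range(39)]
    + [Flow("10.0.0.9", 0, 400_000, 5_000, 400_000)]
    + [Flow("10.0.0.7", 5_000, 65_000, 2_500_000, 150_000_000)]
)

TWO_M = 2 * 1024 * 1024  # '-l 2M' -> 2097152 packets


def aggregate_by_ip(flows: Iterable[Flow]) -> dict[str, IpStat]:
    """Merge all flows of an IP into one row; the row's duration is from the
    earliest start to the latest end, not the longest individual flow."""
    stats: dict[str, IpStat] = {}
    for f in flows:
        s = stats.get(f.ip)
        if s is None:
            stats[f.ip] = IpStat(f.ip, 1, f.packets, f.nbytes, f.first_ms, f.last_ms)
        else:
            s.flows += 1
            s.packets += f.packets
            s.nbytes += f.nbytes
            s.first_ms = min(s.first_ms, f.first_ms)
            s.last_ms = max(s.last_ms, f.last_ms)
    return stats


def top_ip_pps(flows: Iterable[Flow], *,
               flow_filter: Optional[Callable[[Flow], bool]] = None,   # nfdump filter
               packet_limit: int = 0,                                  # '-l'
               post_filter: Optional[Callable[[IpStat], bool]] = None,  # hypothetical
               n: int = 200) -> list[IpStat]:
    kept = [f for f in flows if flow_filter is None or flow_filter(f)]
    rows = [r for r in aggregate_by_ip(kept).values() if r.packets > packet_limit]
    if post_filter is not None:
        rows = [r for r in rows if post_filter(r)]
    return sorted(rows, key=lambda r: r.pps, reverse=True)[:n]


def query_any() -> list[IpStat]:                 # filter 'any', -l 2M
    return top_ip_pps(SAMPLE_FLOWS, packet_limit=TWO_M)


def query_flow_duration() -> list[IpStat]:       # filter 'duration > 300000', -l 2M
    return top_ip_pps(SAMPLE_FLOWS, flow_filter=lambda f: f.duration_ms > 300_000,
                      packet_limit=TWO_M)


def query_post_aggregation() -> list[IpStat]:    # hypothetical post-aggregation filter
    return top_ip_pps(SAMPLE_FLOWS, packet_limit=TWO_M,
                      post_filter=lambda r: r.duration_ms > 300_000)


if __name__ == "__main__":
    for name, rows in (("filter any", query_any()),
                       ("filter duration > 300000", query_flow_duration()),
                       ("post-aggregation duration > 300000", query_post_aggregation())):
        print(f"{name}:")
        for r in rows:
            print(f"  {r.ip:10} flows={r.flows:3} packets={r.packets:>9} "
                  f"duration={r.duration_ms / 1000:8.3f}s pps={r.pps:8.1f}")
```

With the per-flow filter the query is empty even though a 400 s flow exists (it never reaches the 2M packet limit), while the aggregated 10.0.0.5 row, whose longest flow is only 90 s, is the one that satisfies "over 2M packets and over 5 minutes" once duration is evaluated after aggregation.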