Thanks!

On Wed, Jul 22, 2009 at 4:19 PM, Peter Haag <[email protected]> wrote:
> Adrian Popa wrote:
> > Hello Peter,
> >
> > Thanks for the clarification - but using "-l 2M" is compared to the
> > aggregated output, right?
>
> Yes - that's the only filter which affects the output. Everything else is
> suppressed.
>
> - Peter
>
> > On Wed, Jul 22, 2009 at 3:58 PM, Peter Haag <[email protected]> wrote:
> >
> > > Hi Adrian,
> > >
> > > The point is aggregation:
> > > In the first example you have aggregated 39 flows to get the IP statistic.
> > > The earliest flow starts on 11:04:59.864, the latest one ends 446.060s
> > > later. But obviously none is longer than 300s as you don't get any output
> > > in the second example. The 39 flows are all shorter than 300s but shifted
> > > in time - overall duration 446.060s. The filter 'duration' filters only
> > > individual flows and not aggregated data.
> > > Post aggregation filters may be an option for 1.6 - however, I've not yet
> > > finally decided.
> > >
> > > Hope this helps.
> > >
> > > - Peter
> > >
> > > Adrian Popa wrote:
> > > > Hi,
> > > >
> > > > If I run this query (in the web interface) - I get one result back:
> > > >
> > > > nfdump -M /data/nfsen/profiles/live/router1:router2:router3 -T -r nfcapd.200907221110 -n 200 -s ip/pps -l 2M
> > > > nfdump filter:
> > > > any
> > > > Packet limit: > 2097152 packets
> > > > Top 200 IP Addr ordered by pps:
> > > > Date first seen          Duration Proto          IP Addr    Flows  Packets    Bytes      pps      bps   bpp
> > > > 2009-07-22 11:04:59.864   446.060 any      xx.xxx.xx.xxx       39    3.1 M  134.6 M     7349    2.4 M    43
> > > >
> > > > Summary: total flows: 4490413, total bytes: 7.9 G, total packets: 15.6 M, avg bps: 25.9 M, avg pps: 6550, avg bpp: 518
> > > > Time window: 2009-07-22 10:33:24 - 2009-07-22 11:14:58
> > > > Total flows processed: 4490413, Records skipped: 0, Bytes read: 233505016
> > > > Sys: 4.342s flows/second: 1034100.1  Wall: 4.347s flows/second: 1032873.2
> > > >
> > > >
> > > > If I run this query - I don't get any results back:
> > > >
> > > > nfdump -M /data/nfsen/profiles/live/router1:router2:router3 -T -r nfcapd.200907221110 -n 200 -s ip/pps -l 2M
> > > > nfdump filter:
> > > > duration > 300000
> > > > Packet limit: > 2097152 packets
> > > > Top 200 IP Addr ordered by pps:
> > > > Date first seen          Duration Proto          IP Addr    Flows  Packets    Bytes      pps      bps   bpp
> > > >
> > > > Summary: total flows: 112657, total bytes: 3.4 G, total packets: 5.8 M, avg bps: 11.2 M, avg pps: 2446, avg bpp: 601
> > > > Time window: 2009-07-22 10:33:24 - 2009-07-22 11:14:58
> > > > Total flows processed: 4490413, Records skipped: 0, Bytes read: 233505016
> > > > Sys: 0.602s flows/second: 7447936.4  Wall: 0.606s flows/second: 7403703.8
> > > >
> > > >
> > > > In the second case I added a filter - for flows with a duration greater
> > > > than 300 seconds (5 minutes) - and I don't get any results.
> > > >
> > > > Could anyone explain to me why it doesn't work in the second case?
> > > >
> > > > My goal is to find flows which have over 2 million packets and last over
> > > > 5 minutes.
> > > >
> > > > Thanks,
> > > > Adrian
> > > >
> > > > ------------------------------------------------------------------------------
> > > > _______________________________________________
> > > > Nfsen-discuss mailing list
> > > > [email protected]
> > > > https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
>
> --
> _______ SWITCH - The Swiss Education and Research Network ______
> Peter Haag, Security Engineer, Member of SWITCH CERT
> PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
> SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
> E-mail: [email protected] Web: http://www.switch.ch/
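The ordering Peter describes (per-record filter first, `-s ip` aggregation second, `-l` packet limit on the aggregated rows) is modelled below as an added illustration; this is not code from the thread or from nfdump, and the flow records, IPs and `long_lived_heavy_ips` helper are constructed for the example. The sample is built so that 39 records, each shorter than 300 s, span 446.060 s together and total 3.12 M packets, reproducing why the `duration > 300000` query returns nothing while the unfiltered one shows a 446 s row.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    src_ip: str
    first_seen_ms: int  # start time as ms offset within the capture (constructed)
    duration_ms: int    # per-record duration: the value nfdump's 'duration' filter sees
    packets: int


def filter_records(flows, duration_gt_ms=None):
    """Stage 1, the nfdump filter: evaluated on each flow record, before aggregation."""
    return [f for f in flows if duration_gt_ms is None or f.duration_ms > duration_gt_ms]


def aggregate_by_ip(flows):
    """Stage 2, '-s ip': merge records per IP. Duration becomes the span from the
    earliest first-seen to the latest end, which can exceed every single record."""
    groups = defaultdict(list)
    for f in flows:
        groups[f.src_ip].append(f)
    stats = {}
    for ip, recs in groups.items():
        start = min(r.first_seen_ms for r in recs)
        end = max(r.first_seen_ms + r.duration_ms for r in recs)
        stats[ip] = {"flows": len(recs), "packets": sum(r.packets for r in recs),
                     "duration_ms": end - start}
    return stats


def top_ips(flows, duration_gt_ms=None, packet_limit=None):
    """Stage 3, '-l': the packet limit is the only test applied to aggregated rows."""
    stats = aggregate_by_ip(filter_records(flows, duration_gt_ms))
    return {ip: s for ip, s in stats.items()
            if packet_limit is None or s["packets"] > packet_limit}


def long_lived_heavy_ips(flows, duration_gt_ms, packet_limit):
    """What the question actually wants: a duration test on the aggregated span.
    Hypothetical post-processing step; nfdump 1.5 offers no such filter."""
    return {ip: s for ip, s in aggregate_by_ip(flows).items()
            if s["duration_ms"] > duration_gt_ms and s["packets"] > packet_limit}


# Constructed sample: 39 records from one host, each 218.060 s long (< 300 s),
# starting 6 s apart, so the aggregated span is 446.060 s and the total is 3.12 M packets.
SAMPLE = [Flow("10.0.0.1", i * 6000, 218060, 80000) for i in range(39)]
SAMPLE.append(Flow("10.0.0.2", 0, 400000, 1000))  # one long but light flow
```

Running `top_ips(SAMPLE, duration_gt_ms=300000, packet_limit=2097152)` yields nothing, exactly as the second nfdump query did, while `long_lived_heavy_ips` finds the host because it tests the span after aggregation.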
