Hi Peter,

* Peter Haag

> Well - I'm afraid you have to properly split the flow-tools file beforehand.

Yep, I hacked together a script to do so using flow-nfilter to split
based on the end time of the flows.  I'm attaching it here in case
someone else needs to do the same and would like some inspiration.

However, I've now stumbled upon yet another problem - it seems the
router ID and next hop are lost when converting using ft2nfdump - using
"nfdump -s router" or "nfdump -s nhip" on converted files will just give
0.0.0.0 as the only available record.  Also I've noticed that when I use
"nfdump -A router" or "nfdump -A next" on such converted data I just get
a random value every time - it probably reads it from uninitialised memory.

I'm hoping to have a colleague who's a better coder than me look into
these things; hopefully we'll be able to submit a patch for them shortly.

> Not that easy. What you can try:
> o convert from flow-tools.
> o Put NfSen into Sim mode, by setting the proper %sim settings. See 
> nfsen-dist.conf
> o run the simulation for your files.
> o stop the simulator - do *not* reset!
> o Disable sim mode.
> o Restart NfSen.
> 
> It's a rather ugly and manual hack, but the only way at the moment.

Ugly and manual is infinitely better than impossible.  :-)  Thank you!

Best regards
-- 
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com/
Tel: +47 21 54 41 27

Attachment: convert.pl
Description: Perl program

filter-primitive tstart
        type time
        permit ge @{START:-00:00}

filter-primitive tend
        type time
        permit lt @{END:-00:00}

filter-primitive rid
        type ip-address
        permit @{RID:-any}
        default deny

filter-definition to
        match end-time tend
        match ip-exporter-address rid

filter-definition fromto
        match end-time tstart
        match end-time tend
        match ip-exporter-address rid

filter-definition from
        match end-time tstart
        match ip-exporter-address rid
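
The following Python example is added here and is not the attached convert.pl: it builds one flow-nfilter command line per 5-minute slot of a day, choosing between the `to`, `fromto` and `from` definitions above and binding START, END and RID with `-v`. The filter file name `split.filter`, the 5-minute slot length, the `nfcapd.YYYYMMDDhhmm` output names, the choice of definition per slot and the reading of `type time` as a time-of-day comparison are assumptions.

```python
import shlex
from datetime import date, datetime, time, timedelta

FILTER_FILE = "split.filter"  # assumed name for the file holding the definitions above
SLOT = timedelta(minutes=5)   # assumed slot length


def plan_day(day, router_id=None, filter_file=FILTER_FILE):
    """Return [(output_name, argv), ...], one entry per slot of `day`."""
    plan = []
    start = datetime.combine(day, time.min)
    midnight = start + timedelta(days=1)
    while start < midnight:
        end = start + SLOT
        if start.time() == time.min:
            # First slot: an upper bound on the end time is enough.
            definition, bounds = "to", {"END": end}
        elif end >= midnight:
            # Last slot: the upper bound would wrap to 00:00, and
            # "lt 00:00" matches no time of day, so only bound from below.
            definition, bounds = "from", {"START": start}
        else:
            definition, bounds = "fromto", {"START": start, "END": end}
        argv = ["flow-nfilter", "-f", filter_file, "-F", definition]
        for name, value in bounds.items():
            argv += ["-v", f"{name}={value:%H:%M}"]
        if router_id is not None:
            # Without a binding the filter's own default ("any") applies.
            argv += ["-v", f"RID={router_id}"]
        plan.append((f"nfcapd.{start:%Y%m%d%H%M}", argv))
        start = end
    return plan


if __name__ == "__main__":
    # Constructed sample: documentation-range exporter address, arbitrary date.
    for name, argv in plan_day(date(2010, 6, 1), router_id="192.0.2.1")[:3]:
        print(name, "<-", shlex.join(argv))
```

Each command reads flow-tools data on standard input; because the bounds are times of day, feed it one day's flows at a time.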

_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
