Dear all,

Due to the high demand to support NSEL event flows for CISCO ASA devices, and due to some bugs in nfdump-1.5.7-nsel, I decided to create an updated version, nfdump-1.5.8-NSEL.

In order to release this version on Sourceforge, I would like to get some feedback first from testers willing to use and test nfdump-1.5.8-NSEL thoroughly. If you want to help test, feel free to ping me off list, and I will send you a tar ball. As I have no CISCO ASA equipment for testing, I can only do limited testing with flow traces sent by supporting users. Many thanks to all of them.
Notes on nfdump-1.5.8-NSEL:

Why nfdump-1.5.8-NSEL and no integration into nfdump-1.6.x?

The original NSEL code was contributed by CISCO and applied to nfdump-1.5.7. Therefore, it was a lot easier for me to port this code to nfdump-1.5.8 and fix the bugs related to nfdump-1.5.7-nsel. Once the code turns out to be stable and running, I will port it to nfdump-1.6.
Limitation: Due to a major code cleanup, and with respect to future upwards compatibility with nfdump-1.6.x, the binary data format changed from nfdump-1.5.7-nsel to nfdump-1.5.8-NSEL. Therefore the bad news is that flows collected with nfdump-1.5.7-nsel can no longer be processed by nfdump-1.5.8-NSEL - sorry!

The good news: nfdump-1.5.8-NSEL is fully upwards and downwards compatible with nfdump-1.5.8. Both versions can read each other's data, with the limitation, of course, that nfdump-1.5.8 skips the NSEL specifics but displays all other data correctly. This also means that the upcoming nfdump-1.6.x with NSEL support will be able to read and upgrade data from nfdump-1.5.8-NSEL transparently. It is fully 64bit compatible and should compile and run on any standard *NIX.
NSEL event flows use a different time format than standard v9 flows. nfdump-1.5.8-NSEL maps the time directly into the flow start/end time records. For statistics reasons, at least one packet is accounted for each event flow.
Furthermore, nfdump-1.5.8-NSEL has been upgraded to support NSEL specific output formats and tags. The default display format is -o nsel. All other formats like raw, line, long and extended are still available. If you want to see a full NSEL record, use -o raw. See also the nfdump(1) man page for further details on NSEL specific output formats.
nfdump-1.5.8-NSEL is fully NfSen compatible. --enable-nfprofile builds the required profiler and the nseld binary for the NSELTracker. NSELTracker is an NfSen plugin contributed by CISCO. See the corresponding NSELTracker subdirectory for further information.
Cheers
- Peter
--
Be nice to your netflow data. Use NfSen and nfdump :)
_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss