[netsniff-ng] Re: flowtop: How should be src info printed in stdout dump mode

2016-04-26 Thread Tobias Klauser
On 2016-04-26 at 12:24:45 +0200, Vadim Kochan wrote:
> On Tue, Apr 26, 2016 at 12:00 PM, Tobias Klauser wrote:
> > On 2016-04-26 at 10:47:18 +0200, Vadim Kochan wrote:
> >> On Tue, Apr 26, 2016 at 10:30:19AM +0200, Tobias Klauser wrote:
> >> > On 2016-04-25 at 16:55:53 +0200, Vadim Kochan wrote:
> >> > > On Mon, Apr 25, 2016 at 11:21:57AM +0200, Tobias Klauser wrote:
> >> > > > On 2016-04-22 at 23:53:01 +0200, Vadim Kochan wrote:
> >> > > > > Hi,
> >> > > > >
> >> > > > > I am thinking about to add dump of flows to stdout. It seems OK if
> >> > > > > to use similar table format like in curses mode by default, but in
> >> > > > > case of src peer info (2 lines per flow) the output processing by
> >> > > > > external scripts or text processors might be too complex with
> >> > > > > considering of row numbering.
> >> > > > >
> >> > > > > So here are my conclusions:
> >> > > > >
> >> > > > > 1) Default is OK - 1 line per flows with DST info only.
> >> > > > >
> >> > > > > 2) If "-s" option is specified - print 2 lines per flows like in
> >> > > > > curses mode.
> >> > > > >
> >> > > > > 3) Add "-o, --oneline" option to print src & dst info in 1 row,
> >> > > > > even if it will be overflowed in next line - this is just for
> >> > > > > external text processing.
> >> > > >
> >> > > > I'd strongly prefer this way of implementing it - similar to the -c
> >> > > > option for ifpps. IMO, there's no reason to care about line
> >> > > > overflows, as the main target will be script processing.
> >> > > >
> >> > > > > Also may be it would be useful to print empty columns with "*" or
> >> > > > > "-" it will be more visually readable (probably in curses mode too)
> >> > > > > and also be processed by awk.
> >> > > >
> >> > > > Either this (just make sure it's a character that can't appear
> >> > > > inside a field), or separate the columns using comma or semicolon.
> >> > >
> >> > >
> >> > > I) This is an example of default output 'flowtop -d':
> >> > >
> >> > > PROCESS  PID    PROTO  STATE        TIME  ADDRESS               PORT   GEO  BYTES    RATE
> >> > >
> >> > > *        *      tcp    TIME-WAIT    50s   mc.yandex.ru          https  RUS  476      *
> >> > > *        *      tcp    TIME-WAIT    51s   host10.rax.ru         http   RUS  164      *
> >> > > firefox  29425  tcp    ESTABLISHED  53s   74.117.181.52         http   USA  1.7kB    *
> >> > > *        *      tcp    TIME-WAIT    52s   bs.yandex.ru          http   RUS  2.2kB    *
> >> > > *        *      tcp    TIME-WAIT    51s   host69.rax.ru         http   RUS  1.3kB    *
> >> > > firefox  29425  tcp    ESTABLISHED  53s   74.117.181.52         http   USA  1.9kB    *
> >> > > *        *      tcp    TIME-WAIT    51s   host10.rax.ru         http   RUS  533      *
> >> > >
> >> > > II) This is an example of output 'flowtop -ds', each flow entry
> >> > > separated with additional empty line to easy separate src & dst:
> >> > >
> >> > >
> >> > > PROCESS  PID    PROTO  STATE        TIME  ADDRESS               PORT   GEO  BYTES    RATE
> >> > > mutt     30420  tcp    ESTABLISHED  1m    angus-think           48154  *    3.9kB    *
> >> > >   -->                                     lo-in-f108.1e100.net  imaps  USA  95.7kB   *
> >> > >
> >> > > *        *      tcp    ESTABLISHED  21h   angus-think           42480  *    3.9MB    *
> >> > >   -->                                     194.44.4.115          https  UKR  191.0MB  *
> >> > >
> >> > > skype    20044  tcp    ESTABLISHED  48m   angus-think           50148  *    302.7kB  *
> >> > >   -->                                     157.55.130.153        40021  USA  187.8kB  *
> >> > >
> >> > > skype    20044  tcp    ESTABLISHED  7h    angus-think           51028  *    7.5kB    *
> >> > >   -->                                     91.190.217.47         12350  LUX  4.9kB    *
> >> > >
> >> > >
> >> > 

[netsniff-ng] Re: flowtop: How should be src info printed in stdout dump mode

2016-04-26 Thread Tobias Klauser
On 2016-04-25 at 16:55:53 +0200, Vadim Kochan wrote:
> On Mon, Apr 25, 2016 at 11:21:57AM +0200, Tobias Klauser wrote:
> > On 2016-04-22 at 23:53:01 +0200, Vadim Kochan wrote:
> > > Hi,
> > > 
> > > I am thinking about to add dump of flows to stdout. It seems OK if
> > > to use similar table format like in curses mode by default, but in case
> > > of src peer info (2 lines per flow) the output processing by external
> > > scripts or text processors might be too complex with considering of row
> > > numbering.
> > > 
> > > So here are my conclusions:
> > > 
> > > 1) Default is OK - 1 line per flows with DST info only.
> > > 
> > > 2) If "-s" option is specified - print 2 lines per flows like in curses 
> > > mode.
> > > 
> > > 3) Add "-o, --oneline" option to print src & dst info in 1 row, even
> > > if it will be overflowed in next line - this is just for external text
> > > processing.
> > 
> > I'd strongly prefer this way of implementing it - similar to the -c
> > option for ifpps. IMO, there's no reason to care about line overflows,
> > as the main target will be script processing.
> > 
> > > Also may be it would be useful to print empty columns with "*" or "-"
> > > it will be more visually readable (probably in curses mode too) and also
> > > be processed by awk.
> > 
> > Either this (just make sure it's a character that can't appear inside a
> > field), or separate the columns using comma or semicolon.
> 
> 
> I) This is an example of default output 'flowtop -d':
> 
> PROCESS  PID    PROTO  STATE        TIME  ADDRESS               PORT   GEO  BYTES    RATE
>
> *        *      tcp    TIME-WAIT    50s   mc.yandex.ru          https  RUS  476      *
> *        *      tcp    TIME-WAIT    51s   host10.rax.ru         http   RUS  164      *
> firefox  29425  tcp    ESTABLISHED  53s   74.117.181.52         http   USA  1.7kB    *
> *        *      tcp    TIME-WAIT    52s   bs.yandex.ru          http   RUS  2.2kB    *
> *        *      tcp    TIME-WAIT    51s   host69.rax.ru         http   RUS  1.3kB    *
> firefox  29425  tcp    ESTABLISHED  53s   74.117.181.52         http   USA  1.9kB    *
> *        *      tcp    TIME-WAIT    51s   host10.rax.ru         http   RUS  533      *
> 
> II) This is an example of output 'flowtop -ds', each flow entry
> separated with additional empty line to easy separate src & dst:
> 
> 
> PROCESS  PID    PROTO  STATE        TIME  ADDRESS               PORT   GEO  BYTES    RATE
> mutt     30420  tcp    ESTABLISHED  1m    angus-think           48154  *    3.9kB    *
>   -->                                     lo-in-f108.1e100.net  imaps  USA  95.7kB   *
>
> *        *      tcp    ESTABLISHED  21h   angus-think           42480  *    3.9MB    *
>   -->                                     194.44.4.115          https  UKR  191.0MB  *
>
> skype    20044  tcp    ESTABLISHED  48m   angus-think           50148  *    302.7kB  *
>   -->                                     157.55.130.153        40021  USA  187.8kB  *
>
> skype    20044  tcp    ESTABLISHED  7h    angus-think           51028  *    7.5kB    *
>   -->                                     91.190.217.47         12350  LUX  4.9kB    *
> 
> 
> What do you think ?

Two things come to mind:

1) bytes and rate - if applicable - should be printed as raw byte count
   (not shortened to kB, MB etc) in the stdout mode. This makes reusing
   the values in scripts much easier and can still be converted to other
   units if needed.

2) For the dump mode I wouldn't distinguish between one- and two-line
   mode (i.e. the -s option), but always print all information for a
   particular flow on one line, also the source. Again, this makes
   parsing using a script (which will be the primary usage for this
   feature) much easier.

I saw you already submitted your patch series. Could you please
incorporate 

[netsniff-ng] Re: flowtop: How should be src info printed in stdout dump mode

2016-04-25 Thread Tobias Klauser
On 2016-04-22 at 23:53:01 +0200, Vadim Kochan wrote:
> Hi,
> 
> I am thinking about to add dump of flows to stdout. It seems OK if
> to use similar table format like in curses mode by default, but in case
> of src peer info (2 lines per flow) the output processing by external scripts
> or text processors might be too complex with considering of row
> numbering.
> 
> So here are my conclusions:
> 
> 1) Default is OK - 1 line per flows with DST info only.
> 
> 2) If "-s" option is specified - print 2 lines per flows like in curses mode.
> 
> 3) Add "-o, --oneline" option to print src & dst info in 1 row, even
> if it will be overflowed in next line - this is just for external text
> processing.

I'd strongly prefer this way of implementing it - similar to the -c
option for ifpps. IMO, there's no reason to care about line overflows,
as the main target will be script processing.

> Also may be it would be useful to print empty columns with "*" or "-"
> it will be more visually readable (probably in curses mode too) and also be
> processed by awk.

Either this (just make sure it's a character that can't appear inside a
field), or separate the columns using comma or semicolon.

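
Added example (not part of the thread and not netsniff-ng code): the replies above ask for all information about a flow on one line and for a separator that cannot appear inside a field. The Python sketch below folds the two-line 'flowtop -ds' layout into one semicolon-separated record per flow; the sample rows are constructed from the dump quoted in the thread, and whitespace-separated columns with "*" for empty fields are an assumption, as are all function and column names.

```python
import csv
import io

SRC_COLS = ["process", "pid", "proto", "state", "time",
            "src_addr", "src_port", "src_geo", "src_bytes", "src_rate"]
DST_COLS = ["dst_addr", "dst_port", "dst_geo", "dst_bytes", "dst_rate"]

# Constructed sample: rows from the dump quoted in the thread; the
# whitespace-separated layout with "*" for empty columns is assumed.
SAMPLE = """\
PROCESS PID PROTO STATE TIME ADDRESS PORT GEO BYTES RATE
mutt 30420 tcp ESTABLISHED 1m angus-think 48154 * 3.9kB *
  --> lo-in-f108.1e100.net imaps USA 95.7kB *

* * tcp ESTABLISHED 21h angus-think 42480 * 3.9MB *
  --> 194.44.4.115 https UKR 191.0MB *
"""

def parse_two_line(text):
    """Pair each source row with the '-->' destination row that follows it."""
    flows, pending = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0] == "PROCESS":
            continue  # blank separator or header
        if fields[0] == "-->":
            if pending is None or len(fields) != 1 + len(DST_COLS):
                raise ValueError(f"line {lineno}: unexpected destination row")
            pending.update(zip(DST_COLS, fields[1:]))
            flows.append(pending)
            pending = None
        else:
            # A field containing a space changes the count and is rejected
            # rather than silently shifting every later column.
            if pending is not None or len(fields) != len(SRC_COLS):
                raise ValueError(f"line {lineno}: unexpected source row")
            pending = dict(zip(SRC_COLS, fields))
    if pending is not None:
        raise ValueError("dump ends with a source row without destination")
    return flows

def to_oneline(flows, delimiter=";"):
    """One record per flow; csv quotes any field containing the delimiter."""
    out = io.StringIO()
    writer = csv.writer(out, delimiter=delimiter, lineterminator="\n")
    for flow in flows:
        writer.writerow([flow[c] for c in SRC_COLS + DST_COLS])
    return out.getvalue()
```

Calling to_oneline(parse_two_line(SAMPLE)) yields two records of 15 fields each, which awk can split with -F';' without tracking row numbers.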