btw. forgot: You can already have sep. stats:

./nfdump -r .. -s proto/ibyte
./nfdump -r .. -s proto/obyte
Cheers - Peter

On 04/04/2014 12:02 PM, Brian Candler wrote:
> On 04/04/2014 10:32, Peter Haag wrote:
>> Hi Brian,
>> Did you "upgrade" your Cisco device?
> It's running ASA 8.4(7)
>
>> It may come with a new version of ASA which does include not only
>> incoming, but also outgoing byte counters.
>>
>> To test, use this format with nfdump:
>> ./nfdump -r .. -o "fmt:%ts %evt %xevt %pr %sap -> %dap %ibyt %obyt %fl"
>>
>> This example lists your flows with both counters. Whether or not this
>> additional counter is available is a question of the ASA version.
> $ gzip -dc nfcapd.201404031445.gz | nfanon -K <snip> | nfdump -o "fmt:%ts %evt %xevt %pr %sap -> %dap %ibyt %obyt %fl" | head
> Date first seen          Event  XEvent Proto      Src IP Addr:Port         Dst IP Addr:Port   In Byte Out Byte Flows
> 2014-04-03 14:44:59.963  DELETE   2027   TCP  193.55.189.187:53443 ->  193.120.53.218:8000      127      259     1
> 2014-04-03 14:44:59.983  DELETE   2030   TCP   127.33.194.23:37685 ->    142.49.214.245:80        0        0     1
> 2014-04-03 14:45:00.203  DELETE   2027   TCP  193.55.189.187:53446 ->  193.120.53.218:8000      127      259     1
> 2014-04-03 14:45:00.203  DELETE   2016   UDP  193.55.189.187:52511 ->        40.8.128.6:53       34      121     1
> 2014-04-03 14:45:00.203  DELETE   2016   UDP  193.55.189.187:55583 ->        40.8.128.6:53       34       64     1
> 2014-04-03 14:45:00.223  DELETE   2016   UDP  193.55.189.185:44187 ->        40.8.136.9:53       82      165     1
> 2014-04-03 14:45:00.233  DELETE   2030   TCP  193.55.189.185:55142 ->    74.129.251.247:80      161      459     1
> 2014-04-03 14:45:00.353  DELETE   2016  ICMP     193.55.187.219:0 ->   193.55.185.110:8.0       68       68     1
> 2014-04-03 14:45:00.363  DELETE   2027   TCP  193.55.189.187:53449 ->  193.120.53.218:8000      127      259     1
>> nfdump adds up both input and output in the summary line. The statistic
>> output, however, only prints the incoming bytes for compatibility and
>> historic reasons. That's where the difference comes from.
> So you're saying that the -s proto/bytes is showing only the sum of the
> input values, not the output?
>
> $ gzip -dc nfcapd.201404031445.gz | nfdump -N | perl -ne 'if (/^\S+\s+\S+\s+\S+\s+\S+\s+(\S+).*\s+(\d+)\s+(\d+)$/ && $1 == 6) { $flows+=1,$in+=$2,$out+=$3; } END { print "flows=$flows,in=$in,out=$out\n"; }'
> flows=15370,in=106062229,out=11962700182
>
> You're right: 106062229 is the value shown by -s proto/bytes for TCP.
>
> Problem is, I'm trying to use nfsen to drill-down to locate the biggest
> offender, but 99% of the traffic is not counted :-(
>
> I originally started grouping by source or destination address, and was
> surprised to see only relatively small flows. Grouping by proto was just
> to make the missing traffic obvious.
>
> Regards,
>
> Brian.
>

--
Be nice to your netflow data

------------------------------------------------------------------------------
_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
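The counting problem discussed in the thread, worked through as an added Python example (not code from the thread, from nfdump or from nfsen): it parses the "fmt:%ts %evt %xevt %pr %sap -> %dap %ibyt %obyt %fl" output quoted above, aggregates in and out bytes per protocol and per destination as Brian's perl one-liner does, and reports the share of traffic that an ibyt-only statistic leaves invisible. The sample input is the nine flow lines quoted in the thread; the function and field names are this example's own.

```python
import re
from collections import defaultdict

# Flow lines copied from the nfdump output quoted in the thread (nfanon-ised addresses).
SAMPLE = """\
Date first seen Event XEvent Proto Src IP Addr:Port Dst IP Addr:Port In Byte Out Byte Flows
2014-04-03 14:44:59.963 DELETE 2027 TCP 193.55.189.187:53443 -> 193.120.53.218:8000 127 259 1
2014-04-03 14:44:59.983 DELETE 2030 TCP 127.33.194.23:37685 -> 142.49.214.245:80 0 0 1
2014-04-03 14:45:00.203 DELETE 2027 TCP 193.55.189.187:53446 -> 193.120.53.218:8000 127 259 1
2014-04-03 14:45:00.203 DELETE 2016 UDP 193.55.189.187:52511 -> 40.8.128.6:53 34 121 1
2014-04-03 14:45:00.203 DELETE 2016 UDP 193.55.189.187:55583 -> 40.8.128.6:53 34 64 1
2014-04-03 14:45:00.223 DELETE 2016 UDP 193.55.189.185:44187 -> 40.8.136.9:53 82 165 1
2014-04-03 14:45:00.233 DELETE 2030 TCP 193.55.189.185:55142 -> 74.129.251.247:80 161 459 1
2014-04-03 14:45:00.353 DELETE 2016 ICMP 193.55.187.219:0 -> 193.55.185.110:8.0 68 68 1
2014-04-03 14:45:00.363 DELETE 2027 TCP 193.55.189.187:53449 -> 193.120.53.218:8000 127 259 1
"""
# One record of: fmt:%ts %evt %xevt %pr %sap -> %dap %ibyt %obyt %fl
LINE_RE = re.compile(
    r"^(?P<ts>\S+\s+\S+)\s+(?P<evt>\S+)\s+(?P<xevt>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<ibyt>\d+)\s+(?P<obyt>\d+)\s+(?P<flows>\d+)$"
)

def parse(text):
    """Return one dict per flow line; the header line does not match and is skipped."""
    recs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            r = m.groupdict()
            for k in ("ibyt", "obyt", "flows"):
                r[k] = int(r[k])
            recs.append(r)
    return recs

def stats(recs, key):
    """Aggregate flows / in bytes / out bytes by a field such as 'proto' or 'dst'."""
    agg = defaultdict(lambda: {"flows": 0, "ibyt": 0, "obyt": 0})
    for r in recs:
        for k in ("flows", "ibyt", "obyt"):
            agg[r[key]][k] += r[k]
    return dict(agg)

def top_by_total(recs, key, n=3):
    """Rank by ibyt+obyt, the sum an ibyt-only statistic such as -s proto/bytes never sees."""
    totals = {k: v["ibyt"] + v["obyt"] for k, v in stats(recs, key).items()}
    return sorted(totals.items(), key=lambda kv: -kv[1])[:n]

def hidden_share(recs):
    """Fraction of all bytes that a statistic counting only ibyt would not report."""
    ibyt, obyt = (sum(r[k] for r in recs) for k in ("ibyt", "obyt"))
    return obyt / (ibyt + obyt)
```

Run `top_by_total(parse(SAMPLE), "dst")` to get the drill-down Brian was after; on the quoted sample, `hidden_share` shows that roughly two thirds of the bytes are in the outgoing counter.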