BTW, I forgot: you can already have separate stats:

./nfdump -r .. -s proto/ibyte
./nfdump -r .. -s proto/obyte

Cheers

        - Peter

On 04/04/2014 12:02 PM, Brian Candler wrote:
> On 04/04/2014 10:32, Peter Haag wrote:
>> Hi Brian,
>> Did you "upgrade" your Cisco device?
> It's running ASA 8.4(7)
> 
>> It may come with a new version of ASA which does include not only
>> incoming, but also outgoing byte counters.
>>
>> To test, use this format with nfdump:
>> ./nfdump -r .. -o "fmt:%ts %evt %xevt %pr %sap -> %dap %ibyt %obyt %fl"
>>
>> This example lists your flows with both counters. Whether or not this
>> additional counter is available is a question of the ASA version.
> $ gzip -dc nfcapd.201404031445.gz | nfanon -K <snip> | nfdump -o "fmt:%ts %evt %xevt %pr %sap -> %dap %ibyt %obyt %fl" | head
> Date first seen          Event  XEvent Proto      Src IP Addr:Port          Dst IP Addr:Port   In Byte Out Byte Flows
> 2014-04-03 14:44:59.963 DELETE    2027 TCP 193.55.189.187:53443 ->  193.120.53.218:8000       127 259     1
> 2014-04-03 14:44:59.983 DELETE    2030 TCP 127.33.194.23:37685 ->  142.49.214.245:80           0 0     1
> 2014-04-03 14:45:00.203 DELETE    2027 TCP 193.55.189.187:53446 ->  193.120.53.218:8000       127 259     1
> 2014-04-03 14:45:00.203 DELETE    2016 UDP 193.55.189.187:52511 ->      40.8.128.6:53          34 121     1
> 2014-04-03 14:45:00.203 DELETE    2016 UDP 193.55.189.187:55583 ->      40.8.128.6:53          34 64     1
> 2014-04-03 14:45:00.223 DELETE    2016 UDP 193.55.189.185:44187 ->      40.8.136.9:53          82 165     1
> 2014-04-03 14:45:00.233 DELETE    2030 TCP 193.55.189.185:55142 ->  74.129.251.247:80         161 459     1
> 2014-04-03 14:45:00.353 DELETE    2016 ICMP 193.55.187.219:0     ->  193.55.185.110:8.0         68 68     1
> 2014-04-03 14:45:00.363 DELETE    2027 TCP 193.55.189.187:53449 ->  193.120.53.218:8000       127 259     1
>> nfdump adds up both input and output in the summary line. The statistic
>> output, however, only prints the incoming bytes for compatibility and
>> historic reasons. That's where the difference comes from.
> So you're saying that the -s proto/bytes is showing only the sum of the
> input values, not the output?
> 
> $ gzip -dc nfcapd.201404031445.gz | nfdump -N | perl -ne 'if (/^\S+\s+\S+\s+\S+\s+\S+\s+(\S+).*\s+(\d+)\s+(\d+)$/ && $1 == 6) { $flows+=1,$in+=$2,$out+=$3; } END { print "flows=$flows,in=$in,out=$out\n"; }'
> flows=15370,in=106062229,out=11962700182
> 
> You're right: 106062229 is the value shown by -s proto/bytes for TCP.
> 
> Problem is, I'm trying to use nfsen to drill-down to locate the biggest
> offender, but 99% of the traffic is not counted :-(
> 
> I originally started grouping by source or destination address, and was
> surprised to see only relatively small flows. Grouping by proto was just
> to make the missing traffic obvious.
> 
> Regards,
> 
> Brian.
> 


-- 
Be nice to your netflow data
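As an added example, not from this thread or from nfdump itself: a small Python script that parses the custom-format output Peter suggested (`fmt:%ts %evt %xevt %pr %sap -> %dap %ibyt %obyt %fl`), sums `%ibyt` and `%obyt` per protocol, and reports how much of each protocol's traffic an in-only statistic would miss. The regex, the sample excerpt (taken from the thread's output) and the function names are this example's own assumptions.

```python
"""Sum NSEL in/out byte counters per protocol from nfdump custom-format output.
Constructed example for lines produced by:
  nfdump -r <file> -o "fmt:%ts %evt %xevt %pr %sap -> %dap %ibyt %obyt %fl"
"""
import re
from collections import defaultdict

# One record per line: timestamp, event, xevent, proto, src -> dst, ibyt, obyt, flows.
# ICMP records carry type.code in the port position (e.g. 8.0), so ports stay as text.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<evt>\S+)\s+(?P<xevt>\d+)\s+(?P<pr>\S+)\s+"
    r"(?P<sap>\S+)\s+->\s+(?P<dap>\S+)\s+"
    r"(?P<ibyt>\d+)\s+(?P<obyt>\d+)\s+(?P<fl>\d+)\s*$"
)

# Constructed sample: a subset of the records shown in the thread, header included.
SAMPLE = """\
Date first seen          Event  XEvent Proto      Src IP Addr:Port          Dst IP Addr:Port   In Byte Out Byte Flows
2014-04-03 14:44:59.963 DELETE    2027 TCP 193.55.189.187:53443 ->  193.120.53.218:8000       127 259     1
2014-04-03 14:44:59.983 DELETE    2030 TCP 127.33.194.23:37685 ->  142.49.214.245:80           0 0     1
2014-04-03 14:45:00.203 DELETE    2016 UDP 193.55.189.187:52511 ->      40.8.128.6:53          34 121     1
2014-04-03 14:45:00.203 DELETE    2016 UDP 193.55.189.187:55583 ->      40.8.128.6:53          34 64     1
2014-04-03 14:45:00.233 DELETE    2030 TCP 193.55.189.185:55142 ->  74.129.251.247:80         161 459     1
2014-04-03 14:45:00.353 DELETE    2016 ICMP 193.55.187.219:0     ->  193.55.185.110:8.0         68 68     1
"""

def per_proto_stats(text):
    """Return {proto: {'flows','ibyt','obyt','total'}} summed over parsed records."""
    stats = defaultdict(lambda: {"flows": 0, "ibyt": 0, "obyt": 0, "total": 0})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # header, blank or summary line: skip
            continue
        s = stats[m["pr"]]
        s["flows"] += int(m["fl"])
        s["ibyt"] += int(m["ibyt"])
        s["obyt"] += int(m["obyt"])
        s["total"] = s["ibyt"] + s["obyt"]
    return dict(stats)

def missed_fraction(stats, proto):
    """Share of a protocol's traffic that a statistic summing only 'in' bytes misses."""
    s = stats[proto]
    return 0.0 if s["total"] == 0 else s["obyt"] / s["total"]

if __name__ == "__main__":
    st = per_proto_stats(SAMPLE)
    for pr, s in sorted(st.items(), key=lambda kv: -kv[1]["total"]):
        print(f"{pr:5} flows={s['flows']} in={s['ibyt']} out={s['obyt']} "
              f"total={s['total']} missed_if_in_only={missed_fraction(st, pr):.1%}")
```

Feed it real output with `nfdump ... -o "fmt:..." | python3 this.py` by replacing `SAMPLE` with `sys.stdin.read()`; the per-protocol totals should then line up with `-s proto/ibyte` plus `-s proto/obyte`.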

------------------------------------------------------------------------------
_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss