On 04/04/2014 11:11, Peter Haag wrote:
> btw. forgot:
> You can already have sep. stats:
>
> ./nfdump -r .. -s proto/ibyte
> ./nfdump -r .. -s proto/obyte

Aha, not in 1.6.11, but it's there in 1.6.12, thanks :-)

$ gzip -dc ~/nfcapd.201404031445.gz | bin/nfdump -N -s proto/obyte
Top 10 Protocol ordered by obyte:
Date first seen          Duration Proto Protocol    Flows(%)  Packets(%)          Bytes(%)      pps        bps   bpp
2014-04-03 14:44:59.963   299.827     6 6        15491(35.0)     0( 0.0) 11962700182(98.9)        0  319189404     0
2014-04-03 14:45:16.740   278.051    50 50          37( 0.1)     0( 0.0)           0( 0.0)        0          0     0
2014-04-03 14:45:00.203   299.597    17 17       28500(64.5)     0( 0.0)     9240190( 0.1)        0     246736     0
2014-04-03 14:45:08.151   244.776   105 105         15( 0.0)     0( 0.0)           0( 0.0)        0          0     0
2014-04-03 14:45:00.353   299.197     1 1          172( 0.4)     0( 0.0)        9720( 0.0)        0        259     0
Summary: total flows: 44215, total bytes: 12090101416, total packets: 0, avg bps: 322577971, avg pps: 0, avg bpp: 0
Time window: 2014-04-03 14:44:59 - 2014-04-03 14:49:59
Total flows processed: 44215, Blocks skipped: 0, Bytes read: 5723064
Sys: 0.052s flows/second: 850239.4  Wall: 0.093s flows/second: 470858.2

Would it be a small patch to nfsen to allow some extra options in the "order by" drop-down?

Now, I notice a problem when grouping by ip/ibyte and ip/obyte: they don't seem to be sorted properly.

$ gzip -dc ~/nfcapd.201404031445.gz | nfanon -K <snip> | bin/nfdump -N -s ip/obyte -n 20
rename() error in nfanon.c line 265: Bad address
Abort processing.
Top 20 IP Addr ordered by obyte:
Date first seen          Duration Proto         IP Addr    Flows(%)  Packets(%)          Bytes(%)      pps        bps   bpp
2014-04-03 14:45:01.132   298.108   any  142.49.214.229   457( 1.0)     0( 0.0)   826562917( 6.8)        0   22181569     0
2014-04-03 14:45:10.301   284.540   any   193.55.185.95   112( 0.3)     0( 0.0)   316246939( 2.6)        0    8891458     0
2014-04-03 14:45:08.621   290.469   any   193.55.185.59   162( 0.4)     0( 0.0)     2248412( 0.0)        0      61925     0
2014-04-03 14:45:03.862   295.228   any  142.49.214.232   189( 0.4)     0( 0.0)     2266121( 0.0)        0      61406     0
2014-04-03 14:45:01.132   298.108   any     42.0.127.37   350( 0.8)     0( 0.0)     5492414( 0.0)        0     147393     0
2014-04-03 14:45:08.151   290.149   any  142.49.214.255   106( 0.2)     0( 0.0)        3276( 0.0)        0         90     0
2014-04-03 14:45:03.862   295.078   any  142.49.214.228   112( 0.3)     0( 0.0)    12483228( 0.1)        0     338438     0
2014-04-03 14:45:16.740   269.462   any  142.15.104.131    15( 0.0)     0( 0.0)        2604( 0.0)        0         77     0
2014-04-03 14:45:22.110   244.775   any   193.55.185.56     5( 0.0)     0( 0.0)     9060541( 0.1)        0     296126     0
2014-04-03 14:45:00.423   299.377   any    193.55.185.8 26999(61.1)     0( 0.0)  3443325981(28.5)        0   92013106     0
2014-04-03 14:44:59.983   299.107   any  142.49.214.245   689( 1.6)     0( 0.0)    13685529( 0.1)        0     366037     0
2014-04-03 14:45:00.353   299.197   any  193.55.187.219  5569(12.6)     0( 0.0)     1803928( 0.0)        0      48233     0
2014-04-03 14:45:02.682   294.258   any   204.11.99.228   251( 0.6)     0( 0.0)     5375263( 0.0)        0     146137     0
2014-04-03 14:45:00.203   299.597   any      40.8.128.6 22382(50.6)     0( 0.0)     2508448( 0.0)        0      66981     0
2014-04-03 14:44:59.963   299.837   any  193.55.189.187  7310(16.5)     0( 0.0)   220279680( 1.8)        0    5877318     0
2014-04-03 14:45:03.862   292.009   any 216.201.168.228    50( 0.1)     0( 0.0)    87678416( 0.7)        0    2402074     0
2014-04-03 14:45:09.231   285.610   any   193.55.185.91   117( 0.3)     0( 0.0)    35318336( 0.3)        0     989274     0
2014-04-03 14:45:58.384    63.141   any    78.26.44.182  1461( 3.3)     0( 0.0)   467040542( 3.9)        0   59174297     0
2014-04-03 14:45:23.719   262.483   any  142.49.214.244    53( 0.1)     0( 0.0)     2518840( 0.0)        0      76769     0
2014-04-03 14:45:00.643   294.888   any   193.55.185.69   127( 0.3)     0( 0.0)  6723103023(55.6)        0  182390684     0
IP addresses anonymised
Summary: total flows: 44215, total bytes: 12090101416, total packets: 0, avg bps: 322577971, avg pps: 0, avg bpp: 0
Time window: <unknown>
Total flows processed: 44215, Blocks skipped: 0, Bytes read: 5369268
Sys: 0.060s flows/second: 736879.8  Wall: 2.671s flows/second: 16551.6

The largest numbers of bytes are shown at position 10 (28.5%) and position 20 (55.6%).

The "bad address" error in nfanon is another problem. But even without using nfanon, I get the same ordering issue:

$ gzip -dc ~/nfcapd.201404031445.gz | bin/nfdump -N -s ip/obyte -n 20 | sed -e 's/[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*/x.x.x.x/g'
Top 20 IP Addr ordered by obyte:
Date first seen          Duration Proto         IP Addr    Flows(%)  Packets(%)          Bytes(%)      pps        bps   bpp
2014-04-03 14:45:01.132   298.108   any         x.x.x.x   457( 1.0)     0( 0.0)   826562917( 6.8)        0   22181569     0
2014-04-03 14:45:10.301   284.540   any         x.x.x.x   112( 0.3)     0( 0.0)   316246939( 2.6)        0    8891458     0
2014-04-03 14:45:08.621   290.469   any         x.x.x.x   162( 0.4)     0( 0.0)     2248412( 0.0)        0      61925     0
2014-04-03 14:45:03.862   295.228   any         x.x.x.x   189( 0.4)     0( 0.0)     2266121( 0.0)        0      61406     0
2014-04-03 14:45:01.132   298.108   any         x.x.x.x   350( 0.8)     0( 0.0)     5492414( 0.0)        0     147393     0
2014-04-03 14:45:08.151   290.149   any         x.x.x.x   106( 0.2)     0( 0.0)        3276( 0.0)        0         90     0
2014-04-03 14:45:03.862   295.078   any         x.x.x.x   112( 0.3)     0( 0.0)    12483228( 0.1)        0     338438     0
2014-04-03 14:45:16.740   269.462   any         x.x.x.x    15( 0.0)     0( 0.0)        2604( 0.0)        0         77     0
2014-04-03 14:45:22.110   244.775   any         x.x.x.x     5( 0.0)     0( 0.0)     9060541( 0.1)        0     296126     0
2014-04-03 14:45:00.423   299.377   any         x.x.x.x 26999(61.1)     0( 0.0)  3443325981(28.5)        0   92013106     0
2014-04-03 14:44:59.983   299.107   any         x.x.x.x   689( 1.6)     0( 0.0)    13685529( 0.1)        0     366037     0
2014-04-03 14:45:00.353   299.197   any         x.x.x.x  5569(12.6)     0( 0.0)     1803928( 0.0)        0      48233     0
2014-04-03 14:45:02.682   294.258   any         x.x.x.x   251( 0.6)     0( 0.0)     5375263( 0.0)        0     146137     0
2014-04-03 14:45:00.203   299.597   any         x.x.x.x 22382(50.6)     0( 0.0)     2508448( 0.0)        0      66981     0
2014-04-03 14:44:59.963   299.837   any         x.x.x.x  7310(16.5)     0( 0.0)   220279680( 1.8)        0    5877318     0
2014-04-03 14:45:03.862   292.009   any         x.x.x.x    50( 0.1)     0( 0.0)    87678416( 0.7)        0    2402074     0
2014-04-03 14:45:09.231   285.610   any         x.x.x.x   117( 0.3)     0( 0.0)    35318336( 0.3)        0     989274     0
2014-04-03 14:45:58.384    63.141   any         x.x.x.x  1461( 3.3)     0( 0.0)   467040542( 3.9)        0   59174297     0
2014-04-03 14:45:23.719   262.483   any         x.x.x.x    53( 0.1)     0( 0.0)     2518840( 0.0)        0      76769     0
2014-04-03 14:45:00.643   294.888   any         x.x.x.x   127( 0.3)     0( 0.0)  6723103023(55.6)        0  182390684     0
Summary: total flows: 44215, total bytes: 12090101416, total packets: 0, avg bps: 322577971, avg pps: 0, avg bpp: 0
Time window: 2014-04-03 14:44:59 - 2014-04-03 14:49:59
Total flows processed: 44215, Blocks skipped: 0, Bytes read: 5723064
Sys: 0.056s flows/second: 789525.4  Wall: 0.087s flows/second: 504668.3

Finally, one completely unrelated point. It would be really useful to be able to group by the pairing of (source address, dest address), e.g. -s srcdstip/bytes. If you don't have that on the feature list request, I'd like to add it :-)

Cheers,

Brian.

_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
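Added example (written for this page; it is neither nfdump code nor part of Brian's post): a small Python script that parses the text of an nfdump "-s key/order" listing like the anonymised one above, extracts the column the listing claims to be ordered by, reports every position where a row carries more than the row directly above it, and gives the order the rows should have come out in. The embedded listing is the x.x.x.x output from the post; the mapping from nfdump's order keyword to the printed column (obyte and ibyte both land in the Bytes column, and so on) is an assumption made here, not taken from nfdump's source.

```python
"""Check that an nfdump "-s <key>/<order>" top-N listing is really sorted.

Example written for this page, not part of nfdump. Feed it nfdump's text
output on stdin or as a file; with no input it checks the listing embedded
below, which is the anonymised "x.x.x.x" output from the mailing-list post.
"""
import re
import sys

# A data row of nfdump's statistic output has the shape
#   <date> <time> <duration> <proto> <key> <flows>(<%>) <packets>(<%>) <bytes>(<%>) <pps> <bps> <bpp>
# The regex is whitespace-tolerant, so column alignment does not matter.
ROW_RE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<duration>[\d.]+)\s+(?P<proto>\S+)\s+(?P<key>\S+)\s+"
    r"(?P<flows>\d+)\(\s*[\d.]+\)\s+"
    r"(?P<packets>\d+)\(\s*[\d.]+\)\s+"
    r"(?P<bytes>\d+)\(\s*[\d.]+\)\s+"
    r"(?P<pps>\d+)\s+(?P<bps>\d+)\s+(?P<bpp>\d+)\s*$"
)
# "Top 20 IP Addr ordered by obyte:" -> order keyword "obyte"
TITLE_RE = re.compile(r"^Top \d+ .* ordered by (?P<order>\w+):")

# Listing copied from the post above (addresses already replaced by the author's sed).
SAMPLE = """\
Top 20 IP Addr ordered by obyte:
Date first seen Duration Proto IP Addr Flows(%) Packets(%) Bytes(%) pps bps bpp
2014-04-03 14:45:01.132 298.108 any x.x.x.x 457( 1.0) 0( 0.0) 826562917( 6.8) 0 22181569 0
2014-04-03 14:45:10.301 284.540 any x.x.x.x 112( 0.3) 0( 0.0) 316246939( 2.6) 0 8891458 0
2014-04-03 14:45:08.621 290.469 any x.x.x.x 162( 0.4) 0( 0.0) 2248412( 0.0) 0 61925 0
2014-04-03 14:45:03.862 295.228 any x.x.x.x 189( 0.4) 0( 0.0) 2266121( 0.0) 0 61406 0
2014-04-03 14:45:01.132 298.108 any x.x.x.x 350( 0.8) 0( 0.0) 5492414( 0.0) 0 147393 0
2014-04-03 14:45:08.151 290.149 any x.x.x.x 106( 0.2) 0( 0.0) 3276( 0.0) 0 90 0
2014-04-03 14:45:03.862 295.078 any x.x.x.x 112( 0.3) 0( 0.0) 12483228( 0.1) 0 338438 0
2014-04-03 14:45:16.740 269.462 any x.x.x.x 15( 0.0) 0( 0.0) 2604( 0.0) 0 77 0
2014-04-03 14:45:22.110 244.775 any x.x.x.x 5( 0.0) 0( 0.0) 9060541( 0.1) 0 296126 0
2014-04-03 14:45:00.423 299.377 any x.x.x.x 26999(61.1) 0( 0.0) 3443325981(28.5) 0 92013106 0
2014-04-03 14:44:59.983 299.107 any x.x.x.x 689( 1.6) 0( 0.0) 13685529( 0.1) 0 366037 0
2014-04-03 14:45:00.353 299.197 any x.x.x.x 5569(12.6) 0( 0.0) 1803928( 0.0) 0 48233 0
2014-04-03 14:45:02.682 294.258 any x.x.x.x 251( 0.6) 0( 0.0) 5375263( 0.0) 0 146137 0
2014-04-03 14:45:00.203 299.597 any x.x.x.x 22382(50.6) 0( 0.0) 2508448( 0.0) 0 66981 0
2014-04-03 14:44:59.963 299.837 any x.x.x.x 7310(16.5) 0( 0.0) 220279680( 1.8) 0 5877318 0
2014-04-03 14:45:03.862 292.009 any x.x.x.x 50( 0.1) 0( 0.0) 87678416( 0.7) 0 2402074 0
2014-04-03 14:45:09.231 285.610 any x.x.x.x 117( 0.3) 0( 0.0) 35318336( 0.3) 0 989274 0
2014-04-03 14:45:58.384 63.141 any x.x.x.x 1461( 3.3) 0( 0.0) 467040542( 3.9) 0 59174297 0
2014-04-03 14:45:23.719 262.483 any x.x.x.x 53( 0.1) 0( 0.0) 2518840( 0.0) 0 76769 0
2014-04-03 14:45:00.643 294.888 any x.x.x.x 127( 0.3) 0( 0.0) 6723103023(55.6) 0 182390684 0
Summary: total flows: 44215, total bytes: 12090101416, total packets: 0, avg bps: 322577971, avg pps: 0, avg bpp: 0
"""


def parse_stat_output(text):
    """Return (order_keyword, rows); each row is a dict with integer counters."""
    order, rows = None, []
    for line in text.splitlines():
        m = TITLE_RE.match(line)
        if m:
            order = m.group("order")
            continue
        m = ROW_RE.match(line)
        if m:
            row = m.groupdict()
            for field in ("flows", "packets", "bytes", "pps", "bps", "bpp"):
                row[field] = int(row[field])
            rows.append(row)
    return order, rows


def order_column(order):
    """Map the order keyword to the printed column (assumption: the one-directional
    ibyte/obyte and ipkg/opkg stats are shown in the Bytes/Packets columns)."""
    if order == "bytes" or order.endswith("byte"):
        return "bytes"
    if order == "packets" or order.endswith("pkg"):
        return "packets"
    return order  # flows, pps, bps, bpp are printed under their own name


def sort_violations(rows, column):
    """1-based positions whose value is larger than the row directly above them."""
    return [i + 1 for i in range(1, len(rows)) if rows[i][column] > rows[i - 1][column]]


def positions_by_value(rows, column):
    """Row positions re-ranked by the column, largest first: the expected order."""
    ranked = sorted(enumerate(rows), key=lambda p: p[1][column], reverse=True)
    return [i + 1 for i, _ in ranked]


def check(text):
    """Convenience wrapper: (column checked, violating positions, expected order)."""
    order, rows = parse_stat_output(text)
    column = order_column(order)
    return column, sort_violations(rows, column), positions_by_value(rows, column)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    column, bad, expected = check(text)
    print("column checked:", column)
    print("rows larger than the row above them:", bad or "none")
    print("expected order of positions:", expected)
```

Run against the listing in the post, it flags positions 4, 5, 7, 9, 10, 13, 15, 18 and 20 and puts position 20 first and position 10 second, which is exactly the two rows Brian points out; run against a correctly sorted listing it reports no violations, so it doubles as a quick regression check once the ordering is fixed.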