Found strange behaviour on flow aggregation with binary output:

# nfdump -V
nfdump: Version: NSEL-NEL1.6.13

# nfdump -r nfcapd.201512311115 -a -w nfcapd.201512311115.a
# nfdump -r nfcapd.201512311115.a -o long | head
Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Flags Tos  Packets    Bytes      Flows
2015-12-31 11:16:34.976    38.936 UDP         0.0.0.4:25813   ->    70.140.177.12:49001 ......   0  168.8 M        2 1572669509
2015-12-31 11:19:35.406   698.030 UDP        0.0.0.13:57288   ->        10.2.11.6:10006 ......   0    1.2 G        0          0
2015-12-31 11:18:08.535    30.090 UDP         0.0.0.1:47574   ->     10.4.139.190:30017 ......   0    1.9 G        0          0
2015-12-31 11:16:15.211   184.629 TCP        0.0.0.12:51654   ->    10.33.169.110:443   ......   0    1.6 G        0          0
2015-12-31 11:26:19.012    11.944 TCP           0.0.0.6:443   ->    217.69.139.42:50176 .AP.SF   0  168.4 M       55 1572669507
2015-12-31 11:17:56.516   129.004 TCP        0.0.0.12:58815   ->    10.33.174.230:39959 ......   0    3.0 G        0          0
Aggregation with text output seems to work fine:

# nfdump -r nfcapd.201512311115 -a -o long | head
Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Flags Tos  Packets    Bytes Flows
2015-12-31 11:16:34.976    38.936 UDP   70.140.177.12:25813   ->     10.15.12.133:49001 ......   0        2      973     2
2015-12-31 11:16:15.211   184.629 TCP   10.33.169.110:51654   ->     95.83.191.12:443   ......   0        0        0     2
2015-12-31 11:26:19.012    11.944 TCP     217.69.139.42:443   ->      10.9.73.230:50176 .AP.SF   0       55    62365     1
2015-12-31 11:18:18.884     0.108 TCP      94.140.201.98:80   ->     10.33.170.28:58715 .AP.SF   0      179   261739     1
2015-12-31 11:27:38.988    60.940 UDP    110.32.96.78:18946   ->     10.34.135.66:62348 ......   0        2      340     2
2015-12-31 11:28:36.548    11.448 TCP     217.20.156.21:443   ->       10.4.89.29:21317 .AP.SF   0       19    15595     1
2015-12-31 11:31:15.952     1.040 TCP    64.233.164.132:443   ->     10.2.241.198:50284 .AP.S.   0      106   124096     1
2015-12-31 11:15:46.181   401.232 UDP     85.95.188.69:20467   ->    95.83.148.178:62470 ......   0        9      432     3
2015-12-31 11:17:04.928     0.000 UDP    120.29.73.76:51413   ->    10.162.24.138:49001 ......   0        1      328     1

Maybe this is important: the input files are written with nfcapd of a different version:

# nfcapd -V
nfcapd: Version: 1.6.11 $Date: 2013-11-16 09:04:43 +0100 (Sat, 16 Nov 2013) $

And they have NetFlow v5 and v9+NEL.

Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
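A sanity check for the symptom reported above, added here as an example that is not part of the original post or of nfdump itself: it parses rows in the "nfdump -o long" layout (the rows quoted in the post serve as constructed input) and flags aggregated records that cannot be right, such as an endpoint in 0.0.0.0/8, a flow count of zero, or more packets than bytes. The regex, the plausibility rules and the function names are this example's own assumptions about the text layout shown, not an nfdump API.

```python
import re
import ipaddress

# Rows quoted in the post, used here as constructed input: binary aggregate read back, then text aggregation.
SUSPECT_ROWS = [
    "2015-12-31 11:16:34.976 38.936 UDP 0.0.0.4:25813 -> 70.140.177.12:49001 ...... 0 168.8 M 2 1572669509",
    "2015-12-31 11:19:35.406 698.030 UDP 0.0.0.13:57288 -> 10.2.11.6:10006 ...... 0 1.2 G 0 0",
    "2015-12-31 11:26:19.012 11.944 TCP 0.0.0.6:443 -> 217.69.139.42:50176 .AP.SF 0 168.4 M 55 1572669507",
]
GOOD_ROWS = [
    "2015-12-31 11:16:34.976 38.936 UDP 70.140.177.12:25813 -> 10.15.12.133:49001 ...... 0 2 973 2",
    "2015-12-31 11:16:15.211 184.629 TCP 10.33.169.110:51654 -> 95.83.191.12:443 ...... 0 0 0 2",
    "2015-12-31 11:26:19.012 11.944 TCP 217.69.139.42:443 -> 10.9.73.230:50176 .AP.SF 0 55 62365 1",
]
UNIT = {"K": 1e3, "M": 1e6, "G": 1e9, "T": 1e12}
ZERO_NET = ipaddress.ip_network("0.0.0.0/8")  # "this network": never a real flow endpoint
# One -o long row: timestamp, duration, proto, src -> dst, flags, tos, packets, bytes, flows.
ROW_RE = re.compile(
    r"^\S+ \S+\s+[\d.]+\s+\S+\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+\S+\s+\d+\s+"
    r"(?P<pkts>[\d.]+(?:\s*[KMGT])?)\s+(?P<bytes>[\d.]+(?:\s*[KMGT])?)\s+(?P<flows>\d+)\s*$"
)
def scale(text):
    """'168.8 M' -> 168800000.0, '973' -> 973.0 (nfdump abbreviates large counters)."""
    num, unit = re.fullmatch(r"([\d.]+)\s*([KMGT])?", text).groups()
    return float(num) * UNIT.get(unit, 1)
def parse_row(line):
    """Parse one -o long row; None for the header line or anything else."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("src", "dst"):  # drop :port, keep the address
        rec[key + "_ip"] = ipaddress.ip_address(rec[key].rpartition(":")[0])
    rec["pkts"], rec["bytes"], rec["flows"] = scale(rec["pkts"]), scale(rec["bytes"]), int(rec["flows"])
    return rec
def check_aggregate(rec):
    """Reasons an aggregated record cannot be right; an empty list means plausible."""
    problems = []
    if rec["flows"] < 1:  # -a always folds at least one flow into each record
        problems.append("flows=0 in aggregated record")
    for side in ("src_ip", "dst_ip"):
        if rec[side] in ZERO_NET:
            problems.append(side + " in 0.0.0.0/8")
    if rec["pkts"] > 0 and rec["bytes"] < rec["pkts"]:  # every packet carries at least a header
        problems.append("bytes < packets")
    return problems
def scan(lines):
    """(src endpoint, problems) per parsable row, e.g. the output of nfdump -r FILE -o long."""
    return [(r["src"], check_aggregate(r)) for r in map(parse_row, lines) if r]
```

Feeding the output of the binary round trip (nfdump -r nfcapd.201512311115.a -o long) through scan() flags every quoted row, while the direct text aggregation passes clean.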