Tony Gray | 17 Feb 2009 14:49

nfcapd -E

Hi,
Has the output format for nfcapd -E changed between nfdump-1.5.7 and the
current snapshot 1.5.7-20081221?

The output I am getting from the snapshot version looks like:

Add extension: 2 byte input/output interface index
Add extension: 4 byte input/output interface index
Add extension: 2 byte src/dst AS number
Add extension: 4 byte src/dst AS number
File Block Header: 
  NumBlocks     =           0
  Size          =           0
  id             =           2
File Block Header: 
  NumBlocks     =           1
  Size          =          14
  id             =           2

Whereas with the stable version I was getting:
Flow Record: 
  Flags       =       0x00000000
  size        =               52
  mark        =                0
  srcaddr     =     X.X.X.X
  dstaddr     =     X.X.X.X  
  first       =       1234522029 [2009-02-13 10:47:09]
  last        =       1234522029 [2009-02-13 10:47:09]
  msec_first  =              246
  msec_last   =              943

Peter Haag | 19 Feb 2009 10:54

Re: nfcapd -E


Hi Tony,
The -E format still works - also with snapshot 20081221:

./nfcapd -E
Add extension: 2 byte input/output interface index
Add extension: 4 byte input/output interface index
Add extension: 2 byte src/dst AS number
Add extension: 4 byte src/dst AS number
File Block Header:
  NumBlocks     =           0
  Size          =           0
  id             =           2

Flow Record:
  Flags        =              0x00
  size         =                44
  first        =        1235036708 [2009-02-19 10:45:08]
  last         =        1235036727 [2009-02-19 10:45:27]
  msec_first   =               160
  msec_last    =               253
  src addr     =           x.x.x.x
  dst addr     =           z.z.z.z
  src port     =             55115
  dst port     =               443
  fwd status   =                 0
  tcp flags    =              0x1b .AP.SF
  proto        =                 6
  (src)tos     =                 0
  (in)packets  =                26

Tony Gray | 19 Feb 2009 15:08

Re: nfcapd -E

Peter,
Thanks for getting back to me.

I just upgraded to snapshot 20081221 on my test box, but I am not
getting any debug information on the actual records. 

Now that you have confirmed that the output should contain the records,
I will do some further debugging...
Thanks,
Tony

On Thu, 2009-02-19 at 10:54 +0100, Peter Haag wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi Tony,
> The -E format still works - also with snapshot 20081221:
> 
> ./nfcapd -E
> Add extension: 2 byte input/output interface index
> Add extension: 4 byte input/output interface index
> Add extension: 2 byte src/dst AS number
> Add extension: 4 byte src/dst AS number
> File Block Header:
>   NumBlocks     =           0
>   Size          =           0
>   id             =           2
> 
> 
> Flow Record:

Peter Kranz | 19 Feb 2009 21:29

Errors under nfcapd

Can someone point me to where to start with these errors I'm getting in our
logs? Thanks.

Feb 19 10:45:04 Svr01-JLS /usr/bin/nfcapd[21694]: Signal launcher
Feb 19 10:45:04 Svr01-JLS /usr/bin/nfcapd[21694]: Ident: 'none' Flows: 7923, Packets: 17519, Bytes: 4354382, Sequence Errors: 105, Bad Packets: 0
Feb 19 10:45:04 Svr01-JLS /usr/bin/nfcapd[21695]: Launcher: Wakeup
Feb 19 10:45:04 Svr01-JLS /usr/bin/nfcapd[21695]: Run expire on '/flow/rtr-365'
Feb 19 10:45:04 Svr01-JLS /usr/bin/nfcapd[21695]: Force rebuild stat record
Feb 19 10:45:04 Svr01-JLS /usr/bin/nfcapd[21694]: error condition in 'nfcapd.c', line '605', cnt: -1
Feb 19 10:45:04 Svr01-JLS kernel: [493732.966459] nfcapd[21695]: segfault at b7f31000 eip 08059982 esp bfe638c0 error 4

nfcapd: Version: 1.5.7 $LastChangedDate: 2008-02-21 10:50:02 +0100 (Thu, 21 Feb 2008) $
$Id: nfcapd.c 97 2008-02-21 09:50:02Z peter $

Peter Kranz
Founder/CEO - Unwired Ltd
www.UnwiredLtd.com
Desk: 510-868-1614 x100
Mobile: 510-207-0000
pkranz@...
