
Flow label can not work properly...

Open lyt0112 opened this issue 4 years ago • 4 comments

Hi all,

I've tried nfdump v1.6.20 and v1.6.23, but I don't know how to make flow labels work. I followed the format on the man page and tested: (Example: (ip in [172.16.1.0/24]) %ISP_1 or (ip in [172.16.16.0/24]) %IPS_2 or %GoogleDNS((proto udp or proto tcp) and ip 8.8.8.8) )

```
[root@lab ~]# nfdump -R /mnt/tclog/nfcapd -t "2021/10/14.13:00:00-2021/10/14.23:59:59" -n 5 -N -s record/bytes -q -o "fmt:%ts,%td,%pr,%sap,%dap,%in,%out,%pkt,%byt,%bps,%fl,%lbl" "(ip in [172.31.3.0/24]) %Test"
2021-10-14 13:35:08.806, 7501.415,6 , 172.31.3.1:22 , 36.225.185.181:64809, 65535, 145, 3485, 9099163, 9703, 10,<none>
2021-10-14 13:35:08.705, 7501.581,6 , 36.225.185.181:64809, 172.31.3.1:22 , 145, 65535, 4850, 233032, 248, 9,<none>
2021-10-14 13:00:03.570,12179.277,1 , 213.67.222.41:0 , 172.31.3.1:8.0 , 145, 65535, 204, 17136, 11, 204,<none>
2021-10-14 13:00:19.293,12180.207,1 , 213.67.222.45:0 , 172.31.3.1:8.0 , 145, 65535, 204, 17136, 11, 204,<none>
2021-10-14 13:00:03.570,12179.277,1 , 172.31.3.1:0 , 213.67.222.41:0.0 , 65535, 145, 204, 17136, 11, 204,<none>
```

The label field always shows <none>.

Any suggestion will be appreciated!!!

lyt0112, Oct 14 '21 08:10

Hi all,

After doing some tests, I found that the function does not work properly. Can you fix it?

Can work:

```
nfdump -R /mnt/tclog/nfcapd -t "2021/09/30.00:00:00-2021/09/30.23:59:59" -n 5 -N -q -o "fmt:%ts,%td,%pr,%sap,%dap,%in,%out,%pkt,%byt,%bps,%fl,%lbl" " (%ISP1 (if 154)) "
nfdump -R /mnt/tclog/nfcapd -t "2021/09/30.00:00:00-2021/09/30.23:59:59" -N -q -o "fmt:%ts,%td,%pr,%sap,%dap,%in,%out,%pkt,%byt,%bps,%fl,%lbl" " (%ISP1 (if 154)) "
```

Partial work:

```
nfdump -R /mnt/tclog/nfcapd -t "2021/09/30.00:00:00-2021/09/30.23:59:59" -N -q -o "fmt:%ts,%td,%pr,%sap,%dap,%in,%out,%pkt,%byt,%bps,%fl,%lbl" " (%ISP1 (if 154) or %ISP2 (if 153)) "
2021-09-30 17:33:37.384, 6.500,6 , 192.168.1.124:80 , 114.119.145.47:9006 , 153, 154, 43, 67278, 82803, 1,<none>
2021-09-30 17:33:38.021, 5.884,6 , 192.168.1.124:80 , 114.119.145.47:9146 , 153, 154, 91, 141905, 192936, 1,<none>
2021-09-30 17:33:38.022, 5.998,6 , 192.168.1.124:80 , 114.119.145.47:9152 , 153, 154, 26, 45683, 60930, 1,<none>
2021-09-30 17:33:38.021, 5.998,6 , 114.119.145.47:9152 , 192.168.1.124:80 , 154, 153, 29, 5293, 7059, 1, ISP1
2021-09-30 17:14:32.686, 1152.176,17 , 192.168.1.70:55209, 108.177.97.189:443 , 153, 158, 564, 38998, 270, 1, ISP2
```

```
nfdump -R /mnt/tclog/nfcapd -t "2021/09/30.00:00:00-2021/09/30.23:59:59" -N -q -o "fmt:%ts,%td,%pr,%sap,%dap,%in,%out,%pkt,%byt,%bps,%fl,%lbl" "(if 145) %ISP_1 or (if 149) %IPS_2 or %GoogleDNS((proto udp or proto tcp) and ip 8.8.8.8)"
2021-09-30 23:59:55.361, 0.000,17 , 122.116.63.225:47295, 8.8.8.8:53 , 65535, 149, 1, 56, 0, 1,<none>
2021-09-30 23:59:58.199, 0.533,6 , 203.67.222.20:53848, 192.168.1.124:22 , 149, 144, 23, 4895, 73470, 1, IPS_2
2021-09-30 23:59:58.813, 0.000,6 , 165.232.141.43:32767, 122.116.63.215:38081, 149, 65535, 1, 40, 0, 1, IPS_2
2021-09-30 23:59:58.996, 0.000,17 , 203.67.222.20:60743, 8.8.8.8:53 , 65535, 145, 1, 69, 0, 1,<none>
```

The following commands do not work at all:

```
nfdump -R /mnt/tclog/nfcapd -t "2021/09/30.00:00:00-2021/09/30.23:59:59" -n 50 -N -s record/bytes -q -o "fmt:%ts,%td,%pr,%sap,%dap,%in,%out,%pkt,%byt,%bps,%fl,%lbl" " (%ISP1 (if 154)) "
nfdump -R /mnt/tclog/nfcapd -t "2021/09/30.00:00:00-2021/09/30.23:59:59" -n 50 -N -q -o "fmt:%ts,%td,%pr,%sap,%dap,%in,%out,%pkt,%byt,%bps,%fl,%lbl" " (%ISP1 (if 154)) and not if 65535"
nfdump -R /mnt/tclog/nfcapd -t "2021/09/30.00:00:00-2021/09/30.23:59:59" -n 50 -N -q -o "fmt:%ts,%td,%pr,%sap,%dap,%in,%out,%pkt,%byt,%bps,%fl,%lbl" " (%ISP1 (if 154 and not if 65535)) "
nfdump -R /mnt/tclog/nfcapd -t "2021/10/15.00:00:00-2021/10/15.23:59:59" -N -q -o "fmt:%ts,%td,%pr,%sap,%dap,%in,%out,%pkt,%byt,%bps,%fl,%lbl" " (not ip 127.0.0.1 and not ip 172.31.3.1 and not proto icmp and (%ISP1 (if 149) or %ISP2 (if 145)) and not if 65535) "
nfdump -R /mnt/tclog/nfcapd -t "2021/10/15.00:00:00-2021/10/15.23:59:59" -N -q -o "fmt:%ts,%td,%pr,%sap,%dap,%in,%out,%pkt,%byt,%bps,%fl,%lbl" " (not %lo (if 65535) or %ISP1 (if 149) or %ISP2 (if 145)) "
nfdump -R /mnt/tclog/nfcapd -t "2021/10/15.00:00:00-2021/10/15.23:59:59" -N -q -o "fmt:%ts,%td,%pr,%sap,%dap,%in,%out,%pkt,%byt,%bps,%fl,%lbl" "%ISP1(if 149 and not ip 127.0.0.1 and not ip 172.31.3.1 and not proto icmp and not if 65535)"
```

lyt0112, Oct 15 '21 02:10

I will check that. Please note that the flow labels are kind of experimental. Can you explain to me your intended use? Then I can try to better fit the requests.

phaag, Oct 20 '21 08:10

Hi, the tunnel or PPPoE index number (%in, %out) changes after a reconnection. I want to add a flow label to mark the tunnel/PPPoE sessions. After the label is applied, I also want to use the -w parameter to save it back to the original file or to a new file (<= I also tested this; the flow label field can't be saved by the -w parameter). Using nfdump to query the label would give me the correct tunnel/PPPoE link info.

But for now I am trying to make the tunnel or PPPoE use a fixed index number.

lyt0112, Oct 20 '21 08:10
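Since the labels in this release are experimental and are not written back by -w, one practical workaround is to leave labelling to a post-processing step: run nfdump with the fmt string used throughout this thread and assign the labels outside nfdump. The script below is an added example written for this page, not nfdump's code and not something either participant posted. It parses that CSV output and evaluates a small rule set that mirrors the thread's filter expressions (`%ISP1 (if 154)`, `%GoogleDNS((proto udp or proto tcp) and ip 8.8.8.8)`, `(ip in [172.31.3.0/24]) %Test`). The semantics it assumes are labelled in the code: `if N` matches either %in or %out, `ip X` matches either endpoint, the first matching rule wins, and addresses are IPv4 as in the quoted output; none of that is taken from nfdump's documentation. The sample records are copied from the outputs quoted earlier in this thread.

```python
"""Attach flow labels to nfdump CSV output outside nfdump (added example, not nfdump code)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

# Column order of the -o "fmt:..." string used in this thread.
FMT_COLUMNS = ["ts", "td", "pr", "sap", "dap", "in", "out", "pkt", "byt", "bps", "fl", "lbl"]
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}


@dataclass
class Flow:
    ts: str
    duration: float
    proto: int
    src: str
    sport: str
    dst: str
    dport: str
    in_if: int
    out_if: int
    packets: int
    bytes_: int
    bps: int
    flows: int
    label: str


def _split_endpoint(field: str) -> Tuple[str, str]:
    """'172.31.3.1:22' -> ('172.31.3.1', '22'). For ICMP nfdump prints type.code in the
    port position ('8.0'), which is kept as a string. Assumes IPv4 output as in the thread."""
    host, _, port = field.strip().rpartition(":")
    return host, port


def parse_fmt_line(line: str) -> Flow:
    """Parse one comma-separated record printed with the fmt string above."""
    cols = [c.strip() for c in line.split(",")]
    if len(cols) != len(FMT_COLUMNS):
        raise ValueError(f"expected {len(FMT_COLUMNS)} columns, got {len(cols)}: {line!r}")
    src, sport = _split_endpoint(cols[3])
    dst, dport = _split_endpoint(cols[4])
    return Flow(ts=cols[0], duration=float(cols[1]), proto=int(cols[2]),
                src=src, sport=sport, dst=dst, dport=dport,
                in_if=int(cols[5]), out_if=int(cols[6]),
                packets=int(cols[7]), bytes_=int(cols[8]), bps=int(cols[9]),
                flows=int(cols[10]), label=cols[11])


# Predicates modelled on the nfdump filter primitives used in the thread.
Pred = Callable[[Flow], bool]


def iface(n: int) -> Pred:
    """'if N' -- assumed to match the input OR the output interface."""
    return lambda f: n in (f.in_if, f.out_if)


def ip(addr: str) -> Pred:
    """'ip X' -- assumed to match either endpoint."""
    return lambda f: addr in (f.src, f.dst)


def ip_in(*cidrs: str) -> Pred:
    """'ip in [a/b c/d]' -- either endpoint inside any of the networks."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda f: any(ipaddress.ip_address(a) in n for a in (f.src, f.dst) for n in nets)


def proto(*names: str) -> Pred:
    """'proto tcp or proto udp' collapsed into one predicate."""
    nums = {PROTO_NUMBERS[n] for n in names}
    return lambda f: f.proto in nums


def all_of(*preds: Pred) -> Pred:
    return lambda f: all(p(f) for p in preds)


Rule = Tuple[str, Pred]


def label_flow(flow: Flow, rules: List[Rule], default: str = "<none>") -> str:
    """First matching rule wins (an assumption; the thread does not state nfdump's precedence)."""
    for name, pred in rules:
        if pred(flow):
            return name
    return default


def label_records(lines: Iterable[str], rules: List[Rule]) -> List[Flow]:
    flows = []
    for line in lines:
        if line.strip():
            f = parse_fmt_line(line)
            f.label = label_flow(f, rules)
            flows.append(f)
    return flows


# Rules equivalent to the thread's filter expressions.
RULES: List[Rule] = [
    ("GoogleDNS", all_of(proto("udp", "tcp"), ip("8.8.8.8"))),
    ("ISP1", iface(154)),
    ("ISP2", iface(153)),
    ("Test", ip_in("172.31.3.0/24")),
]

# Sample input: four records copied from the nfdump output quoted in this thread.
SAMPLE_OUTPUT = """\
2021-09-30 17:33:37.384, 6.500,6 , 192.168.1.124:80 , 114.119.145.47:9006 , 153, 154, 43, 67278, 82803, 1,<none>
2021-09-30 17:14:32.686, 1152.176,17 , 192.168.1.70:55209, 108.177.97.189:443 , 153, 158, 564, 38998, 270, 1, ISP2
2021-09-30 23:59:55.361, 0.000,17 , 122.116.63.225:47295, 8.8.8.8:53 , 65535, 149, 1, 56, 0, 1,<none>
2021-10-14 13:00:03.570,12179.277,1 , 213.67.222.41:0 , 172.31.3.1:8.0 , 145, 65535, 204, 17136, 11, 204,<none>
"""


def labelled_sample() -> List[Tuple[str, str, str]]:
    return [(f.src, f.dst, f.label) for f in label_records(SAMPLE_OUTPUT.splitlines(), RULES)]


if __name__ == "__main__":
    for src, dst, lbl in labelled_sample():
        print(f"{src:>20} -> {dst:<20} {lbl}")
```

To use it on real data, pipe `nfdump ... -q -o "fmt:..."` output into `label_records` and write the labelled rows wherever the downstream tooling expects them; because nfdump's interface index for a PPPoE or tunnel session changes after a reconnect, keep the `iface()` rules in a config that is regenerated from the current interface table rather than hard-coding them as above.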

Flow labels are now correctly implemented in the unicorn branch. This includes -w as well as filtering according to a flow label: ... flowlabel <label> ...

phaag, Jul 07 '22 15:07