Request: Add TTL field

Open caikpigosso opened this issue 1 year ago • 1 comments

Hello, I would like to know if it's possible to add the TTL field to be displayed in nfdump. It would be very useful for monitoring altered sources with spoofing.

caikpigosso avatar Jul 02 '24 00:07 caikpigosso

Do you have an exporter which sends this information? Which element IDs are used? There are multiple options: 192, 52, 53

phaag avatar Jul 02 '24 05:07 phaag

@caikpigosso - any comments on the question above?

phaag avatar Jul 08 '24 10:07 phaag

Hello,

I sent the sample to your email, with this Wireshark screenshot to select the field.

caikpigosso avatar Jul 08 '24 13:07 caikpigosso

Give it a try with the latest commit. Implements filtering, e.g. ttl > 64, as well as aggregation and statistics -s ttl.

phaag avatar Jul 11 '24 12:07 phaag

@phaag mind adding this extension to go-nfdump as well?

gabrielmocan avatar Jul 11 '24 12:07 gabrielmocan

@phaag It worked, thank you very much.

caikpigosso avatar Jul 11 '24 14:07 caikpigosso

@gabrielmocan see https://github.com/phaag/go-nfdump/issues/15 completed.

phaag avatar Jul 12 '24 18:07 phaag