Merge branch 'master' of github.com:phaag/nfdump

Peter Haag 2016-11-26 12:17:55 +01:00
commit 4cd1ef119d
16 changed files with 34 additions and 34 deletions


@ -822,7 +822,7 @@ term: ANY { /* this is an unconditionally true expression, as a filter applies i
if ( $5 > (bytes*8) ) { if ( $5 > (bytes*8) ) {
yyerror("Too many netbits for this IP addresss"); yyerror("Too many netbits for this IP address");
YYABORT; YYABORT;
} }
@ -1413,7 +1413,7 @@ term: ANY { /* this is an unconditionally true expression, as a filter applies i
if ( $5 > (bytes*8) ) { if ( $5 > (bytes*8) ) {
yyerror("Too many netbits for this IP addresss"); yyerror("Too many netbits for this IP address");
YYABORT; YYABORT;
} }


@ -944,7 +944,7 @@ term: ANY { /* this is an unconditionally true expression, as a filter applies i
if ( $5 > (bytes*8) ) { if ( $5 > (bytes*8) ) {
yyerror("Too many netbits for this IP addresss"); yyerror("Too many netbits for this IP address");
YYABORT; YYABORT;
} }


@ -666,7 +666,7 @@ size_t size_required;
// skip exporter_sysid and reserved // skip exporter_sysid and reserved
offset += 4; offset += 4;
/* IP addresss record /* IP address record
* This record is expected in the output stream. If not available * This record is expected in the output stream. If not available
* in the template, assume empty v4 address. * in the template, assume empty v4 address.
*/ */


@ -412,18 +412,18 @@ srecord_t *InfoRecord;
} }
} }
if ( child_exit ) { if ( child_exit ) {
syslog(LOG_INFO, "laucher child exit %d childs.", child_exit); syslog(LOG_INFO, "launcher child exit %d children.", child_exit);
while ( (pid = waitpid (-1, &stat, WNOHANG)) > 0 ) { while ( (pid = waitpid (-1, &stat, WNOHANG)) > 0 ) {
if ( WIFEXITED(stat) ) { if ( WIFEXITED(stat) ) {
syslog(LOG_DEBUG, "launcher child %i exit status: %i", pid, WEXITSTATUS(stat)); syslog(LOG_DEBUG, "launcher child %i exit status: %i", pid, WEXITSTATUS(stat));
} }
if ( WIFSIGNALED(stat) ) { if ( WIFSIGNALED(stat) ) {
syslog(LOG_WARNING, "laucher child %i died due to signal %i", pid, WTERMSIG(stat)); syslog(LOG_WARNING, "launcher child %i died due to signal %i", pid, WTERMSIG(stat));
} }
child_exit--; child_exit--;
} }
syslog(LOG_INFO, "laucher waiting childs done. %d childs", child_exit); syslog(LOG_INFO, "launcher waiting children done. %d children", child_exit);
child_exit = 0; child_exit = 0;
} }
if ( done ) { if ( done ) {
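Review bot: The three syslog strings respelled in this hunk ("laucher" to "launcher", "childs" to "children") are text that log monitoring or alert rules may match on, so existing patterns keyed on the old spelling would silently stop firing; a release-note line naming the changed messages would cover that. The same applies to the "Launcher does not want to terminate" messages changed in two other files of this commit. Separately, the closing message prints `child_exit` after the loop has decremented it once per reaped child, so the "%d children" value there is what remains uncounted rather than the number handled; a comment such as `/* child_exit is now the count signalled but not reaped */` would make that clear. Where `child_exit` is incremented is outside this hunk (presumably a signal handler), and the enclosing function starts and ends outside it too.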


@ -755,7 +755,7 @@ size_t size_required;
// skip exporter_sysid and reserved // skip exporter_sysid and reserved
offset += 4; offset += 4;
/* IP addresss record /* IP address record
* This record is expected in the output stream. If not available * This record is expected in the output stream. If not available
* in the template, assume empty v4 address. * in the template, assume empty v4 address.
*/ */


@ -90,7 +90,7 @@ static void process_data(void *wfile);
static void usage(char *name) { static void usage(char *name) {
printf("usage %s [options] \n" printf("usage %s [options] \n"
"-h\t\tthis text you see right here\n" "-h\t\tthis text you see right here\n"
"-K <key>\tAnonymize IP addressses using CryptoPAn with key <key>.\n" "-K <key>\tAnonymize IP addresses using CryptoPAn with key <key>.\n"
"-r\t\tread input from file\n" "-r\t\tread input from file\n"
"-M <expr>\tRead input from multiple directories.\n" "-M <expr>\tRead input from multiple directories.\n"
"-R <expr>\tRead input from sequence of files.\n" "-R <expr>\tRead input from sequence of files.\n"


@ -203,7 +203,7 @@ pid_t ret;
sleep(1); sleep(1);
} }
if ( i >= LAUNCHER_TIMEOUT ) { if ( i >= LAUNCHER_TIMEOUT ) {
LogError("Laucher does not want to terminate - signal again"); LogError("Launcher does not want to terminate - signal again");
kill(pid, SIGTERM); kill(pid, SIGTERM);
sleep(1); sleep(1);
} }
@ -708,7 +708,7 @@ srecord_t *commbuff;
if ( verbose ) { if ( verbose ) {
uint16_t count = ntohs(nf_header->count); uint16_t count = ntohs(nf_header->count);
if ( blast_cnt != count ) { if ( blast_cnt != count ) {
// LogError("Missmatch blast check: Expected %u got %u\n", blast_cnt, count); // LogError("Mismatch blast check: Expected %u got %u\n", blast_cnt, count);
blast_cnt = count; blast_cnt = count;
blast_failures++; blast_failures++;
} else { } else {
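Review bot: In the first hunk of this file, the retry `kill(pid, SIGTERM)` inside `if ( i >= LAUNCHER_TIMEOUT )` ignores the return value of kill() and repeats the signal the launcher has apparently not acted on, so a failure (for example ESRCH because the child is already gone) is never logged. Checking the result would make this observable: `if ( kill(pid, SIGTERM) < 0 ) LogError("kill() launcher: %s", strerror(errno));`. The same pattern appears in the other file of this commit that reports this condition through `syslog(LOG_WARNING, ...)`. The wait loop before this branch and the code after the second `sleep(1)` are outside the hunk, so an escalation step may already exist there.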


@ -297,7 +297,7 @@ static void usage(char *name) {
"-M <expr>\tRead input from multiple directories.\n" "-M <expr>\tRead input from multiple directories.\n"
"\t\t/dir/dir1:dir2:dir3 Read the same files from '/dir/dir1' '/dir/dir2' and '/dir/dir3'.\n" "\t\t/dir/dir1:dir2:dir3 Read the same files from '/dir/dir1' '/dir/dir2' and '/dir/dir3'.\n"
"\t\trequests either -r filename or -R firstfile:lastfile without pathnames\n" "\t\trequests either -r filename or -R firstfile:lastfile without pathnames\n"
"-m\t\tdepricated\n" "-m\t\tdeprecated\n"
"-O <order> Sort order for aggregated flows - tstart, tend, flows, packets bps pps bbp etc.\n" "-O <order> Sort order for aggregated flows - tstart, tend, flows, packets bps pps bbp etc.\n"
"-R <expr>\tRead input from sequence of files.\n" "-R <expr>\tRead input from sequence of files.\n"
"\t\t/any/dir Read all files in that directory.\n" "\t\t/any/dir Read all files in that directory.\n"
@ -897,7 +897,7 @@ char Ident[IDENTLEN];
print_order = "tstart"; print_order = "tstart";
Parse_PrintOrder(print_order); Parse_PrintOrder(print_order);
date_sorted = 1; date_sorted = 1;
LogError("Option -m depricated. Use '-O tstart' instead\n"); LogError("Option -m deprecated. Use '-O tstart' instead\n");
break; break;
case 'M': case 'M':
Mdirs = optarg; Mdirs = optarg;
@ -1009,7 +1009,7 @@ char Ident[IDENTLEN];
} }
if ( rfile && Rfile ) { if ( rfile && Rfile ) {
LogError("-r and -R are mutually exclusive. Plase specify either -r or -R\n"); LogError("-r and -R are mutually exclusive. Please specify either -r or -R\n");
exit(255); exit(255);
} }
if ( Mdirs && !(rfile || Rfile) ) { if ( Mdirs && !(rfile || Rfile) ) {


@ -376,7 +376,7 @@ channel_t *channel, *current_channel;
printf("Rescan again, due to file changes in directory!\n"); printf("Rescan again, due to file changes in directory!\n");
} }
if ( BookSequence(current_channel->books) != last_sequence ) { if ( BookSequence(current_channel->books) != last_sequence ) {
fprintf(stderr, "Could not savely rescan the directory. Data is not consistent.\n"); fprintf(stderr, "Could not safely rescan the directory. Data is not consistent.\n");
ReleaseBookkeeper(current_channel->books, DETACH_ONLY); ReleaseBookkeeper(current_channel->books, DETACH_ONLY);
if ( current_channel->status == OK ) if ( current_channel->status == OK )
WriteStatInfo(current_channel->dirstat); WriteStatInfo(current_channel->dirstat);


@ -295,7 +295,7 @@ char *string;
} }
if ( c != maxindex ) { if ( c != maxindex ) {
LogError("Abort: Missmatch %s line %d: %s\n", __FILE__, __LINE__, strerror (errno)); LogError("Abort: Mismatch %s line %d: %s\n", __FILE__, __LINE__, strerror (errno));
return 0; return 0;
} }
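Review bot: `strerror (errno)` in this LogError call reports whatever errno was last set to, because the condition that triggers it is the comparison `c != maxindex` and not a failed library call, so the logged reason can be unrelated to the mismatch or read as "Success". Logging the two compared values would be more useful for diagnosing a malformed input, for example `LogError("Abort: Mismatch %s line %d: got %d, expected %d\n", __FILE__, __LINE__, c, maxindex);`. The types of `c` and `maxindex` are not visible here, so the format specifiers need adjusting to match. The enclosing function starts and ends outside the hunk.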


@ -178,7 +178,7 @@ pid_t ret;
sleep(1); sleep(1);
} }
if ( i >= LAUNCHER_TIMEOUT ) { if ( i >= LAUNCHER_TIMEOUT ) {
syslog(LOG_WARNING, "Laucher does not want to terminate - signal again"); syslog(LOG_WARNING, "Launcher does not want to terminate - signal again");
kill(pid, SIGTERM); kill(pid, SIGTERM);
sleep(1); sleep(1);
} }


@ -14,11 +14,11 @@ at stdout.
.SH OPTIONS .SH OPTIONS
.TP 3 .TP 3
.B -r <flow-tools-file> .B -r <flow-tools-file>
Read flow-tools formated netflow data from file \fIflow-tools-file. Read flow-tools formatted netflow data from file \fIflow-tools-file.
Default: Read from stdin. Default: Read from stdin.
.TP 3 .TP 3
.B -w <nfdump-file> .B -w <nfdump-file>
Write nfdump formated file for converted netflow data Write nfdump formatted file for converted netflow data
Default: Write to stdout. Default: Write to stdout.
.TP 3 .TP 3
.B -j .B -j


@ -64,7 +64,7 @@ Join the specified IPv4 or IPv6 multicast group for listening.
.B -R \fIhost[/port} .B -R \fIhost[/port}
Enable packet repeater. Send all incoming packets to another \fIhost\fR and \fIport\fR. Enable packet repeater. Send all incoming packets to another \fIhost\fR and \fIport\fR.
\fIhost\fR is either a valid IPv4/IPv6 address, or a valid symbolic hostname, which resolves to \fIhost\fR is either a valid IPv4/IPv6 address, or a valid symbolic hostname, which resolves to
a IPv6 or IPv4 address. \fIport\fR may be ommited and defaults to port 9995. Note: Due to IPv4/IPv6 a IPv6 or IPv4 address. \fIport\fR may be omitted and defaults to port 9995. Note: Due to IPv4/IPv6
accepted addresses the port separator is '/'. accepted addresses the port separator is '/'.
.TP 3 .TP 3
.B -I \fIIdentString ( capital letter i ) .B -I \fIIdentString ( capital letter i )
@ -259,7 +259,7 @@ becomes available. The following command expansion is available:
.TP 3 .TP 3
.B -X .B -X
Collect and embed extended statistics. Currently a port and bpp histogram Collect and embed extended statistics. Currently a port and bpp histogram
is embeded. Mostly experimental for now is embedded. Mostly experimental for now
.TP 3 .TP 3
.B -e .B -e
Auto expire files at every cycle. \fImax lifetime\fP and \fImax filesize\fP Auto expire files at every cycle. \fImax lifetime\fP and \fImax filesize\fP


@ -51,7 +51,7 @@ to exist in all the given directories. The options \-r and \-R must
not contain any directory part when used in conjunction with \-M. not contain any directory part when used in conjunction with \-M.
.TP 3 .TP 3
.B -m .B -m
depricated option. Use -O tstart instead. deprecated option. Use -O tstart instead.
.TP 3 .TP 3
.B -O \fIorder .B -O \fIorder
Set sort order to print flows or aggregated flows. \fIorder\fR can be: Set sort order to print flows or aggregated flows. \fIorder\fR can be:
@ -90,7 +90,7 @@ obpp Sort according to output packets
.br .br
tstart Sort according to start time of flow - former -m tstart Sort according to start time of flow - former -m
.br .br
tend" Sort according to end time of flows tend Sort according to end time of flows
.RE .RE
.TP 3 .TP 3
.B -w \fIoutputfile .B -w \fIoutputfile
@ -536,9 +536,9 @@ additional computed information such as \fBpps\fR, \fBbps\fR and \fBbpp\fR.
.P .P
.RS 3 .RS 3
\fBDate flow start:\fR Start time flow first seen. ISO 8601 format \fBDate flow start:\fR Start time flow first seen. ISO 8601 format
including miliseconds. including milliseconds.
.P .P
\fBDuration:\fR Duration of the flow in seconds and miliseconds. \fBDuration:\fR Duration of the flow in seconds and milliseconds.
If flows are aggregated, \fIduration\fR is the time span over the If flows are aggregated, \fIduration\fR is the time span over the
entire periode of time from first seen to last seen. entire periode of time from first seen to last seen.
.P .P
@ -984,7 +984,7 @@ Select the IPv4 network \fIa.b.c.d\fR with netmask \fIm.n.r.s\fR.
.br .br
with \fI<net>\fR as a valid IPv4 or IPv6 network and \fI<num>\fR as maskbits. with \fI<net>\fR as a valid IPv4 or IPv6 network and \fI<num>\fR as maskbits.
The number of mask bits must match the appropriate address familiy in IPv4 or The number of mask bits must match the appropriate address familiy in IPv4 or
IPv6. Networks may be abreviated such as 172.16/16 if they are unambiguous. IPv6. Networks may be abbreviated such as 172.16/16 if they are unambiguous.
.RE .RE
.TP 4 .TP 4
.I Port .I Port
@ -1032,7 +1032,7 @@ Example: \fBin if 3\fR
\fB[src|dst|prev|next] as [comp] <num>\fR \fB[src|dst|prev|next] as [comp] <num>\fR
.br .br
Selects source, dstination, previous, next or any AS number Selects source, dstination, previous, next or any AS number
with \fI<num>\fR as any valid as number. 32bit AS numbers are suported. If with \fI<num>\fR as any valid as number. 32bit AS numbers are supported. If
\fIcomp\fR is omitted, '=' is assumed. \fIcomp\fR is explained more detailed below. \fIcomp\fR is omitted, '=' is assumed. \fIcomp\fR is explained more detailed below.
.br .br
@ -1147,7 +1147,7 @@ To filter for flows with specific packets per second.
.I Duration: Calculated value .I Duration: Calculated value
\fBduration\fR \fI[comp]\fR \fInum\fR \fBduration\fR \fI[comp]\fR \fInum\fR
.br .br
To filter for flows with specific duration in miliseconds. To filter for flows with specific duration in milliseconds.
.TP 4 .TP 4
.I Bits per second: Calculated value. .I Bits per second: Calculated value.
\fBbps\fR \fI[comp]\fR \fInum\fR \fI[scale]\fR \fBbps\fR \fI[comp]\fR \fInum\fR \fI[scale]\fR
@ -1206,7 +1206,7 @@ Select the translated IP address
.br .br
with \fI<net>\fR as a valid translated IPv4 or IPv6 network and \fI<num>\fR as maskbits. with \fI<net>\fR as a valid translated IPv4 or IPv6 network and \fI<num>\fR as maskbits.
The number of mask bits must match the appropriate address familiy in IPv4 or The number of mask bits must match the appropriate address familiy in IPv4 or
IPv6. Networks may be abreviated such as 172.16/16 if they are unambiguous. IPv6. Networks may be abbreviated such as 172.16/16 if they are unambiguous.
.P .P
\fB[src|dst] xport <port>\fR \fB[src|dst] xport <port>\fR
.br .br
@ -1255,7 +1255,7 @@ Select the NAT port
.TP 4 .TP 4
.I NEL NAT vrf .I NEL NAT vrf
\fBingress vrf <num>\fR \fBingress vrf <num>\fR
.b .br
Select the vrf Select the vrf
.RE .RE
.PD .PD
@ -1277,7 +1277,7 @@ Generates the Top 20 statistics from 08:45 to 09:45 from 3 sources
Generates the Top 20 statistics, extended output format Generates the Top 20 statistics, extended output format
.P .P
.B nfdump \-r /and/dir/nfcapd.201107110845 \-s record \-n 20 'in if 5 and bps > 10k' .B nfdump \-r /and/dir/nfcapd.201107110845 \-s record \-n 20 'in if 5 and bps > 10k'
Generates the Top 20 statistics from flows comming from interface 5 Generates the Top 20 statistics from flows coming from interface 5
.P .P
.B nfdump \-r /and/dir/nfcapd.201107110845 'inet6 and proto tcp and ( src port > 1024 and dst port 80 ) .B nfdump \-r /and/dir/nfcapd.201107110845 'inet6 and proto tcp and ( src port > 1024 and dst port 80 )
Dumps all port 80 IPv6 connections to any web server. Dumps all port 80 IPv6 connections to any web server.


@ -10,7 +10,7 @@ is used to manage the expiration of old netflow data files, created
by nfcapd(1) or other data collectors such as sfcapd(1). Data expiration by nfcapd(1) or other data collectors such as sfcapd(1). Data expiration
is done either by nfcapd(1) in auto expiry mode, or by nfexpire which is done either by nfcapd(1) in auto expiry mode, or by nfexpire which
can by run at any time or any desired time interval by cron. nfexpire can by run at any time or any desired time interval by cron. nfexpire
can also be savely run while nfcapd auto expires files, for cleaning up can also be safely run while nfcapd auto expires files, for cleaning up
full disks etc. nfexpire is sub directory hierarchy aware, and handles full disks etc. nfexpire is sub directory hierarchy aware, and handles
any format automatically. For a fast and efficient expiration, nfexpire any format automatically. For a fast and efficient expiration, nfexpire
creates and maintains a stat file named \fB.nfstat\fR in the data directory. creates and maintains a stat file named \fB.nfstat\fR in the data directory.
@ -45,7 +45,7 @@ are assumed.
.TP 3 .TP 3
.B -u \fIdatadir .B -u \fIdatadir
Updates the max size and lifetime limits, specified by \-s \-t and \-w and stores them Updates the max size and lifetime limits, specified by \-s \-t and \-w and stores them
in the statfile as default values. A running nfcapd(1) processs doing auto expiry in the statfile as default values. A running nfcapd(1) process doing auto expiry
will take these new values starting with the next expiry cycle. Running nfexpire will take these new values starting with the next expiry cycle. Running nfexpire
next time doing file expiration will take these new limits unless \-s \-t or \-w are next time doing file expiration will take these new limits unless \-s \-t or \-w are
specified. specified.


@ -41,7 +41,7 @@ Join the specified IPv6 or IPv6 multicast group for listening.
.B -R \fIhost[/port} .B -R \fIhost[/port}
Enable packet repeater. Send all incoming packets to another \fIhost\fR and \fIport\fR. Enable packet repeater. Send all incoming packets to another \fIhost\fR and \fIport\fR.
\fIhost\fR is either a valid IPv4/IPv6 address, or a valid simbolic hostname, which resolves to \fIhost\fR is either a valid IPv4/IPv6 address, or a valid simbolic hostname, which resolves to
a IPv6 or IPv4 address. \fIport\fR may be ommited and defaults to port 6343. Note: Due to IPv4/IPv6 a IPv6 or IPv4 address. \fIport\fR may be omitted and defaults to port 6343. Note: Due to IPv4/IPv6
accepted addresses the port separator is '/'. accepted addresses the port separator is '/'.
.TP 3 .TP 3
.B -I \fIIdentString ( capital letter i ) .B -I \fIIdentString ( capital letter i )