@narutaro
Last active August 5, 2022 20:21
nfdump usage

#Using nfdump

nfdump is a lightweight and simple NetFlow collector: nfcapd receives the exported flows and writes them to disk, and nfdump reads, filters and aggregates those files.

#Receive netflow

nfcapd -w -D -l /flows -p 2055

#Show basic stats

me@netflowc:/flows$ nfdump -v nfcapd.201510051640
File    : nfcapd.201510051640
Version : 1 - not compressed
Blocks  : 288
 Type 1 : 0
 Type 2 : 288
 Type 3 : 0
Records : 5006901

#Show flows

inoue@netflowc:/flows$ nfdump -r nfcapd.201510051640 -c 10
Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2006-09-06 22:53:10.007    60.000 TCP           10.0.0.1:1000  ->         10.0.0.2:80           0   16.4 M     1
2006-09-06 22:53:10.007    60.000 TCP           10.0.0.1:1000  ->         10.0.0.2:80           0   16.4 M     1
2006-09-06 22:53:10.007    60.000 TCP           10.0.0.1:1000  ->         10.0.0.2:80           0   16.4 M     1
2006-09-06 22:53:10.007    60.000 TCP           10.0.0.1:1000  ->         10.0.0.2:80           0   16.4 M     1
2006-09-06 22:53:10.007    60.000 TCP           10.0.0.1:1000  ->         10.0.0.2:80           0   16.4 M     1
2006-09-06 22:53:10.007    60.000 TCP           10.0.0.1:1000  ->         10.0.0.2:80           0   16.4 M     1
2006-09-06 22:53:10.007    60.000 TCP           10.0.0.1:1000  ->         10.0.0.2:80           0   16.4 M     1
2006-09-06 22:53:10.007    60.000 TCP           10.0.0.1:1000  ->         10.0.0.2:80           0   16.4 M     1
2006-09-06 22:53:10.007    60.000 TCP           10.0.0.1:1000  ->         10.0.0.2:80           0   16.4 M     1
2006-09-06 22:53:10.007    60.000 TCP           10.0.0.1:1000  ->         10.0.0.2:80           0   16.4 M     1
Summary: total flows: 10, total bytes: 163.8 M, total packets: 0, avg bps: 21.8 M, avg pps: 0, avg bpp: 0
Time window: 2006-09-06 22:53:10 - 2006-09-06 22:54:10
Total flows processed: 17475, Blocks skipped: 0, Bytes read: 1048576
Sys: 0.000s flows/second: 0.0        Wall: 0.001s flows/second: 10153980.2

#Aggregate flows

me@netflowc:/flows/tester$ nfdump -r nfcapd.201510051910 -a
Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2006-09-06 22:53:10.007    60.000 TCP           10.0.0.1:1000  ->         10.0.0.2:80           0    1.8 T 1104359
2006-09-06 14:08:22.007    60.000 TCP           10.0.0.3:1000  ->         10.0.0.4:80           0    4.7 T 2877764
2006-09-06 17:58:46.007    60.000 TCP           10.0.0.9:1000  ->        10.0.0.10:80           0    4.0 T 2411714
Summary: total flows: 6393837, total bytes: 10.5 T, total packets: 0, avg bps: 2.7 G, avg pps: 0, avg bpp: 0
Time window: 2006-09-06 14:08:22 - 2006-09-06 22:54:10
Total flows processed: 6393837, Blocks skipped: 0, Bytes read: 383634720
Sys: 0.936s flows/second: 6831022.4  Wall: 0.938s flows/second: 6811918.5 

#Filter examples

##Show TCP flows only

nfdump -r nfcapd.201510020155 'proto tcp'

##Specify an input directory instead of a file

nfdump -R /flows/pa-core01/ 'host 8.8.8.8'

##Format output

nfdump -r /flows/pa-core01/nfcapd.201510012120 'src ip 10.40.8.201' -o "fmt:%ts %td %pr %sap -> %dap %pkt %byt %fl"