Hej,

I've recently upgraded our installation of nfsen. I know, Peter is no longer developing it, but I'm not prepared to abandon that marvel in the near future.

The new installation is nfdump 1.7.4 and nfsen 1.3.11 from the source.

One problem I ran into was an incompatibility between nfdump (and its docs) and NfAlert. According to the (somewhat aged?) docs, nfdump -o pipe sends start and end time of the flows as two separate 32-bit integers:

          Address family  PF_INET or PF_INET6
          Time first seen UNIX time seconds
          msec first seen Mili seconds first seen
          Time last seen  UNIX time seconds
          msec last seen  Mili seconds first seen

That's what NfAlert expects:

} elsif ( $af == AF_INET || $af == AF_INET6) {
my ($tstart, $tstart_msec, $tend, $tend_msec, $proto, $ip1, $ip2, $ip3, $ip4,
  $flows, $packets, $bytes, $pps, $bps, $bpp ) = split /\|/, $_tmp;

(af has been parsed earlier)

However, current versions of nfdump send the start and end times as one single %llu, thus the fields read by NfAlert get shifted by two places.

I'd like to propose a patch to NfAlert, attached.

Since I don't know when the format changed, I test for the number of fields to be as compatible as possible. I didn't touch the case of AF_UNSPEC as I have no clue when that happens and/or what to do there.

Note also that nfdump deprecates -o pipe and suggests using -o json instead. I gave it a try; my version told me that json wasn't implemented yet for top1 stats. The next version of nfdump drops -o pipe completely, thus nfsen will break. Should be easy to fix, but something to be aware of.

The patch is attached, it was part of a way larger patch. I hope it makes sense and I didn't mess up.

Cheers,

Alexander

--
Alexander Talos-Zens
IT-Security - ACOnet-CERT
Zentraler Informatikdienst
https://zid.univie.ac.at


Universität Wien
Universitätsstraße 7
1010 Wien
T +43-1-4277-14351
[email protected]
GPG-Key-Id: 0xA29E057FE711EAB9
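An added example, not part of Alexander's mail and not NfAlert's own code: a stand-alone Perl parser for the AF_INET/AF_INET6 top-N lines of "nfdump -o pipe" that selects the layout by field count, as the patch does, and additionally keeps the millisecond part of the newer single-value timestamps instead of discarding it. The two sample lines are constructed for illustration; the address-family values come from the Socket module.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Socket qw(AF_INET AF_INET6);

# Constructed sample lines (not real nfdump output). First: the documented
# layout with tstart|tstart_msec|tend|tend_msec. Second: the newer layout
# where start and end are one millisecond value each (two fields fewer).
my @samples = (
    AF_INET . "|1700000000|123|1700000010|456|6|0|0|0|3232235777|5|80|800|0|640|160",
    AF_INET . "|1700000000123|1700000010456|6|0|0|0|3232235777|5|80|800|0|640|160",
);

# Parse one AF_INET/AF_INET6 stat line. Returns a hashref with the times
# normalised to (seconds, msec) whatever the input layout, or nothing if
# the line is not one we understand.
sub parse_pipe_line {
    my ($line) = @_;
    chomp $line;
    my ($af, $rest) = split /\|/, $line, 2;
    return unless defined $rest && ($af == AF_INET || $af == AF_INET6);
    my @f = split /\|/, $rest, -1;    # -1: trailing empty fields still count
    my %r;
    if (@f == 15) {                    # old layout: separate msec fields
        @r{qw(tstart tstart_msec tend tend_msec proto ip1 ip2 ip3 ip4
              flows packets bytes pps bps bpp)} = @f;
    } elsif (@f == 13) {               # new layout: one ms value per timestamp
        my ($ts, $te);
        ($ts, $te, @r{qw(proto ip1 ip2 ip3 ip4 flows packets bytes pps bps bpp)}) = @f;
        $r{tstart_msec} = $ts % 1000;  $r{tstart} = int($ts / 1000);
        $r{tend_msec}   = $te % 1000;  $r{tend}   = int($te / 1000);
    } else {
        warn "unexpected field count " . scalar(@f) . ": $line\n";
        return;
    }
    return \%r;
}

for my $l (@samples) {
    my $r = parse_pipe_line($l) or next;
    printf "%d.%03d -> %d.%03d proto=%s flows=%s bytes=%s\n",
        @{$r}{qw(tstart tstart_msec tend tend_msec proto flows bytes)};
}
```

Both sample lines print the same timestamps and counters, which is the check that the field-count switch is reading the same columns from either layout.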
diff -cr nfsen-v.1.3.11/libexec/NfAlert.pm nfsen-v.1.3.11.new/libexec/NfAlert.pm
*** nfsen-v.1.3.11/libexec/NfAlert.pm	2023-10-06 15:13:20.000000000 +0000
--- nfsen-v.1.3.11.new/libexec/NfAlert.pm	2024-09-23 12:59:43.763877661 +0000
***************
*** 756,761 ****
--- 756,766 ----
  	$$statinfo[0]{'bps'}     = 0;
  	$$statinfo[0]{'bpp'}     = 0;
  	foreach my $line ( @output ) {
+ 		# nfdump -o pipe (in recent versions at least) doesn't write
+ 		# write tstart_msec and tend_msec as separate fields.
+ 		my ($tstart, $tstart_msec, $tend, $tend_msec, 
+ 				$proto, $ip1, $ip2, $ip3, $ip4, $value, 
+ 				$flows, $packets, $bytes, $pps, $bps, $bpp );
  		chomp $line;
  		# each empty line marks the end of the current stat
  		# prepare for next stat block. 
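Review bot: the added comment on the two `+` lines repeats "write" across the line break ("doesn't write / write tstart_msec") and only says what is missing; since the branch below has to parse both shapes, stating what recent nfdump emits instead (tstart and tend as a single value each, per the mail) tells the next reader why two layouts are handled. Suggested wording: `# recent nfdump -o pipe writes tstart and tend as one value each` / `# instead of separate *_msec fields; both layouts are handled below.` Hoisting the `my` declarations to the top of the loop body is fine, as each iteration still gets fresh variables.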
***************
*** 771,777 ****
  		}
  		my ($af, $_tmp) = split /\|/, $line, 2;
  		if ( $af == AF_UNSPEC ) {
! 			my ($tstart, $tstart_msec, $tend, $tend_msec, $proto, $value, 
  				$flows, $packets, $bytes, $pps, $bps, $bpp ) = split /\|/, $_tmp;
  			$$statinfo[$i]{'flows'}	  = $flows;
  			$$statinfo[$i]{'packets'} = $packets;
--- 776,783 ----
  		}
  		my ($af, $_tmp) = split /\|/, $line, 2;
  		if ( $af == AF_UNSPEC ) {
! 			# *_msec: Not sure how to deal with this case
! 			($tstart, $tstart_msec, $tend, $tend_msec, $proto, $value, 
  				$flows, $packets, $bytes, $pps, $bps, $bpp ) = split /\|/, $_tmp;
  			$$statinfo[$i]{'flows'}	  = $flows;
  			$$statinfo[$i]{'packets'} = $packets;
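Review bot: the AF_UNSPEC branch still assumes the 12-field layout with separate tstart_msec and tend_msec; if recent nfdump collapsed the timestamps on these lines as well, $flows, $packets and $bytes would land two places off, the same shift the AF_INET branch is being fixed for, and nothing here would notice. The field-count test used in the next hunk (comparing against 12 rather than 15) would cover this branch with the same fallback, and the `# *_msec: Not sure how to deal with this case` comment could then record which layout was actually verified.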
***************
*** 781,788 ****
  			$$statinfo[$i]{'bpp'}     = $bpp;
  		
  		} elsif ( $af == AF_INET || $af == AF_INET6) {
! 			my ($tstart, $tstart_msec, $tend, $tend_msec, $proto, $ip1, $ip2, $ip3, $ip4, 
! 				$flows, $packets, $bytes, $pps, $bps, $bpp ) = split /\|/, $_tmp;
  			$$statinfo[$i]{'flows'}   = $flows;
  			$$statinfo[$i]{'packets'} = $packets;
  			$$statinfo[$i]{'bytes'}   = $bytes;
--- 787,806 ----
  			$$statinfo[$i]{'bpp'}     = $bpp;
  		
  		} elsif ( $af == AF_INET || $af == AF_INET6) {
!                         if ( split(/\|/, $_tmp) < 15 ) {
! 				($tstart, $tend, 
! 				$proto, $ip1, $ip2, $ip3, $ip4, 
! 				$flows, $packets, $bytes, $pps, $bps, $bpp ) 
! 				= split /\|/, $_tmp;
! 				$tstart = $tstart / 1000; # never used??
! 				$tstart_msec = 0;
! 			} 
! 			else {
! 				($tstart, $tstart_msec, $tend, $tend_msec, 
! 				$proto, $ip1, $ip2, $ip3, $ip4, 
! 				$flows, $packets, $bytes, $pps, $bps, $bpp ) 
! 				= split /\|/, $_tmp;
! 			} 
  			$$statinfo[$i]{'flows'}   = $flows;
  			$$statinfo[$i]{'packets'} = $packets;
  			$$statinfo[$i]{'bytes'}   = $bytes;
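Review bot: in the `< 15` branch only $tstart is divided by 1000 while $tend is left in milliseconds, $tend_msec is never assigned (so it stays undef and warns if it is ever used), and the division yields a fractional second rather than the integer the old format delivered. Suggest deriving both pairs the same way: `$tstart_msec = $tstart % 1000; $tstart = int($tstart / 1000);` and the same two lines for $tend, which keeps the millisecond precision instead of zeroing it with `$tstart_msec = 0`. Two smaller points: `split(/\|/, $_tmp) < 15` relies on split's scalar-context return value and silently drops trailing empty fields from the count; `my @f = split /\|/, $_tmp, -1; if ( @f < 15 )` is clearer and lets you reuse @f for the assignments that follow. And the `if` line is indented with spaces where the rest of the file uses tabs.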
_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
